What Changed About Your Personal Data in Healthcare Institutions Thanks to the GDPR?
It has been just over a month since the European Union implemented the General Data Protection Regulation (GDPR). The GDPR is a regulation within the EU and the European Economic Area. It's basically a law on data protection and privacy for everyone within the EU itself, though it deals with the export of personal data outside the EU's territory as well. The GDPR affects almost every business out there, but with the increased data collection practices in hospitals and other healthcare organizations, it's worth making sure we understand just how it affects that sphere and us as patients.
Effect on the healthcare system.
The GDPR has hit basically every business within the EU and many outside of it, but it poses a special challenge to health institutions. The EU's controversial new law considers "any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person" as personal information.
Additionally, the GDPR has a few entries about health care specifically. According to them, the GDPR considers health-related data to be any "personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status."
The GDPR also considers genetic and biometric information as personal data.
According to Article 6 of the GDPR, your data may only be processed if one of these conditions applies:
- it is necessary for the performance of a contract to which the data subject is party;
- it is necessary for compliance with a legal obligation;
- it is necessary to protect the vital interests of the data subject or of another natural person;
- it is necessary for the performance of a task carried out in the public interest;
- it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
That's not all, though. Hospitals and other healthcare entities are now obligated by law to protect your personal health data (including genetic and biometric data) with even stricter security measures than your general personal information. Healthcare organizations are prohibited by the GDPR from using your personal data without your consent. "Didn't they need my consent before?" you may ask. Well, yes, but now the law requires your explicit consent.
What's the difference between explicit consent and just consent?
Good question. I'm afraid there's no actual definition of "explicit consent" as opposed to regular "consent". This has generated some debate among lawmakers, healthcare representatives, lawyers, and even the general public. It seems the general consensus is that we'll need to fill in more forms in the hospital now. I can't say I'm looking forward to that.
American organizations can be affected by the GDPR too.
Europeans are not the only ones affected by these changes. American healthcare institutions have been called on to re-think their own handling of patient data and to implement stronger security measures.
What it all boils down to.
Nothing dramatic has happened, to be honest. The GDPR is mostly about managing users' private data and explicitly informing them of what private information they're putting out there and who has access to it. This includes healthcare organizations and their handling of patient data. As long as a company or healthcare institution gets its clients' explicit consent, it will be in compliance with the GDPR.