The European Union's General Data Protection Regulation goes into effect May 25, and it applies to anyone — even those in the U.S. — who handles European citizens' personal information, according to Bloomberg.
The EU's new rules will cover addresses, credit card numbers, travel records, religion, web search history, computer ID codes, biometric data and anything else that can be traced back to an individual. This means the law will affect businesses of all sizes across the world that use Europeans' data in their services.
Here are four things to know about how GDPR affects healthcare organizations in the U.S.
1. GDPR is stricter than the U.S.'s healthcare privacy law HIPAA. It requires breached entities report the incident to EU officials in 72 hours, which is a stark contrast from HIPAA's 60-day window. This means that any U.S. organization that also handles data for citizens in the EU's 28 countries must revamp their data breach reporting timelines.
2. GDPR is broader than HIPAA. Data protected under HIPAA is limited to individually identifiable health information, called protected health information, which includes any data about health status, provision of healthcare or payment for healthcare, according to HHS. GDPR is much more expansive and covers any and all data that can be traced back to an individual. What's more, companies must be transparent about data collection policies, and they are only allowed to collect data that serves a legitimate business interest.
3. GDPR affords individuals the 'right to be forgotten.' If an individual requests their data be erased, the organization must do so. GDPR also requires more transparent consent processes that aren't riddled with legal-jargon and ensures individuals can access all the data an organization is collecting on them upon their request.
4. GDPR cracks down on data storage. The EU's new law limits how long data can be stored and mandates data encryption. Many large organizations will be required to establish a data protection officer and implement stronger security measures.
Any U.S. organization that handles data for EU citizens must familiarize themselves with GDPR to ensure they meet its requirements. Large multinational organizations are projected to spend $7.8 billion to comply with the privacy regulations, and some consultants are concerned many won't be ready for its May 25 rollout, according to Bloomberg.
More articles on cybersecurity:
Google exploring a blockchain solution for its cloud
UK surgeon believes hackers used his computer to lead warplanes to Syrian hospital
1 February data breach took 4 years to discover: 7 statistics on last month's data breaches