SlideShare a Scribd company logo

The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulation

Cognizant
Cognizant

U.S. healthcare organizations must soon comply with the EU’s General Data Protection Regulation (GDPR) - which goes far beyond the Health Insurance Portability and Accountability Act (HIPAA) - or face major fines. Here’s a guide to get started.

1 of 12
Download to read offline
The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations Domestic healthcare organiza- tions must brush up on the EU’s General Data Protection Regulation (GDPR) compliance or risk heavy fines; here’s how to get started. Executive Summary Effective May 25, the European Union’s General Data Protection Regulation (GDPR) promises to levy business-crushing fines on companies that fail to protect consumers’ personal data. A wide array of U.S. healthcare organizations that market to, serve and/or employ EU residents will find themselves subject to the GDPR’s provisions. In our view, many organizations may have to go beyond their Health Insurance Portability and Accountability Act (HIPAA)-compliant mea- sures to meet GDPR requirements. Investing in GDPR-approved technologies, such as pseud- onymizing, will enhance healthcare organizations’ overall data security and privacy, as this white paper recommends. Cognizant 20-20 Insights | April 2018 COGNIZANT 20-20 INSIGHTS
GDPR: HIPAA ON STEROIDS The U.S. healthcare industry is well acquainted with privacy and security regulations, mainly in the form of HIPAA. Yet the GDPR, designed to protect the data and privacy of individual Euro- pean Union citizens, makes HIPAA look tame in comparison. U.S. healthcare organizations that collect data on EU citizens, whether they are customers or employees, are likely to face strict GDPR enforcement — and not just for health data. The GDPR replaces older EU privacy legislation (see Figure 1). It applies to all companies that collect, store and process information about indi- viduals in EU countries, even if the companies themselves are not headquartered in Europe. The regulation sets much higher penalties for corporate noncompliance than previous statutes — up to 4% of a company’s total global revenues. To put that 4% into context: In 2016, the UK’s Information Commissioners Office (ICO) fined Cognizant 20-20 Insights The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations | 2 Evolving EU Personal Data Protection Legislation 1984 MAY 2018 1995 DATA PROTECTION DIRECTIVE (EU) 2000 INTERNATIONAL SAFE HARBOR PRIVACY PRINCIPLES ESTABLISHED 2015 INTERNATIONAL SAFE HARBOR PRIVACY PRINCIPLES OVERTURNED 2016 GDPR IS APPROVED BY EU PARLIAMENT DATA PROTECTION ACT OF 1998 (UK) 1998 EU COMMISSION ANNOUNCES PLAN TO DEVELOP GDPR 2012 EU-U.S. PRIVACY SHIELD REPLACES THE INTERNATIONAL SAFE HARBOR PRIVACY PRINCIPLES 2016 DATA PROTECTION ACT (UK) GDPR TAKES EFFECT Figure 1
Cognizant 20-20 Insights The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations | 3 Talk Talk, a British communications provider, £400,000 ($560,000) after it determined secu- rity failings allowed a cyber-attack to access the company’s customer data “with ease.”1 Under GDPR, Talk Talk’s fine would have been £59 mil- lion ($82.7 million) — a nearly 1,500% increase. Overall, fines against UK companies in 2016 would have skyrocketed from £880,500 ($1.23 million) to £69 million ($96.7 million) if GDPR had applied that year.2 Fines like these, and EU member countries show- ing a willingness to investigate the privacy and security practices of U.S.-based companies oper- ating physically or virtually within their borders, should create some urgency among domestic healthcare organizations for ensuring they are GDPR compliant. Industry organizations affected include international healthcare, medical supply and life sciences companies; health analytics companies; international pharmacy benefit managers; payers; and healthcare providers. Broader and Deeper than HIPAA The GDPR calls for higher protection standards for health data and delineates a variety of defini- tions and conditions that apply to such data (see sidebar, page 4). The regulation creates three main categories for health data: • Data concerning health: This is defined as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.” • Genetic data: The regulation defines this as “personal data relating to inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natu- ral person in question.” • Biometric data: The GDPR definition is “per- sonal data resulting from specific technical processing relating to the physical, physiolog- ical or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or [fingerprint] data.” Under GDPR, this health data may be processed only under three specific conditions: • The subject must give “explicit consent” to the data processing. Explicit consent must be unambiguous — a clear affirmative state- ment or action of the subject to agree to the processing. • Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, for a medical diagnosis, the pro- vision of health or social care or treatment, or the management of health or social care systems and services. • Processing is necessary for reasons of public interest in the area of public health, such as protection against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices. The GDPR clearly differs from HIPAA in its scope and intent, with GDPR designed to help individ- uals gain more control over how their complete digital data trails are used, by whom and for how long (see Figure 2, page 5) vs. regulating a single industry.
Cognizant 20-20 Insights The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations | 4 QUICK TAKE What GDPR Requires In addition to basic conditions for data collection and processing, the GDPR spells out other requirements companies handling data on EU citizens must meet. These include: • Data protection officer (DPO): Organizations that engage in large-scale moni- toring and processing of sensitive personal data must appoint DPOs (Art. 37).3 • Right to data portability: Requires entities to send personal data back to the data subjects for them to transmit it elsewhere more easily. • Right to be forgotten: Requires entities to erase personal data without “undue delay.” • Subject access right (SAR): Allows subjects to gain access to their personal data free of charge and within a month of the request. • Right to not be subject to profiling: Allows subjects to opt out of profiling activities. • Right not to use data beyond its original purpose: Data must not be accessed for any purpose other than the intended use. • 72-hour breach reporting: Breaches including health data are automatically considered “likely to result in high risk” and must be reported within 72 hours. • Contract/agreement renegotiations: Existing vendor contracts and state- ments of work must be renegotiated before May 2018 to incorporate the provisions required by the GDPR. New contracts must include the required provisions. • Data privacy impact assessments (DPIAs): Will be required when using new technologies and for any data deemed “high risk” to the rights and freedoms of individuals. • Compliance: Companies must demonstrate compliance with its GDPR obliga- tions. They need to maintain extensive records and documentation, as ongoing monitoring and audits will be required. • Training: All associates involved in data processing, potentially including clini- cians, must be educated as they share the responsibility of the law.
GDPR is designed to protect the fundamental rights and freedoms of data subjects, address data processing in the light of digital advances and streamline data protection laws across the EU. By contrast, HIPAA is designed to prevent unauthorized data access within a healthcare ecosystem vs. addressing broader digital trust and data ownership issues. Cognizant 20-20 Insights The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations | 5 A Study in Compliance: Comparing GDPR to HIPAA GDPR HIPAA Intent Protect the fundamental rights and freedoms of data subjects. Enable the free movement of personal data within the EU. Contribute to economic and social progress and trade. Address the processing of personal data in light of technological progress. Harmonize data protection laws across the EU.4 Ensure the security and confidentiality of patient data and information. Mandate uniform standards for electronic data transmission of administrative and financial data relating to patient health information. Scope Legislation applies to all industry sectors. Healthcare sector. Geography Protects EU residents. It applies to goods and services offered to EU residents or when the behavior of EU residents is monitored. Protects US residents’ health information. Scale Same rules apply to all types and sizes of organizations. Health plans, healthcare clearinghouses, health providers. Type of Data Personal data (i.e., name, date of birth, pseudonymous data, are treated as personal). Sensitive personal data (i.e., genetic data, biometric data). Individually identifiable health information (PHI and EPHI). Fines 20 million Euros or 4% of total global revenues — whichever is larger. Civil penalties: $100 to $1.5M annual maximum. Criminal penalties: up to $250K, up to ten years imprisonment. Breach Notification Time Frame 72 hours. 60 days after breach. Figure 2 The GDPR is designed to protect the fundamen- tal rights and freedoms of data subjects, address data processing in the light of digital advances and streamline data protection laws across the EU. By contrast, HIPAA is designed to prevent unauthorized data access within a healthcare ecosystem vs. addressing broader digital trust and data ownership issues.
Cognizant 20-20 Insights The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations | 6 HIPAA ensures the security and confidentiality of patients’ data and mandates standardization of data transfers regarding protected health infor- mation (PHI). HIPAA requires that PHI only be accessed and/or used for “treatment, payment, and operational” needs, including research, if that intent is disclosed at the time of collection and data is de-identified.5 However, HIPAA puts the onus on the patient to discover who has accessed health records and to inform organizations about who may not see health data. In comparison, GDPR requires more explicit and active consent and individuals can ask for in-depth descriptions of how their data is being processed, and receive the data in an electronic copy that they may then transfer to another party, among other rights. Due to these distinctions, systems and policies supporting HIPAA are narrower in scope and do not automatically ensure GDPR compliance. TECHNOLOGY FOR GDPR COMPLIANCE Any technology investments required to support GDPR also should help make PHI and other data more secure. That’s not a small consideration, given that the U.S. healthcare industry has a poor record of preventing data breaches, with more than three million records affecting more than 14 million individuals exposed in 2017 alone.6 Further, the GDPR requires breaches of such data to be reported in 72 hours; HIPAA allows up to 60 days. The GDPR specifically recommends two security techniques, encryption and pseudonymization.7 While HIPAA requires data in transmission to be encrypted, it calls encrypting data at rest (in stor- age) an “addressable” vs. “required” practice.8 The GDPR’s endorsement of this sound practice should give the industry more impetus to widely implement it. The GDPR specifically recommends two security techniques, encryption and pseudonymization. While HIPAA requires data in transmission to be encrypted, it calls encrypting data at rest (in storage) an “addressable” vs. “required” practice. The GDPR’s endorsement of this sound practice should give the industry more impetus to widely implement it.
Cognizant 20-20 Insights The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations | 7 Pseudonymization is a procedure in which iden- tifying fields within a data record are replaced by one or more artificial identifiers, i.e., pseud- onyms, so that the data cannot be linked to an identity without additional information. A single pseudonym might replace a collection of data fields or a single field. The purpose is to render the data record owner less identifiable and therefore assuage customer or patient objec- tions to its use. The advantages under GDPR to pseudonymization: • Data in this form is suitable for extensive analytics and processing.9 • The GDPR relaxes several requirements on entities that use pseudonymization.10 Such organizations will be able to use personal data for secondary purposes such as “general analysis” more easily if they pseudonymize the data — as long as the processing organi- zation has specific, fully informed and active consent; neither prefilled boxes nor silence is to be taken as assent.11 Data subjects also have the right to refuse or withdraw consent. Pseudonymization can be weak against inference attacks. Protecting statistically useful pseud- onymized data from re-identification requires a sound informational security base and minimiz- ing the risk that analysts, researchers or other data workers can cause a privacy breach. The GDPR also recommends using encryption, a technique that encodes data so that only authorized individuals holding an encryption key generated by an algorithm may decrypt it. Encryption vs. Tokenization ENCRYPTION TOKENIZATION Mathematically transforms plain text into cipher text using an encryption algorithm. Randomly generates a token value for plain text and stores the mapping in a database. Scales to large data volumes with just the use of a small encryption key to decrypt data. Difficult to scale, secure and maintain performance as database size increases. Used for structured fields, as well as unstructured data such as entire files. Used for structured fields such as payment card or Social Security numbers. Ideal for exchanging sensitive data with third parties who have the encryption key. Difficult to exchange data because it requires direct access to a token vault mapping token values. Format-preserving encryption schemes come with a tradeoff of lower security strength. Format can be maintained without diminished security strength. Original data leaves the organization but in encrypted form. Original data never leaves the organization, satisfying some compliance requirements. Figure 3
The DPO will establish governance and oversight for the implementation of GDPR across the enterprise. The role requires a person with a solid data management and security background, business acumen and human capital development abilities to build and grow an effective cross-functional and interdisciplinary GDPR team. Cognizant 20-20 Insights The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations | 8 That said, tokenization may be a better alter- native than encryption because after files have been encrypted, it is nearly impossible for employees to work with them.12 (See Figure 3, previous page, for a comparison of the key features of encryption and tokenization.) Tokeni- zation replaces personal identifiers with random codes; employees work with data anonymized with tokens much more easily than encryption. It does require a master table that maps codes to identifiers; the security downside is that the master table could be captured in a data breach. Tokenization is now being used to protect data to maintain the functionality of back-end systems without exposing personally identifiable informa- tion to attackers. Blockchain is another potential solution.13 Block- chain creates a continuously growing list of records, or blocks, which are linked and secured using cryptography. Each block typically contains a cryptographic hash of the previous block, a time stamp and transaction data. The fact that a blockchain is a permanent ledger makes it inherently resistant to data modification. Once recorded, the data in any given block cannot be altered retroactively without altering all the sub- sequent blocks, which would require the collusion of most or all the participants in the blockchain. (For more on blockchain’s healthcare potential, read “Healthcare: Blockchain’s Curative Potential for Healthcare Efficiency and Quality.” WHAT TO DO RIGHT NOW The time to deal with the GDPR from policy, pro- cess and system perspectives is now, not when an EU regulator announces an investigation into how U.S. healthcare companies are gathering data on EU citizens. Here are some steps to take right away: • Identify why your organization needs to align with GDPR. Consult your organization’s compliance department and/or legal counsel about the areas in which the organization could already be noncompliant, or do so as it rolls out different business ventures focused on EU nations. • Next, an enterprise must evaluate organi- zational change. This starts with identifying roles, responsibilities and skills needed to form a GDPR compliance team. Having a data protection officer (DPO) to spearhead the initiative is mandatory. The DPO will establish governance and oversight for the implementation of GDPR across the enter- prise. The role requires a person with a solid data management and security back- ground, business acumen and human capital development abilities to build and grow an effective cross-functional and interdisciplin- ary GDPR team.
Cognizant 20-20 Insights • The GDPR team first must plan the GDPR initiative and create the implementation roadmap. During this process, it is criti- cal to develop a standard toolkit of prebuilt methods, tools and templates to launch the initiative. Clear problem-solving, accountabil- ity and decision-making systems must be put in place at this point for successful program execution. • The project team must evaluate the organi- zation’s current data architecture, including pseudonymization, anonymization, obfus- cation, data masking and encryption capabilities. It must also develop the future state vision to identify gaps in GDPR compli- ance readiness. • The GDPR team must inventory IT plat- forms (important for large organizations) and their economic life. Ineffective platforms that don’t meet security and privacy levels for data must be either upgraded or replaced. • Finally, the team must design business pro- cesses that need to be embedded in current workflows to ensure GDPR compliance. For healthcare organizations, GDPR compliance will mean revisiting data collection, processing and storage strategies with a fresh approach. While no simple task, the effort will yield improve- ments in protection of personal data and privacy, faster and more effective responses if breaches occur and an overall increase in patient trust. All healthcare organizations will require these qualities as healthcare becomes increasingly digital; it’s not farfetched to assume healthcare consumers will rate healthcare organizations on trust and data security as healthcare transac- tions become digitized. GDPR compliance will mean revisiting data collection, processing and storage strategies with a fresh approach. While no simple task, the effort will yield improvements in protection of personal data and privacy, faster and more effective responses if breaches occur and an overall increase in patient trust. The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations | 9
Vanessa Pawlak Practice Leader, Regulatory Compliance and Government Programs, Healthcare Practice, Cognizant Consulting Vanessa Pawlak is the Regulatory Compliance and Government Programs Practice Leader in Cognizant Consulting’s Healthcare Practice. She has more than 15 years of consulting experience and has worked with all 10 of the largest U.S. payers, 17 Blues organiza- tions, state health agencies and more than 70 health organizations across the country. Vanessa is board certified in health compliance and health data privacy. She specializes in government-sponsored health programs, with experience directing large-scale trans- formation and turnarounds across governance/administration, operations, financial and clinical domains. Vanessa may be reached at Vanessa.Pawlak@cognizant.com. ABOUT THE AUTHORS Octavia Costea Manager, Regulatory Compliance and Government Programs, Healthcare Practice, Cognizant Consulting Octavia Costea is a Manager in the Regulatory Compliance and Government Programs Practice within Cognizant Consulting’s Healthcare Practice. She has 15 years of experience in payer, provider and government programs, focusing on payment and reimbursement reform and compliance. Octavia is scaled Agile-cer- tified (SA) and has an MBA from Babson College, and an MA and JD from “P. Andrei” University, Romania. She is also Board Certified in Radiology Technology (Nuclear), RT(N). Octavia can be reached at Octavia.Costea@cognizant.com. Cognizant 20-20 Insights The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations | 10 ACKNOWLEDGMENTS The authors would like to thank Steve Rounds, a Senior Consultant in Cognizant Consulting’s Healthcare Practice, for his contributions to this white paper.
Cognizant 20-20 Insights The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations | 11 FOOTNOTES 1 Information Commissioner’s Office, October 5, 2016, https://ico.org.uk/about-the-ico/news-and-events/news-and- blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-attack/. 2 NCC Group, April 28, 2017, www.nccgroup.trust/us/about-us/newsroom-and-events/press-releases/2017/april/last-years-ico- fines-would-soar-to-69-million-post-gdpr/. 3 “GDPR FAQs” EU GDPR Compliant, www.eugdpr.org/gdpr-faqs.html. 4 Dr. Detlev Gable and Tim Hickman, Unlocking the EU General Data Protection Regulation: A practical handbook on the EU’s new data protection law; Chapter 3, White & Case LLP, July 22, 2016, www.whitecase.com/publications/article/chapter-3-sub- ject-matter-and-scope-unlocking-eu-general-data-protection. 5 Office for Civil Rights, December 18, 2017, www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html. 6 HIPAA Journal, January 4, 2018, www.hipaajournal.com/largest-healthcare-data-breaches-2017/. 7 Gabe Maldoff, International Association of Privacy Professionals, February 12, 2016, https://iapp.org/news/a/top-10-opera- tional-impacts-of-the-gdpr-part-8-pseudonymization/. 8 “HIPAA Compliance Checklist 2017-2018,” HIPAA Journal, www.hipaajournal.com/hipaa-compliance-checklist/. 9 “Pseudonymization,” Wikipedia, https://en.wikipedia.org/wiki/Pseudonymization. 10 ibid, https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-8-pseudonymization/. 11 Dr. Detlev Gable and Tim Hickman, Unlocking the EU General Data Protection Regulation: A practical handbook on the EU’s new data protection law; Chapter 8, White & Case LLP, July 22, 2016, www.whitecase.com/publications/article/chapter-8-con- sent-unlocking-eu-general-data-protection-regulation. 12 Laura Vugh, “Encryption vs. Tokenization. Which is better and when to use them?” EU GDPR Compliant, January 30, 2017, https://eugdprcompliant.com/knowledgebase/encryption-vs-tokenization/. 13 “Blockchain,” Wikipedia, https://en.wikipedia.org/wiki/Blockchain.
World Headquarters 500 Frank W. Burr Blvd. Teaneck, NJ 07666 USA Phone: +1 201 801 0233 Fax: +1 201 801 0243 Toll Free: +1 888 937 3277 European Headquarters 1 Kingdom Street Paddington Central London W2 6BD England Phone: +44 (0) 20 7297 7600 Fax: +44 (0) 20 7121 0102 India Operations Headquarters #5/535 Old Mahabalipuram Road Okkiyam Pettai, Thoraipakkam Chennai, 600 096 India Phone: +91 (0) 44 4209 6000 Fax: +91 (0) 44 4209 6060 © Copyright 2018, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means,electronic, mechan- ical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners. TL Codex 3542 ABOUT COGNIZANT Cognizant (NASDAQ-100: CTSH) is one of the world’s leading professional services companies, transforming clients’ business, operating and technology models for the digital era. Our unique industry-based, consultative approach helps clients envision, build and run more innova- tive and efficient businesses. Headquartered in the U.S., Cognizant is ranked 205 on the Fortune 500 and is consistently listed among the most admired companies in the world. Learn how Cognizant helps clients lead with digital at www.cognizant.com or follow us @Cognizant.

Recommended

Data Protection: Transitioning to the GDPR
Data Protection: Transitioning to the GDPRData Protection: Transitioning to the GDPR
Data Protection: Transitioning to the GDPRImogenRutherford
 
GDPR-Overview
GDPR-OverviewGDPR-Overview
GDPR-OverviewErica Walker
 
Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)Happiest Minds Technologies
 
Slides dr farah jameel's gdpr presentation april 2018
Slides dr farah jameel's gdpr presentation april 2018Slides dr farah jameel's gdpr presentation april 2018
Slides dr farah jameel's gdpr presentation april 2018amirhannan
 
"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal
"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal
"Legal tips and compliance requirements" - Anastasia Botsi, ICT LegalCyber Watching
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPRTim Hyman LLB
 
Be careful what you wish for: the great Data Protection law reform - Lilian E...
Be careful what you wish for: the great Data Protection law reform - Lilian E...Be careful what you wish for: the great Data Protection law reform - Lilian E...
Be careful what you wish for: the great Data Protection law reform - Lilian E...IISPEastMids
 
Overview on data privacy
Overview on data privacy Overview on data privacy
Overview on data privacy Amiit Keshav Naik
 

Recommended

Data Protection: Transitioning to the GDPR
Data Protection: Transitioning to the GDPRData Protection: Transitioning to the GDPR
Data Protection: Transitioning to the GDPRImogenRutherford
 
GDPR-Overview
GDPR-OverviewGDPR-Overview
GDPR-OverviewErica Walker
 
Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)Happiest Minds Technologies
 
Slides dr farah jameel's gdpr presentation april 2018
Slides dr farah jameel's gdpr presentation april 2018Slides dr farah jameel's gdpr presentation april 2018
Slides dr farah jameel's gdpr presentation april 2018amirhannan
 
"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal
"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal
"Legal tips and compliance requirements" - Anastasia Botsi, ICT LegalCyber Watching
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPRTim Hyman LLB
 
Be careful what you wish for: the great Data Protection law reform - Lilian E...
Be careful what you wish for: the great Data Protection law reform - Lilian E...Be careful what you wish for: the great Data Protection law reform - Lilian E...
Be careful what you wish for: the great Data Protection law reform - Lilian E...IISPEastMids
 
Overview on data privacy
Overview on data privacy Overview on data privacy
Overview on data privacy Amiit Keshav Naik
 
Regulation (EU) 2016_679_GDPR_Overview_June 2016
Regulation (EU) 2016_679_GDPR_Overview_June 2016Regulation (EU) 2016_679_GDPR_Overview_June 2016
Regulation (EU) 2016_679_GDPR_Overview_June 2016John Greenwood
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationVicky Dallas
 
Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17
Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17
Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17Michael Adamberry
 
Data Protection & GDPR Health Check Service Overview
Data Protection & GDPR Health Check Service OverviewData Protection & GDPR Health Check Service Overview
Data Protection & GDPR Health Check Service OverviewDVV Solutions Third Party Risk Management
 
GDPR Introduction and overview
GDPR Introduction and overviewGDPR Introduction and overview
GDPR Introduction and overviewJane Lambert
 
Presentation on GDPR
Presentation on GDPRPresentation on GDPR
Presentation on GDPRDipanjanDey12
 
Protection of patient data in EU vs. US
Protection of patient data in EU vs. USProtection of patient data in EU vs. US
Protection of patient data in EU vs. USErik R. Ranschaert, MD, PhD
 
GDPR 11/1/2017
GDPR 11/1/2017GDPR 11/1/2017
GDPR 11/1/2017isc2-hellenic
 
Intro to information governance booklet
Intro to information governance bookletIntro to information governance booklet
Intro to information governance bookletGerardo Medina
 
EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?VYTIS MALECKAS
 
GDPRR: The Key Changes
GDPRR: The Key ChangesGDPRR: The Key Changes
GDPRR: The Key ChangesCraig Clark ITIL, CIS LI,EU GDPR P
 
EU GDPR (training)
EU GDPR (training) EU GDPR (training)
EU GDPR (training) Elizabeth Baker, JD, CRCMP
 
The Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection RegulationThe Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection RegulationJake DiMare
 
GDPR Demystified
GDPR DemystifiedGDPR Demystified
GDPR DemystifiedSPIN Chennai
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...Cvent
 
EU General Data Protection Regulation - Update 2017
EU General Data Protection Regulation - Update 2017EU General Data Protection Regulation - Update 2017
EU General Data Protection Regulation - Update 2017Cliff Ashcroft
 
Simple GDPR Overview
Simple GDPR OverviewSimple GDPR Overview
Simple GDPR OverviewGydeline Ltd
 
Gdpr overview ciso platform presentation
Gdpr overview ciso platform presentationGdpr overview ciso platform presentation
Gdpr overview ciso platform presentationPriyanka Aash
 
Gdpr in a nutshell
Gdpr in a nutshellGdpr in a nutshell
Gdpr in a nutshellMatthew Butler
 
GDPR Presentation
GDPR PresentationGDPR Presentation
GDPR PresentationCILIP Ireland
 
Data Privacy and consent management .. .
Data Privacy and consent management .. .Data Privacy and consent management .. .
Data Privacy and consent management .. .ClinosolIndia
 
[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018Altimeter, a Prophet Company
 

More Related Content

What's hot

Regulation (EU) 2016_679_GDPR_Overview_June 2016
Regulation (EU) 2016_679_GDPR_Overview_June 2016Regulation (EU) 2016_679_GDPR_Overview_June 2016
Regulation (EU) 2016_679_GDPR_Overview_June 2016John Greenwood
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationVicky Dallas
 
Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17
Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17
Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17Michael Adamberry
 
GDPR Introduction and overview
GDPR Introduction and overviewGDPR Introduction and overview
GDPR Introduction and overviewJane Lambert
 
Presentation on GDPR
Presentation on GDPRPresentation on GDPR
Presentation on GDPRDipanjanDey12
 
Intro to information governance booklet
Intro to information governance bookletIntro to information governance booklet
Intro to information governance bookletGerardo Medina
 
EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?VYTIS MALECKAS
 
The Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection RegulationThe Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection RegulationJake DiMare
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...Cvent
 
EU General Data Protection Regulation - Update 2017
EU General Data Protection Regulation - Update 2017EU General Data Protection Regulation - Update 2017
EU General Data Protection Regulation - Update 2017Cliff Ashcroft
 
Simple GDPR Overview
Simple GDPR OverviewSimple GDPR Overview
Simple GDPR OverviewGydeline Ltd
 
Gdpr overview ciso platform presentation
Gdpr overview ciso platform presentationGdpr overview ciso platform presentation
Gdpr overview ciso platform presentationPriyanka Aash
 

What's hot (20)

Regulation (EU) 2016_679_GDPR_Overview_June 2016
Regulation (EU) 2016_679_GDPR_Overview_June 2016Regulation (EU) 2016_679_GDPR_Overview_June 2016
Regulation (EU) 2016_679_GDPR_Overview_June 2016
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection Regulation
 
Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17
Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17
Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17
 
Data Protection & GDPR Health Check Service Overview
Data Protection & GDPR Health Check Service OverviewData Protection & GDPR Health Check Service Overview
Data Protection & GDPR Health Check Service Overview
 
GDPR Introduction and overview
GDPR Introduction and overviewGDPR Introduction and overview
GDPR Introduction and overview
 
Presentation on GDPR
Presentation on GDPRPresentation on GDPR
Presentation on GDPR
 
Protection of patient data in EU vs. US
Protection of patient data in EU vs. USProtection of patient data in EU vs. US
Protection of patient data in EU vs. US
 
GDPR 11/1/2017
GDPR 11/1/2017GDPR 11/1/2017
GDPR 11/1/2017
 
Intro to information governance booklet
Intro to information governance bookletIntro to information governance booklet
Intro to information governance booklet
 
EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?
 
GDPRR: The Key Changes
GDPRR: The Key ChangesGDPRR: The Key Changes
GDPRR: The Key Changes
 
EU GDPR (training)
EU GDPR (training) EU GDPR (training)
EU GDPR (training)
 
The Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection RegulationThe Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection Regulation
 
GDPR Demystified
GDPR DemystifiedGDPR Demystified
GDPR Demystified
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...
 
EU General Data Protection Regulation - Update 2017
EU General Data Protection Regulation - Update 2017EU General Data Protection Regulation - Update 2017
EU General Data Protection Regulation - Update 2017
 
Simple GDPR Overview
Simple GDPR OverviewSimple GDPR Overview
Simple GDPR Overview
 
Gdpr overview ciso platform presentation
Gdpr overview ciso platform presentationGdpr overview ciso platform presentation
Gdpr overview ciso platform presentation
 
Gdpr in a nutshell
Gdpr in a nutshellGdpr in a nutshell
Gdpr in a nutshell
 
GDPR Presentation
GDPR PresentationGDPR Presentation
GDPR Presentation
 

Similar to The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulation

Data Privacy and consent management .. .
Data Privacy and consent management .. .Data Privacy and consent management .. .
Data Privacy and consent management .. .ClinosolIndia
 
Data Privacy and Security in Clinical Trials: Safeguarding Patient Information
Data Privacy and Security in Clinical Trials: Safeguarding Patient InformationData Privacy and Security in Clinical Trials: Safeguarding Patient Information
Data Privacy and Security in Clinical Trials: Safeguarding Patient InformationClinosolIndia
 
Master thesis defence Merve Şimşek
Master thesis defence Merve ŞimşekMaster thesis defence Merve Şimşek
Master thesis defence Merve ŞimşekMIPLM
 
Guide to-the-general-data-protection-regulation
Guide to-the-general-data-protection-regulationGuide to-the-general-data-protection-regulation
Guide to-the-general-data-protection-regulationN N
 
GDPR and eHealth for the pharma industry (VFenR presentation)
GDPR and eHealth for the pharma industry (VFenR presentation)GDPR and eHealth for the pharma industry (VFenR presentation)
GDPR and eHealth for the pharma industry (VFenR presentation)Erik Vollebregt
 
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR. A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR. dan hyde
 
GDPR Changing Mindset
GDPR Changing MindsetGDPR Changing Mindset
GDPR Changing MindsetNetworkIQ
 
Medical device data protection and security
Medical device data protection and security Medical device data protection and security
Medical device data protection and security Erik Vollebregt
 
An Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway GroupAn Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway GroupThe Pathway Group
 
Information governance
Information governanceInformation governance
Information governanceGerardo Medina
 
GDPR - Are you ready?
GDPR - Are you ready?GDPR - Are you ready?
GDPR - Are you ready?VILT
 
GDPR - The new era of data protection
GDPR - The new era of data protectionGDPR - The new era of data protection
GDPR - The new era of data protectionInterlogica
 
Operational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbeanOperational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbeanEquiGov Institute
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.Matthias Dobbelaere-Welvaert
 

Similar to The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulation (20)

Data Privacy and consent management .. .
Data Privacy and consent management .. .Data Privacy and consent management .. .
Data Privacy and consent management .. .
 
[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018
 
Data Privacy and Security in Clinical Trials: Safeguarding Patient Information
Data Privacy and Security in Clinical Trials: Safeguarding Patient InformationData Privacy and Security in Clinical Trials: Safeguarding Patient Information
Data Privacy and Security in Clinical Trials: Safeguarding Patient Information
 
Master thesis defence Merve Şimşek
Master thesis defence Merve ŞimşekMaster thesis defence Merve Şimşek
Master thesis defence Merve Şimşek
 
Guide to-the-general-data-protection-regulation
Guide to-the-general-data-protection-regulationGuide to-the-general-data-protection-regulation
Guide to-the-general-data-protection-regulation
 
HIPAA vs GDPR The How, What, and Why ?
HIPAA vs GDPR The How, What, and Why ? HIPAA vs GDPR The How, What, and Why ?
HIPAA vs GDPR The How, What, and Why ?
 
Data protection
Data protectionData protection
Data protection
 
GDPR and eHealth for the pharma industry (VFenR presentation)
GDPR and eHealth for the pharma industry (VFenR presentation)GDPR and eHealth for the pharma industry (VFenR presentation)
GDPR and eHealth for the pharma industry (VFenR presentation)
 
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR. A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
 
GDPR Changing Mindset
GDPR Changing MindsetGDPR Changing Mindset
GDPR Changing Mindset
 
GDPR
GDPRGDPR
GDPR
 
GDPR Whitepaper
GDPR WhitepaperGDPR Whitepaper
GDPR Whitepaper
 
Medical device data protection and security
Medical device data protection and security Medical device data protection and security
Medical device data protection and security
 
An Overview of GDPR
An Overview of GDPR An Overview of GDPR
An Overview of GDPR
 
An Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway GroupAn Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway Group
 
Information governance
Information governanceInformation governance
Information governance
 
GDPR - Are you ready?
GDPR - Are you ready?GDPR - Are you ready?
GDPR - Are you ready?
 
GDPR - The new era of data protection
GDPR - The new era of data protectionGDPR - The new era of data protection
GDPR - The new era of data protection
 
Operational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbeanOperational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbean
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.
 

More from Cognizant

Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...Cognizant
 
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-makingData Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-makingCognizant
 
It Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
It Takes an Ecosystem: How Technology Companies Deliver Exceptional ExperiencesIt Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
It Takes an Ecosystem: How Technology Companies Deliver Exceptional ExperiencesCognizant
 
Intuition Engineered
Intuition EngineeredIntuition Engineered
Intuition EngineeredCognizant
 
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...Cognizant
 
Enhancing Desirability: Five Considerations for Winning Digital Initiatives
Enhancing Desirability: Five Considerations for Winning Digital InitiativesEnhancing Desirability: Five Considerations for Winning Digital Initiatives
Enhancing Desirability: Five Considerations for Winning Digital InitiativesCognizant
 
The Work Ahead in Manufacturing: Fulfilling the Agility Mandate
The Work Ahead in Manufacturing: Fulfilling the Agility MandateThe Work Ahead in Manufacturing: Fulfilling the Agility Mandate
The Work Ahead in Manufacturing: Fulfilling the Agility MandateCognizant
 
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...Cognizant
 
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...Cognizant
 
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...Cognizant
 
Green Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for SustainabilityGreen Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for SustainabilityCognizant
 
Policy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for InsurersPolicy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for InsurersCognizant
 
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with DigitalThe Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with DigitalCognizant
 
AI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to ValueAI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to ValueCognizant
 
Operations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First ApproachOperations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First ApproachCognizant
 
Five Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the CloudFive Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the CloudCognizant
 
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining FocusedGetting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining FocusedCognizant
 
Crafting the Utility of the Future
Crafting the Utility of the FutureCrafting the Utility of the Future
Crafting the Utility of the FutureCognizant
 
Utilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data PlatformUtilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data PlatformCognizant
 
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...Cognizant
 

More from Cognizant (20)

Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
 
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-makingData Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
 
It Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
It Takes an Ecosystem: How Technology Companies Deliver Exceptional ExperiencesIt Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
It Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
 
Intuition Engineered
Intuition EngineeredIntuition Engineered
Intuition Engineered
 
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
 
Enhancing Desirability: Five Considerations for Winning Digital Initiatives
Enhancing Desirability: Five Considerations for Winning Digital InitiativesEnhancing Desirability: Five Considerations for Winning Digital Initiatives
Enhancing Desirability: Five Considerations for Winning Digital Initiatives
 
The Work Ahead in Manufacturing: Fulfilling the Agility Mandate
The Work Ahead in Manufacturing: Fulfilling the Agility MandateThe Work Ahead in Manufacturing: Fulfilling the Agility Mandate
The Work Ahead in Manufacturing: Fulfilling the Agility Mandate
 
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
 
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
 
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
 
Green Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for SustainabilityGreen Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for Sustainability
 
Policy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for InsurersPolicy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for Insurers
 
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with DigitalThe Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
 
AI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to ValueAI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to Value
 
Operations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First ApproachOperations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First Approach
 
Five Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the CloudFive Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the Cloud
 
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining FocusedGetting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
 
Crafting the Utility of the Future
Crafting the Utility of the FutureCrafting the Utility of the Future
Crafting the Utility of the Future
 
Utilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data PlatformUtilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data Platform
 
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
 

The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulation

  • 1. The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations Domestic healthcare organiza- tions must brush up on the EU’s General Data Protection Regulation (GDPR) compliance or risk heavy fines; here’s how to get started. Executive Summary Effective May 25, the European Union’s General Data Protection Regulation (GDPR) promises to levy business-crushing fines on companies that fail to protect consumers’ personal data. A wide array of U.S. healthcare organizations that market to, serve and/or employ EU residents will find themselves subject to the GDPR’s provisions. In our view, many organizations may have to go beyond their Health Insurance Portability and Accountability Act (HIPAA)-compliant mea- sures to meet GDPR requirements. Investing in GDPR-approved technologies, such as pseud- onymizing, will enhance healthcare organizations’ overall data security and privacy, as this white paper recommends. Cognizant 20-20 Insights | April 2018 COGNIZANT 20-20 INSIGHTS
  • 2. GDPR: HIPAA ON STEROIDS The U.S. healthcare industry is well acquainted with privacy and security regulations, mainly in the form of HIPAA. Yet the GDPR, designed to protect the data and privacy of individual Euro- pean Union citizens, makes HIPAA look tame in comparison. U.S. healthcare organizations that collect data on EU citizens, whether they are customers or employees, are likely to face strict GDPR enforcement — and not just for health data. The GDPR replaces older EU privacy legislation (see Figure 1). It applies to all companies that collect, store and process information about indi- viduals in EU countries, even if the companies themselves are not headquartered in Europe. The regulation sets much higher penalties for corporate noncompliance than previous statutes — up to 4% of a company’s total global revenues. To put that 4% into context: In 2016, the UK’s Information Commissioners Office (ICO) fined Cognizant 20-20 Insights The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations | 2 Evolving EU Personal Data Protection Legislation 1984 MAY 2018 1995 DATA PROTECTION DIRECTIVE (EU) 2000 INTERNATIONAL SAFE HARBOR PRIVACY PRINCIPLES ESTABLISHED 2015 INTERNATIONAL SAFE HARBOR PRIVACY PRINCIPLES OVERTURNED 2016 GDPR IS APPROVED BY EU PARLIAMENT DATA PROTECTION ACT OF 1998 (UK) 1998 EU COMMISSION ANNOUNCES PLAN TO DEVELOP GDPR 2012 EU-U.S. PRIVACY SHIELD REPLACES THE INTERNATIONAL SAFE HARBOR PRIVACY PRINCIPLES 2016 DATA PROTECTION ACT (UK) GDPR TAKES EFFECT Figure 1
  • 3. Cognizant 20-20 Insights The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations | 3 Talk Talk, a British communications provider, £400,000 ($560,000) after it determined secu- rity failings allowed a cyber-attack to access the company’s customer data “with ease.”1 Under GDPR, Talk Talk’s fine would have been £59 mil- lion ($82.7 million) — a nearly 1,500% increase. Overall, fines against UK companies in 2016 would have skyrocketed from £880,500 ($1.23 million) to £69 million ($96.7 million) if GDPR had applied that year.2 Fines like these, and EU member countries show- ing a willingness to investigate the privacy and security practices of U.S.-based companies oper- ating physically or virtually within their borders, should create some urgency among domestic healthcare organizations for ensuring they are GDPR compliant. Industry organizations affected include international healthcare, medical supply and life sciences companies; health analytics companies; international pharmacy benefit managers; payers; and healthcare providers. Broader and Deeper than HIPAA The GDPR calls for higher protection standards for health data and delineates a variety of defini- tions and conditions that apply to such data (see sidebar, page 4). The regulation creates three main categories for health data: • Data concerning health: This is defined as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.” • Genetic data: The regulation defines this as “personal data relating to inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natu- ral person in question.” • Biometric data: The GDPR definition is “per- sonal data resulting from specific technical processing relating to the physical, physiolog- ical or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or [fingerprint] data.” Under GDPR, this health data may be processed only under three specific conditions: • The subject must give “explicit consent” to the data processing. Explicit consent must be unambiguous — a clear affirmative state- ment or action of the subject to agree to the processing. • Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, for a medical diagnosis, the pro- vision of health or social care or treatment, or the management of health or social care systems and services. • Processing is necessary for reasons of public interest in the area of public health, such as protection against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices. The GDPR clearly differs from HIPAA in its scope and intent, with GDPR designed to help individ- uals gain more control over how their complete digital data trails are used, by whom and for how long (see Figure 2, page 5) vs. regulating a single industry.
  • 4. Cognizant 20-20 Insights The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations | 4 QUICK TAKE What GDPR Requires In addition to basic conditions for data collection and processing, the GDPR spells out other requirements companies handling data on EU citizens must meet. These include: • Data protection officer (DPO): Organizations that engage in large-scale moni- toring and processing of sensitive personal data must appoint DPOs (Art. 37).3 • Right to data portability: Requires entities to send personal data back to the data subjects for them to transmit it elsewhere more easily. • Right to be forgotten: Requires entities to erase personal data without “undue delay.” • Subject access right (SAR): Allows subjects to gain access to their personal data free of charge and within a month of the request. • Right to not be subject to profiling: Allows subjects to opt out of profiling activities. • Right not to use data beyond its original purpose: Data must not be accessed for any purpose other than the intended use. • 72-hour breach reporting: Breaches including health data are automatically considered “likely to result in high risk” and must be reported within 72 hours. • Contract/agreement renegotiations: Existing vendor contracts and state- ments of work must be renegotiated before May 2018 to incorporate the provisions required by the GDPR. New contracts must include the required provisions. • Data privacy impact assessments (DPIAs): Will be required when using new technologies and for any data deemed “high risk” to the rights and freedoms of individuals. • Compliance: Companies must demonstrate compliance with its GDPR obliga- tions. They need to maintain extensive records and documentation, as ongoing monitoring and audits will be required. • Training: All associates involved in data processing, potentially including clini- cians, must be educated as they share the responsibility of the law.
  • 5. GDPR is designed to protect the fundamental rights and freedoms of data subjects, address data processing in the light of digital advances and streamline data protection laws across the EU. By contrast, HIPAA is designed to prevent unauthorized data access within a healthcare ecosystem vs. addressing broader digital trust and data ownership issues. Cognizant 20-20 Insights The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations | 5 A Study in Compliance: Comparing GDPR to HIPAA GDPR HIPAA Intent Protect the fundamental rights and freedoms of data subjects. Enable the free movement of personal data within the EU. Contribute to economic and social progress and trade. Address the processing of personal data in light of technological progress. Harmonize data protection laws across the EU.4 Ensure the security and confidentiality of patient data and information. Mandate uniform standards for electronic data transmission of administrative and financial data relating to patient health information. Scope Legislation applies to all industry sectors. Healthcare sector. Geography Protects EU residents. It applies to goods and services offered to EU residents or when the behavior of EU residents is monitored. Protects US residents’ health information. Scale Same rules apply to all types and sizes of organizations. Health plans, healthcare clearinghouses, health providers. Type of Data Personal data (i.e., name, date of birth, pseudonymous data, are treated as personal). Sensitive personal data (i.e., genetic data, biometric data). Individually identifiable health information (PHI and EPHI). Fines 20 million Euros or 4% of total global revenues — whichever is larger. Civil penalties: $100 to $1.5M annual maximum. Criminal penalties: up to $250K, up to ten years imprisonment. Breach Notification Time Frame 72 hours. 60 days after breach. Figure 2 The GDPR is designed to protect the fundamen- tal rights and freedoms of data subjects, address data processing in the light of digital advances and streamline data protection laws across the EU. By contrast, HIPAA is designed to prevent unauthorized data access within a healthcare ecosystem vs. addressing broader digital trust and data ownership issues.
  • 6. Cognizant 20-20 Insights The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations | 6 HIPAA ensures the security and confidentiality of patients’ data and mandates standardization of data transfers regarding protected health infor- mation (PHI). HIPAA requires that PHI only be accessed and/or used for “treatment, payment, and operational” needs, including research, if that intent is disclosed at the time of collection and data is de-identified.5 However, HIPAA puts the onus on the patient to discover who has accessed health records and to inform organizations about who may not see health data. In comparison, GDPR requires more explicit and active consent and individuals can ask for in-depth descriptions of how their data is being processed, and receive the data in an electronic copy that they may then transfer to another party, among other rights. Due to these distinctions, systems and policies supporting HIPAA are narrower in scope and do not automatically ensure GDPR compliance. TECHNOLOGY FOR GDPR COMPLIANCE Any technology investments required to support GDPR also should help make PHI and other data more secure. That’s not a small consideration, given that the U.S. healthcare industry has a poor record of preventing data breaches, with more than three million records affecting more than 14 million individuals exposed in 2017 alone.6 Further, the GDPR requires breaches of such data to be reported in 72 hours; HIPAA allows up to 60 days. The GDPR specifically recommends two security techniques, encryption and pseudonymization.7 While HIPAA requires data in transmission to be encrypted, it calls encrypting data at rest (in stor- age) an “addressable” vs. “required” practice.8 The GDPR’s endorsement of this sound practice should give the industry more impetus to widely implement it. The GDPR specifically recommends two security techniques, encryption and pseudonymization. While HIPAA requires data in transmission to be encrypted, it calls encrypting data at rest (in storage) an “addressable” vs. “required” practice. The GDPR’s endorsement of this sound practice should give the industry more impetus to widely implement it.
  • 7. Cognizant 20-20 Insights The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations | 7 Pseudonymization is a procedure in which iden- tifying fields within a data record are replaced by one or more artificial identifiers, i.e., pseud- onyms, so that the data cannot be linked to an identity without additional information. A single pseudonym might replace a collection of data fields or a single field. The purpose is to render the data record owner less identifiable and therefore assuage customer or patient objec- tions to its use. The advantages under GDPR to pseudonymization: • Data in this form is suitable for extensive analytics and processing.9 • The GDPR relaxes several requirements on entities that use pseudonymization.10 Such organizations will be able to use personal data for secondary purposes such as “general analysis” more easily if they pseudonymize the data — as long as the processing organi- zation has specific, fully informed and active consent; neither prefilled boxes nor silence is to be taken as assent.11 Data subjects also have the right to refuse or withdraw consent. Pseudonymization can be weak against inference attacks. Protecting statistically useful pseud- onymized data from re-identification requires a sound informational security base and minimiz- ing the risk that analysts, researchers or other data workers can cause a privacy breach. The GDPR also recommends using encryption, a technique that encodes data so that only authorized individuals holding an encryption key generated by an algorithm may decrypt it. Encryption vs. Tokenization ENCRYPTION TOKENIZATION Mathematically transforms plain text into cipher text using an encryption algorithm. Randomly generates a token value for plain text and stores the mapping in a database. Scales to large data volumes with just the use of a small encryption key to decrypt data. Difficult to scale, secure and maintain performance as database size increases. Used for structured fields, as well as unstructured data such as entire files. Used for structured fields such as payment card or Social Security numbers. Ideal for exchanging sensitive data with third parties who have the encryption key. Difficult to exchange data because it requires direct access to a token vault mapping token values. Format-preserving encryption schemes come with a tradeoff of lower security strength. Format can be maintained without diminished security strength. Original data leaves the organization but in encrypted form. Original data never leaves the organization, satisfying some compliance requirements. Figure 3
  • 8. The DPO will establish governance and oversight for the implementation of GDPR across the enterprise. The role requires a person with a solid data management and security background, business acumen and human capital development abilities to build and grow an effective cross-functional and interdisciplinary GDPR team. Cognizant 20-20 Insights The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations | 8 That said, tokenization may be a better alter- native than encryption because after files have been encrypted, it is nearly impossible for employees to work with them.12 (See Figure 3, previous page, for a comparison of the key features of encryption and tokenization.) Tokeni- zation replaces personal identifiers with random codes; employees work with data anonymized with tokens much more easily than encryption. It does require a master table that maps codes to identifiers; the security downside is that the master table could be captured in a data breach. Tokenization is now being used to protect data to maintain the functionality of back-end systems without exposing personally identifiable informa- tion to attackers. Blockchain is another potential solution.13 Block- chain creates a continuously growing list of records, or blocks, which are linked and secured using cryptography. Each block typically contains a cryptographic hash of the previous block, a time stamp and transaction data. The fact that a blockchain is a permanent ledger makes it inherently resistant to data modification. Once recorded, the data in any given block cannot be altered retroactively without altering all the sub- sequent blocks, which would require the collusion of most or all the participants in the blockchain. (For more on blockchain’s healthcare potential, read “Healthcare: Blockchain’s Curative Potential for Healthcare Efficiency and Quality.” WHAT TO DO RIGHT NOW The time to deal with the GDPR from policy, pro- cess and system perspectives is now, not when an EU regulator announces an investigation into how U.S. healthcare companies are gathering data on EU citizens. Here are some steps to take right away: • Identify why your organization needs to align with GDPR. Consult your organization’s compliance department and/or legal counsel about the areas in which the organization could already be noncompliant, or do so as it rolls out different business ventures focused on EU nations. • Next, an enterprise must evaluate organi- zational change. This starts with identifying roles, responsibilities and skills needed to form a GDPR compliance team. Having a data protection officer (DPO) to spearhead the initiative is mandatory. The DPO will establish governance and oversight for the implementation of GDPR across the enter- prise. The role requires a person with a solid data management and security back- ground, business acumen and human capital development abilities to build and grow an effective cross-functional and interdisciplin- ary GDPR team.
  • 9. Cognizant 20-20 Insights • The GDPR team first must plan the GDPR initiative and create the implementation roadmap. During this process, it is criti- cal to develop a standard toolkit of prebuilt methods, tools and templates to launch the initiative. Clear problem-solving, accountabil- ity and decision-making systems must be put in place at this point for successful program execution. • The project team must evaluate the organi- zation’s current data architecture, including pseudonymization, anonymization, obfus- cation, data masking and encryption capabilities. It must also develop the future state vision to identify gaps in GDPR compli- ance readiness. • The GDPR team must inventory IT plat- forms (important for large organizations) and their economic life. Ineffective platforms that don’t meet security and privacy levels for data must be either upgraded or replaced. • Finally, the team must design business pro- cesses that need to be embedded in current workflows to ensure GDPR compliance. For healthcare organizations, GDPR compliance will mean revisiting data collection, processing and storage strategies with a fresh approach. While no simple task, the effort will yield improve- ments in protection of personal data and privacy, faster and more effective responses if breaches occur and an overall increase in patient trust. All healthcare organizations will require these qualities as healthcare becomes increasingly digital; it’s not farfetched to assume healthcare consumers will rate healthcare organizations on trust and data security as healthcare transac- tions become digitized. GDPR compliance will mean revisiting data collection, processing and storage strategies with a fresh approach. While no simple task, the effort will yield improvements in protection of personal data and privacy, faster and more effective responses if breaches occur and an overall increase in patient trust. The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations | 9
  • 10. Vanessa Pawlak Practice Leader, Regulatory Compliance and Government Programs, Healthcare Practice, Cognizant Consulting Vanessa Pawlak is the Regulatory Compliance and Government Programs Practice Leader in Cognizant Consulting’s Healthcare Practice. She has more than 15 years of consulting experience and has worked with all 10 of the largest U.S. payers, 17 Blues organiza- tions, state health agencies and more than 70 health organizations across the country. Vanessa is board certified in health compliance and health data privacy. She specializes in government-sponsored health programs, with experience directing large-scale trans- formation and turnarounds across governance/administration, operations, financial and clinical domains. Vanessa may be reached at Vanessa.Pawlak@cognizant.com. ABOUT THE AUTHORS Octavia Costea Manager, Regulatory Compliance and Government Programs, Healthcare Practice, Cognizant Consulting Octavia Costea is a Manager in the Regulatory Compliance and Government Programs Practice within Cognizant Consulting’s Healthcare Practice. She has 15 years of experience in payer, provider and government programs, focusing on payment and reimbursement reform and compliance. Octavia is scaled Agile-cer- tified (SA) and has an MBA from Babson College, and an MA and JD from “P. Andrei” University, Romania. She is also Board Certified in Radiology Technology (Nuclear), RT(N). Octavia can be reached at Octavia.Costea@cognizant.com. Cognizant 20-20 Insights The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations | 10 ACKNOWLEDGMENTS The authors would like to thank Steve Rounds, a Senior Consultant in Cognizant Consulting’s Healthcare Practice, for his contributions to this white paper.
  • 11. Cognizant 20-20 Insights The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulations | 11 FOOTNOTES 1 Information Commissioner’s Office, October 5, 2016, https://ico.org.uk/about-the-ico/news-and-events/news-and- blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-attack/. 2 NCC Group, April 28, 2017, www.nccgroup.trust/us/about-us/newsroom-and-events/press-releases/2017/april/last-years-ico- fines-would-soar-to-69-million-post-gdpr/. 3 “GDPR FAQs” EU GDPR Compliant, www.eugdpr.org/gdpr-faqs.html. 4 Dr. Detlev Gable and Tim Hickman, Unlocking the EU General Data Protection Regulation: A practical handbook on the EU’s new data protection law; Chapter 3, White & Case LLP, July 22, 2016, www.whitecase.com/publications/article/chapter-3-sub- ject-matter-and-scope-unlocking-eu-general-data-protection. 5 Office for Civil Rights, December 18, 2017, www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html. 6 HIPAA Journal, January 4, 2018, www.hipaajournal.com/largest-healthcare-data-breaches-2017/. 7 Gabe Maldoff, International Association of Privacy Professionals, February 12, 2016, https://iapp.org/news/a/top-10-opera- tional-impacts-of-the-gdpr-part-8-pseudonymization/. 8 “HIPAA Compliance Checklist 2017-2018,” HIPAA Journal, www.hipaajournal.com/hipaa-compliance-checklist/. 9 “Pseudonymization,” Wikipedia, https://en.wikipedia.org/wiki/Pseudonymization. 10 ibid, https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-8-pseudonymization/. 11 Dr. Detlev Gable and Tim Hickman, Unlocking the EU General Data Protection Regulation: A practical handbook on the EU’s new data protection law; Chapter 8, White & Case LLP, July 22, 2016, www.whitecase.com/publications/article/chapter-8-con- sent-unlocking-eu-general-data-protection-regulation. 12 Laura Vugh, “Encryption vs. Tokenization. Which is better and when to use them?” EU GDPR Compliant, January 30, 2017, https://eugdprcompliant.com/knowledgebase/encryption-vs-tokenization/. 13 “Blockchain,” Wikipedia, https://en.wikipedia.org/wiki/Blockchain.
  • 12. World Headquarters 500 Frank W. Burr Blvd. Teaneck, NJ 07666 USA Phone: +1 201 801 0233 Fax: +1 201 801 0243 Toll Free: +1 888 937 3277 European Headquarters 1 Kingdom Street Paddington Central London W2 6BD England Phone: +44 (0) 20 7297 7600 Fax: +44 (0) 20 7121 0102 India Operations Headquarters #5/535 Old Mahabalipuram Road Okkiyam Pettai, Thoraipakkam Chennai, 600 096 India Phone: +91 (0) 44 4209 6000 Fax: +91 (0) 44 4209 6060 © Copyright 2018, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means,electronic, mechan- ical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners. TL Codex 3542 ABOUT COGNIZANT Cognizant (NASDAQ-100: CTSH) is one of the world’s leading professional services companies, transforming clients’ business, operating and technology models for the digital era. Our unique industry-based, consultative approach helps clients envision, build and run more innova- tive and efficient businesses. Headquartered in the U.S., Cognizant is ranked 205 on the Fortune 500 and is consistently listed among the most admired companies in the world. Learn how Cognizant helps clients lead with digital at www.cognizant.com or follow us @Cognizant.