U.S. health providers who treat foreign patients may want to take a closer look at their privacy policies to make sure they comply with new European Union data protection rules.
May 25 heralds the enforcement of the European Union’s General Data Protection Regulation (GDPR), a set of rules designed to strengthen and harmonize record protection for EU citizens and tighten how their data privacy is managed. The regulations protect various forms of electronic data including basic identity information, health and genetic data, and biometric information.
Penalties for violating the GDPR are steep. Whether a violation occurs by noncompliance or through data breaches, a mistake could cost providers up to 4% of their annual gross revenue.
Treating a vacationing EU patient who needs unplanned treatment in the states is not likely to subject physicians to the GDPR, said Cynthia J. Larose, a privacy and data security attorney based in Boston. “In general, the GDPR should not impact U.S. doctors who may incidentally treat an EU patient while that patient is here in the U.S.,” Ms. Larose said in an interview. “… If the EU patient presents at a U.S. health care provider for treatment, then the GDPR does not apply to her personal data in the possession of the U.S. health care provider – HIPAA applies. While the [GDPR] does have extraterritorial reach, you have to be doing something in the EU for the GDPR to apply.”
But other scenarios could prove problematic, such as U.S. researchers studying patients in the EU, U.S. physicians providing telemedicine care to EU patients, and doctors who continue to monitor EU patients following treatment in the United States once those patients return to their home country.
About 200,000 international visitors fly to the United States yearly for health treatment, of whom about 25% are from Europe, according to a 2015 report by the United States International Trade Commission.