GDPR and HIPAA: Should Your Aesthetic Practice Be Worried?

In May 2018, the European Union introduced the General Data Protection Regulation, also known as GDPR, which has transformed European data security. GDPR is a legal framework that sets out rules for how websites and the organizations behind them collect and process personal information.

GDPR was implemented in response to companies collecting large amounts of data to potentially profile customers. GDPR builds off of the principle of the “right to be forgotten,” which in the Internet era often refers to unsavory information or images of an individual on a website or in search results. In 2012, the EU introduced Article 12 of the Directive 95/46/EC. The following excerpt is from Wikipedia:

“To exercise the right to be forgotten and request removal from a search engine, one must complete a form through the search engine’s website. Google’s removal request process requires the applicant to identify their country of residence, personal information, a list of the URLs to be removed along with a short description of each one, and attachment of legal identification. The applicant receives an email from Google confirming the request, but the request must be assessed before it is approved for removal. If the request is approved, searches using the individual’s name will no longer result in the content appearing in search results. The content remains online and is not erased. After a request is filed, their removals team reviews the request, weighing “the individual’s right to privacy against the public’s right to know”, deciding if the website is “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed”. Google has formed an Advisory Council of various professors, lawyers, and government officials from around Europe to provide guidelines for these decisions. However, the review process is still a mystery to the general public. Guidelines set by EU regulators were not released until November 2014, but Google began to take action on this much sooner than that, allowing them to “shape interpretation to [their] own ends”. In May 2015, eighty academics called for more transparency from Google, in an open letter.”

By May of 2014, Google had removed over a million URLs, and in July of 2015, according to The Guardian, Google accidentally revealed that “95% of Google privacy requests are from citizens out to protect personal and private information – not criminals, politicians and public figures.”

Ultimately, the goal of GDPR is to simplify the regulatory environment for businesses and protect the personal data, privacy, and consent of EU citizens.

To be GDPR compliant means that your business must:

  • Appoint a Data Protection Officer (DPO)
  • Report any breach, whether it results from human error, a cyber attack or anything else, and notify all affected individuals within 72 hours
  • Ensure that personal information gathered and stored through your website traffic and email lists (name, photos, address, email address, and even IP address) is handled under the terms of GDPR to protect it from misuse. Even genetic and biometric data used to identify an individual is covered by GDPR

Who Exactly Does GDPR Apply to in the US?

The U.S. businesses that are most likely to fall under the GDPR’s scope are hospitality, travel, software services and e-commerce companies that draw traffic from countries in Europe. However, any U.S. company that has identified a market in an EU country or offers goods or services to EU citizens must be compliant. If you run re-marketing campaigns, for example, you may inadvertently be targeting European visitors. In this case, you’d need to be GDPR compliant.

I Run a Local Practice, Does This Concern Me?

Probably not at the moment, unless you’re targeting patients in Europe (or re-marketing, as noted in the last paragraph). However, you should be paying attention to the ever-evolving legal landscape, as US privacy laws may change in the coming years.

This is an opportunity to ensure that:

1) Your website is fully secured with SSL

2) Your email list consists only of patients who have willingly opted in

3) Your website privacy policy and terms & conditions exist (and are up to date)

4) You’re securely storing patient information (and not violating HIPAA law)

Does GDPR Have Any Correlation to HIPAA?

HIPAA law differs from GDPR, but there is some overlap. Ultimately, GDPR offers broader, more far-reaching coverage, so businesses that use or disclose health information internationally need to understand the nuances of both HIPAA and GDPR. The details in the comparison chart below are from iapp.org.

[Chart: GDPR vs HIPAA]

If you have any questions about GDPR or HIPAA and how they influence your practice then drop Turbo a note here or give us a call at 877-673-7096 x2.


*Disclaimer: Turbo Medical Marketing is not a law firm and does not provide any legal advice. Your practice will need to consult your legal counsel for specifics on HIPAA, GDPR, AND patient privacy.

July 23rd, 2018 | News

About the Author:

Tom joined Matt in 2010, helping co-found Turbo Medical Marketing. As COO, Tom oversees all production and works directly with both the executive team and the Account Managers. Tom has helped to formulate systems and processes for sales, business development, internal marketing, service offerings, client intake, and employee hiring and training. You can get a sense of Tom's marketing knowledge, as well as pick up some marketing tips and insights, by checking out the Turbo blog that he contributes to weekly. Tom has also spoken at several aesthetic conferences in the past about topics ranging from plastic surgery technology to mobile marketing. Tom received his B.A. in Business Management Economics from the University of California at Santa Cruz. He is a former collegiate rugby player and he enjoys golfing, snowboarding, hiking, and playing with his dog Yogi in his spare time. He's also a mentor with the Big Brothers, Big Sisters program in Charleston. Tom lives with his wife Lindsay in Mt. Pleasant, SC.
