Is the sky falling? GDPR implications in the US

Adam H. Greene (adamgreene@dwt.com) is a Partner in the Washington DC office of Davis Wright Tremaine LLP and co-chair of its Health Information Practice Group. Lyra Correa (lyracorrea@dwt.com) is an Associate in the Washington DC office of Davis Wright Tremaine LLP.

Pop quiz: An injured Belgian tourist appears at your door for treatment. Do you:

  A. Pay to medevac her across the Atlantic and unceremoniously dump her on the shores of Achill, Ireland (the closest spot to the U.S. in the European Union (EU))

  B. Handwrite all her medical notes on the back of napkins and burn them at discharge

  C. Shut down the facility for a week while you scramble to come into compliance with the EU’s General Data Protection Regulation (GDPR)[1]

  D. Treat her like a regular patient and protect her information in accordance with the Health Insurance Portability and Accountability Act (HIPAA)[2]

If you answered A, B, or C, then it’s time to take a deep breath and relax. And possibly revisit your Emergency Medical Treatment and Active Labor Act (EMTALA) compliance.

The most reasonable answer is D. Although there are many frantic headlines regarding GDPR, it will likely have limited impact on most US healthcare providers. US healthcare providers should carefully review whether they fall under GDPR, including through marketing efforts and website information collection. If GDPR is applicable, then it is not too late to begin compliance, and HIPAA is a very good place to start.
