Healthcare data is among the most sensitive and innately personal information that exists. Recent reports indicate that hackers now find this intelligence more valuable than financial data. For this reason, data privacy and information security are vital components of our nation’s efforts to improve our healthcare system.
U.S. healthcare companies must comply with many forms of regulation, however, as the regulatory landscape around compliance and privacy continues to advance, companies of all sizes will need to safeguard personal data more than ever. This is evident with the European Union’s (EU) General Data Protection Regulation (GDPR), which became effective May 25, 2018. GDPR is generally regarded as the most comprehensive privacy regulation in the world. In the U.S., similar efforts are also underway. California, for example, recently passed new wide-ranging privacy legislation that is modeled after GDPR.
The 411 on GDPR
GDPR aims to create consistent protection of consumer and personal data across all EU nations. The law was driven in part by European regulators' concern and scrutiny of company practices, such as Google and Facebook, and increasing worries over the buying and selling of personally identifiable information (PII). The regulation applies to any organization providing or offering goods and services to anyone located in the EU. This includes international companies that have customers in the EU, or those that conduct sales and marketing there. Maximum fines for egregious violations can be significant, ranging between 2-4% of the offending company’s annual global revenue.
The main components of GDPR are strengthened individual rights and increased obligations on companies to create more accountability. For example, individuals have the right to erase their data from a company’s system, the right to request their data in a shareable format so they can change service providers, and the right to be fully informed of all data processing activities. GDPR also requires companies to build systems based on privacy considerations at the outset. Additionally, there are strict requirements for breach notification, privacy impact assessments (PIAs), and staff dedicated to privacy accountability, among others.
While these requirements are considerable, organizations compliant with the Health Insurance Portability and Accountability Act (HIPAA) will be well positioned if they apply a similar approach to safeguarding not just protected health information (PHI), but all personal data. By adopting a more holistic approach to data protection, companies can reduce the burden of adjusting to this new era of compliance and privacy.
The Effect in the U.S.
In the U.S., the California legislature recently passed the groundbreaking new California Consumer Privacy Act of 2018 (CaCPA). The law takes effect on January 1, 2020, but can be amended prior to that date. Parts of the new regulation closely mirror GDPR and give consumers extensive control over their personal data. California consumers have the right to request a copy of any data that a U.S. organization might be storing about them, as well as the right to request that it be deleted.
While CaCPA does include an exemption for some laws, such as HIPAA, businesses should be cautious in determining the applicability of the new law. The definitions of protected data are broad and create many compliance challenges for healthcare companies that fall outside of HIPAA’s scope. Companies are exempt if they have annual revenue below $25 million, don’t obtain personal information for more than 50,000 California residents, and don’t make 50% or more of their annual revenue from selling California residents’ personal information.
There are many healthcare companies that will face an enormous set of new compliance challenges as a result of the California law. For example, the CaCPA gives consumers the right to know how much of their personal data is being collected by companies and applies tough new parameters for what data is protected. The CaCPA also provides consumers a private right of action for data-breach violations, something previously unavailable under HIPAA and related healthcare privacy laws. This includes situations where data has been stolen somehow or exposed without having been encrypted or redacted.
What Are the Next Steps?
Healthcare organizations, including pharmacy benefit managers (PBMs), should embrace these new regulations because the shift toward enhanced privacy protections is not going away. Modern technological advancements have created unprecedented opportunity for companies in various sectors to collect, use and sell valuable personal data. GDPR and CaCPA are only the beginning, and these laws are having a global impact.
While these regulations can seem daunting, a proactive approach to implementing cutting-edge privacy and security programs is critical. If an organization is already strongly compliant with HIPAA, and has good risk management operations, it will be well positioned to successfully adapt to these new regulatory frameworks.
The best approach to compliance in these areas is to create systems that are customer-centric and driven by fundamental values. Companies should begin by organizing stakeholders, including IT, sales, marketing, compliance, legal, and others, to assess current processes and create action plans for building improved system capabilities. Developing a clear picture of how data is collected and processed across an organization is a great first step. From there, the required infrastructure and support can be developed and implemented. This will make it much easier to adapt to the requirements of these new regulations.
An Active and Evolving Privacy and Data Management Program
Existing in a highly regulated space is not new for PBMs and healthcare companies. EnvisionRx is actively working toward practical solutions to tackle this new world of data management. For example, we have a team of compliance experts with extensive knowledge of the regulatory landscape from both a clinical and pharmaceutical perspective. We also have well-developed systems that enhance our ability to inventory, track, and classify data, and we continuously update our privacy policies to align with these capacities and any new regulatory requirements. This comprehensive approach embraces industry best practices while always keeping patients’ rights a central priority as we work toward quality care.
From a data security perspective, EnvisionRx creates the necessary infrastructure for compliance with new privacy laws. We have an established Security Governance program in which Privacy, Security and Internal Audit divisions work together to support the protection of member PHI and PII from physical, technical and operational security incidents using the ISO 27002 standard. The program partners with IT and the Compliance and Ethics departments, as well as operational business units to maintain industry defined, leading practices for effective data protection standards and procedures. Qualified, independent security resources are also utilized for testing the integrity of data protection.
While the rapidly evolving legal landscape will continue to pose significant challenges, companies with robust compliance programs that make privacy a top priority will be well positioned to embrace the ever-increasing shift toward individual data control and protection.
 Koontz, Linda. Information Privacy in the Evolving Healthcare Environment, 2nd Edition.
 Kirk, Jeremy (2018). California’s New Privacy Law: It’s Almost GDPR in the US. Bank Info Security. July 2, 2018. https://www.bankinfosecurity.com/californias-new-privacy-law-its-almost-gdpr-in-us-a-11149
 Bloomberg Law (2018). California’s Dreaming of Tougher Health-Care Privacy. Aug 2, 2018. https://news.bloomberglaw.com/health-law-and-business/californias-dreaming-of-tougher-health-care-privacy
 Landi, Heather (2018). One Consultant’s Take on GDPR and How It Raises the Stakes for U.S. Healthcare Organizations. Healthcare Informatics. April 23, 2018. https://www.healthcare-informatics.com/article/privacy/one-consultant-s-take-gdpr-and-how-it-raises-stakes-us-healthcare-organizations?page=2