General Data Protection Regulation: What does this mean to the US


By Aris Medical Solutions


You may have already heard about the GDPR (General Data Protection Regulation) from the EU (European Union) that will affect many organizations here in the United States.

Our personal information has been sold for years, sometimes with and sometimes without our knowledge. Many organizations require a person to “accept” their terms and conditions, with long legal agreements that we must agree to before using their software, joining their network, or downloading an app, to name a few. Most people do not read this very important disclosure because it is simply too long and too legal. They collect data from us in order for us to enter a sweepstakes, win a prize, or simply gain access to a forum. This information can be sold to other organizations so they can market their goods and services to us. I will be explaining in my next notification how to poison this information and make it useless. For now we need to concentrate on how to understand this new regulation.

With the GDPR from the EU taking effect May 25, 2018, organizations must be compliant by that date.

Here is a basic summary of what you need to know:

  1. Organizations that provide goods or services to anyone located within the European Union, regardless of where the company is located, must adhere to this new regulation. This also includes companies that process and store personal data of an EU citizen. This is similar to the individual state laws we currently have in the United States.
  2. Personal data is anything that can be used to identify a person, directly or indirectly. This includes name, photo, email address, bank details, medical information, computer IP address, and even posts on social media.
  3. You must have clear, full consent to use a person’s information. No lengthy, vague legal forms; just clear, plain language. Nothing short of an opt-in will be acceptable.
  4. Just like HIPAA, there is a tiered sanction policy. Organizations can be fined up to 4% of annual global income for breaching the GDPR. This is for severe violators. Organizations can be fined up to 2% for not having their records in order, not notifying a supervising authority, not notifying the person that is affected by a data breach, or not conducting an impact assessment.
  5. These rules will apply to both cloud data controllers and processors; neither will be exempt from GDPR enforcement.
  6. Data breaches must be reported within 72 hours.

What you need to do to prepare:

  1. Review your client/patient database.
  2. Do you have any European clients/patients?
  3. Review where all of your data is stored.
  4. Do you use a cloud system?
  5. Do you have a BA agreement in place with the data processor/center?
  6. Update your breach notification plan.

For more information on the GDPR:

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467.

“Protecting Organizations through Partnership, Education, and Support”


About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations on how to minimize the risks of data breaches. HIPAA compliance is not an option; it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!
