Health travel professionals must redesign their security risk strategies in view of a new privacy law known as the General Data Protection Regulation, or GDPR, which takes effect across the EU on May 25 and establishes the conditions under which personal data on EU patients may be collected and processed by healthcare providers.
In view of steep penalties, health travel industry stakeholders are now required to establish a GDPR compliance program that will: assess the organization’s current level of compliance and detect loopholes; conduct audits of all personal data processed by the organization and review data-protection policies, providing a clear understanding of what types of health data are collected, the purpose for which each is collected, how it is stored, and how long it is retained; document these audit results; and, if required, engage a Data Protection Officer (DPO) who will be responsible for compliance with the new standards for data security.
Under the new regulation, EU patients now have the right to access, amend, and restrict or withdraw personal data or consent to its use. This also applies to post-discharge patient engagement and to data collection for EU nationals who receive medical care outside the Union, which means that US providers are also subject to the new rule insofar as they hold data on medical tourists from the EU.
The GDPR rule protects genetic data, biometric data, and all data concerning health.
Third-party processors hired by medical tourism suppliers are also liable for data breaches. For example, should a medical tourism agent share personal data with a vendor such as a hotel, the vendor must provide a Data Processing Agreement (DPA) to the supplier confirming the vendor’s compliance with the GDPR and dictating the purposes for which such data is to be processed.
The report was published in the Medical Tourism Association’s Medical Tourism Magazine. The MTA is a global non-profit association for the medical tourism and international patient industry, working with healthcare providers, governments, insurance companies, employers and other buyers of healthcare, with a focus on providing the highest-quality, transparent healthcare.