Health Information Compliance Alert

Enforcement News:

Assess Your GDPR Readiness Before May 25 Release

If your practice engages in medical research, you may want to review international privacy guidelines before the European Union's General Data Protection Regulation (GDPR) goes live on May 25, 2018.

Why: Stiff penalties may ensue for researchers and providers who don't follow the GDPR rules, which are significantly more restrictive about safeguarding patients' data than HIPAA, suggests the HHS Secretary's Advisory Committee on Human Research Protections (SACHRP) guidance. "A U.S.-based clinical study could be subject to the GDPR if it uses digital technology, such as wearables, mobile phones, or other personal electronic devices, to track subjects' heart rate, blood pressure, levels of physical activity, or other data points," explains the SACHRP.

Warning: Even a U.S.-led study that enrolls only American patients may still fall under the GDPR. For example, if those subjects travel to EU nations with their mobile devices and wearables, and those devices transfer data back to the U.S., that information may fall under EU jurisdiction and therefore be subject to GDPR requirements.

Resource: For a closer look at the SACHRP guidance published by the HHS Office for Human Research Protections (OHRP), visit www.hhs.gov/ohrp/sachrp-committee/recommendations/attachment-b-implementation-of-the-european-unions-general-data-protection-regulation-and-its-impact-on-human-subjects-research/index.html.