3rd Party Risk Management , Compliance , General Data Protection Regulation (GDPR)
Analysts: GDPR Case in Portugal Offers Lessons for U.S. Healthcare Entities(HealthInfoSec) • January 9, 2019 Centro Hospitalar Barreiro Montijo, which was recently fined in a GDPR enforcement case in PortugalAn EU General Data Protection Regulation enforcement action against a hospital in Portugal demonstrates for U.S. healthcare entities that complying with GDPR may be even tougher than complying with HIPAA.
See Also: Live Webinar | Sunset of Windows Server 2008: Migrate with Docker
Portugal's supervisory authority Comissão Nacional de Protecção de Dados levied fines totaling 400,000 euros ($458,000) against a hospital, Centro Hospitalar Barreiro Montijo, for three violations of GDPR. That enforcement action - which was reportedly levied last July but only recently made public - apparently was Portugal's first since GDPR's compliance deadline on May 25, 2018.
For U.S. healthcare entities, "this case demonstrates that there is significant overlap between HIPAA and GDPR, such as expectations for appropriate policies and documentation and expectations for role-based access and appropriate authorization and termination of accounts with access to medical information," notes privacy attorney Adam Greene of the U.S. law firm Davis Wright Tremaine.
"But it also shows that GDPR enforcers may expect more stringent privacy and security controls than are typically practiced under HIPAA."
Who Must Comply?
Most U.S. healthcare entities, however, don't need to comply with GDPR.
—Steven Teppler, Mandelbaum Salsburg P.C .
Those that must comply with the European regulation include organizations that operate offices in the EU, are involved with clinical studies in the EU, market their services to EU residents or track online behavior of EU residents on their websites, Greene notes in an interview with Information Security Media Group.
GDPR "doesn't apply broadly" to U.S. healthcare entities, he says.
Three Main Violations
The Portuguese hospital's GDPR infractions included allowing indiscriminate access to patient's clinical information to an excessive number of users, according to a report about the enforcement case by the International Association of Privacy Professionals.
Another infraction was a violation of integrity and confidentiality as a result of failing to apply technical and organizational measures to prevent unlawful access to personal data, the IAPP notes.
A third violation was the failure of the hospital to ensure the continued confidentiality, integrity, availability and resilience of treatment systems and services as well as the failure to implement technical and organizational measures to ensure a level of security adequate to the risk, according to IAPP. That included the lack of having a process to regularly test, assess and evaluate technical and organizational measures to ensure the security of the processing.
Access Issues
When it came to the access-related violations by the Portuguese hospital, regulators found the existence of access credentials that allowed any doctor, regardless of specialty, to access at any time the data of the clients of the hospital. This was considered a violation of the GDPR principle of "need to know" and the principle of "minimization of data," IAPP reports.
This should ring warning bells for U.S. healthcare entities that must comply with GDPR, some regulatory experts note.
"It is typical in the U.S. for doctors to have access to all patients' records, not just those who they are treating," Greene says. "Hospitals generally find it unreasonable to apply more granular access controls. But the Portuguese data authority faulted the hospital for allowing all doctors to have such a level of access."
Media Account
The GDPR noncompliance investigation of issues at the hospital appears to have come as the result of a news media report, which was then investigated and confirmed by Portuguese regulators - rather than being spurred by a data breach report or formal complaint.
Those circumstances are similar to some HIPAA enforcement cases in the U.S., notes privacy attorney Iliana Peters of the law firm Polsinelli.
"Regarding the [Portugal] investigation not resulting from a security incident or breach of some sort ... it is important to note that OCR [Department of Health and Human Services' Office for Civil Rights] has also investigated entities, and entered into settlement agreements with them, as a result of news reports," Peters notes.
Emerging Lessons
Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, notes that the report about the Portuguese GDPR case reads much like an OCR investigation conducted into allegations that an organization has failed to comply with the HIPAA privacy and security standards.
"The report provides details of the thorough and extensive investigation of how the Portuguese managed its information systems as well as administrative policies setting access controls, role-based access, and minimum necessary standards," he says. "The regulator provided an extensive discussion of the weight given affirmative defenses and mitigation in making the determination of the appropriate monetary penalty."
Holtzman says it's not surprising to see striking similarities between GDPR and the HIPAA privacy and security standards "because their shared foundation lies in the principles of organizations' implementing reasonable administrative and technical safeguards to protect personal information from unauthorized use or disclosure."
The enforcement action in Portugal highlights the GDPR requirements for performing an information security risk analysis to identify and mitigate threats to protected information; setting account access controls that include policies for establishing user's role-based access that considers need to know and applying a minimum necessary standard; and terminating account access when users' have left the organization or changed roles, Holtzman says.
Other Details of Case
Attorney Elizabeth Harding of law firm Polsinelli highlights a few other noteworthy aspects to this GDPR case.
For instance, Portuguese authorities found that the hospital had 985 users associated with the profile "doctor," but in the entity's official human resources charts there are only 296 doctors in that hospital, according to the IAPP report.
"The hospital allowed access to its [patient information] to a broad range of personnel without proper access profile management. This resulted in access being granted via false profiles, and access being granted to all patient files, regardless of the doctor's specialty," she says.
Harding notes that it appears that the hospital had failed to properly review and document its access controls.
"The lesson here is the importance of putting in place appropriate internal policies and procedures. The controller is responsible for demonstrating compliance with the data protection principals under GDPR - this is known as the accountability principal," she says.
Harding notes that the issues in the Portugal case arose as a result of the implementation of a third-party software system.
"U.S. healthcare entities that are subject to GDPR need to ensure that they undertake proper diligence when using third-party products and services to ensure that they do not cause them to be in violation of their GDPR obligations," she says.
"The hospital in this case argued that it was using a system provided by the Portuguese healthcare authorities, but the regulators pushed back on this argument on the basis that the hospital could, and should, have known that its use was in violation of GDPR."
More Than Meeting HIPAA
Attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C., notes: "The findings that the security measures were so lax as to present a threat to the maintenance of integrity and confidentiality of the PHI itself - although no PHI was referred to as having been compromised from either a integrity or confidentiality perspective - would in my opinion be sufficient to trigger an investigation."
GDPR compliance "facilitates meeting or exceeding HIPAA security requirements," he says.
"Merely being HIPAA compliant may not serve as a competent defense in a GDPR proceeding; the opposite may not be true."