October 15-16, 2018 | Boston, MA

GDPR: Different Galaxy, Different Security & Privacy Rules

For decades, we’ve imagined the different life forms we might encounter while traveling in space. The series Star Trek has entertained generations by imagining how things might be different in another galaxy. Likewise, in healthcare, Europe’s newly revised security and privacy directives under the General Data Protection Regulation (GDPR) have us feeling like we need to update our security and privacy programs to meet the standards of another galaxy. Many CISOs and privacy executives are asking, “Does GDPR apply to us?” or “How will GDPR be enforced for US-based healthcare organizations?”

On May 25, 2018, the European Commission mandated that organizations operating within the European Union countries must comply with the newly revised GDPR requirements. The GDPR data protection requirements are a long-awaited update to the 1995 EU Data Protection Directive established before the era of remote medicine/telemedicine, cloud data storage or smart mobile devices such as tablets and smartphones.

The takeaway for U.S.-based firms (healthcare providers, health plans and business associates servicing healthcare) is to determine whether your organization is required to meet GDPR compliance requirements. There are two conditions under which your organization must comply with GDPR[1]:

  1. The organization operates in a European Union state;
  2. The organization actively markets or delivers services to European patients.

Organizations need to evaluate the GDPR requirements. For many healthcare providers and health plans, GDPR compliance may not apply. However, GDPR becomes a bigger issue for business vendors servicing healthcare, many of which may be based in or do business within the European Union. In these cases, the business associates must address the GDPR requirements, which may take a significant level of effort to achieve compliance.

GDPR casts a wide net over the types of information that must be protected, covering any personal data of EU residents. This extends beyond Protected Health Information (PHI) to personal phone numbers, political opinions, sexual orientation, IP addresses, screen names, and more.

U.S. healthcare data security frameworks, such as HITRUST, are including GDPR among the certification options for organizations that operate in or interface with European Union member states and patients. Privacy requirements under GDPR have also been ramped up substantially beyond those of HIPAA and US state-level regulations.


Even though it may seem like an unknown galaxy where the regulations are branching into uncharted territory, GDPR compliance is manageable for most U.S.-based health organizations. With the effective date of May 25, 2018 already passed, organizations in the US should perform a GDPR risk assessment and determine whether they need to engage warp engines to bring their enterprise into compliance with these new requirements.


Brian Selfridge leads Meditology’s IT Risk Management Services practice, which is dedicated to delivering expertise and leadership in information privacy and security, compliance, and audit, specifically for healthcare. He advises the federal government, including OCR and HHS, and is a frequent presenter and sought-after leader in the healthcare security and compliance industry. Contact Brian directly at or follow him on LinkedIn.


[1] Goodchild, J. “Is Healthcare Ready to Comply With GDPR?” InfoRisk Today, January 16, 2018.
