The way in which a person’s individual health information will be treated if a traveler is hospitalized or seeks medical attention outside of the United States can vary greatly depending on where the medical care is provided. While no one should avoid seeking medical care in an emergency, all tourists should be aware that their privacy may receive more or less protection depending on where they are. Depending on where patients are coming from and where they are going, privacy law could be far more stringent or virtually non-existent compared to the protections of their home country.
Adding to the complexity of national variation is the fact that some countries or regions have laws that are intended to limit the transfer of personal information outside of their borders. Factors like these make the explanation of privacy protection abroad a complicated endeavor.
This column will attempt to sort through some of the complexity by focusing on individual countries or regions of the world and the different ways in which medical and other personal information is protected. In this first article, we illustrate the diversity of the approach to privacy protection with an overview of three different regulatory schemes: those of the United States, Canada and the European Union.
The relevant national privacy law for the protection of health information in the United Sates is the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). HIPAA protects health information that is “individually identifiable” or that can be tied to the subject of the information. For example, “a positive glaucoma test” is not information that is protected by HIPAA, but “Jane Doe’s positive glaucoma test” is protected. It is important to note that individually identifiable health information is only protected by HIPAA when it is in the hands of certain persons or entities: health care providers, health plans or health care clearinghouses who engage in certain electronic transactions (such as billing). These entities are called “covered entities.” If individually identifiable information is not in the hands of a covered entity, it is not subject to HIPAA protection.
HIPAA requires covered entities to notify individuals about their uses and disclosures of protected health information, to grant individuals a variety of rights in their information, such as the right to review and correct information, and prohibits certain uses of patient information without the patient’s express, written consent or “authorization.” In additional to privacy provisions, HIPAA has security provisions as well, that require information in all forms - electronic or otherwise - to be protected from unauthorized access.
HIPAA does not protect other types of personal information, such as financial, consumer credit or criminal history, and HIPAA does not apply to medical information that is obtained outside of the United States. However, someone who needs medical care in the United States from someone who is not his or her usual medical provider may find that HIPAA may adversely impact the sharing of medical information unless it is clear that the subject of that information has clearly authorized its disclosure.
Canada has two federal privacy laws, the Privacy Act and the Personal Information Protection and Electronic Documents Act (or “PIPEDA”). The Privacy Act applies to Canadian government agencies and places limitations on their ability to collect, use and disclose personal information. PIPEDA applies to the private sector and similarly regulates the collection, use or disclosure of personal information in connection with commercial activities. PIPEDA also applies to “trade in personal information that occurs internationally.”
Personal information that is protected under PIPEDA includes the type of information that is protected under HIPAA, but is broader than health or medical information. For example, income, purchasing and spending habits, marital status and religion, education, genetic make up and ethnic origin are all protected when the information identifies the individual.
Organizations that are covered by PIPEDA must obtain an individual’s consent when they collect, use or disclose the individual’s personal information and are only allowed to use the information for the purposes for which it was collected. PIPEDA, like HIPAA, also has security requirements. For example, personal information must be maintained in locked cabinets or protected by computer passwords or encryption when maintained electronically.
The relevant law in the European Union is Directive 95/46/EC (the “EU Data Directive”) on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Directive protects a broad spectrum of information, including medical information and other types of “personal data,” such as bank statements, credit card numbers, address, criminal record, employment and virtually any type of information that can be linked to an identified person.
The EU Data Directive applies to “controllers,” meaning individuals or entities of all types, government or private, who alone or in cooperation with others “process” data. Processing means collecting, using, disclosing, retrieving, transmitting, disseminating or other operations utilizing the data. The use of the term ‘processing” is intended to be a very broad category.
The Data Directive’s data protection rules apply to data controllers within the EU, and also controllers outside of the EU who are processing data within the EU. For example, an on-line retailer who receives personal data from a customer in the EU is considered to be processing data within the EU (via the customer’s computer). Note, however, that applicable penalties if a violation were involved are not completely clear since the issue has not been litigated.
One key component of the EU Data Directive is that it prohibits the transfer of data from the EU to a recipient outside of the EU unless the recipient country (referred to as the “third country”) provides protection that is comparable to the EU’s. So far, only a handful of countries, including Switzerland, Canada and Argentina, have been recognized as countries with adequate safeguards. The United States is not considered a safe repository for EU data, which means that additional measures, such as obtaining the “unambiguous” informed consent of the subject of the information, are required before data may be transferred. This means that a medical professional providing follow up medical care in the United States may not be able to obtain the patient’s treatment history from the European health care provider unless that provider has an unambiguous consent of the patient.
As this article has indicated, the sharing of medical information for treatment while traveling can be difficult. While it is probably unreasonable to always travel with complete medical records, it makes good sense to request copy of treatment records anytime that someone is treated outside of the United States.
Linda Bentley is a Member in the Corporate Section and Life Sciences Practice Group of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. in Boston, Mass. She has extensive experience representing pharmaceutical, biotechnology and medical device companies and insurers on corporate and regulatory matters.
Dianne J. Bourque is an associate in the Boston office of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. in Boston, Mass., where she practices in the Health Section. Dianne advises a variety of health care clients on a broad range of issues, including licensure, regulatory, contractual, risk management matters and patient care.