Advertising medical services in the European Union is another way that U.S. physicians could be subject to the GDPR. For example, if a practice or hospital markets their specialty care on websites or other materials in the EU, this could fall under the GDPR umbrella, according to security experts.
“If you are advertising services to patients in the EU, and then they decide to obtain such services, that could trigger GDPR because the data subjects are in the EU and you are offering services to them,” said Elaine C. Zacharakis Loumbas, a health and security law attorney based in Chicago. “It becomes very fact specific.”
Health providers who may be subject to GDPR should focus their attention on three areas: transparency, consent, and data minimization, said John Barchie, a senior fellow at Arrakis Consulting, a security firm that specializes in GDPR compliance.

Like HIPAA, the GDPR requires that health providers disclose information to patients about where and how their data may be used. Mr. Barchie notes that in the United States, patient consent forms may generally include two or three potential uses for patient data, such as marketing and medical research. The GDPR specifies that each potential usage of patient data requires its own separate consent form, he said.