Data Processing Agreements: What is a DPA?
Danielle Kelvas, MD
Starting in the 1960s, healthcare providers slowly shifted from documenting on rudimentary paper to using electronic health records. Today, 9 in 10 physicians use electronic health records (EHR).1 Many industries followed suit by moving online, with the world seeing a massive shift during the COVID-19 pandemic.
Never before has medicine seen such enormous amounts of data being transferred online. But how is patient information protected? Who and what regulates our privacy? This article will briefly describe the who, what, where, and why of data processing agreements and how you can comply.
Why is a DPA Contract Required?
A data processing contract, or agreement, stems from a privacy and human rights law written by the European Union. The General Data Protection Regulation (GDPR) was adopted in 2016 and became enforceable in 2018, providing the framework for other countries worldwide, including the United States.2 The GDPR applies to anyone sharing information online regarding people within the EU, whether the entity is established in the EU or not. This law critically secured the internet for numerous reasons.
First, it facilitated an easier way to transfer information online by supporting the free flow of personal data. Second, and most importantly, as a human rights law, the GDPR served to protect the fundamental rights of individuals, stating that “Everyone has the right to protection of personal data concerning him or her.” Third, it set the stage for the rest of the world regarding how online information, and people, should be protected.3
A data processing agreement is a legally binding contract between entities (groups) that ensures everyone follows the GDPR and protects someone’s privacy. Before proceeding, it’s essential to define a few key terms.
- Subject: Any person for whom private information is being collected (within healthcare, this is the patient).
- Processing: Refers to anything that could be done with private information, such as collecting, storing, monetizing, destroying, transferring, duplicating, printing, etc.
- Personally identifiable information (PII): Any data that could be used to discover someone’s identity.
Who Must Sign a DPA contract?
Any organization or business that handles and transfers personal data must sign a DPA. Due to the complexity within medicine (hospital EHRs, billing, insurance, emails, sales management, cloud storage, etc.), hiring a third party to handle and manage patient information is required.
Data Controller
The data controller bears the most responsibility and liability for safeguarding privacy and information. It collects the data, determines how the data is used, when and why it is shared, and who else can access it. Examples include a public authority, an association, an incorporated partnership, an LLC, or a self-employed professional.4
As defined by the GDPR, a controller “Is a legal or natural person, an agency, a public authority, or any other body who, alone or when joined with others, determines the purposes of any personal data and the means of processing it.”4,5,6
Data Processor
As defined by the GDPR, a processor is “A legal or a natural person, agency, public authority, or any other body who processes personal data on behalf of a data controller.” While processors can make their own operational decisions, they are still required by law to act under the authority of the data controller. An employee who works for a data controller is not considered a data processor.
The processor does not decide what information is collected or why, how long it will be retained or stored, what the data will be used for, or the overall purpose or result of the processing.4 Both entities are required to follow GDPR guidelines, which are outlined in a data processing agreement (DPA).4,5,6
For example, a clinic is running a special on cosmetic treatments and hires an advertising company to create marketing emails and fliers. The clinic provides the marketing group with the names, addresses, and emails of their currently enrolled patients (something the clinic must have obtained permission to do from each patient when they joined the clinic). The clinic is the data controller, and the marketing company is the processor, bound by GDPR and HIPAA laws.
What Must Be Included in a DPA?
This contract legally binds and protects the controller and processor regarding personally identifiable information (PII). DPAs are required between customer relationship management (CRM) platforms, customer data platforms (CDP), and analytics providers.
A data processing agreement:4,5,6
- Outlines and delineates the chain of command and responsibility.
- Sets roles and liabilities.
- Shows proof of compliance in the event of an audit.
- Describes the scope and purpose of data processing.
- Lists in great detail what data is being processed, how, why, and for how long.
- Describes the specifics of the relationship between the controller and processor.
- Includes what safeguards and quality assurance steps both parties use.
All details regarding the PHI involved, including what it contains and its purpose, transfer, and storage, must be clearly and thoroughly explained. It is essential to have a professional and an attorney review this document so that no language is left open to interpretation.
How Can I Stay Compliant?
Most large organizations hire a data protection officer (DPO) or security group to monitor, enforce, and run quality assurance tests. The internet, sadly, is rife with phishing, hackers, and crime, making a DPO a full-time job.
If a controller fails to comply, companies can be fined up to 20 million euros or 4% of total worldwide turnover, whichever is higher.2,3,4 This is on top of any HIPAA violation fees, which can run to millions of U.S. dollars. The company will also lose the trust of stakeholders and patients, which could result in expensive lawsuits from those seeking retribution from the company that leaked their information.
If a breach occurs, the organization has 72 hours to notify all subjects and governing authorities.
GDPR vs. HIPAA
While the GDPR applies only to EU residents, it sets the standard for the rest of the world regarding safe data processing guidelines. It covers any kind of data online across all industries, from credit card companies to real estate. HIPAA, the Health Insurance Portability and Accountability Act, was signed into law in the United States and applies specifically to healthcare-related data. While the GDPR refers to personally identifiable information (PII), HIPAA targets protected health information (PHI).7
According to HIPAA, some information about patients can be sent without consent, like when transferring data between doctors, and medical records can never be deleted. Under GDPR, however, permission must always be given, even for patient care, and subjects have the right to be forgotten or have their personal information deleted.7
1. Electronic Health Records: A Comprehensive History of the EHR. Net Health. Published Sept 16, 2021. Retrieved Jan 3, 2023 from https://www.nethealth.com/the-history-of-electronic-health-records-ehrs.
2. Lucarini, Francesca. The differences between the California Consumer Privacy Act and the GDPR. Advisera. Retrieved Jan 3, 2023 from https://advisera.com/articles/gdpr-vs-ccpa-what-are-the-main-differences.
3. Crutzen, Rik; et al. (2019). Why and how we should care about the General Data Protection Regulation. Psychology & Health, 34(11), 1347-1357. Retrieved Jan 3, 2023 from https://doi.org/10.1080/08870446.2019.1606222.
4. Data Controllers and Processors. GDPR. Retrieved Jan 3, 2023 from https://www.gdpreu.org/the-regulation/key-concepts/data-controllers-and-processors.
5. What is a Data Processing Agreement (DPA)? Accountable. Published Dec 2, 2021. Retrieved Jan 3, 2023 from https://www.accountablehq.com/post/what-is-a-data-processing-agreement-dpa.
6. What is a GDPR data processing agreement? GDPR.eu. Retrieved Jan 3, 2023 from https://gdpr.eu/what-is-data-processing-agreement/?cn-reloaded=1.
7. HIPAA vs. GDPR Compliance: What’s the difference? OneTrust. Retrieved Jan 3, 2022 from https://www.onetrust.com/blog/hipaa-vs-gdpr-compliance.