The European Union's General Data Protection Regulation (GDPR) goes in effect on May 25, 2018, and Healthcare Blocks has reviewed its operational controls to ensure it is compliant. This post describes how GDPR applies to our platform.

The scope of the GDPR is applicable to patient data in the E.U. Therefore, if you are deploying an application to our platform that only services U.S. patients and you are not shipping the data to any external services in the E.U., then the GDPR does not apply, and you are only regulated by HIPAA rules.

If you are deploying an application that services patients based in the E.U., we recommend that you request an E.U.-based environment when provisioning your Healthcare Blocks services. In this case, all data and audit logs are isolated in the E.U., but the uptime and health of your environment will continue to be monitored by our DevOps team based in the U.S.

If you are deploying an application that services patients in both the U.S. and E.U., then we recommend you architect your system to be able to handle dual regions. Not only does this simplify compliance-related activities but it decreases network latency between users in each geographic region and your applications.

In certain circumstances, we will process personal data that originates from the EU in the United States. We provide a level of protection of privacy that complies with the EU rules under the Privacy Shield.

When GDPR is triggered, Healthcare Blocks acts as both a data processor and a data controller. When customers use our products and services to process EU personal data, we act as a data processor. We act as a data controller for the EU customer information we collect to provide our products and services and to provide timely customer support. This customer information includes things such as customer name and contact information.

Healthcare Blocks protects data generated by its customers by leveraging security features provided by our underlying infrastructure provider, Amazon Web Services (AWS), and other proprietary solutions. Data is encrypted at rest using EBS volume encryption. Data transmitted from the Internet and between internal services is encrypted via TLS/SSL. Access to virtual machines housing customer systems is audited. An intrusion detection system is used to protect virtual machines against real-time threats, and periodic vulnerability scans help protect the integrity of Healthcare Blocks managed systems.

Amazon Web Services is also GDPR compliant. Additional information can be found on this external page.

Customers have the ability to delete data they have generated in our platform. If a customer's E.U. user requests data to be deleted, it is the customer's responsibility to identify the location (e.g. server, database table) of that data and to remove it. When a customer needs to remove user data from database backup archives, a customer has two options: (a) retrieve one or more database backup files, remove the data, and upload the updated version to the archive; or (b) request Healthcare Blocks to remove all prior backups containing the data. Other archived data sources such as audit logs can have their data removed upon request from Healthcare Blocks.

If you have any questions about the GDPR with regard to our platform, please contact us.