GDPR News

A Third of Healthcare Organizations Expected to Miss GDPR Deadline

Healthcare organizations that treat patients from the EU or target EU residents and collect their data are required to comply with the EU’s General Data Protection Regulation.

The EU regulation came into force on May 25, 2018. Any healthcare organization that is required to comply with GDPR and fails to do so faces a substantial financial penalty for noncompliance.

The fines for noncompliance with GDPR are far in excess of those for HIPAA violations. The maximum penalty for a HIPAA violation is $1.5 million per violation category, per year. The fine for noncompliance with GDPR is up to €20 million ($23 million) or 4% of global annual turnover, whichever is the greater.

The final text of GDPR was adopted on April 14, 2016, giving all entities more than two years to implement the appropriate privacy and security controls and develop policies and procedures in line with GDPR. Even so, many organizations put GDPR compliance on the back burner until 2018 and have run out of time. Many organizations in the United States are still on the road to compliance even though the deadline has passed.

A survey conducted by Netsparker in the fall of 2017 revealed 14% of healthcare organizations surveyed had only achieved a quarter of what was necessary to comply with GDPR requirements, and 7% were only minimally aware of what was required. A survey conducted by Clearswift in October suggested healthcare was the least likely industry to be prepared for GDPR.

How Have Healthcare Organizations Fared with Their GDPR Compliance Efforts?

Recent data on the state of healthcare industry GDPR compliance are limited, although a survey conducted by Harvey Nash and KPMG provides some insight into how healthcare organizations have fared with their compliance efforts. The survey was conducted between December 20, 2017 and April 3, 2018 on 3,958 IT leaders from a wide range of industries.

In North America, 59% of companies had completed or mostly completed their GDPR compliance efforts ahead of the May 25, 2018 deadline, with 40% of companies reporting that they still expected to be on the road to compliance by the time GDPR came into effect.

Healthcare organizations fared better than average, with 67% saying they were already in compliance with GDPR or were mostly compliant, broken down as 14% compliant and 53% mostly compliant. However, a third of healthcare companies (33%) said they would still be on the road to compliance by the May 25 deadline.

The survey also revealed that 40% of healthcare companies did not have a clear digital business vision and strategy, although 35% were currently working on one. 13% of healthcare firms said they were not well prepared to deal with cyberattacks, which could see them experience problems complying with GDPR reporting requirements. Under HIPAA, healthcare organizations have up to 60 days to report security breaches involving PHI. GDPR requires reports of breaches of personal data to be issued within 72 hours of the discovery of a breach.

The HIPAA Privacy Rule requires healthcare organizations to respond to patients' requests for copies of their data within 30 days, the same time frame as required by GDPR. However, in contrast to HIPAA, GDPR requires copies of all personal information to be provided, not just a limited data set. That requirement could well prove problematic if healthcare organizations have not performed a full audit to determine where all copies of data are located. The same applies to honoring requests to have all data erased when consent to process and store data is revoked.

The time that organizations have had to devote to compliance has been considerable and compliance has come at great cost, although far less than the potential fines for noncompliance. Fortunately for many healthcare companies, IT budget increases will have helped cover the cost of compliance. 49% of healthcare firms have increased their IT budgets in 2018. For the 51% of healthcare organizations with static budgets or budget cutbacks, compliance will have been a major struggle.

The post A Third of Healthcare Organizations Expected to Miss GDPR Deadline appeared first on HIPAA Journal.

Rights of Data Subjects Under GDPR

What are the rights of data subjects under GDPR? Find out more about what GDPR means to data subjects, data controllers, and data processors.

The EU’s General Data Protection Regulation (GDPR) came into force on May 25, 2018. The main purposes of the regulation are to ensure data protection laws are standardized across all member states and to expand the rights of data subjects. Under GDPR, data subjects have greater control over who collects their data, how the information is used, and for how long.

GDPR: Rights of Data Subjects

The rights of data subjects under GDPR are detailed in Chapter 3 – Articles 12 to 23. There are eight fundamental rights under GDPR.

1. Right to Access Personal Data

Under GDPR, data subjects have the right to access the data collected on them by a data controller. The data controller must respond to that request within 30 days (Article 15).

2. Right to Rectification

Data subjects have the right to request modification of their data, including the correction of errors and the updating of incomplete information (Article 16).

3. Right to Erasure

The right to erasure – also referred to as the right to deletion or the right to be forgotten – allows a data subject to stop all processing of their data and request their personal data be erased (Article 17).

4. Right to Restrict Data Processing

Data subjects, under certain circumstances, can request that all processing of their personal data be stopped (Article 18).

5. Right to be Notified

Data subjects must be informed about the uses of their personal data in a clear manner and be told the actions that can be taken if they feel their rights are being impeded. Data subjects must also be informed of any rectification or erasure of their personal data under articles 16, 17, and 18 (Article 19).

6. Right to Data Portability

A data subject can request that their personal data file be sent electronically to a third party. Data must be provided in a commonly used, machine-readable format, if doing so is technically feasible (Article 20).

7. Right to Object

If a request to stop data processing is rejected by a data controller, the data subject has the right to object to their Article 18 right being denied (Article 21).

8. Right to Reject Automated Individual Decision-Making

Data subjects have the right to refuse the automated processing of their personal data to make decisions about them if that significantly affects the data subject or produces legal effects – profiling for example (Article 22).

Rights of Data Subjects under GDPR are Not Absolute

There is a common misconception that the rights of data subjects under GDPR are absolute, and under no circumstances can those rights be lost. While it is true that data subjects have the above rights under GDPR, in certain situations those rights cannot be granted.

For example, the right to restrict data processing does not apply when data are processed for the purposes of the prevention, investigation, detection or prosecution of criminal offences. The same applies to the processing of personal data in the prevention of threats to public security.

Data subjects have the right to access their personal data file, although not if that access adversely affects the rights and freedoms of others.

While data controllers must be aware of the rights of data subjects, they should also be aware of the circumstances under which those rights can be denied, and when charges can be applied for granting data subjects’ rights.


What is GDPR Special Category Data?

Under GDPR, companies have obligations regarding the personal data of data subjects, but there is also a separate category of data that is treated differently – GDPR special category data.

What is GDPR special category data, and how do the rules differ for processing that information?

GDPR Special Category Data

GDPR special category data is personal information of data subjects that is especially sensitive, the exposure of which could significantly impact the rights and freedoms of data subjects and potentially be used against them for unlawful discrimination.

GDPR special category data includes the following information:

  • Race and ethnic origin
  • Religious or philosophical beliefs
  • Political opinions
  • Trade union memberships
  • Biometric data used to identify an individual
  • Genetic data
  • Health data
  • Data related to sexual preferences, sex life, and/or sexual orientation

Because these data elements are particularly sensitive, a company must have a legitimate and lawful reason for collecting, storing, transmitting, or processing these data. Companies are prohibited from collecting or processing these data unless:

  • Explicit consent has been obtained from the data subject; or,
  • Processing is necessary in order to carry out obligations and exercise specific rights of the data controller for reasons related to employment, social security, and social protection; or,
  • Processing is necessary to protect the vital interests of data subjects where individuals are physically or legally incapable of giving consent; or,
  • Processing is necessary for the establishment, exercise, or defence of legal claims, for reasons of substantial public interest, or reasons of public interest in the area of public health; or,
  • For purposes of preventive or occupational medicine; or,
  • Processing is necessary for archiving purposes in the public interest, scientific, historical research, or statistical purposes; or,
  • Processing relates to personal data which are manifestly made public by the data subject; or,
  • Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects.

The processing of all personal data must only occur if there is a lawful reason for using the information, as detailed in Article 6 of the GDPR. Any company that needs to process special category data must check the requirements laid down in Article 9 of GDPR. Personal data related to criminal convictions and offenses are also particularly sensitive and dealt with separately in Article 10 of GDPR.

If special category data are collected, stored, processed, or transmitted, data controllers must ensure that additional protections are put in place to ensure that information is appropriately safeguarded.

The GDPR Compliance Date has Now Passed

The compliance date for the General Data Protection Regulation (GDPR) has now passed and companies are required to comply with all GDPR regulations. There are stiff financial penalties now applicable for any company that is not in compliance with GDPR.

To avoid financial penalties, ensure that appropriate resources are devoted to your GDPR compliance program and you are documenting your compliance efforts and can demonstrate to regulators that you are in the process of complying with the GDPR.


The GDPR Right to Object Explained

Under the General Data Protection Regulation (GDPR), data subjects can object to certain uses of their data, but what exactly is the GDPR right to object, what can data subjects legitimately object to, and what must companies do when an objection is received from a data subject?

The GDPR Right to Object

The GDPR right to object is detailed in Article 21 of the GDPR. From May 25, 2018 – the compliance date for the GDPR – businesses must have developed policies and procedures for dealing with objections from data subjects.

The GDPR right to object allows data subjects to object to certain types of data processing and stop a company from continuing to process their personal data. There are only certain situations in which a legitimate objection can be sent to a company.

These are:

  1. Direct marketing
  2. The processing of personal data for statistical purposes related to historical or scientific research
  3. The processing of data for tasks in the public interest
  4. The exercising of official authority vested in you
  5. Objections to data processing in your or a third party’s legitimate interests
  6. Objections to data processing based on their own beliefs and situations

Individuals must be informed of the GDPR right to object at the first point of contact. They must be told they have a right to object to the processing of their data, the lawful basis for you processing their personal data, and when data are being processed for public tasks, legitimate interests, or for research or statistical purposes.

Data subjects should be allowed to make objections verbally or in writing. While not all objections will be valid, individuals do have an absolute right to stop their personal data from being used for direct marketing.

Responding to Objections from Data Subjects

All companies covered by the GDPR must develop policies and procedures for assessing objections from data subjects. An official at the company must be assigned responsibility for checking objections received from data subjects and determining their validity.

When the GDPR right to object is exercised, the data subject must supply a specific reason why they are objecting to the processing of their data, apart from objections related to direct marketing. Not all objections will require action, although each must be carefully considered.

All objections must be assessed and dealt with promptly. Companies have only one calendar month to assess and process objections from data subjects.

If an objection is received related to the use of personal data for direct marketing, a company must stop using personal data for direct marketing immediately. That includes any profiling related to direct marketing to that individual. If an objection is received, it does not mean an individual’s data must be immediately deleted, only suppressed to prevent them from receiving any future direct marketing.

Not all objections will be valid. For instance, if a company collects data for legal claims, and can prove that to be the case, the objection can be overridden. If an objection is received from a data subject relating to the use of personal information for research purposes, issues relating to public safety, public health, or uses that are in the public interest, it may not be necessary to comply with the objection. If an objection is determined to be valid, the company must stop processing the personal data of a data subject for the reasons outlined in the objection.

It is important for businesses to maintain records of any objections received and the action taken in response to those objections.

A data subject cannot be charged for resolving the objection, although in cases where objections are unfounded or excessive, a fee could be charged for processing the request or a company could simply refuse to deal with the request.


Do You Have a GDPR Data Retention Policy?

All companies that collect or process the personal information of EU residents must ensure they have a compliant GDPR data retention policy, but what should that entail?

GDPR Data Retention Rules

Article 5 explains that when personal data are collected or processed, it must only be for purposes that are “adequate, relevant, and limited to what is necessary in relation to the purposes for which [data] are processed.” Those purposes must be clearly explained at the time of collection.

Under GDPR, organizations are required to adhere to the minimization principle, which applies to the amount of personal data stored and the length of time the information is retained.

When data need to be retained, appropriate security controls should be applied to prevent the unauthorized accessing, use, or processing of data and measures should be implemented to prevent accidental loss, destruction, or damage. Efforts must be made to ensure that all data retained remain accurate and are kept up to date and inaccurate data are removed.

GDPR data retention is covered in Article 5(e), which explains that data should only be retained for as long as is required to achieve the purpose for which data were collected and are being processed. The exceptions to this are when data need to be retained “for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.”

Recital 39 of GDPR explains that when data are retained, strict time limits should be established by the data controller to ensure data are not retained for longer than is strictly necessary. The data controller is required to conduct periodic reviews and ensure that data are securely erased when no longer required.

GDPR applies to personal data that could be used to identify an individual. If data are required to be kept for longer, the information should be de-identified to prevent individuals from being identified from the data.

There are good reasons for the rules on data retention. The longer data are kept, the greater the chance that data will become out of date and the harder it becomes to ensure data are accurate. In the event of a data breach, the more data that are stored on individuals, the greater the potential for harm.

Developing a Compliant GDPR Data Retention Policy

You should already have developed a GDPR data retention policy, although if you have yet to do so now is the time to conduct a review of your data retention policies and update them accordingly. Now is also the time to ensure that any personal data of EU residents that are currently stored are deleted if the original purpose for which they have been collected has been achieved.

To help with the creation of a GDPR data retention policy, use the checklist below:

GDPR Data Retention Policy Checklist

  • Stipulate what data are covered by your policies
  • Set strict time limits on how long data are retained
  • Cover the methods that should be used to delete physical and digital data
  • Ensure it is explained, at the time of collection, how long data will be retained or how the decision will be made to delete data that are no longer required
  • Schedule regular reviews of stored data to determine whether the information is still required
  • Some types of data may need to be retained for longer than others; this should be detailed in your policy
  • It is particularly important to ensure that sensitive data are deleted promptly and are not stored for longer than is strictly necessary; sensitive data include sexual orientation, race, beliefs, and health information
  • Ensure your policy covers deletion of personal data if an EU resident exercises their right to be forgotten
  • Stipulate exceptions to general rules on data retention (federal and state laws, litigation holds, etc.)
  • Make sure that all employees are aware of your GDPR data retention policy
  • A GDPR data retention policy must be documented; it may need to be provided to regulators in the event of an audit or investigation of a complaint

GDPR Compliance Deadline

The General Data Protection Regulation becomes effective on May 25, 2018, after which severe financial penalties can be issued to companies and individuals who fail to meet the requirements of GDPR. The penalty for non-compliance with GDPR is up to 20 million Euros or 4% of global annual turnover, whichever is the greater.

If you are not yet compliant with GDPR requirements or have yet to start your compliance program, it is unlikely you will be able to comply with all aspects of GDPR ahead of the deadline. It is therefore essential that you have documentation that proves you have at least made an attempt to comply with the requirements of the GDPR and that your efforts are ongoing.


GDPR Exemptions: Who is Exempt from GDPR Requirements?

The General Data Protection Regulation comes into force on May 25, 2018 and companies that collect or process the personal data of EU residents are required to comply with the GDPR, although there are limited GDPR exemptions and derogations.

Who Must Comply with the Requirements of GDPR

GDPR is concerned with ensuring the privacy and data rights of EU residents are protected. GDPR may be an EU law, but it applies to all companies. It does not matter where a company is located: whether it is based in the EU or in a non-EU country, compliance with GDPR is mandatory.

There are many misconceptions about GDPR exemptions, such as whether GDPR applies to small businesses, individuals, or companies whose websites are accessible in the EU. Apart from limited GDPR exemptions, all companies – regardless of their size – are required to comply with GDPR if they offer free or paid goods or services to EU residents or monitor their behavior.

Who is Exempt from GDPR?

There are limited GDPR exemptions related to the processing of personal data as detailed below:

  • When data are processed during the course of an activity that falls outside of the law of the European Union
  • GDPR does not apply to individuals that process data for personal or household activity
  • GDPR does not apply to government agencies and law enforcement when data are collected and processed for the prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties or for preventing threats to public safety
  • GDPR does not apply to the processing of personal data by Member States for activities under the scope of Chapter 2, Title V, of the Treaty on European Union.

GDPR Article 23: Derogations

While one of the aims of the GDPR is to harmonize data protection laws across all EU Member States, it is possible for Member States to introduce derogations and supplemental laws for country-specific purposes, as detailed in Article 23 – Restrictions.

When derogations are introduced it is still necessary for the rights of EU residents to be respected and for their data to be protected. Derogations are acceptable in the following areas:

  • A country’s security, defense, and public security
  • Enabling and securing judicial independence
  • The detection, investigation, and prosecution of crime and the prevention of criminal activity
  • To enable enforcement of civil law claims
  • The protection of subjects critical to national interests such as budgetary, social, and health matters.

GDPR Articles 85-91: Derogations

Articles 85-91 of GDPR also cover situations where derogations may be appropriate for individual Member States. These relate to:

  • Freedom of expression and information
  • Public access to official documents
  • National Identification Numbers
  • Personal data of employees
  • Data for scientific or historical research
  • Archiving in the public interest
  • Obligations of secrecy
  • Churches and other religious associations

In all cases, it is still necessary to ensure data are protected.


Does GDPR Apply to EU Citizens Living in the US?

The term ‘European Union citizen’ is often used when explaining General Data Protection Regulation (GDPR) requirements, but what happens when an EU citizen leaves the EU? Does GDPR apply to EU citizens living in the US or in other non-EU countries? Does GDPR apply when EU citizens vacation in non-EU countries?

What happens when Americans visit an EU country? They are clearly not EU citizens but are temporarily located in the EU. How does GDPR apply to US citizens living in an EU country or visiting on vacation or for business?

Does GDPR Apply to EU Citizens Living in the US?

Use of the phrase European Union citizen is not helpful when dealing with GDPR, because GDPR is not concerned with citizenship; it is concerned with where a person is located. The terms EU resident, or a person located in the EU, are more useful.

GDPR requires the personal data of an individual residing in an EU country to be subject to certain safeguards and their data rights and freedoms must be protected. When an individual leaves an EU country and travels to a non-EU country, they are no longer protected by GDPR.

If an EU citizen travelled to the United States and interacted with an EU business, which required the collection of their personal data, their data rights and freedoms would be dictated by US federal and state laws. GDPR would not apply.

Does GDPR Apply to US Citizens Living in an EU Country?

GDPR is not concerned with whether or not an individual is an EU citizen. Anyone located in an EU country is protected by GDPR. If an American travelled to Germany, walked into a store, made a purchase and was required to provide their name and address for an invoice, their personal information would need to be protected in line with GDPR requirements and they would be given the same rights and freedoms under GDPR as an EU citizen.

Does it Matter Where a Business Is Located?

GDPR applies to individuals and gives them certain rights and freedoms. GDPR places certain restrictions on what businesses can do with the personal data of individuals residing in the EU. It does not matter where the business is located and whether or not a business has a base in an EU country. GDPR rules apply if the business collects or processes the personal data of an individual residing in the EU.

Unfortunately, there is no law that protects the privacy of all individuals in the United States, only specific groups of individuals. The Health Insurance Portability and Accountability Act (HIPAA) requires safeguards to be implemented to protect the privacy of patients and health plan members, but only in relation to protected health information (PHI) and only if PHI is collected, stored, used, or transmitted by a HIPAA-covered entity.

For HIPAA-covered entities, compliance with GDPR will be more straightforward if they apply the same requirements for safeguarding PHI to all individuals and all personal data. Taking a more holistic approach to data protection makes compliance with GDPR easier.

If that approach is taken, then it is likely that EU citizens residing in the US will be given the same protections as those living in an EU country.


The Cost of GDPR Compliance

As the introduction of the General Data Protection Regulation on May 25, 2018, draws nearer, many are realizing the cost of bringing their organizations into compliance with the GDPR. A recent study by a legal tech company, Axiom, noted that Fortune 500 and FTSE 100 companies may need to spend an estimated £800 million to review contracts and verify that they are in compliance with the GDPR. While not everyone will need to spend as much, there will still be money that needs to be found to assess and implement the necessary elements to continue operating without violating the GDPR.

Two of the major areas that are likely to dictate the overall cost to organizations related to the GDPR are their current processes and the nature and scale of the data they manage.

How Will GDPR Compliance Cost Money?

Arguably, the most significant cost related to GDPR compliance will be the cost of auditing and classifying the data that is held. This is an incredibly important step to take, as it will lead to the identification of the data types being stored or processed; it should identify the risks which need to be addressed in any new procedures; and it should facilitate information relating to individual data subjects being grouped together. Consent must also be evaluated for each piece of data.

Following the audit, any data that is erroneous should either be corrected or deleted; action must be taken to put appropriate technical and organizational measures into place to reduce or mitigate the identified risks; and all the information relating to individual data subjects must be grouped or at least made easily retrievable to comply with individuals’ rights to request copies of their data or to exercise their “right to be forgotten” – to have their data deleted. The previous processes for requesting consent to process data must be examined to check whether they were compliant with the new rules; if not, consent to continue holding or processing data must be sought again.

There will no doubt be a considerable number of hours spent completing the audit, writing the procedures, training staff, and verifying information, even for companies that only hold smaller amounts of data.

In addition to this, groups employing over 250 members of staff will be required to hire or train a Data Protection Officer, if such a position does not already exist in the organization. It should not be forgotten that employees are also protected by the GDPR, so any employee data and contracts should be reviewed by HR.

How Will GDPR Non-Compliance Cost Money?

While introducing all the necessary elements to comply with the GDPR will undoubtedly be expensive in terms of time and money, non-compliance will certainly cost more. Fines have been approved as part of enforcing the GDPR and the maximum financial penalty is a fine of €20 million or 4% of global annual turnover, whichever is higher.

Crippling financial sanctions could later be compounded by image and reputational damage, with consumers possibly avoiding an organization that does not take the necessary steps to protect their information. Whether the fault is discovered following a fine levied by the supervisory authority or following a data breach, people are likely to take note.

Compliance with the GDPR must now be seen as a cost of doing business. It is a necessary legal hurdle and will also reduce some costs by introducing a harmonious approach to processing data belonging to individuals within the EU. Organizations that fail to take the necessary steps to ensure compliance, or that only implement superficial changes, run the risk of severe monetary and reputational costs.


GDPR High Risk Data Processing

The imminent introduction of the General Data Protection Regulation (GDPR) on May 25, 2018, has many questioning what types of data or data processing are considered high risk or very high risk under the new law. As one of the main goals of the GDPR is to legislate data protection procedures concerning individuals within the European Union (EU), the concept of levels of risk may be of great importance to ensuring compliance.

The GDPR should harmonize how the data of those located within the EU is collected, stored, and processed. These new rules will not just concern organizations located in EU member states, but also organizations located anywhere across the globe that manage data collected within the EU.

To ensure compliance, groups will need to review their procedures and modify them to meet the criteria of the regulations. A first step for many will be a Data Protection Impact Assessment to audit and assess the personal data that they currently possess. Indeed, this is a required measure under the GDPR, which states “the likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk”.

Identifying High Risk Processing Activities

The GDPR will create the European Data Protection Board. In the text of the law, it is noted that guidance on high risk processing activities may be available from this Board – “guidance on the implementation of appropriate measures and on the demonstration of compliance […] especially as regards the identification of the risk […] and the identification of best practices to mitigate the risk, could be provided […] by the Board”. Organizations should seek out and follow these recommendations if they are available.

There is no definition given of what exactly constitutes high risk under the GDPR, only that it should be possible to determine it following assessment. Processing of large amounts of data or of sensitive data are given in the law as examples that are likely to result in high risk. The assessment should evaluate “the origin, nature, particularity and severity of […] risk”. Areas that should also be assessed include data security, potential for breaches of security, privacy concerns, extent of data held or collected, and the type of processing activity carried out.

The guidance provided within the regulations on risky processing activities states “such types of processing operations may be those which, in particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing”. Any one of these criteria on its own, such as a new technology being used, does not automatically mean that the processing is high risk; everything should be considered in the overall context.

Following the assessment, organizations are obliged to take action to reduce the risks identified. Appropriate organizational and technical measures should be put in place to address weaknesses. Should a controller be concerned that they cannot adequately mitigate a risk, they should consult with their supervisory authority before processing occurs.

The GDPR requires that risks be assessed, identified, and addressed in so far as possible. When determining the severity of risk, account should be taken of the nature, scope, context and purposes of the processing, as well as the sources of the risk. All actions to reduce risks must be documented for review by supervisory authorities. Failure to assess, address, or record risk reduction measures will most likely be considered a violation of the GDPR and could result in penalties and financial sanctions.
