HIPAA Updates

HHS Declares Limited Waiver of HIPAA Sanctions and Penalties in Louisiana

The Secretary of the U.S. Department of Health and Human Services (HHS) has issued a limited waiver of HIPAA sanctions and penalties in Louisiana due to the devastation likely to be caused by Tropical Storm Barry as it made landfall on July 13 as a hurricane. The HHS announced the public health emergency in Louisiana on Friday July 12, 2019.

The waiver only applies to healthcare organizations in the emergency area and only for the length of time stated in the declaration. The waiver only applies to specific provisions of the HIPAA Privacy Rule and only for a maximum period of 72 hours after the hospital has implemented its emergency protocol.

Once the time period for the waiver ends, healthcare providers will be required once again to comply with all aspects of the HIPAA Privacy Rule, even for patients still under their at the time the declaration ends, even if the 72-hour time window has not expired.

While a waiver has been issued, the Privacy Rule does not prohibit the sharing of protected health information during disasters to assist patients and make sure they get the care they require. That includes sharing some health information with friends, family members and other individuals directly involved in a patient’s care.

The HIPAA Privacy Rule allows the sharing of PHI for public health activities and to prevent or reduce a serious and imminent threat to health or safety. HIPAA-covered entities are also permitted to share information with disaster relief organizations that have been authorized by law to assist with disaster relief efforts without first obtaining permission from patients.

During natural disasters the HIPAA Privacy and Security Rules remain in effect, although following the secretarial declaration, sanctions and penalties against HIPAA covered entities are waived for the following aspects of the HIPAA Privacy Rule:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

“We are working closely with state health and emergency management officials to anticipate the communities’ healthcare needs and be ready to meet them,” said Secretary Azar. The HHS emergency declaration and limited HIPAA waiver can be viewed on this link (PDF).

The post HHS Declares Limited Waiver of HIPAA Sanctions and Penalties in Louisiana appeared first on HIPAA Journal.

HHS Confirms When HIPAA Fines Can be Issued to Business Associates

Since the Department of Health and Human Services implemented the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 in the 2013 Omnibus Final Rule, business associates of HIPAA covered entities can be directly fined for violations of HIPAA Rules.

On May 24, 2019, to clear up confusion about business associate liability for HIPAA violations, the HHS’ Office for Civil Rights clarified exactly what HIPAA violations could result in a financial penalty for a business associate.

Business associates of HIPAA Covered entities can only be held directly liable for the requirements and prohibitions of the HIPAA Rules detailed below. OCR does not have the authority to issue financial penalties to business associates for any aspect of HIPAA noncompliance not detailed on the list.


You can download the HHS Fact Sheet on direct liability of business associates on this link.

business associate liability for HIPAA violations

Penalties for HIPAA Violations by Business Associates

The HITECH Act called for an increase in financial penalties for noncompliance with HIPAA Rules. In 2009, the HHS determined that the language of the HITECH Act called for a maximum financial penalty of $1.5 million for violations of an identical provision in a single year. That maximum penalty amount was applied across the four penalty tiers, regardless of the level of culpability.

A re-examination of the text of the HITECH Act in 2019 saw the HHS interpret the penalty requirements differently. The $1.5 million maximum penalty was kept for the highest penalty tier, but each of the other penalty tiers had the maximum possible fine reduced to reflect the level of culpability.

Subject to further rulemaking, the HHS will be using the penalty structure detailed in the infographic below.


The post HHS Confirms When HIPAA Fines Can be Issued to Business Associates appeared first on HIPAA Journal.

HHS To Apply New Caps on Financial Penalties for HIPAA Violations to Reflect Level of Culpability


The Department of Health and Human Services has issued a notification of enforcement discretion regarding the civil monetary penalties that are applied when violations of HIPAA Rules are discovered and will be reducing the maximum financial penalty for three of the four penalty tiers.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 increased the penalties for HIPAA violations. The new penalties were based on the level of knowledge a HIPAA covered entity or business associate had about the violation and whether action was voluntarily taken to correct any violations.

The 1st penalty tier applies when a covered entity or business associate is unaware that HIPAA Rules were violated and, by exercising a reasonable level of due diligence, would not have known that HIPAA was being violated.

The 2nd tier applies when a covered entity knew about the violation or would have known had a reasonable level of due diligence been exercised, but when the violation falls short of willful neglect of HIPAA Rules.

The 3rd penalty tier applies when there was willful neglect of HIPAA Rules, but the covered entity corrected the problem within 30 days.

The 4th tier applies when there was willful neglect of HIPAA Rules and no efforts were made to correct the problem in a timely manner.

The maximum penalty across all four tiers was set at $1.5 million for violations of an identical provision in a single calendar year.

On January 25, 2013, the HHS implemented an interim final rule (IFR) and adopted the new penalty structure, but believed at the time that there were inconsistencies in the language of the HITCH Act with respect to the penalty amounts. The HHS determined at the time that the most logical reading of the law was to apply the same maximum penalty cap of $1,500,000 across all four penalty tiers.

The HHS has now reviewed the language of the HITECH Act and believes a better reading of the requirements of the HITECH Act would be for the annual penalty caps to be different in three of the four tiers to better reflect the level of culpability. The minimum and maximum amounts in each tier will remain unchanged.

New Interpretation of the HITECT ACT’s Penalties for HIPAA Violations

Penalty Tier Level of Culpability Minimum Penalty per Violation Maximum Penalty per Violation Old Maximum Annual Penalty New Maximum Annual Penalty
1 No Knowledge $100 $50,000 $1,500,000 $25,000
2 Reasonable Cause $1,000 $50,000 $1,500,000 $100,000
3 Willful Neglect – Corrective Action Taken $10,000 $50,000 $1,500,000 $250,000
4 Willful Neglect – No Corrective Action Taken $50,000 $50,000 $1,500,000 $1,500,000


The HHS will publish its notification in the Federal Register on April 30, 2019. The HHS notes that its notification of enforcement discretion creates no legal obligations and no legal rights. Consequently, it is not necessary for it to be reviewed by the Office of Management and Budget.

The new penalty caps will be adopted by the HHS until further notice and will continue to be adjusted annually to account for inflation. The HHS expects to engage in further rulemaking to review the penalty amounts to better reflect the text of the HITECH Act.

The post HHS To Apply New Caps on Financial Penalties for HIPAA Violations to Reflect Level of Culpability appeared first on HIPAA Journal.

OCR Issues Request for Information on Potential Updates to HIPAA Rules to Improve Data Sharing

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a request for information (RFI) seeking comments from the public on potential modifications to Health Insurance Portability and Accountability Act (HIPAA) Rules to promote coordinated, value-based healthcare.

OCR is seeking suggestions about changes to aspects of the HIPAA Privacy and Security Rules that are impeding the transformation to value-based healthcare and provisions of HIPAA Rules that are discouraging coordinated care between individuals and their healthcare providers.

HIPAA was first enacted 22 years ago at a time when few healthcare providers were using digital health records. While there have been updates to HIPAA over the years, many industry stakeholders believe further updates are necessary now that the majority of healthcare organizations have transitioned to digital health records.

Recently, the American Medical Informatics Association (AMIA) and American Health Information Management Association (AHIMA) explained to Congress that changes to HIPAA are required to improve patients’ access to their health data and to make it easier for that information to be shared with other healthcare providers and research organizations. Currently, aspects of the HIPAA Privacy Rule are discouraging providers from sharing data and patients are still have difficulty accessing their health information in a format that allows them to easily use and reuse their data.

OCR is encouraging the public to submit their comments to help OCR identify problem areas and remove regulatory obstacles that are hampering the transformation to value-based healthcare as well as aspects of HIPAA Rules that place an unnecessary burden on covered entities and their business associates which impede their ability to conduct care coordination and case management. However, changes can only be made to HIPAA Rules if they do not jeopardize the privacy and security of protected health information.

Specifically, OCR is seeking feedback on the following aspects of HIPAA Rules:

  • Changes to the HIPAA Privacy Rule to promote information sharing for treatment, care coordination, and/or case management which encourages, incentivizes, or requires HIPAA-covered entities to disclose PHI to other covered entities.
  • Changes to the HIPAA Privacy Rule to encourage healthcare providers and other covered entities to share treatment information with patients, their loved ones, and caregivers of adults in health emergencies, especially related to opioid misuse.
  • Implementing the HITECH Act requirement to include, in an accounting of disclosures, disclosures for treatment, payment, and health care operations (TPO) from an electronic health record (EHR) in a manner that provides helpful information to individuals, while minimizing regulatory burdens and disincentives to the adoption and use of interoperable EHRs.
  • Changes to the requirement for healthcare providers to make a good faith effort to obtain individuals’ written acknowledgment of receipt of providers’ Notice of Privacy Practices.

Comments are also being sought from healthcare providers, business associates, and other covered entities along with answers to 54 questions detailed in the RFI.

The RFI will be published on December 14, 2018 and comments will be accepted for 60 days after the publication date. The RFI can be downloaded on this link.

The post OCR Issues Request for Information on Potential Updates to HIPAA Rules to Improve Data Sharing appeared first on HIPAA Journal.

AMIA and AHIMA Call for Changes to HIPAA to Improve Access and Portability of Health Data

The American Medical Informatics Association (AMIA) and the American Health Information Management Association (AHIMA) have called for changes to HIPAA to be made to improve patients’ access to their health information, make health data more portable, and to better protect health data in the app ecosystem.

At a Wednesday, December 5, 2018, Capitol Hill briefing session, titled “Unlocking Patient Data – Pulling the Linchpin of Data Exchange and Patient Empowerment,” leaders from AMIA and AHIMA joined other industry experts in a discussion about the impact federal policies are having on the ability of patients to access and use their health information.

Currently, consumers have access to their personal information and integrate and use that information to book travel, find out about prices of products and services from different providers, and conduct reviews and comparisons. However, while many industries have improved access to consumer information, the healthcare industry is behind the times and has so far failed to implement a comparable, patient-centric system.

“Congress has long prioritized patients’ right to access their data as a key lever to improve care, enable research, and empower patients to live healthy lifestyles,” said AMIA President and CEO Douglas B. Fridsma. “But enacting these policies into regulations and translating these regulations to practice has proven more difficult than Congress imagined.”

AHIMA CEO Wylecia Wiggs Harris said, “AHIMA’s members are most aware of patient challenges in accessing their data as they operationalize the process for access across the healthcare landscape… the language in HIPAA complicates these efforts in an electronic world.”

The P in HIPAA does stand for portability, yet patients are still struggling to obtain their health data in a usable form that allows them to share that information with other entities. Health data should be portable, as is the case with other types of consumer information. Changes to HIPAA legislation will help the healthcare sector catch up with other industries.

Changes to HIPAA Required to Support Access and Portability of Health Data

Both AMIA and AHIMA suggest HIPAA needs to be modernized to improve patient access to health data and two options were suggested. One option is the establishment of a new term – “Health Data Set” – that incorporates all data about a patient that is held by a HIPAA-covered entity or business associate, including clinical, biomedical, and claims information.

Alternatively, the definition of a Designated Record Set that is currently used in HIPAA legislation could be updated and for certified health IT to be required to provide that data set in electronic form and in a way that allows patients to use and reuse their data.

Both options would serve as a solution to the problem – The former would support a patient’s right to access their health data and also support the development of the ONC’s certification program in the future to allow patients to view, download, and electronically transmit their health data to third parties through an Application programming interface (API). The update to current record set definition would help to clarify rules for both providers and patients.

HIPAA Right of Access Should be Extended

AMIA and AHIMA also support the extension of the HIPAA individual right of access and amendment to entities that are not covered by HIPAA but manage individual health data: Entities such as companies that develop mHealth apps and health social media applications.

Similar data is created, stored, and transmitted by HIPAA-covered and non-HIPAA-covered entities, yet data access policies differ for both groups. There should be greater uniformity of data access, regardless of what type of entity collects and stores health data.

AMIA and AHIMA also suggest federal regulators should clarify current guidance related to third-party legal requests. “Health Information management (HIM) professionals continue to struggle with the existing Office for Civil Rights guidance that enables third-party attorneys to request a patient’s PHI,” explained AHIMA’s Wylecia Wiggs Harris. “AHIMA members increasingly face instances in which an attorney forwards a request for PHI on behalf of the patient but lacks the information required to validate the identity of the patient. As a result, the HIM professional is challenged as to whether to treat it as an authorization or patient access request, which has HIPAA enforcement implications.”

The post AMIA and AHIMA Call for Changes to HIPAA to Improve Access and Portability of Health Data appeared first on HIPAA Journal.

Do HIPAA Rules Create Barriers That Prevent Information Sharing?

The HHS has drafted a Request for Information (RFI) to discover how HIPAA Rules are hampering patient information sharing and are making it difficult for healthcare providers to coordinate patient care.

HHS wants comments from the public and healthcare industry stakeholders on any provisions of HIPAA Rules which are discouraging or limiting coordinated care and case management among hospitals, physicians, patients, and payors.

The RFI is part of a new initiative, named Regulatory Sprint to Coordinated Care, the aim of which is to remove barriers that are preventing healthcare organizations from sharing patient information while retaining protections to ensure patient and data privacy are protected.

The comments received through the RFI will guide the HHS on how HIPAA can be improved, and which policies should be pursued in rulemaking to help the healthcare industry transition to coordinated, value-based health care.

The RFI was passed to the Office of Management and Budget for review on November 13, 2018. It is currently unclear when the RFI will be issued.

Certain provisions of HIPAA Rules are perceived to be barriers to information sharing. The American Hospital Association has spoken out about some of these issues and has urged the HHS to take action.

While there are certainly elements of HIPAA Rules that would benefit from an update to improve the sharing of patient health information, in some cases, healthcare organizations are confused about the restrictions HIPAA places on information sharing and the circumstances under which PHI can be shared with other entities without the need to obtain prior authorization from patients.

The feedback HHS is seeking will be used to assess what aspects of HIPAA are causing problems, whether there is scope to remove certain restrictions to facilitate information sharing, and areas of misunderstanding that call for further guidance to be issued on HIPAA Rules.

HIPAA does permit healthcare providers to share patients’ PHI with other healthcare providers for the purposes of treatment or healthcare operations without authorization from patients. However, there is some confusion about what constitutes treatment/healthcare operations in some cases, how best to share PHI, and when it is permissible to share PHI with entities other than healthcare providers. Simplification of HIPAA Rules could help in this regard, as could the creation of a safe harbor for good faith disclosures of PHI for the purposes of case management and care co-ordination.

While the HHS is keen to create an environment where patients’ health information can be shared more freely, the HHS has made it clear is that there will not be any changes made to the HIPAA Security Rule. Healthcare providers, health plans, and business associates of HIPAA-covered entities will still be required to implement controls to ensure risks to the confidentiality, integrity, and availability of protected health information are managed and reduced to a reasonable and acceptable level.

In addition to a general request for information, the HHS will specifically be seeking information on:

  • The methods of accounting of all disclosures of a patient’s protected health information
  • Patients’ acknowledgment of receipt of a providers’ notice of privacy practices
  • Creation of a safe harbor for good faith disclosures of PHI for purposes of care coordination or case management
  • Disclosures of protected health information without a patient’s authorization for treatment, payment, and health care operations
  • The minimum necessary standard/requirement.

While the RFI is likely to be issued, there are no guarantees that any of the comments submitted will result in HIPAA rule changes.

The post Do HIPAA Rules Create Barriers That Prevent Information Sharing? appeared first on HIPAA Journal.

HHS Secretary Alex Azar Promises Reforms to Federal Health Privacy Rules

At a July 27 address at The Heritage Foundation, Secretary of the Department of Health and Human Services (HHS), Alex Azar, explained that the HHS will be undertaking several updates to health privacy regulations over the coming months, including updates to the Health Insurance Portability and Accountability Act (HIPAA) and 45 CFR Part 2 (Part 2) regulations.

The process is expected to commence in the next couple of months. Requests for information on HIPAA and Part 2 will be issued, following which action will be taken to reform both sets of rules to remove obstacles to value-based care and support efforts to combat the opioid crisis. Rule changes are also going to be made to remove some of the barriers to data sharing which are currently hampering efforts by healthcare providers to expand the use of electronic health technology.

These requests for information are part of a comprehensive review of current regulations that are hampering the ability of doctors, hospitals, and payers to improve the quality healthcare services and coordination of care while helping to reduce healthcare costs.

That process has already commenced with the Centers for Medicare & Medicaid Services (CMS) already having proposed one of the most fundamental changes to Medicare in recent years – A change to how physicians are paid for basic evaluation visits.

At present there are currently five tiers of payments for visits, with payments increasing for visits of increasing complexity. While this system makes sense, in practice in involves a considerable administrative burden on physicians, requiring them to justify why they are claiming for a visit at a higher tier. The CMS has proposed reducing the five tiers to two. That simple change is expected to save physicians more than 50 hours a year – more than a week’s work – with that time able to be diverted to providing better care to patients.

The CMS has also submitted a request for information of issues with Stark’s Law, which prevents physicians from referring patients to other physicians/practices with which they have a financial relationship, except in certain situations. Requests for information on HIPAA, Part 2, and the Anti-Kickback Statute will follow.

Healthcare providers that wish to voice their concerns about issues with HIPAA, Part 2, and the Anti-Kickback Statute should consider preparing comments and suggestions for policy updates to address those issues, ready for submission when the HHS issues its requests for information.

The post HHS Secretary Alex Azar Promises Reforms to Federal Health Privacy Rules appeared first on HIPAA Journal.

Legislation Changes and New HIPAA Regulations in 2018

The policy of two out for every new regulation introduced means there are likely to be few, if any, new HIPAA regulations in 2018. However, that does not mean it will be all quiet on the HIPAA front. HHS’ Office for Civil Rights (OCR) director Roger Severino has indicated there are some HIPAA changes under consideration.

OCR is planning on removing some of the outdated and labor-intensive elements of HIPAA that provide little benefit to patients, although before HIPAA changes are made, OCR will seek feedback from healthcare industry stakeholders.

As with previous updates, OCR will submit notices of proposed rulemaking and will seek comment on the proposed changes. Those comments will be carefully considered before any HIPAA changes are made.

The full list of proposed changes to the HIPAA Privacy Rule have not been made public, although Severino did provide some insight into what can be expected in 2018 at a recent HIPAA summit in Virginia.

Severino explained there were three possible changes to HIPAA regulations in 2018, the first relates to enforcement of HIPAA Rules by OCR.

Since the introduction of the Enforcement Rule, OCR has had the power to financially penalize HIPAA covered entities that are discovered to have violated HIPAA Rules or not put sufficient effort into compliance. Since the incorporation of HITECH Act into HIPAA in 2009, OCR has been permitted to retain a proportion of the settlements and CMPs it collects through its enforcement actions. Those funds are used, in part, to cover the cost of future enforcement actions and to provide restitution to victims. To date, OCR has not done the latter.

OCR is considering requesting information on how a proportion of the settlements and civil monetary penalties it collects can be directed to the victims of healthcare data breaches and HIPAA violations.

One area of bureaucracy that OCR is considering changing is the requirement for covered entities to retain signed forms from patients confirming they have received a copy of the covered entity’s notice of privacy practices. In many cases, the forms are signed by patients who just want to see a doctor. The forms are not actually read.

One potential change is to remove the requirement to obtain and store signed forms and instead to inform patients of privacy practices via a notice in a prominent place within the covered entity’s facilities.

Severino also said OCR is considering changing HIPAA regulations in 2018 relating to good faith disclosures of PHI. OCR is considering formally clarifying that disclosing PHI in certain circumstances is permitted without first obtaining consent from patients – The sharing of PHI with family members and close friends when a patient is incapacitated or in cases of opioid drug abuse for instance.

While HIPAA does permit healthcare providers to disclose PHI when a patient is in imminent harm, further rulemaking is required to cover good faith disclosures.

While these HIPAA changes are being considered, it could take until 2019 before they are implemented.

The post Legislation Changes and New HIPAA Regulations in 2018 appeared first on HIPAA Journal.

“To-do list” for GDPR Compliance

The goal of this short piece is to provide a checklist for companies or businesses who are concerned with GDPR compliance. This list should permit such entities to take initial steps in order to comply with GDPR. Please note that this is not intended to be a comprehensive guide, more so a few “rules of thumb” to take into account in order to get started.

Preparing for GDPR

Although the impact of the General Data Protection Regulation (GDPR) has been largely known since it was agreed upon in 2016, it seems that few organisations are ready for it. According to ‘Spice Works’, just one year before the implementation date of the 25th May 2018, only 2% of Information Technology professionals surveyed throughout the European Union believed that their company or business was properly prepared for GDPR. A similar figure applied to IT professionals in the USA, and the figure for their UK counterparts was only marginally higher, at 5%. Simply put, this statistic is a cause for concern given that correct compliance is a necessity for companies which wish to avoid fines and other penalties.

In order to comply with the GDPR, companies should begin by ensuring that the following actions are taken:

Inform yourself about the GDPR

The majority of business people possess some knowledge about the GDPR. The most obvious thing about the GDPR is that it will replace the Data Protective Directive (DPD). The difference between an EU Regulation and an EU directive means that the new law should improve the level of uniformity concerning how personal data is managed across the entire European Union.

Under the GDPR, individuals will possess greater control over how their personal data is to be used. This is applicable to every person who resides within one of the member states of the European Union. They retain the right to access the data, the right to have data corrected in case of data together with the right to have the data erased (save for a small number of specific circumstances). It is important to note that companies throughout the entire world will be impacted by GDPR, and not only those based within the EU. Any organisation which processes the personal data of individuals who live in a European Union member state are obliged to respect the new regulation.

Companies must ensure that their employees are briefed on this information, and receive training on how the GDPR functions and its impact on the way the company will henceforth deal with data.

Perform an audit of stored data

As soon a company is aware of what is needed in order to comply with the GDPR, it must carry out an audit of the personal data that it presently holds. It should take the following into account:

  • What type of data is held?
  • In what location is the data held?
  • Who is in charge of managing the data?
  • For what purpose is the data used?
  • Is retention of the data still necessary?

Perhaps the key thing to consider is whether or not it is at all necessary to still retain the data. The GDPR states that data should be used only for the purpose it was originally obtained for. Should that purpose no longer exist, the data should be deleted or destroyed, save in circumstances where there is a legally sound reason to retain it. As a general rule, it is worth noting that the less data any particular company holds, the less significant the impact of any data breach or misuse is likely to be.

Pinpoint risks

Any high risk data or activities should be identified. In order to do so, it is advisable that Data Protection Impact Assessments (DPIAs) be used. As soon as risks have been identified, steps to mitigate against them need to be taken. If, on the available evidence, it seems as that mitigation is impossible, a the relevant Data Protection Authority (DPA) should be consulted in order to discuss how to best keep and process the data. This type of discussion, is should be noted, is anticipated to be relatively rare. That said, if circumstances arise whereby it appears that no mitigation is possible, a company is obliged to contact the authority to discuss the issue in order to be compliant with the GDPR.

Put GDPR compliance policies and procedures in place

Any company which wishes to comply with the GDPR needs to be able to answer the following:

  • What type of data is held?
  • In what location is the data held?
  • Who is in charge of managing the data?
  • For what purpose is the data used?
  • Is the data still relevant and is retention of it still necessary?
  • What security measures are is place to protect the data?
  • Can the data be accessed and furnished to the individual concerned should they make a System Access Request (SAR)?

Significantly, every company must also be able to demonstrate that is possesses all of this knowledge. In order to do so it is essential processes and procedures be put in place.

Keep a record of all compliance processes

As noted above, companies are required to demonstrate that they are GDPR compliant. For this reason it is essential to accurately document each process and procedure. A company which is revealed to be non compliant may be faced with a fine of up to €20 million, or 4% of its annual turnover (whichever is greater). In all probability the DPA will initially concentrate on addressing issues with companies which are obviously non-compliant, it is still extremely important for every company to have its own processes, procedures and documentation in place.

Prepare for the risk of data breaches

As soon as the GDPR has been introduced, it will become obligatory for every data breach to be reported to the relevant authority within 72 hours. It is for this reason that it is essential that each company has its own procedures in place for dealing with data breaches if and when they occur. Aside from failing to comply with the GDPR and therefore exposing the company to a costly fine, a lack of contingency plans might also lead to a damaged reputation. This could prove to be even more costly in the long term, should it have a significant impact on custom.

Employ an in-house Data Protection Officer (DPO)

Following activation of the GDPR, any business or organisation which monitors the personal data of individuals (including IP addresses) on a significant scale will be obliged to engage the services of a DPO, in either an internal capacity or by means of an external provider. This also applies where companies process voluminous amounts of special category data, e.g. genetic data or criminal information. Public bodies which deal with the personal data of individuals will also need to have a DPO in place.

It is very probable that, initially, there will be a lack of qualified Data Protection Officers available. That said, there is no clear definition of what qualifications a DPO is required to hold. What is necessary, however, is that a DPO be fully acquainted with what the GDPR covers, and its impact upon the business. Furthermore, they must be able to initiate and oversee the running of data protection systems and processes. It is feasible for a company to internally recruit an existing staff member as its DPO provided that they possess the skill set required, and have received sufficient training in every aspect of the GDPR.

Development of monitoring and reporting processes

As soon as it has ensured that GDPR compliance systems are in place, a company must also develop processes of monitoring and performance. This is so that, firstly, each company is capable of checking at any time that its processes are functioning and fully GDPR compliant. And, secondly, because every company must be able to demonstrate that it is compliant in the event that it be audited by the relevant Data Protection Authority. A company can demonstrate that it is compliant only if everything it does concerning data management and protection is accurately documented. Furthermore, it will need to be able to show that a functional checking regime is in place.

The importance of being prepared

As noted above DPAs will be able to impose a variety of fines for non-compliance with the GDPR. The precise amount of the various fines, aside from the maximum in each category, remains undefined. It appears that DPAs will have some flexibility when it comes to making decisions about this matter. The imposition of other sanctions will also be subject to a certain amount of leeway. What those other available sanctions will be has not yet been defined.

Despite the fact that DPAs will possess some leeway in their imposition of sanctions and fines, it is anticipated that they will discuss these questions with each other so that a level of uniformity is achieved.

Step one for any company should be to make itself aware of the scope of the GDPR. A large number of companies which operate worldwide appear to think that the GDPR does not affect them in any way. If, however, they have any role in the processing of the data of people who live within the European Union, they might be in for quite a shock. This does not only apply to data that has been received directly from the subject; it could also apply to data that was received from a 3rd party. Being informed about the GDPR, and its consequences for them, is a company’s essential first step on the way to compliance.

After that initial step has been taken, it is then a matter of assessing present data and practices, and ensuring that any data being held is being done so in compliance with the GDPR. Companies must also enact processes and procedures in order to ensure that continuing data collection and management is GDPR compliant. The management of data must also be monitored and reported on. Risks must be identified and mitigated against. While companies should do everything within their capabilities to guarantee the security of data, they should also be ready to report any breaches of data within 72 hours of occurrence. In order to avoid the potential penalties under the GDPR and to protect their good reputations, companies should ensure that all of the above is in place by the 25th May 2018.

The post “To-do list” for GDPR Compliance appeared first on HIPAA Journal.