GDPR & HIPAA: How to Keep Sensitive Personal Data Safe
Media reports about cybercrime are creating an awareness of the need for businesses to protect personal data that they collect during the course of business. Cybersecurity Ventures states in this article that cyber-crime damages could rise to $6 trillion annually by 2021, adding that this figure is larger than the global distribution of all major illegal drugs. Cybercrime has hit companies before many of them can adequately protect against it. In the interest of protecting private citizens, the European Union and the United States have taken some clear steps to encourage companies to make data security a top priority.
Companies across the globe need to pay attention not only to the laws of their own countries, but also to the laws of the countries whose residents' data they collect. GDPR and HIPAA are the two major mandates that regulate personal data.
What Is GDPR?
GDPR is an acronym for General Data Protection Regulation, a law of the European Union that requires businesses to protect the personal data of EU citizens. The law, which replaces the data protection directive from 1995, was adopted in April 2016. The European Union included a transition period so that companies would have time to bring their security protocols into compliance. GDPR goes into full effect on May 25, 2018. GDPR provisions will be applied consistently across all 28 EU member states. The law also applies to transactions that occur within the EU, and regulates the export of personal data outside of the EU.
Exactly how GDPR will be applied is unclear, although the EU states that it will take a broad view of the definition of personal identification information. The law is equally unclear about what will be considered adequate protection. The language merely states that companies must use a “reasonable level of protection.” We do know that companies will need to protect such information as name, address, Social Security number, cookie data and IP address. It’s possible that the authorities will have a lot of latitude for determining fines over data breaches or non-compliance.
Companies worldwide fear that the soon-to-be-effective law will cost them large sums to meet and administer. To start with, some companies will need to hire a data protection officer, particularly if they store lots of data. According to CSO, about two-thirds of U.S. companies are going back to the drawing board to re-plan their marketing strategies in Europe. About 85% of U.S. companies said that the GDPR would make it difficult to compete with EU companies.
What Is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act, a United States federal law that was signed by former President Bill Clinton in 1996. HIPAA has two main purposes. The first is to provide health insurance coverage without a lapse for workers who change jobs. The second is to reduce the cost of healthcare, along with the cost of administering it, by standardizing how companies transmit administrative and financial transactions. At the same time, lawmakers hoped to combat health insurance waste, fraud and abuse and to improve access to long-term care services.
One of the most important parts of HIPAA is the Privacy Rule. The Privacy Rule allows relevant patient health information to flow through the proper channels for billing and healthcare (digital, paper or oral), while limiting the use and disclosure of sensitive protected health information, commonly called PHI. Under HIPAA, upon request, patients have the right to receive their own PHI from healthcare providers, along with a list of any other people or entities to which the provider disclosed PHI.
Protected information under HIPAA includes name, address, birth date, Social Security number, health condition, care provided and any information that could be used to identify the patient.
Fines for not complying with HIPAA, either knowingly or unknowingly, range from $100 to over $1 million. Intentionally falsifying information may result in jail time.
Complying with GDPR and HIPAA: Keeping Data Safe
While the laws in the two jurisdictions were passed with slightly different intent, companies can take many of the same measures to comply with both.
The first thing that companies should do is to hire or appoint a Data Protection Officer (DPO). Smaller organizations may not need to hire a DPO, but they may need to hire outside consultants. The DPO should conduct a company-wide risk assessment. Using the information gained from the assessment, the DPO will need to create a data protection plan.
Since so much information gets transmitted by mobile devices, the protection plan should include assessing mobile apps to make sure they are GDPR and HIPAA compliant.
The overall assessment should reveal specific areas where the DPO can make recommendations to the board to implement measures to reduce data compliance risk.
Boards of directors will want to make sure that the company has a plan to report their progress on GDPR and HIPAA compliance in case they receive complaints or allegations.
Unlike GDPR, where the rules are somewhat vague, HIPAA outlines national standards for storing and transferring data electronically in the HIPAA Security Rule. The rule requires companies to identify the sources of electronic PHI and other forms of PHI within the organization, including the data that the provider creates, receives, maintains and transmits. In addition, the rule requires companies to identify external sources of PHI. Companies must also be able to identify threats to systems that contain electronic PHI or PHI in other forms.
Healthcare organizations may receive federal incentive payments, and if so, they must agree to follow the privacy and security procedures outlined by the HIPAA Privacy Rule. This includes ensuring that physical and electronic safeguards are in place so that PHI moves securely through all channels.
No data protection system is complete without testing incident response plans. This step will also demonstrate to regulatory authorities that the company is doing all it can to protect data. Finally, companies will need to set up a process for ongoing testing and assessment.