When healthcare companies treat patients located in the European Union and collect information from EU residents, they must comply with the General Data Protection Regulation (GDPR).
The European Union began enforcing the GDPR on May 25, 2018. Noncompliant healthcare companies face large financial penalties.
The fines the GDPR imposes on violators are far higher than those for HIPAA violations. The maximum fine HIPAA violators can be made to pay is $1.5 million per violation category per year. The penalty for a GDPR violation is up to €20 million ($23 million) or 4% of global annual revenue, whichever is greater.
Because the new regulation was adopted on April 14, 2016, all organizations had more than two years to make the required adjustments to their privacy and security measures, policies and processes to conform to the GDPR. Even with that reasonable amount of time, many organizations delayed working on compliance until 2018. Now that the deadline has passed, a large number of companies still have not complied.
A Netsparker study in the fall of 2017 revealed that 14% of the healthcare companies surveyed had completed only a quarter of the requirements for GDPR compliance, and 7% had minimal knowledge of what the GDPR requires. In October, a Clearswift survey showed that the healthcare sector was unlikely to be ready for the GDPR.
There is limited information on the status of the healthcare industry with regard to GDPR compliance. Harvey Nash and KPMG carried out a survey from December 20, 2017 to April 3, 2018 to find out how healthcare companies were faring with GDPR compliance. Approximately 3,958 IT professionals from various industries took part in the survey.
In North America, 59% of organizations had completed or nearly completed the requirements of the GDPR well ahead of May 25, 2018, while 40% were still working on compliance when the GDPR came into force.
Healthcare companies had a higher percentage, 67%, that had already completed or nearly completed GDPR compliance. That figure breaks down into 14% that were fully compliant and 53% that were nearly compliant, while only 33% were still implementing compliance.
The survey also revealed that 40% of healthcare companies do not have a clear digital business vision and strategy, although 35% were preparing one. 13% of healthcare companies admit that they are not prepared to deal with cyberattacks, which is likely to be a problem for GDPR compliance.
Under HIPAA, healthcare companies must report security breaches involving protected health information within 60 days of discovering the breach. Under the GDPR, personal data breaches must be reported within 72 hours of becoming aware of the breach.
The GDPR and the HIPAA Privacy Rule set the same deadline when patients request copies of their data: the healthcare provider must respond to the request within 30 days. However, the GDPR requires the healthcare provider to supply copies of all personal data, not just a limited set of information. That requirement would be difficult to meet if the healthcare company has not performed a full audit to locate every copy of the data. The same applies when patients request the deletion or erasure of all their data.
Companies have had to allocate a large amount of time and money to comply with the GDPR, although that is preferable to paying a large fine. 49% of healthcare companies are fortunate to have a larger IT budget in 2018 to cover the cost of compliance. 51% of companies struggle with compliance because their budget is unchanged or, more frustratingly, has been cut.