Healthcare organizations that treat patients from the EU or target EU residents and collect their data are required to comply with the EU’s General Data Protection Regulation.
The EU regulation came into force on May 25, 2018. Any healthcare organization that is required to comply with GDPR and fails to do so faces a substantial financial penalty for noncompliance.
The fines for noncompliance with GDPR are far in excess of those for HIPAA violations. The maximum penalty for a HIPAA violation is $1.5 million per violation category, per year. The fine for noncompliance with GDPR is up to €20 million ($23 million) or 4% of global annual turnover, whichever is the greater.
The final text of GDPR was adopted on April 14, 2016, giving all entities more than two years to implement the appropriate privacy and security controls and develop policies and procedures in line with GDPR. Even so, many organizations put GDPR compliance on the back burner until 2018 and have run out of time. Many organizations in the United States are still on the road to compliance even though the deadline has passed.
A survey conducted by Netsparker in the fall of 2017 revealed 14% of healthcare organizations surveyed had only achieved a quarter of what was necessary to comply with GDPR requirements, and 7% were only minimally aware of what was required. A survey conducted by Clearswift in October suggested healthcare was the least likely industry to be prepared for GDPR.
How Have Healthcare Organizations Fared with Their GDPR Compliance Efforts?
Recent data on the state of healthcare industry GDPR compliance are limited, although a survey conducted by Harvey Nash and KPMG provides some insight into how healthcare organizations have fared with their compliance efforts. The survey was conducted between December 20, 2017 and April 3, 2018 on 3,958 IT leaders from a wide range of industries.
In North America, 59% of companies had completed or mostly completed their GDPR compliance efforts ahead of the May 25, 2018 deadline, with 40% of companies reporting that they still expected to be on the road to compliance by the time GDPR came into effect.
Healthcare organizations fared better than average, with 67% saying they were already in compliance with GDPR or were mostly compliant, broken down as 14% compliant and 53% mostly compliant. However, a third of healthcare companies (33%) said they would still be on the road to compliance by the May 25 deadline.
The survey also revealed that 40% of healthcare companies did not have a clear digital business vision and strategy, although 35% were currently working on one. 13% of healthcare firms said they were not well prepared to deal with cyberattacks, which could make it difficult for them to meet GDPR's breach reporting requirements. Under HIPAA, healthcare organizations have up to 60 days to report security breaches involving PHI. GDPR requires breaches of personal data to be reported within 72 hours of the discovery of a breach.
The HIPAA Privacy Rule requires healthcare organizations to respond to patients' requests for copies of their data within 30 days, the same time frame as required by GDPR. However, in contrast to HIPAA, GDPR requires copies of all personal information to be provided, not just a limited data set. That requirement could well prove problematic if healthcare organizations have not performed a full audit to determine where all copies of data are located. The same applies to honoring requests to have all data erased when consent to process and store data is revoked.
The time that organizations have had to devote to compliance has been considerable and compliance has come at great cost, although far less than the potential fines for noncompliance. Fortunately for many healthcare companies, IT budget increases will have helped cover the cost of compliance. 49% of healthcare firms have increased their IT budgets in 2018. For the 51% of healthcare organizations with static budgets or budget cutbacks, compliance will have been a major struggle.