The GDPR (General Data Protection Regulation) was passed by the European Union (EU) in 2018 to govern data privacy and security within the EU. GDPR extends to any country that collects data relating to people in the EU. Not complying with GDPR results in high fines and reputational damage.
HIPAA (Health Insurance Portability and Accountability Act) has a much narrower scope and only extends to confidential protected health information (PHI) as defined by HIPAA.
In early 2014, healthcare IT news stories from the US Department of Health & Human Services reported major HIPAA settlements, such as the $4.8 million HIPAA fines against Columbia University and New York-Presbyterian Hospital. In the Columbia University case, PHI was simply uploaded to the public Internet, with patient files available directly via search engines.
The Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS) are empowered to enforce HIPAA, and the reach of settlements, including civil and criminal decisions, can be severe. The stimulus bill called the American Recovery and Reinvestment Act (ARRA), adopted in 2009, set the minimum and maximum penalty thresholds for health care privacy and security breaches.
Civil sanctions for non-compliance with HIPAA
The following are the tiers of penalties for violating the HIPAA rules.
- The company or employee, despite acting in good faith, did not know that they were violating the law: $100 for each violation, up to $25,000 in total.
- The company was non-compliant for reasons that were not wilful neglect, or there was wilful neglect but the company took corrective measures within a reasonable time window: $10,000 for each violation, up to $250,000 in total.
- There was wilful neglect and the company did not carry out the steps of a corrective plan: $50,000 for each violation, up to $1.5 million in total.
Criminal sentencing can, however, be more serious. Breaking the law by obtaining PHI under false pretences carries a maximum prison term of five years and/or a fine of $100,000. Violations in which a person intends to use the information for personal gain or malicious purposes are punishable by fines of up to $250,000 and prison sentences of up to 10 years.
As the figures above show, the effects of breaching HIPAA can be severe. Beyond the financial risk, non-compliance with HIPAA carries reputational risk from the damage caused by failing to meet data governance obligations.
That is why selecting a technology partner specializing in HIPAA Compliance Hosting for healthcare is extremely critical.
The serious implications of failing to comply with GDPR
The penalties for non-compliance with GDPR are eye-watering. A breach of GDPR can incur fines of up to EUR 20 million or 4% of annual global turnover, whichever is greater. These fines make clear that complying with GDPR is necessary and that GDPR is not to be ignored.
Perhaps the biggest consequence of failing to comply with GDPR is the harm to the credibility of your business, which can often be beyond repair.
The five biggest GDPR fines in the year 2020 are:
- Google, EUR 50 million – fined for a lack of transparency about how user data was harvested.
- H&M (Hennes & Mauritz), EUR 35 million – a technical error briefly made the company's network drive readable by everyone in the company, which exposed how extensively the company collected sensitive personal data about its employees.
- TIM (Italian telecommunications operator), EUR 27.8 million – the company contacted non-customers in an aggressive marketing campaign, in violation of their personal data rights.
- BA (British Airways), EUR 22 million – the company did not process personal data with sufficient security measures and was not protected sufficiently against cyber attacks.
- Marriott International, EUR 20.45 million – sufficient security measures were not in place and the company was the target of a cyber attack.
What is the Compensation for Damages?
Individuals are also entitled, under the GDPR, to seek compensation for any material and/or non-material harm arising from a violation of the regulation. The most serious data breaches could therefore result in a high volume of lawsuits, which can be extremely expensive. Take, for example, the Ashley Madison data breach.
In 2015, the extramarital relations website fell victim to a cyber attack that leaked the data of 36 million user accounts. Some victims of the hack sought compensation because of the sensitive nature of the website and the potential detrimental effects on the personal relationships of those users whose data was released.
Although there are a variety of consequences associated with failure to comply with GDPR, the most important are those above. The overarching message from the ICO (Information Commissioner's Office) itself is to make sure that you take the appropriate measures to demonstrate compliance, rather than to be unduly concerned about significant financial penalties.
Complying with data protection regulations can be overwhelming, as they contain many specific guidelines and rules that every business handling sensitive personal data must follow.
In addition, a business that handles personal information of users from different jurisdictions has to comply with the regulations of each user's jurisdiction.
What can be done?
Using a secure, encrypted storage and file transfer system like Fortknoxster is an alternative to in-house storage and management of sensitive data and documents.
Fortknoxster guarantees full compliance for document requests made by businesses to their clients, while also guaranteeing integrity and preventing any form of unauthorized access to sensitive data.
Providing peace of mind for compliance officers, Fortknoxster is the right tool for requesting, transferring, and storing any kind of sensitive data.
Request your 7-day FREE trial, NO CREDIT CARD NEEDED.