Healthcare providers that provide services to patients from the European Union, or market their services to EU citizens, need to comply with the General Data Protection Regulation (GDPR).
The EU started enforcing the GDPR on May 25, 2018. Healthcare organizations that do not comply can face substantial financial penalties.
The penalty for noncompliance with GDPR is far higher than the penalties for HIPAA violations. The maximum fine that HIPAA violators could pay is $1.5 million per violation category per year, whereas the fine for noncompliance with GDPR is up to €20 million ($23 million) or 4% of global annual turnover, whichever is higher.
All entities had more than two years to implement the necessary changes to privacy and security controls, policies, and procedures to comply with the GDPR, since the new regulation was adopted on April 14, 2016. Despite the long time given, many organizations put GDPR compliance on hold until 2018, only to discover that compliance was much more involved than initially thought. Consequently, they have missed the compliance deadline.
Netsparker conducted a survey in the fall of 2017 that showed 14% of healthcare organizations surveyed had only achieved 1/4 of the requirements for GDPR compliance and 7% had little knowledge of the GDPR requirements. In October, Clearswift conducted a survey showing that the healthcare industry was the least likely to be prepared for GDPR.
There is limited data available that shows the current state of compliance in the healthcare industry, although Harvey Nash and KPMG conducted a survey from December 20, 2017 to April 3, 2018 to find out how organizations were faring with their GDPR compliance efforts. 3,958 IT experts from different industries participated in the survey.
In North America, 59% of surveyed companies had already completed or had almost completed their GDPR compliance efforts before the May 25 deadline. 40% of companies were still working on compliance by the time GDPR became effective.
In healthcare, 67% of surveyed companies had already completed or almost completed their compliance efforts. That figure is further broken down into 14% believing they were 100% compliant and 53% saying they were almost compliant. 33% were still working on compliance and did not think they would make the deadline.
The survey likewise showed that 40% of healthcare organizations have no clear digital business vision and program, although 35% were working on one. 13% of healthcare organizations admitted that they are not prepared to deal with cyberattacks, which could be a problem with respect to GDPR compliance.