GDPR in the Healthcare Industry | PPTX
www.emmainternational.com
GDPR in
Healthcare Industry
Need, Strategy, Implementation and
continuous monitoring
Joseph Yammine, EMEA Director
Joseph.Yammine@emmainternational.com
Leaders in Compliance
Consulting and
Enterprise Quality
Management Software
• EMMA International Consulting Group, Inc. is a global leader in
management consulting services, with headquarters in
Farmington Hills, MI, as well as offices in Grand Rapids, MI, FL,
PA, and Beirut, Lebanon. We focus on quality, regulatory, and
compliance services for the medical device industries.
Data, Data, Data, Data, …
• 1992 – 100 GB of data generated per day
• 1997 – 100 GB of data generated per hour
• 2002 – 100 GB of data generated per second
• 2018 – 50,000 GB of data generated per second
90% of all the data in the world today has been created in the
past few years
Data, Data, Data, Data, …
2018
This is what happens in an
INTERNET MINUTE
Data, Data, Data and Data
According to the 2017 Ponemon Institute study, what is the annual cost
of data breaches to the healthcare industry?
A. $2.2 Billion
B. $3.6 Billion
C. $4.0 Billion
D. $6.2 Billion
The answer is D ($6.2 billion)
Healthcare Data Breaches are Costly…
• When a healthcare organization experiences a breach, forensics costs
added up to $610,000.
• Breach notification costs $560,000 on average.
• Costs affiliated with lawsuits average $880,000.
• For each data breach, healthcare organizations average $3.7 million
in lost revenue.
• Healthcare organizations average $500,000 in lost brand value after
a breach.
• The average HIPAA settlement fine is approximately $1.1 million.
• Post-breach cleanup costs average $440,000.
Healthcare Data Breaches in Q1 2018
• The first three months of 2018 saw 77 healthcare data breaches reported to
the Department of Health and Human Services’ Office for Civil Rights (OCR).
• Those breaches impacted more than one million patients and health plan
members, almost twice the number of individuals impacted by healthcare data
breaches in Q4 2017.
• Between January 1 and March 31, 2018, 1,073,766 individuals had their PHI
exposed, viewed, or stolen, compared to 520,141 individuals in Q4 2017.
What we will cover today
• What is personal data – and why it’s important for us
• What is Data Protection
• GDPR - what’s changing and what it’s all about
• GDPR Principles
• Who this will affect
• How to be ready
• What support is available
What is Personal Data?
• Personal data is defined as:
• Any information about a living individual which is capable of identifying
that individual.
• Sensitive personal data is defined as:
• Any information relating to an individual's racial or ethnic origin, political
opinions, religious beliefs, trade union membership, physical or mental health
or condition, sexual life, alleged or actual criminal activity and criminal
record.
Under GDPR, sensitive personal data is referred to as “special categories of personal data”
(Article 9), and data relating to criminal convictions and offences is covered separately by Article 10.
What is Personal Data?
 Special categories:
 Racial or ethnic origin
 Political opinions
 Religious or philosophical beliefs
 Trade union membership
 Genetic and biometric data (new under GDPR)
 Physical or mental health
 Sex life or sexual orientation
 Alleged or actual offences and criminal records (Article 10, handled separately)
What is Data Protection?
Data Protection is about avoiding harm to individuals by misusing or
mismanaging their personal data.
So if you collect, use, or store personal data then the Data Protection
Act applies to you. It sets out eight principles you have to adhere to,
which include:
• Only collect information for specific purposes and don’t then use it for other
purposes
• Only collect what you need for the specific purpose
• Keep it accurate and up to date; and safe and secure
• Process information lawfully and allow subject access in line with the Act.
What is GDPR?
It is the General Data Protection Regulation, which
supersedes the Data Protection Act on 25th May 2018. The
key changes from the current law are to strengthen rights
of individuals and place more obligations on organisations
in looking after personal data.
In order to comply with the new law:
• You must have a legitimate reason for processing data – this will cover
much processing we undertake (see later slide)
• Consent must be freely and unambiguously given and can be just as
easily withdrawn
• Data Processing activities must start with “privacy by design and default”.
What is GDPR?... continued
• Subject Access Requests – will include how you process and share data,
not just what you hold, and you’ll have less time to respond (one month
rather than the current 40 days)
• Subjects can request data deletion – “the right to be forgotten”, though
only in certain circumstances
• There will be mandatory breach reporting
• Data processors will be held liable
• You must be able to demonstrate compliance with GDPR
• While the ICO say it is a last resort, the potential fines are much greater
than at present – up to 4% of annual global turnover or €20m, whichever is higher
• And finally – it’s happening regardless of Brexit!
Why the GDPR?
• We care - we are responsible for handling people’s most
personal information
• This is an opportunity to make privacy central to what we do
• By not handling personal data properly we could put
individuals at risk and the company / organization reputation
at stake
• Getting it wrong could result in significant fines
• We need robust systems and processes in place to make sure
we use personal information properly and comply
Who does this affect?
• All of us - we all have a responsibility to keep people’s
information safe; main industries are healthcare, banking and
educational organizations
• Particularly those involved in:
• Human Resources
• Research & Development
• Research involving personal data and/or human participants
• Finance
• Information Technology
GDPR Principles
• Lawfulness, fairness and transparency – as with Data Protection
• Purpose limitation – only collect for specific purposes and then don’t use it for other purposes
• Data minimisation – only collect the data you need for the purpose you are using it
• Accuracy – as now, keep it up to date!
• Storage limitation – don’t keep it for longer than you need to fulfil the purpose
• Integrity and confidentiality – keep it safe and secure e.g. encrypted if on a laptop or mobile
phone.
• Accountability – you must be able to prove you have complied with the above.
GDPR Principles
Examples of Processing
 Staff management and payroll administration
 Access to/consultation of a contacts database containing personal data
 Sending promotional emails
 Shredding documents containing personal data
 Posting a photo of a person on a website
 Storing IP addresses or MAC addresses
 Video recording (CCTV)
GDPR Principles
Subjects’ rights
 Confirmation of processing
 Purposes of processing
 Rectification
 Erasure (Right to be forgotten)
 Restriction of processing
 Portability
 Access to data
GDPR Stakeholders
Preparation for GDPR
1. Audit Data Usage
 What?
 Why?
 Where?
 Who?
 How?
Preparation for GDPR
1. Audit Data Usage
 Legal basis for processing personal data (Article 6):
 Legal obligation
 Contract
 Consent
 Vital interests (of the data subject)
 Public task (necessary in the public interest or in the exercise of official authority)
 Legitimate interests (of the controller or a third party)
Preparation for GDPR
1. Audit Data Usage
 Data Security:
 Of paper records
 Physical access to data
 Locks / doors
 Security guards
 Etc.
 Technological security
 Firewall
 Anti-virus
 Software updates
 Etc.
Preparation for GDPR
1. Audit Data Usage
 Data Security:
 Data protection policy
 IT Security policy
 Breach procedure / Log
 Subject access request procedure
 Privacy notice(s) / collection notices (mandatory)
 Training programme and log
 Data protection impact assessments (mandatory for high-risk processing, which
includes large-scale processing of health data)
Preparation for GDPR
1. Audit Data Usage
 Data Security: Check your contracts with data processors
 Contracts include data protection clauses
 Compliance with GDPR
 Security is up-to-date / in place
 Procedures and policies are to your satisfaction
 Will alert you to problems
 Right to audit?
Preparation for GDPR
2. Data Protection Officer
 Do you need one?
 Public authority or body
 A public authority or body
 Large-scale processing operations which by their nature require
regular and systematic monitoring of data subjects
 Core activities involve large-scale processing of special categories
of personal data or of data relating to criminal convictions and
offences
 The role:
 To be involved, properly and in a timely manner, in all issues relating to the protection of personal data
 Expert knowledge of data protection law and practice
 Independent: must not be instructed on how to perform the tasks, and reports to the highest level of management
Preparation for GDPR
2. Data Protection Officer
 Important Notes
 It’s all important!
 Security –
 IT / technology
 Physical
 Basis for processing
 Data protection impact assessments
 Breach notifications
 Subject access requests
 Register with the ICO (Information Commissioner)
Preparation for GDPR
3. Data Processing (Article 4(2))
 Collecting
 Recording
 Organising
 Structuring
 Storing
 Adapting
 Altering
 Retrieving
 Consulting
 Using
 Disclosing
 Disseminating
 Aligning or combining
 Restricting
 Erasing
 Destroying
Preparation for GDPR
4. Consenting Process
“the data subject has given consent to the processing of his or her
personal data for one or more specific purposes” (Article 6(1)(a))
 Consent
 must be freely given, specific, informed and unambiguous;
 by a statement or a clear affirmative action;
 cannot be inferred by silence, pre-ticked boxes or inactivity
 can be withdrawn and it must be easy to do so
 Processing of special category data on the basis of consent requires “explicit consent” (Article 9(2)(a))
 Records must be kept of how and when consent was given
Preparation for GDPR
5. Demonstrating Accountability
 Internal policies and procedures (data protection / retention policy; security and data breach; data subject rights)
 External privacy notice(s)
 Internal compliance measures and external controls
 Maintain records of data processing activities
 Steps when engaging data processors
 Undertake regular staff training
 Review and update policies and procedures on ongoing basis
 Internal audit of processing activities
 Appoint a Data Protection Officer (DPO), where appropriate.
 Data Protection Impact Assessments, where appropriate
 Data protection by design and by default
Preparation for GDPR
6. Data Breach Reporting
 Personal data breach – a security breach leading to “the accidental or unlawful destruction,
loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or
otherwise processed” (Article 4(12))
 The data controller must notify a personal data breach to the supervisory authority (the ICO in
the UK, the DPC in Ireland) without undue delay and, where feasible, within 72 hours of
becoming aware of it.
 If notified later, reasons for the delay must be given.
 Notification requires certain minimum information (nature of the breach, categories and approximate
numbers of data subjects and records, likely consequences, measures taken or proposed).
 Where the breach is likely to result in a high risk to the rights and freedoms of individuals,
the affected individuals must also be informed without undue delay (Article 34).
 Notification to the supervisory authority is not required where the breach is unlikely to result in
a risk to the rights and freedoms of individuals.
 The data controller must document every personal data breach, whether or not it was notified,
including the facts, its effects and the remedial action taken.
What do I and my team need to do?
Key GDPR Take Away
 Requires a shift in culture and mindset about people’s data privacy
 It’s principles-based and risk-based
 Collecting, using and securing personal data has a cost
 Individuals have more control, with new and enhanced rights
 Privacy notices need more information and must be clear and concise
 Processing requires a legal basis and must comply with the 6 principles
 Data controllers must be able to demonstrate their accountability
 Review how you get, record and manage consent
 Review data processor contracts and liability
 Decide if a DPO required, and document this. At minimum, appoint a lead.
 Be aware of increased regulatory sanctions and powers.
 Review your IT systems and security
 Everyone needs a data breach plan
Thank You
For further information, please do not hesitate to contact us
Joseph.Yammine@emmainternational.com
Farmington Hills, MI:
Headquarters
27600 Farmington Rd., Suite 100
Farmington Hills, MI 48334
Phone (248) 987-4497
York, PA:
320 Busser Road.,
Suite 200
Emigsville, PA 17318
Phone (717) 429-6875
Clearwater, FL:
28870 US HWY 19 North,
Suite 300
Clearwater, FL 33761
Phone (727) 614-8851
Lebanon
7TH Floor, Le Mall Building,
Dbayeh Highway, Northern Metn,
Lebanon
Grand Rapids, MI:
250 Monroe NW Suite 400
Grand Rapids, MI 49503
(616) 219-0510


Editor's Notes

  • Slide 11: A quick reminder – what is personal data? This often causes confusion; people often think it is simply a name and address. The law defines personal data as any information about a living individual which is capable of identifying that individual. The law additionally defines an extra data set which needs more and better protection – sensitive personal data: any information relating to an individual's racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sexual life, alleged or actual criminal activity and criminal record. It doesn’t matter if that data is already in the public domain – you still have to comply with the DPA in the way in which you collect, use and store it. GDPR stretches this further and, for example, says that an IP address can be personal data. For the less technical among us (and that includes me), an IP (Internet Protocol) address is used to identify computers communicating via the internet. So if you’ve ever wondered why the ads around web pages you view are so closely related to what you recently searched for (a new sofa, flights to Italy…) – of course they may be related to what another family member has been searching for. In summary, the definition is far broader than “name and address”.
  • Slide 12: Examples of personal data: name and surname; home address; email address such as name.surname@company.com; identification card number; location data (i.e., the location data function on a mobile phone); Internet Protocol (IP) address, e.g. 10.10.103.45; cookie ID; the advertising identifier of your phone; data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
  • Slide 14: A quick recap of the Data Protection Act. Data protection is about preventing harm to individuals by misusing or failing to look after their personal data. It applies to ALL organisations in the UK through the Data Protection Act (DPA). So, if you collect, use or store personal data then the law applies to you. There are eight governing principles, summarised here as: only collect personal data for specific purposes and then only use it for those purposes; collect just the data you need for the purpose and keep it accurate and up to date; don’t keep it for longer than is necessary for the completion of the purpose for which it was collected. You will need a lawful basis, such as consent, to process data subjects’ data. You will also have to register with the Information Commissioner’s Office (ICO) as a data controller – whether you know it or not, you already have! Typically dioceses have registered in the name of the DBF; Bishops in the name of the Bishop in his or her corporate capacity; and Cathedrals, the Dean and Chapter. This is a public register – you can search it via the ICO. Keep the data secure, whether paper or electronic. Avoid storing it outside the European Economic Area – this might be an issue if your electronic data is in the cloud. Finally, be aware of the rights of subjects to access certain data you hold about them through a Subject Access Request (SAR). Note that this does NOT necessarily mean that they can see everything you hold about them – seek advice from your registrar whenever you get a SAR.
  • Slide 15: The GDPR is the most significant overhaul of data protection law in 20 years. It replaces the Data Protection Directive (Directive 95/46/EC) and thus the DPA 1998 and subordinate legislation under it. The GDPR came into force on 24 May 2016; due to its two-year implementation period it only applies from 25 May 2018. It builds on existing data protection rules and principles, with significant changes: increased compliance obligations for businesses and organisations; new and enhanced rights for individuals; increased regulatory powers and sanctions; privacy by design and by default.
  • Slide 16: The GDPR consists of 173 Recitals (not having force of law), 11 Chapters and 99 Articles (having full force of law).
  • Slide 18: Human Resources covers all functions including screening, recruitment, employment, healthcare management, assessment, personnel, etc.
  • Slide 31: The law requires that in certain circumstances organisations must have a named Data Protection Officer (DPO). One of these is where there is large-scale processing of “special categories of personal data”. The DPO has an education and compliance role regarding GDPR and is the first point of contact for the wider world. They must report to a senior level in the organisation and be independent – similar to Internal Audit.
  • Slide 38: First of all, don’t panic! If you are complying with the Data Protection Act then you are well on the way to GDPR compliance – few steps are needed. Secondly, dust off your departmental Information Directory (which was compiled a few years ago and lists all the sensitive and confidential data you hold) and check that it is up to date. The Records Management team will be in touch in the new year to start working through what you and your team will need to do to prepare for GDPR compliance.