Ever since the emergence of HIPAA over 20 years ago, the healthcare industry and practitioners are well aware of the cost, the unprotected private medical information can cause. If the truth is told, over 171,000 privacy rule complaints had been filed since 2003, causing millions upon millions of financial penalties. In 2013 three data breaches caused a famous healthcare organization to pay $5.5 million financial penalties, while in 2010 two healthcare organizations also had to pay a total of $4.8 million fines to compensate the data breaches and yet the list continues.

Since the world has gone global, and the confidential data is now internationally available through the cloud and web servers in every corner of the world, healthcare providers are no longer the only institutions to be held responsible for personal data they have stored. Where the federal authorities are getting more and more concerned about securing the confidentiality of the citizens’ personal data, the new General Data Protection Regulation (GDPR) is the most recent protection law to emerge along with the universally increasing privacy protection concerns.

From 25th of May, 2018, the European Union (EU) had begun to enforce huge financial penalties on the organizations that were non-compliant with GDPR, ensuring the security of EU citizens’ private data. This new data protection law not only covers the institutions in the EU, but other institutions too which are outside of the EU yet offer their goods or services to, or screen the backgrounds of the EU citizens.

Contrasting to HIPAA, which imposes the highest penalty of $1.5 million annually for the infringements of an identical provision, GDPR financial penalties can reach up to $ 24 million or 4% of the offender’s total annual income, and in either case, it is higher. In more simple words, GDPR can have an immense effect on the different business fields including the healthcare IT industry, internationally. Indeed, the experts are of the same opinion that GDPR can be much more important and functional that HIPAA, not only in penalties but also in its capacity.

Being prepared in advance is the solution, but, it is disclosed in a survey carried out by a well-known information security organization that the healthcare industry is the least one of all the business fields to be prepared for GDPR as only 17% healthcare providers indicated to have their systems in place to deal with new regulations.

Virtelligence Data Protection Policy

Being GDPR compliant is a liability that is not limited to geographical boundaries particularly for a business field that includes the physical and emotional security of the individuals. Virtelligence with the sources and skills is GDPR compliant and can help healthcare providers on their journey of GDPR compliance. While completing our goal, we intend to reasonable and evident in our work. We have trust in privacy by design, by default and authorize a high-profile care when dealing with personal and confidential data.

Hence, it is our policy to:
  • Guarantee the privacy of the company and customer data
  • Offer protection to personal and susceptible data against illegal access
  • Ensure the data security at a satisfactory level
  • Sustain the integrity of the data
  • Serve the privacy-related legal requirements including General Data Protection Regulations
  • Guide and prepare the staff members on Data Protection and the right to Privacy
  • Inspect and document the Data Protection breaches

To endorse our privacy policy, we have agreed to the following:

  • All company documents must be created on company templates and data categorization will be used to verify the private information
  • The systems must be password protected and screensavers will be activated when the desks are left unattended
  • Access rights must be authorized by the relevant team manager
  • In order to complete an obligatory job function, access to the personal data must be set to the lowest level
  • Private data must not be transferred or saved without a pre-approval of the relevant authority
  • Private data is not be taken out of the office locations without a pre-approval of the relevant authority
  • The personal data must not be distributed without the relevant person’s permission
  • The private data must be in a restricted volume
  • Data breaches and all such incidents must be reported to the relevant authorities
  • Make sure that the data is not compromised due to any important changes to the IT systems or processes
  • Make it certain that the private data stored, is correct and that any incorrect, unnecessary and irrelevant data is either deleted or submitted as anonymous at the earliest convenience
  • Must establish a retention policy for all clients and related parties while ensuring that the private data is retained for as long as necessary
  • Must take an action for the subject access rights according to the time frames fixed by the General Data Protection Regulation
  • Must keep an appropriate record of all the data subject requests
  • Must do documentation of all the facts related to Privacy, Confidentiality and Data Protection
  • Must set up data processing and data sharing agreements with the clients and related parties

All information given under the GDPR Compliance Section is for informational uses only and Virtelligence, Inc. is not liable for its legal implications. Any information or facts from us are the outcome of internal research and should not be deemed as legal advice. Corporations must get their own legal advice concerning GDPR compliance.

BizJournal Fast 50