With General Data Protection Regulation (GDPR) coming into force, it becomes essential that get clarity on the data protection officers’ roles and responsibilities. So here is what all we need to know about the role of a Data protection officer under the GDPR. The Data Protection Officer’s role is broadly categorized into four categories:

1. Inform and Advice
2. Monitor Compliance
3. Provide Advice
4. Cooperation

These categories further encompasses different roles and responsibilities which are given below:

• Giving proper training to the employees of the organization to comply with the data protection laws.
• To train employees so that they can conduct audits and assessments
• Serving as the point of contact between the company and the relevant supervisory authority
• To maintain all records of data processing activities.
• Responding to data subjects to inform them about how their personal data is being used and what measures are implemented or adopted by the company to safeguard the data.
• A DPO ensures the smooth operationalization of all data protection policies through all organizational units and makes sure the organization processes personal data of data subjects (employees, customers, and other individuals) in a compliant way.

• A DPO’s role also requires looking into the arena of the personal data acquired or used by the company or the organization to check if it is GDPR compliant.
• A DPO not only oversees that the data is compliant with the data protection policies but also cooperates with the data protection authority. The cooperation should be extended to other organizational units that indulge in processing and transmitting data, like Marketing, HR or Legal.
• Maintain the records of processing information.
• So the overall role of a DPO is to monitor, supervise and ensure that the organization completely complies with the GDPR and there is no breach of any security when it comes to processing or transmitting of the personal data.

A DPO is generally from an IT background, should have expertise in the subject and professional qualities so that he/she can fulfill the requirement of fitting in the shoes of a Data Protection Officer’s role.

The Health Insurance Portability and Accountability Act (HIPAA) establishes and regulates national standards for electronic health care transactions. According to the website of the U.S. Department of Health and Human Services: 

The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information…. The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information. 

HIPAA Encryption Requirements are still considered as being vague and a matter of contention. The main part of confusion lies in the encryption of the Protected Health Information (PHI) that falls under the definition of addressable requirements.

When we talk about addressable, it implies that the data protection regulation should be implemented and taken seriously or any other measure that produces the desired equal result or effect should be enforced. The Practice Management Center of the American Medical Association points out, is to “…render electronic personal health information (ePHI) unusable, unreadable or indecipherable to unauthorized individuals…”. Some of the best practices of HIPAA Encryption are:

1. The encryption should be certified by the National Institute of Standards and Technology (NIST)
2. Using an encryption key management appliance that is FIPS 140-2 certified. Federal information processing standards codes (FIPS codes) are a standardized set of numeric/alphabetic codes issued by the National Institute of Standards and Technology (NIST).  They are designed to establish uniform identification of geographic entities through all federal government agencies. 
3. Encrypting all details and records that deal with ePHI, for example, , medical records, emails and files.
4. Any data or information published online should be encrypted.
5. The encryption of data on laptops, or systems.
6. Encryption of data that goes outside the organization’s premises.
7. Best practices also demand that any session during which that data was accessed should be encrypted and be taken with utmost seriousness. All the above best practices should be taken up by the employees and consider them making a custom so that there is no unauthorized disclosure of the information.

When it comes to safeguarding the important and sensitive information online, there are many factors that determine the same. One of the requirements is that of the stringent maintaining of the password. With the massive security and a structure that protects the passwords, the framework of the same becomes impenetrable.

The HIPAA Password Requirements mandate that there should be certain processes and procedures for the creation, amendment and securing the passwords. The passwords should be taken seriously until there is an equal alternative that is similar in nature and secure in its effect. The best way to comply with the HIPAA requirements is a two way authentication process. A strong and secure password can go a long way in protecting and safeguarding the sensitive health information.

HIPAA password requirements are listed in the Administrative Safeguards of the HIPAA Security Rule. In the section that refers to Security Awareness and Training, states Covered Entities must put in place “procedures for creating, changing and safeguarding passwords”.

What are HIPAA Password Requirements?

HIPAA sets regulatory standards that require the organizations to comply with the safety standards when it comes to the sensitive information available online. The HIPAA standard should have some policy or procedure that corresponds to the safety of the information of the patients. Under the HIPAA SECURITY RULE, there are mainly three categories of HIPAA standards:

• Technical: The technical category deals with the electronic Protected Health Information. These security standards address safeguards that must be in place to protect infrastructure that can access, handle, or store electronic protected health information (ePHI). It implies that the organizations must haveanti-virus software, data encryption, and firewalls.
• Physical: These security standards address safeguards that must be in place to protect the physical premises of an organization. Examples include having locks on doors, placing screen protectors on computers, and ensuring that papers containing protected health information (PHI) are not publicly viewable.
• Administrative: These security standards address safeguards that must be in place to guide staff on the actions they should take to maintain the security and integrity of PHI. Examples include authorization of access to PHI, employee training, and password management.

HIPAA is very advantageous and important in protecting the confidentiality of the client’s protected personal health information (ePHI). Frequent exchange and transmission of information online has become the new normal and it is only imperative that certain guidelines ensure that the sensitive and personal information is protected throughout in the process.

HIPAA Record Retention Requirements mandate that the business associates and covered entities retain the data for at least sixth years from the date of creation or last effective date, whichever happens to be later. The following is to be retained as per the norms of HIPPA :

1.Any record that is the form of physical or electronic that the organization contains as a part of health insurance, affiliated covered entity etc.

2. Information, policies and procedures implemented time and again to safeguard the privacy of the patients and that is a part of the compliance to HIPAA.

3.HIPAA mandates the retention of all documented settings and assessments.

4. Any bond or document that has to do with the compliance of HIPAA should be    retained by the organization for example any agreement or any form.

5.Any signed authorization or acknowledgement letters or receipt of the notice or the documentation of good faith efforts to obtain such written acknowledgements.

6. The notice of Privacy Practices for entities that must provide them.

7.Any form of record that can be accessed by the subjects.

8. Accounting of disclosures of HIPAA compliance.

9. Titles of the persons or office responsible for HIPAA compliance are to be documented and retained. The documentation is for people not only responsible for the overall responsibility of the compliance but for also those receiving and processing requests for amendments by individuals.

Other than the above record retention, the business associates and covered entities must also know their legal retention requirements from state, federal, international and other such forums, other than HIPAA. These laws may require some other type of retention of documents that may or may not be only HIPAA compliant. For example, Connecticut state law requires that ePHI should be maintained for 7 years.

We live in an era of technology and how. We are so dependent on technology that it becomes almost implausible that we live without being invaded by it. Every aspect of the day-to-day work we do relies on technology.  Be it buying something online or ordering food, our personal details and information goes online and becomes a prey to infiltration. In the modern times, even doctors and medical health experts connect with their patients through technology or through the medium of an app to be precise.

Apps come handy when you have to connect with your patients easily. A face-to-face interaction never goes wrong and can easily help you analyze certain things about your patient. What is to be considered here is an important question about the privacy of the patients!The physicians use certain apps that are of course handy but they were not designed to be completely compliant with the privacy rules. Just like Skype is very useful when it come to the interaction between the doctor and the patient but are a potential threat to the personal information shared on it.

Ian Morris reports in Forbes “According to figures from 2013, Skype is now used by 300 million people worldwide.” These high user numbers mean Skype is a valuable, high profile target for information thieves. So here is you need to know if Skype is HIPAA compliant. Technically Skype is not HIPAA compliant but Skype for Business is. The Information that is transferred as a part of the health information should be subject to the privacy rules. This further mandates that Skype should obtain the Business Associate agreement from Microsoft before the transmission of any information or ePHI.

HIPAA guidelines maintain that any software or app that transmits customers’ protected personal health information needs to comply with a 128-bit level of encryption. Although, Skype’s is 256-bit encrypted, it still doesn’t mean that Skype is HIPAA compliant.  Other than that, a secure back up of all messages and audit trails should be maintained for Skype to be HIPAA compliant. Adequate precaution and prevention measures to apply controls and regulate them from ePHI being transmitted outside the organization should be taken and checked upon frequently.

GDPR i.e. General Data Protection Regulation that came into effect on May 25,2018, with the aim to prevent the personal and sensitive data of the residents of European Union, is still a challenge in many arenas. The concerns and challenges are in the wake of very few companies being completely HIPAA compliant.

There are some companies that still feel that they are not prepared for GDPR and therefore, still use temporary measures and controls until a better and permanent control is implemented. Other than these basic concerns, a wide sphere of concerns also needs attention.

The organizations face difficulty in protecting the data subjects and ensuring that the breach of security is reported. Organizations still have numerous loopholes to be filled and implement measures that are long lasting and impenetrable.

Let’s have a look at some of the reasons that worry the organizations and poses concerns with respect to GDPR compliance:

1. The newness of the law: Organizations still have a long way to go in order to adapt themselves to the new guidelines and framework of GDPR that requires the organizations to not just conform to them, but also maintain, report, formulate, adopt, visit and revisit certain policies that uphold the privacy of the data uptight, without any breach of security.
2. The Specifications: The new requirements and policies focus to meet specific procedures pertaining to the safeguarding of data. They help structuralize and formalize new measure to make the existing policies more efficient and by adopting new ones. They work to maintain, report and notify new policies and measures and demand for remedial actions as per the requirement.
3. The Fines Imposed: Non-compliance of the GDPR can often come with a heavy price. The regulators can authorize actions in any of the following ways:
   • By issuing a warning or imposing a temporary ban on processing the data.
   • By imposing a hefty fine. The fine depends from case to case.
   • The action could be both of the above, again depending on the gravity of the case.

4. Ambiguous Demands: The uncertainty and no fixed level of protect the personal data further constitutes the concerns as regulators can employ flexibility in assessing fines for the breach in data protection norms.