Check Whether Your App or Website Is HIPAA, PIPEDA & GDPR Compliant
There is no industry in which cybersecurity can be treated as something not worth paying attention to. In the modern world almost every country has its own data privacy regulations, and the only choice is to comply with them. However, things are trickier now: one can have customers from country A, operate in country B, and be a legal entity of country C.
GDPR, PIPEDA, and HIPAA stopped being just sets of capital letters in the documentation. They are the big names, and you are almost certainly subject to some, or even all, of them if you work within the European or North American markets.
I am going to provide a set of articles to help you get a clear picture of what it means to be HIPAA-, PIPEDA- and GDPR-compliant, and to decide for yourself whether you should comply with these regulations.
Comply or not comply with GDPR, PIPEDA, and HIPAA, that is the question
To begin with, let’s define the subjects of these regulations, so it becomes clearer whether the product you develop should comply with all of them.
The General Data Protection Regulation (GDPR)
Here everything is simple: if the product you develop stores and processes data and you have customers within the EU, even if they are not your target audience, you most likely fall under GDPR compliance requirements.
The General Data Protection Regulation, known as GDPR for short, is the most important and critical law in the EU related to data and privacy protection. Looking at its overall impact makes things even clearer: among the top regulations, GDPR is the one that definitely has to be considered.
To make this concrete, let’s look at a quote from the paper itself:
“The GDPR applies to individuals and companies (including websites and mobile apps, of course) that process personal data of EU citizens.”
And, once again, it does not matter where your company operates. If there is any presence in the European Union, the GDPR applies.
The Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA is another data privacy framework, and it applies and has to be complied with if the product you are developing operates within the Canadian market. More specifically, PIPEDA applies to the Canadian private sector: if a company collects, uses, or discloses data in any way for commercial purposes, it must comply with PIPEDA. In other words, it regulates commercial activity, understood as any particular transaction, act, or conduct of a commercial character, including the selling, bartering, or leasing of donor, membership, or other fundraising lists.
But how does all this apply to websites and mobile apps? The thing is, even collecting data to improve usability and user experience, which potentially leads to commercial success, is considered a commercial activity under PIPEDA.
The regulation itself makes no specific mention of foreign companies; however, there have been cases in the past where penalties were applied to them. To be safe, foreign companies are strongly recommended to comply with PIPEDA if they collect and use the data of Canadian users in any way.
It should be mentioned that non-profit organizations, as well as educational and healthcare institutions, are not subject to PIPEDA, on the sole condition that they are not engaged in any commercial activity. Operating within the Canadian market has its own peculiarities. For example, if a company operates within Quebec, Alberta, and British Columbia only, it should comply with the local regulations, which have a lot in common with PIPEDA; at the same time, it is exempt from PIPEDA itself.
The Health Insurance Portability and Accountability Act (HIPAA)
This regulation applies to companies that use the health information of US citizens for their needs. Let’s take a closer look at the definition of the parties involved:
“Covered entities include healthcare providers, clearinghouses, and health plans; business associates are individuals and organizations that provide data-related services for covered entities or on their behalf.”
HIPAA, short for the Health Insurance Portability and Accountability Act, introduces national standards for protecting the personal health data of US citizens. A number of criteria define who counts as a covered entity or a business associate, and those parties have to operate in compliance with the regulation.
The Privacy Rule lists the activities and services that make a company or person a business associate. Among the listed activities are billing, data analysis, consulting, quality assurance, claims processing and administration, and more.
If you are developing a mobile app, there is good news. The Federal Trade Commission has a tool that helps you determine whether the product you are working on is subject to key federal data protection laws such as HIPAA, the FD&C Act, and the FTC Act.
What are the consequences of the GDPR, PIPEDA, and HIPAA violation?
So, we hope you now have a clearer picture and a deeper understanding of the regulations that can apply to your product. But what if you do not comply with them? What are the consequences, if any? We hope this article is the only place you ever learn about the consequences of violating these regulations, so let’s consider some real-life cases and the regulations themselves.
Fines for GDPR breaches
Many regulations impose fines for violations, but the fines for failing GDPR compliance and for data breaches are considered the biggest.
According to the most recent data, the fines can reach €20 million or 4% of the annual global turnover of the preceding financial year, whichever is higher. This makes it important to understand in detail how to comply with the EU GDPR, because the regulation is strict and completely disregards the status of the violator within or outside the Union.
Penalties for PIPEDA non-compliance
Fines for companies violating PIPEDA can reach C$100,000 for an indictable offense and start from C$10,000 when an offense is punishable on summary conviction.
In some cases, the Office of the Privacy Commissioner can also require remedial measures and audits to ensure that a specific company operates in compliance with PIPEDA.
HIPAA violation & breach fines
When talking about HIPAA, it is important to keep in mind that there are 4 violation penalty tiers. They are based, generally speaking, on the level of perceived negligence within the organization that led to the violation. Fines range from $100 to $50,000 per violation, and the total can increase dramatically, reaching up to $1.5 million per year for each violation. But all these numbers are just numbers. What about real cases? Let’s have a look.
- September 2020. The health insurer Premera Blue Cross was penalized $6.85 million because of a breach that affected around 10 million people.
- July 2020. Lifespan paid $1,040,000 because of a breach related to a stolen, unencrypted laptop.
- May 2019. MIE was forced to pay $100,000 and agreed to take corrective action in order to settle potential HIPAA violations. It is important to note here that MIE provides medical records services and software to healthcare providers.
There are cases where HIPAA violations can even lead to criminal penalties and real sentences. The most common example is an offense related to the transfer, use, or sale of personal health data for personal gain or commercial profit, or one that causes harm to third parties.
To conclude, now that you are well aware of the regulations that can apply to you, it would be a wise decision to investigate the regulations that may apply to the product or service you provide. In the following articles, we will go into detail and examine each document, the rules stated there, and how to conduct business in accordance with them.
Follow Celadon for more