Compliance Can Be Costly… Are You Aware of These Updates?

Once the dotted line of your contract has been signed, the particulars of administering the contract, proper implementation, and compliance begin.  Compliance is crucial to business success.  Staying up to date while utilizing a contract management software allows for due diligence and continuous monitoring to avoid possible compliance failure and its consequences.  Learn about the latest updated regulations and the support of a complete contract management system to decrease risks and maintain compliance.

The Most Recent Compliance Updates

HIPAA:

The Health Insurance Portability and Accountability Act (HIPAA) has three changes under consideration this year that may take effect in 2019.

  1. The HIPAA Enforcement Rule – This rule allows financial penalties for HIPAA violators. The Office for Civil Rights (OCR) is working out how a percentage of settlements and civil financial penalties can be paid to the victims of breaches and HIPAA violations.
  2. Doing away with keeping signed forms from patients that acknowledge receipt of copies of the covered party’s notice of privacy practices, and replacing them with a notice of privacy practices displayed within the facilities to inform patients.
  3. A good faith rule for Private Health Information (PHI) release. While current HIPAA rules allow for PHI disclosure in cases of imminent harm, OCR plans to clarify disclosing PHI to family or close friends in certain circumstances (i.e., incapacitation or involvement in opioid drug abuse) without patient consent.

GDPR:

The General Data Protection Regulation (GDPR) went into effect on May 25, 2018. This regulation applies to all organizations located within the European Union (EU), as well as any organization located outside of the EU that offers goods or services to, or monitors the behavior of, EU data subjects. Any company processing and holding the personal data of data subjects residing in the EU, regardless of the company’s location, is also liable under GDPR.

Companies must request consent for consumer data in clear and plain language, with the purpose of the data processing attached. It must be as easy to withdraw consent as it is to give it. CIOs must perform a privacy impact assessment to show how personally identifiable information is gathered, used and shared by the organization. They must also have strategies in place to issue breach notifications to regulators within 72 hours.

The rules of GDPR apply both to controllers, the body that decides the purposes, conditions, and means of processing personal data, and to processors, those who process personal data on behalf of the controller. This means that ‘clouds’ are not exempt from GDPR enforcement.

Penalties for non-compliance are fines of up to 4% of annual global turnover or 20 million Euros. Additionally, companies can be fined 2% for not having their records in order, not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment.

California Consumer Privacy Act of 2018

The California Consumer Privacy Act of 2018 (CCPA) was created on June 29, 2018 and takes effect on January 1, 2020. It grants consumers four basic rights in relation to their personal data or information and places regulations on companies that have consumers located in California, USA.

Under CCPA, consumers are granted these 4 rights:

  1. The right to know what personal information has been collected, where it was sourced from, what it is being used for, whether it will be shared or sold, and who it will be shared with or sold to.
  2. For consumers over the age of 16, the right to ‘opt out’ of allowing businesses to sell their personal information to third parties. Consumers under the age of 16 must ‘opt in’: their personal information cannot be sold without their consent or the consent of their parent or guardian.
  3. The right to have personal information deleted by a business with some exceptions.
  4. The right to receive equal service and pricing from a business, regardless of exercising their privacy rights under CCPA.

Under CCPA, businesses that are for-profit, collect and control the personal data of California residents, do business in the state of California, and have annual gross revenues in excess of $25 million must be compliant. Businesses that collect or share the personal data of 50,000 or more California residents, households, or devices on an annual basis, or that obtain 50% or more of their annual revenues from selling California residents’ personal information, are also required to be compliant.

Even if companies have no physical presence in California, its large population and economic presence mean that many serve California residents and will be held accountable under CCPA. Any US company with an online presence will also need to comply with the act and update its privacy policies and web sites. These companies should also implement a means of quickly providing the disclosures required by law.

Businesses are also required to make certain disclosures to consumers via their privacy policies or at the time personal data is collected. To maintain compliance, organizations must define what personal data they are collecting and for what purposes, and must update their privacy policies every twelve months to make the disclosures that the act requires.

Companies that sell personal data to third parties must disclose that practice and offer the ability to opt out by supplying a link titled “Do Not Sell My Personal Information” on the business’s home page. Data belonging to consumers sixteen years old and younger cannot be sold without obtaining the proper consent.

Companies are required to monitor their data sharing practices and comply with requests for information. They must answer consumer requests for information free of charge within 45 days of the request.

Denial of goods or services to consumers exercising their privacy rights under the Act is forbidden. The civil penalty for intentional violations is up to $7500 per violation.

Ensure Compliance with a Contract Management System

Managing multiple contracts and their compliance obligations can be overwhelming. Due diligence and continuous monitoring are key to avoiding possible compliance failure and criminal or civil penalties. A contract management system allows your business not only to maintain contracts easily but also to benefit from a central storage location with multiple support features.

A complete contract management system ensures that all contractual obligations are fulfilled. The specific deadlines and schedules for each contract are compounded by the important factor of compliance timeliness. By having contracts safely deposited in a central storage location, compliance items can easily be searched for and quickly maintained.

One key ingredient to maintaining compliance is ensuring that the correct approvals are given by the correct personnel. Routing sends a contract’s compliance items through the appropriate channels so that approvals are made in order at each level and in a timely manner. This helps to avoid costly redundancies or unfortunate oversights by ensuring that contract management processes are plainly outlined and individual roles and responsibilities are clear.

Staying on schedule and providing a timely response are major factors in maintaining compliance. Human error and oversights often complicate these issues. A complete contract management system allows for automatic reminders and ticklers. These features help to avoid complications and ensure that lapses and renewals are addressed before time runs out and costly repercussions begin.

Other features key to maintaining compliance are tracking and reporting. These abilities allow you to respond quickly to any required reviews, audits, or surveys. They also provide a bigger picture to help ensure that the data you are maintaining is secure, accurate, and readily available for evaluation.

Staying aware of the current changes is good, but unfortunately not enough. Forward-thinking organizations should make every effort to reduce corporate risk and eliminate liability. To avoid oversights and the penalties that accompany them, you need to be constantly alert. A complete contract management system offers numerous solutions to the complications of maintaining compliance. Take control today.
