What Happens in a HIPAA Breach?

Even if you’re HIPAA compliant, you’re not immune to data breaches. Breaches are a common and unfortunate fact of today’s digital environment, and the Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA), knows it. A breach does not by itself mean you violated HIPAA; what OCR looks at is whether you took the required steps before and after it.

HIPAA does require specific steps in advance: safeguards that reduce the risk to the protected health information (PHI) you hold and process, and written procedures for what to do when something goes wrong. If a breach does happen, the response HIPAA expects depends on whether the PHI was secured and on what your risk assessment finds. The best defense against a data breach is preparation.

What is a data breach according to HIPAA?

Under HIPAA, a breach is the acquisition, access, use, or disclosure of protected health information (PHI) in a way the Privacy Rule does not permit and that compromises the security or privacy of the PHI. Electronic PHI (ePHI) is PHI in electronic form, but the definition covers paper records too. The Breach Notification Rule applies only to unsecured PHI: PHI that has not been “rendered unusable, unreadable, or indecipherable to unauthorized persons” through encryption or destruction consistent with HHS guidance. An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless you can show, through a documented risk assessment, that there is a low probability the PHI was compromised.

How can you avoid HIPAA violations in the event of a breach?

You can avoid a HIPAA violation if you made a thorough, continuous effort to comply before the breach happened. That means performing the risk analysis the Security Rule requires, and encrypting all ePHI, at rest and in transit, in line with the NIST standards that HHS references, so that the data is unreadable, undecipherable, and unusable to unauthorized parties if it is exposed. Encryption only counts if the key was not exposed along with the data; a stolen drive whose decryption key was stored alongside it still holds unsecured PHI.

Many breaches go unnoticed for a long time because organizations do not conduct regular risk assessments or monitor their systems. That cuts two ways: the notification clock starts when a breach is discovered or should reasonably have been discovered, and a failure to look at all is the kind of willful neglect that lands in the highest penalty tiers.

Train all staff, and keep written procedures that personnel follow in the event of a security incident or data breach.

If a breach involves only secured ePHI (encrypted so that it is unreadable, undecipherable, and unusable by unauthorized parties, with the key not compromised), the Breach Notification Rule may not apply. Still do a risk assessment and document it. It is up to you to recognize the severity of a breach, take the correct action under HIPAA, and prove to HHS that you did.

The burden of proof is on you

If you have a breach, you will have to be able to show HHS either that the PHI was secured or that the probability of compromise was low, so that no notification was required, or that you responded appropriately by sending every notification HIPAA requires.

HHS expects covered entities (you) to perform a risk assessment whenever you suspect a breach. The assessment must consider at least these four factors:

  • The nature and extent of the PHI involved, including the types of identifiers (names, medical record numbers, and so on) and the likelihood that the information could be re-identified if it was only partly de-identified.
  • The unauthorized person who used the PHI or to whom it was disclosed, if you can determine this.
  • Whether the PHI was actually acquired or viewed, or was only exposed (for example, a lost device recovered with forensic evidence that it was never powered on).
  • The extent to which you have mitigated the risk, such as obtaining the recipient’s written assurance that the data was destroyed and not further used.

If the HHS does an audit and finds that there may have been some impermissible use or disclosure of ePHI that you didn’t report, they’re going to ask you why.

Your documented risk assessment is your main defense against appearing culpable. It is also how you find out whether your situation falls under one of the three exclusions from the definition of a breach. These are not treated as breaches and do not trigger notification:

  1. Unintentional acquisition, access, or use of PHI by a workforce member acting in good faith within the scope of their authority, as long as the PHI is not further used or disclosed impermissibly.
  2. Inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI at the same covered entity or business associate, again provided the PHI is not further used or disclosed impermissibly.
  3. A disclosure where you have a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information (for example, a discharge summary handed to the wrong patient and immediately taken back).

How do you perform a HIPAA Risk Assessment?

A risk assessment helps you identify threats and vulnerabilities so that you can implement the administrative, physical, and technical safeguards that the HIPAA Security Rule requires for ePHI. The Security Rule itself mandates a risk analysis (§ 164.308(a)(1)(ii)(A)). The US Department of Health & Human Services (HHS) offers guidance on risk assessments on its website as well as a Security Risk Assessment (SRA) Tool that walks you through the process. HHS guidance recommends repeating the assessment at least annually and whenever you introduce new work procedures, update systems, redesign programs, or experience a security incident such as a data breach.

What is the HIPAA Breach Notification Rule?

If you have a breach, but your risk assessment has determined that ePHI is secured (encrypted), you might not be subject to the Breach Notification Rule. But if there is any chance that unsecured ePHI was improperly used or disclosed, you have to follow specific notification rules to stay in compliance.

Victim notification letter:

You must notify each individual whose unsecured PHI was, or is reasonably believed to have been, accessed, acquired, used, or disclosed. Notice must go out without unreasonable delay and no later than 60 calendar days after discovery (a law enforcement request to delay, to avoid impeding a criminal investigation, is the one exception). A breach is “discovered” on the first day it is known, or by exercising reasonable diligence would have been known, to anyone in your workforce other than the person who committed it. HHS publishes guidance on the required contents of the notice, which must be written in plain language and include:

  • What happened, including the date of the breach and the date of discovery, if known
  • A description of the types of unsecured PHI involved (names, dates of birth, diagnoses, and so on)
  • Steps affected individuals can take to protect themselves
  • What you are doing to investigate the breach, mitigate harm, and prevent further breaches
  • How individuals can contact you with questions, including a toll-free telephone number, email address, website, or postal address

Notification to HHS Secretary:

You must notify the Secretary of Health and Human Services of every breach of unsecured PHI. Reports are submitted through the OCR breach portal.

  • If a breach affects 500 or more individuals, you must report it to HHS without unreasonable delay and no later than 60 calendar days after discovery, at the same time you notify individuals. If more than 500 residents of a single state or jurisdiction are affected, you must also notify prominent media outlets serving that area. OCR posts these breaches on its public breach portal, known in the industry as “the wall of shame.” You don’t want your name on this wall.
  • If a breach affects fewer than 500 individuals, log it and report it to HHS no later than 60 days after the end of the calendar year in which it was discovered.

Business Associates notification:

A business associate that discovers a breach of unsecured PHI must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery, and must identify, as far as it can, each individual affected. The business associate agreement can set a shorter deadline, and many do, so that the covered entity has time to meet its own deadline.

For more details and guidance on the HIPAA Breach Notification Rule, see the HHS website.

How significant are the fines for noncompliance resulting in a breach?

If the Office for Civil Rights (OCR) concludes that a breach resulted from noncompliance, the size of the civil money penalty depends on how culpable it finds the organization.

HIPAA has four penalty tiers, each with a per-violation range and an annual cap. The cap applies per calendar year for each identical provision violated, so several different violations in one year can each reach the cap. The figures below are the base amounts under the 2019 HHS Notice of Enforcement Discretion; OCR adjusts them for inflation each year. Criminal penalties under HIPAA are separate, are prosecuted by the Department of Justice, and apply to knowingly obtaining or disclosing PHI rather than to any civil tier. HIPAA itself gives individuals no private right of action, but breach victims can and do sue under state law.

Tier 1: $100 to $50,000 per violation; $25,000 per year. The organization did not know, and by exercising reasonable diligence would not have known, that it violated HIPAA.

Tier 2: $1,000 to $50,000 per violation; $100,000 per year. Reasonable cause: the organization knew, or by exercising reasonable diligence would have known, of the violation, but the conduct did not rise to willful neglect.

Tier 3: $10,000 to $50,000 per violation; $250,000 per year. Willful neglect of HIPAA rules, with the violation corrected within 30 days of discovery.

Tier 4: $50,000 per violation; $1.5 million per year. Willful neglect of HIPAA rules, not corrected within 30 days of discovery.

Keep your name off of the wall of shame

As everything we do becomes more digital, you’re better off expecting a data breach than thinking it won’t happen to you. Breaches will be a part of life and business and the best thing you can do to protect your brand and your clients is get in front of them. If your HIPAA compliance needs a bit of dusting off, check out our HIPAA Compliance Checklist for 2020 and make sure you’re ahead of the game.

GDPR: What US Companies Need to Know

Do you know whose data you have?

When the General Data Protection Regulation (GDPR) became enforceable on May 25, 2018, it raised the bar for data protection and security around the world. It also set off a wave of privacy laws that are changing business, and how we use the internet, for good.

A common misconception among US companies is that the GDPR only applies to companies in Europe. If you’re a US company, the GDPR applies to you today if you fall into one of these categories (Article 3):

  • You have an establishment (an office, subsidiary, or branch) in the EU that processes personal data
  • You offer goods or services to people in the EU, whether or not you charge for them
  • You monitor the behaviour of people in the EU, for example through analytics, tracking pixels, or profiling

The test is where the people are, not their citizenship: an EU citizen living in Texas is not covered for a US company, while a German resident who orders from a site that ships to Germany is. B2B is no exception; the contact and employee data of your EU clients is personal data.

GDPR caught a lot of US companies off guard. 42% of US sites are still blocking EU customers because they weren’t prepared to comply with GDPR. That’s a nice sized market share just waiting to be tapped by whoever gets there first. 

Why all US companies should pay attention to GDPR

Understand that the GDPR is currently setting the framework for a rash of privacy legislation that is sweeping the US and the globe. It’s raising service, transparency, and accountability to levels that previously didn’t exist. Consumers are aware of these laws which means consumer trust is becoming an essential feature of brand ethos.

The biggest mistake US companies can make is to think of data privacy law as something restricted to Europe. It’s already here. The sooner US companies get in front of the standards set by the GDPR, the easier it will be to comply with any other privacy laws that become relevant to a company’s jurisdiction.

Comprehensive consumer privacy laws have been enacted or proposed in many states. One of the strictest to pass in the US so far is the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020.

What does GDPR do?

GDPR gives ordinary people an unprecedented amount of control over the personal information organizations can collect, retain, and process. It grants individuals the privacy and security of their personal data as a fundamental human right. 

Any organization, inside or outside the EU, that processes personal data of people in the EU, directly or through a vendor, must have a lawful basis for collecting and processing it. With that lawful basis comes the responsibility to keep the data safe and to respond to an individual’s request to access, correct, delete, or obtain a copy of it.

What is personal information under the GDPR?

  • Names, addresses, phone numbers, ID numbers, bank details, and so on
  • Online identifiers: IP addresses, cookie and device IDs, advertising tags and pixels, email addresses, user names, and the content of social media posts, stories, and tweets that identify a person
  • Special categories of data (Article 9(1)), which need an additional condition before you may process them at all: biometric and genetic data, physical and mental health data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data concerning sex life or sexual orientation

When is it legal to collect and process personal information under GDPR?

Before you can ask for and collect anyone’s personal data, you need to have a legal basis for its collection and use — the GDPR outlines six lawful bases for collecting and processing someone’s information:

  1. Consent: The user has given you clear, affirmative consent to process specific data for a specific purpose.
  2. Contract: You need the data to perform a contract with the user, or to take steps at the user’s request before entering into one.
  3. Legal obligation: You need to process the data to comply with a law that applies to you (EU or member-state law, not a US one).
  4. Vital interests: You need to process the data to protect someone’s life or physical safety.
  5. Public task: You need to process the data to perform a task in the public interest or in the exercise of official authority, and that task has a basis in law.
  6. Legitimate interests: You need to process the data for your legitimate interests or those of a third party, unless those interests are overridden by the user’s rights and freedoms.

For most US companies, consent, contract, and legitimate interests are the bases that apply most often. Public task is for public authorities and vital interests is for emergencies. Legal obligation covers only obligations imposed by EU or member-state law, which is why it rarely helps a US company for its own processing, though, as the payment example below shows, it may be the basis your EU service providers rely on.

Let’s discuss what consent, contract, and legitimate interest might mean to US companies so that you understand the extent to which you’ll need to redesign how you collect personal data, where you store it, and who you share it with, to comply with the GDPR.

What does consent mean under the GDPR?

Users can’t really give consent to something they don’t understand. The burden of making your intentions clear to your consumers in transparent and understandable language falls on you, the company, entirely. Not only do you have to be completely transparent with your consumer base, but you have to be able to prove to any privacy authorities that you have been. 

Any communication with a user about consent must be readable by an ordinary person, not just a lawyer. That rules out long, unreadable privacy policies full of legal and technical jargon, and it means overhauling your privacy policies, terms and conditions, disclosures, opt-in boxes, and every other communication about a user’s data to meet GDPR standards.

What you need to do when you ask for consent

When you ask for consent, it must be informed consent. Lay out explicitly, in everyday language, why you want a user’s information and what you intend to do with it.

You also have to tell users that they can withdraw consent at any time, as easily as they gave it, and that they can request correction, deletion, restriction, a copy, or transfer of their data. Whenever you request consent for a user’s information, you must include the following:

  • Who you are and your contact information
  • The contact of the Data Protection Officer (DPO), if you have one
  • The purpose for requesting the data
  • The legal basis for requesting the data
  • If the legal basis is legitimate interests pursued by you or by a third party, you have to say what those legitimate interests are
  • Identify who else will process data if there are any third parties involved

Two essential points about consent are:

Consent must be freely given: You must be able to prove that consent was freely given and specific. Each purpose (marketing email, analytics, sharing with partners) needs its own opt-in, and a request buried in a page of terms does not count.

Consent can’t be a precondition to using services: Consent must be separate from all other terms and conditions, and you cannot make a service depend on consent to processing the service does not actually need. That ends the practice of bundling a set of services and permissions behind a single “I accept” checkbox. Pre-checked opt-in boxes, silence, and inactivity are not consent either.

Transparency in privacy policies and opt-ins under GDPR

The first step in transparent and informed consent is revising privacy notices, disclaimers, and cookie notices to include all of the information that the GDPR requires in simple, readable language. The GDPR wants you to inform users of the following:

  • What data do we collect? — Identify what data you collect. Name, email, phone, etc.
  • How do we collect your data? — Explain how data is collected. Forms, opt-ins, web browser, etc.
  • How do we use your data? — Explain exactly how the data will be used. Process an order, email list for additional services, etc.
  • How do we store your data? — Explain how data is stored, its location, and your security features. 
  • Marketing — What 3rd party companies you share data with, and the ability of users to opt-out!
  • What are your data protection rights? — You must inform users of their rights under GDPR:
      • The right to access – Users have the right to know what data you have
      • The right to rectification – Users can ask you to correct their data
      • The right to erasure – Users can ask you to completely erase their data
      • The right to restrict processing – Users can ask you to restrict data processing
      • The right to object to processing – Users have the right to stop you from processing their data altogether
      • The right to data portability – Users can ask you to send their data somewhere else
  • What are cookies? — Explain what cookies are. 
  • How do we use cookies? — Explain precisely how you use cookies. Keep you signed in, track your purchases, etc.
  • What types of cookies do we use? — You must explain every function used under your cookie policy. Functionality, advertising, etc.
  • How to manage your cookies — Give all users the ability to opt-out of any type of cookie functions. Explain how it might affect user experience on your site.
  • Privacy policies of other websites — Explain that your privacy policy doesn’t cover websites you hyperlink to.
  • Changes to our privacy policy Provide the latest date you updated your privacy policy. Explain how and when you update your privacy policy.
  • How to contact us — Provide, email, phone, and physical address.
  • How to contact the appropriate authorities — Under the GDPR this is the supervisory authority of the EU member state where the user lives or where you have your EU establishment (Article 77). The UK’s Information Commissioner’s Office (https://ico.org.uk/) covers the UK GDPR, which applies separately since Brexit. US companies should also list any other privacy regulator that covers their jurisdiction.

What revising your privacy policies means to your business processes

It stands to reason that before you revise your existing privacy notice to a privacy notice that outlines everything you promise to do, you need to have set up both the technical and business processes to be able to do what you say.

To anticipate the changes in purpose and legal basis that occur in data processing, you’ll need to walk through the timeline of all your business processes that involve the collection, processing, and retention of data — who has access to it and why. Then you can be clear about what needs to go into your privacy notices, terms and conditions, disclosures, opt-in boxes, etc.

Can I use legitimate interest as a lawful basis to collect and process data under GDPR?

Legitimate interest may sound vague enough to slip marketing or tracking cookies or pixels in under it. It is not. If you rely on legitimate interests, you must tell the user exactly what that interest is, in plain language, document the balancing test you did against the user’s rights, and give the user the right to object. And for cookies and similar tracking that is not strictly necessary for the service the user asked for, the ePrivacy Directive requires prior consent regardless of which GDPR basis you would otherwise pick.

The bottom line is that there is no sneaky way around being completely transparent and upfront with users about why you want their data from the very beginning.

Can I use contract as a lawful basis to collect and process data under GDPR?

If you sell someone a product online, you need their payment details, and if you ship it, you need their address. Once the product is delivered, you no longer need the address to perform the contract. Do you have to delete it?

Probably not yet, but not under the same basis. You need a record of the sale, address included, for accounting and tax purposes. That is a separate purpose: performance of the contract (Article 6(1)(b)) ends when the goods arrive, and keeping the record afterwards rests on either a legal obligation (Article 6(1)(c), if the retention duty comes from EU or member-state law) or your legitimate interests (Article 6(1)(f), for a retention duty under US law). Your privacy notice and retention schedule should say which applies and for how long.

What happens to data you’ve collected when you’re done with it is still your responsibility

Now consider the bank or payment provider that processes the customer’s card payment. It needs the address to authorize the payment, and it must also hold onto transaction records to comply with financial regulation. Has the legal basis changed? Yes, and you need to be aware of this.

The payment provider got the address from you, but for its own regulatory record-keeping it acts as a controller in its own right, and its basis for retaining the address is no longer Article 6(1)(b) contract but Article 6(1)(c) legal obligation. You, as the controller who collected the data, have to anticipate this from the outset: know which recipients act as your processors (who may only do what your contract with them says) and which are independent controllers with their own obligations.

You can’t respond to a user’s request about their data if you don’t know where it is

This example shows why US companies need to walk through their business procedures involving data and look at them in a new light. To stay in compliance as the data controller (you collected the information in the first place), map your data supply chain so that you know where the data you collect is held, who is processing it, on what basis, and why.

You can only respond to a user’s request about their data when you know where their data is. Only then can you be sure that you are in compliance. Most companies will have to change how they collect, store, and process data to comply with the GDPR, and most will need to amend their data governance plan and team.

Challenges for compliance with GDPR

One of the biggest challenges companies face in complying with the new data privacy regulations spreading around the globe is that much of the data they collect, control, and process sits in unstructured storage, both on-site and in the cloud. That the same data is shared with third-party processors complicates the issue further.

Firms have to be able to locate and quantify the personal data stores they hold to minimize risk. You should only keep the data that is necessary for those business purposes that you can prove you have a valid legal basis for, as discussed above.

Penalties of non-compliance with GDPR

The GDPR can impose heavy fines on data controllers and processors for non-compliance. There are two tiers: up to 10 million euros or 2% of worldwide annual turnover, whichever is higher, for infringements such as failing to keep records or to secure data; and up to 20 million euros or 4% of worldwide annual turnover, whichever is higher, for infringements of the basic principles, data subjects’ rights, or international transfer rules. The GDPR also gives individuals a right to compensation for material or non-material damage caused by a controller or processor that violates it (Article 82).

For those who still think these fines won’t apply to them: the California Consumer Privacy Act (CCPA) carries per-violation civil penalties and, for certain data breaches, a private right of action with statutory damages per consumer.

Other disadvantages of non-compliance with GDPR

Beyond penalties, the reasons for taking the GDPR seriously are that global consumers and B2B companies already expect you to. If you control or process data, your clients and business associates will be asking if you are GDPR compliant because they can get in trouble if you aren’t.

To put it bluntly, you could lose customers if you are not GDPR compliant. And you may lose trust, which is harder to regain than it was to earn. You want the PR for your brand to celebrate your accomplishments, not to defend your missteps.

The advantages of complying with GDPR

In the long run, taking your company to GDPR compliance level is going to give you a much better understanding of where all the data is in your company. It will also help you become more effective and efficient in your business decisions. Your company will be more prepared to handle any data breach incidents. And you’ll be that much more ahead of the game when local privacy laws in your geographic region of governance take effect.

The upside of being GDPR compliant is that it can give you an edge in your industry, especially if you reach compliance before your competitors do.

In today’s digital business climate, data privacy and security is a huge selling point for those leading the way. Consumer trust is a new realm of marketing that companies need to take seriously. Get a handle on your network infrastructure and business processes, and align yourself with compliant vendors and service providers. You’ll protect the market share you have now, and set yourself up to grow that share tomorrow. 

 

HIPAA Compliance Checklist for 2021

Check the pulse of your HIPAA program

Whether you’re just getting started creating a HIPAA compliance plan for your organization, or checking the pulse of your current HIPAA program, a road map is always helpful.

The HIPAA requirements are deliberately vague because they need to be flexible and scalable enough to apply to a broad range of health care companies and anyone those companies contract with. This HIPAA compliance checklist aims to do several things. 

  1. Introduce you to the language used in HIPAA so that you have a better grasp of the HIPAA Rules.
  2. Help you become more acquainted with the HIPAA rules and what they require of you if you deal with Protected Health Information (PHI).
  3. Help you determine what areas your organization may need to focus on to become HIPAA compliant by providing a simplified checklist that can point your efforts in the right direction.
  4. Give you some additional tips on how to use the HIPAA Security Risk Assessment Tool to find weak areas in your HIPAA compliance program.

What is HIPAA trying to protect?

HIPAA protects the security and privacy of patients’ Protected Health Information (PHI) in any form: oral, paper, or electronic. PHI in electronic form is called ePHI.

As most health information is managed digitally these days, the handling of ePHI is critical. HIPAA expects healthcare organizations to protect any ePHI they collect, process, transmit, or store, and to make sure that patients can access it and have it amended if it is incorrect, whether because of an error or because of identity theft.

This Compliance Checklist will walk you through the more critical aspects of the HIPAA so that you can determine what areas your organization needs to work on to get in HIPAA compliance.

What’s the difference between a Covered Entity and a Business Associate under HIPAA?

A Covered Entity (CE) is any health care provider, health plan, or health care clearinghouse that creates, maintains, stores, processes or transmits PHI or ePHI. Most health care organizations do business with 3rd parties that provide a service or perform a specific function or activity for a  company that may involve having access to ePHI. Under HIPAA, these 3rd parties are called Business Associates (BA). 

Before it may access ePHI, a Business Associate must sign a Business Associate Agreement (BAA) with the Covered Entity. A Business Associate is directly liable under HIPAA for complying with the Security Rule and with the Privacy Rule obligations its BAA imposes, and it must in turn sign BAAs with any subcontractors that handle the ePHI.

Check the boxes of the statements you agree with:

□ We have identified all of our Business Associates (BA) and vendors.

□ We have Business Associate Agreements (BAAs) in place with all of our BAs.

□ We have satisfactorily assessed all of our BA’s HIPAA compliance levels.

□ We monitor and revise our BAAs annually, and anytime there is a change in services.

□ We have Confidentiality Agreements in place with non-BA vendors.

The HIPAA Privacy Rule 

The privacy rule provides the standards for people who are allowed to have access to PHI and governs the use and disclosure regulations of any PHI. If your organization has contact with PHI in any way, you have to develop privacy procedures and policies that adhere to the privacy rule and use authorizations as instructed by the HIPAA. 

Use and Disclosure of PHI

□ We acquire and hold HIPAA authorizations for any uses and disclosures of PHI, which aren’t otherwise permitted by the HIPAA Privacy Rule.

□ Our authorizations are written in everyday, plain language (no legalese) and clearly explain the precise uses and disclosures of PHI.

□ Our authorizations accurately describe to whom we will disclose PHI.

□ Our authorizations include an expiration date.

□ Our authorizations are signed and dated by the patient.

 

Individuals’ Access to PHI

□ We have procedures for providing patients with access to their health information.

□ At an individual’s request, we provide access to and copies of their PHI.

□ We provide copies of an individual’s PHI in the format of their request.

□ We respond to an individual’s request for copies of any PHI within 30 days (with at most one 30-day extension, after notifying the individual in writing of the reason and the new date).

□ Our fees charged for requested copies of PHI by an individual are cost-based.

 

Notice of Privacy Practices (NPP)

The Privacy Rule gives people the right to information about an organization’s privacy practices. The HIPAA refers to this as Notice of Privacy Practices (NPP). While Covered Entities can use templates for their Notice of Privacy Practices, the notices should be customized to your organization.

□ We have created and customized a Notice of Privacy Practices (NPP)

□ We have provided a copy of our NPP to all patients.

□ All patients have confirmed in writing that they’ve received a copy of our NPP.

□ We have posted an NPP in a visible and prominent location on our website.

□ We have posted an NPP poster in a visible and prominent location visible to patients in our facility. (If applicable.)

□ We have procedures in place and have trained staff for dealing with complaints and any failures on our part to comply with our NPP.

The HIPAA Security rule 

The Security Rule requires covered entities and business associates to evaluate risks and vulnerabilities and to implement reasonable and appropriate security defenses against anticipated threats to the confidentiality, integrity, and availability of ePHI. There are three categories of safeguards in the HIPAA Security Rule:

  • technical safeguards 
  • physical safeguards 
  • administrative safeguards

These are areas that you need to assess yourself with an understanding of what could go wrong in either the technical, physical, or administrative functions of your organization that could make ePHI vulnerable to a breach. You’re basically looking at your IT set up, your office set up, and your staff policies. 

HIPAA Technical Safeguards § 164.312

Technical Safeguards concern the technology used both to provide access to ePHI and to protect it. HIPAA won’t tell you how to achieve compliance, but it does spell out the outcome it expects. Many of its implementation specifications are “addressable,” which means you must either implement them or document why an alternative is reasonable and appropriate.

Access control

This section deals with who is authorized to access ePHI. (Workforce clearance and termination procedures are formally Administrative Safeguards under § 164.308(a)(3), but they decide who should hold an ID, so they belong in the same review.)

□ We have an identity management and access controls plan in place.

□ We assign unique IDs to all individuals authorized to access ePHI; no shared or generic accounts are used for ePHI.

□ We can confirm that access to ePHI is restricted to authorized individuals only for the purposes of their employment duties.  

□ We vet all employees before providing authorization to access ePHI and can confirm authorization is appropriate.

□ We have procedures in place to terminate an employee’s access to ePHI if their position changes or they leave our company.

□ We have procedures in place to recover all devices and media holding ePHI if an employee’s position changes or they leave our company.

 

Audit logs  

Track all users who access ePHI on your systems and monitor all activities and systems involving ePHI at all times.

□ All of our uses and disclosures of PHI/ePHI are limited to the minimum amount of PHI necessary for the purpose the PHI/ePHI is disclosed. 

□ Our systems are set to log out any user after a period of inactivity automatically.

□ We have created ePHI access logs and monitor them consistently.

□ We have created ePHI access logs that track successful and unsuccessful login attempts. 

□ ePHI access logs are monitored consistently for unauthorized access to ePHI.
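The checklist above asks for ePHI access logs that record both successful and unsuccessful logins and are monitored for unauthorized access. The script below is an added example (not from the page or any product) of the kind of monitoring pass a security officer could run over such logs; it assumes a hypothetical one-line-per-event log format and a constructed table of which users are authorized to view ePHI, and flags failed-login bursts and record access by users outside that table.

```python
"""Added example: monitoring constructed ePHI access log lines.

Assumed (hypothetical) line format, one event per line:
    <ISO timestamp> user=<id> event=<login|access> outcome=<success|failure> record=<patient-id or ->
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for illustration only (not real data).
SAMPLE_LOG = """\
2024-03-01T08:00:00 user=u101 event=login outcome=success record=-
2024-03-01T08:01:10 user=u101 event=access outcome=success record=P-4410
2024-03-01T08:05:00 user=u207 event=login outcome=failure record=-
2024-03-01T08:05:20 user=u207 event=login outcome=failure record=-
2024-03-01T08:05:45 user=u207 event=login outcome=failure record=-
2024-03-01T08:06:05 user=u207 event=login outcome=failure record=-
2024-03-01T08:06:30 user=u207 event=login outcome=failure record=-
2024-03-01T08:06:50 user=u207 event=login outcome=success record=-
2024-03-01T08:07:15 user=u207 event=access outcome=success record=P-4410
2024-03-01T09:30:00 user=u350 event=login outcome=success record=-
2024-03-01T09:31:00 user=u350 event=access outcome=success record=P-9981
"""

# Constructed "minimum necessary" table: users whose duties include ePHI access.
# In practice this would come from the identity management system.
AUTHORIZED_EPHI_USERS = {"u101", "u350"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>login|access) "
    r"outcome=(?P<outcome>success|failure) record=(?P<record>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; unparseable lines are returned, not silently dropped."""
    events, bad = [], []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            bad.append(raw)
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events, bad


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {user: count} for users with >= threshold failed logins in any sliding window."""
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["outcome"] == "failure":
            per_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged


def unauthorized_ephi_access(events, authorized):
    """Successful ePHI record accesses by users not in the authorized set."""
    return [(e["user"], e["record"]) for e in events
            if e["event"] == "access" and e["outcome"] == "success"
            and e["user"] not in authorized]


def login_outcomes_logged(events):
    """Checklist check: the log records both successful and unsuccessful logins."""
    outcomes = {e["outcome"] for e in events if e["event"] == "login"}
    return {"success", "failure"} <= outcomes


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    print("unparseable lines:", bad)
    print("failed-login bursts:", failed_login_bursts(evs))
    print("unauthorized ePHI access:", unauthorized_ephi_access(evs, AUTHORIZED_EPHI_USERS))
    print("both login outcomes logged:", login_outcomes_logged(evs))
```

On the constructed log, user u207 is flagged both for five failed logins inside ninety seconds and for then opening a patient record outside their authorized duties, which is the kind of finding the security officer's log review is meant to surface.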


Integrity 

Protect ePHI from being destroyed or altered in any way and be able to tell if it has.

□ We have controls in place to protect ePHI from being altered or destroyed unless authorized.


Transmission Security 

Make sure all ePHI – whether at rest or in transit – is encrypted to NIST standards once it moves outside your organization's internal firewalled servers, so that patient data is unreadable, undecipherable, and unusable by any unauthorized employees or 3rd-party contractors. Prevent unauthorized access to ePHI over any network communications such as public Wi-Fi.

□ We have assessed whether encryption of ePHI is necessary.

□ If encryption of ePHI is unnecessary, we have instead employed alternative and equally effective means to secure the integrity, confidentiality, and availability of all ePHI.

□ We have controls in place during electronic transmission to safeguard against any unauthorized access of ePHI.

□ We have documented our decisions regarding encryption and electronic transmission safeguards.


HIPAA Physical Safeguards § 164.310

Physical standards are designed to protect storage media and the physical places where ePHI is held in an organization.

□ We have procedures in place for the secure disposal of ePHI and PHI.

□ We have procedures in place to make physical PHI forever unreadable upon disposal.

□ We have procedures in place to permanently delete all ePHI stored on devices being prepared for disposal.

□ All devices that hold ePHI and PHI are secure at all times.


HIPAA Administrative Safeguards § 164.308

This section deals with your staff, employees, and any workforce member that comes into contact with ePHI, whether from your office or a 3rd party contractor. It also requires you to designate a Security Officer.

Assigned security responsibility 

You need to designate a security official who will conduct risk analyses, monitor audit logs, train the workforce, manage security incidents, and update policies and procedures.

□ We have a designated HIPAA Security Officer.


Security awareness and training

Have a required security awareness training program for all employees.

□ All employees attend annual HIPAA training.

□ We keep documentation to substantiate that all employees attend annual HIPAA training.

□ All staff have received Security Awareness training.

□ We keep documentation to substantiate that all employees have received Security Awareness training.

□ We provide staff with periodic updates to reinforce Security Awareness training.


Contingency plan 

These are guidelines for emergencies.

□ We have a contingency plan set up for emergencies.

□ We have developed procedures for responding to emergency situations.

□ We keep an up-to-date, exact-copy backup from which all ePHI can be recovered in the event of a disaster.

□ We have procedures in place in the event of operating in emergency mode to ensure that all critical business processes function.

□ Our contingency plans are updated and tested at regular intervals.


Security incident procedure

Security incidents require a response and reporting whether or not there is a data breach. You need to set up a system to audit and track any security events.

□ We have procedures in place for any security incidents and data breaches.

□ We have the capability to conduct and record investigations of all security incidents.

□ We are able to report all breaches or incidents.

□ Our employees can anonymously report any privacy or security incident and any potential HIPAA violation.


HIPAA Breach Notification Rule 

The Breach Notification Rule applies to unsecured ePHI, which is ePHI that has been neither encrypted nor destroyed and so remains usable and readable. (HHS states that encryption and destruction are the only two methods that will render ePHI unusable, unreadable, and undecipherable.)

□ We have policies and procedures in place under HIPAA Privacy, Security, and Breach Notification Rules.

□ All employees have read and legally attested to the HIPAA policies and procedures.

□ We have documentation of all employees’ written legal confirmation of the HIPAA policies and procedures.

□ We keep documentation for our annual reviews of our policies and procedures.


Audits

Covered Entities and Business Associates must conduct their own periodic audits. There are six required annual self-audits for businesses. There are five required annual self-audits for Business Associates.

These audits are entirely self-conducted by Covered Entities and Business Associates. Only the Security Risk Assessment (SRA) has any guidelines in the form of an available tool on the HHS site. All other audits are up to you. Links are provided to the relevant rules for your reference.

□ We have completed the six annual audits required by the HIPAA compliance program:

  • Security Risk Assessment (SRA)
  • Security Standards Audit — Self-audit against the HIPAA Security Rule.
  • Asset and Device Audit — List all devices that hold ePHI and who uses them.
  • Physical Site Audit
  • HITECH Subtitle D Audit
  • Privacy Assessment (Not required for BAs) — Self-audit against the HIPAA Privacy Rule.

□ We have proof that we have conducted the six annual audits and assessments for the past six years.

□ We have identified any and all gaps revealed in the self-audits.

□ We have documented all areas with deficiencies or gaps.

□ We have created a remediation plan to correct any and all deficiencies or gaps found in the audits and risk assessments.

□ Our remediation plans are fully documented in writing.

□ We review and update our remediation plans annually.

□ We keep copies of our yearly remediation plan for six years.

What is a HIPAA Risk Assessment? 

A risk analysis can help you establish the safeguards you need at your organization to protect patient data and comply with HIPAA. It allows you to identify risk and then develop and put in place administrative safeguards and protections, such as office rules and procedures, that keep ePHI secure under the HIPAA Security Rule.

The US Department of Health & Human Services (HHS) offers guidance on risk self-assessment on its website as well as a Security Risk Assessment (SRA) Tool that you can download to guide you through the risk assessment process. 

The SRA Tool walks you through potential threats and vulnerabilities and gives recommendations based on standards identified in the HIPAA Security Rule. Keep in mind that the SRA Tool only provides scoring in terms of risk, not compliance. Also, the SRA Tool is only available for Windows. (There’s an older version of the HHS SRA Tool for iPad in the App Store.) 

How does a HIPAA Risk Assessment work?

A HIPAA Risk Assessment helps you identify any potential risks to the PHI that your company holds, transmits, creates, or receives from another party. It walks you through the required actions that you must be able to perform to be in compliance. It also helps you identify areas or gaps in security that you need to upgrade. The risk assessment for ePHI asks you to focus on several areas:

  • Storage, processing, and transmission
  • Potential threats and vulnerabilities
  • Current security measures
  • Proper use of security measures

It then asks you to make determinations based upon your assessment:

  • What’s the likelihood of a reasonably anticipated threat?
  • What’s the potential impact of a data breach involving ePHI?
  • What are the risk levels for vulnerability and impact?
  • What actions can be taken to improve the security features to mitigate any threats, breaches, or vulnerabilities?

HIPAA recommends that you perform risk assessments annually and anytime you implement new work procedures, update systems, or redesign programs.

Disclaimer:  This checklist is merely a guide to direct you toward what you may need to work on to achieve HIPAA compliance. Completing this checklist does not in any way mean you are HIPAA compliant, nor does it give legal advice. Consult a HIPAA compliance professional to ensure your organization achieves and retains HIPAA compliance. 


Release Notes December 23rd: CSV export for all users, Hub Logout and Syncing Improvements

Hello SnapEngagers,

Here are the latest changes that applied to the system in the last weeks:

Updates:

  • A new CSV export of all agents and sub-admins: An account owner now has the option to download a “Full User Report” of all users across all widgets as a CSV file in the My Account > My Info section.
  • Admin Dashboard:
    • Proactive Chat: We have improved the UI for the proactive configuration modal in preparation for an upcoming feature release. Stay tuned for updates!
    • We have increased the audit log events for changes to the Design Studio tab to include the selection of a different design.
    • We have updated and improved the UI of the subscription and payment page.
  • Bot API:
    • Improved the performance of the initial message query to the bot to speed up the first bot response.
  • Chat Box:
    • Moved the call-me button to the input menu (This option was temporarily in the old position at the bottom of the box outside of the menu).
  • Hub:
    • Improved the login speed for accounts set up on a very high number of widgets.

Resolved Issues:

  • Hub:
    • Fixed an issue where the system did not immediately register when an agent logged out of the Hub. The “logout” option will now log the agent out of all Hub sessions they were logged in to, across windows and tabs.
    • To avoid missing visitor chat messages we have improved the syncing behaviour of Hub when an agent intermittently loses their connection.
    • Also improved the team chat message syncing.
    • Fixed an issue where agent links were not resolved correctly in the right side column.
    • Fixed the infinite scroll on team chats.
    • Fixed a UI issue with the Knowledge Base search box and file upload request modal.
    • Fixed a UI issue with the Survey Score modal.
  • Microsoft Dynamics integration: Fixed an issue where the ‘Topic’ field in Dynamics was not updated by the custom data mapping selection.
  • Proactive Chat: Improved the admin dashboard performance when a high number of proactive chat rules are configured.
  • Auto Translate: Fixed an issue where auto-translated messages were missing for a transferred chat.
  • Analytics:
    • Fixed Agent Performance – Transfers Report – drill down by agent not displaying chats.
    • Fixed two issues with Visitor Experience – Queue Report:
      • Chats in Queue vs Total Count report drill down showing the wrong selection of chats.
      • Queue report graph was showing the queued chats outside the top of the report.
      (Notice: The Hourly Average Time in Queue and Visitor Queue Time Binned Report are currently not yet updated and remain to be fixed.)

Four Steps to Data Governance C-level Sponsorship

Privacy laws such as the CCPA are being enacted all over the country at a rapid pace. Some firms are still struggling with how to get executive levels on board. Successful data governance plans need a C-level sponsor who understands the business value of adopting a thorough data governance strategy as well as the risks of kicking the can down the road. It may be up to you to convince them why. 


Getting executive support starts with educating your internal team on data privacy laws. You’ll need to be able to communicate the benefits to the bottom line while illustrating the urgency of preparing for the rapidly developing regulatory environment. 

Nothing speaks truth to power as quickly as fact. The implementation of the GDPR in May of 2018 caught many companies unprepared. Your proposal should give your internal team a glimpse of what happened to those firms who were not GDPR ready and highlight critical data risks firms are experiencing. The goal is to align data privacy with leadership’s priorities and be able to respond to their questions. 

Here are four steps you can take to prepare your proposal to educate your internal team on data privacy law.  

1 – Point out the effect of data privacy law compliance on revenue

As the California Consumer Privacy Act (CCPA) begins in 2020, we can look back at the implementation of the GDPR in 2018 and how those companies that set up a data governance plan immediately had a competitive edge over those that didn’t. 

The consumer climate is data privacy-aware. Customers and business associations are starting to insist that firms answer questions about data privacy. As a result, compliant companies experienced less of a sales delay due to customer privacy concerns. 

A January 2019 report by Cisco Cybersecurity mentioned that 87% of the companies reported having delays in sales because they hadn’t yet created a data governance plan or were struggling to implement one and could not respond to the client’s data privacy requests or concerns. 

Cisco also reported that GDPR-prepared companies experienced roughly one week less of a sales delay than those that weren’t yet compliant, and two weeks less of an impediment than those who knew they wouldn’t be able to reach compliance in one year.

There are both benefits to being compliant and detriments to not being compliant, and becoming compliant is not something you can do overnight. The sooner C-level and internal teams understand the potential damage to the bottom line from ignoring data privacy laws, the closer you are to being ahead of them.

The goal is to present the importance of a data governance plan, team, and execution as inseparable from your firm's vision for growth and scalability. Being GDPR and CCPA compliant is becoming a public marker of personal data safety. The more consumers demand data transparency, the more your level of competitiveness will hinge on your level of compliance.

2 – Highlight key data risk issues firms are currently experiencing

Data graveyards — Many businesses have masses of latent data stored in disparate locations which interferes with database efficiency by impeding migration, increases risk, and bleeds finances. Data assessment, data mapping, and data pruning as a part of a data governance plan are first steps in tackling data graveyards. 

To comply with data privacy laws, firms will have to be able to retrieve and delete data in a timely fashion or face the possibility of fines and lawsuits. House cleaning and streamlining data storage will enhance a firm's ability to scale and remain agile amid rapidly evolving technology and an increasingly data privacy-focused business climate.

Fines and lawsuits — The lack of a thorough and compliant data governance program is a liability that leaves a firm’s bottom line exposed. Fines, lawsuits, and reputational damage are definitely something that C-suite management can understand. Bring in the statistics, resources, and projected outlook to build a sense of urgency. Data privacy penalties are real, and they are becoming more and more prevalent in all markets and countries. Here are some recent examples:

  • British Airways £183.39M
  • Uber £385,000
  • Equifax £500,000
  • Marriott International £99M
  • Facebook Ireland £500,000
  • Google $50M
  • YouTube $150M

Information security — Data breaches are a genuine threat. Without a robust and scalable data governance plan in place, companies will be less able to defend against the increasingly evolving technology used by malicious agents. Not only will data breaches harm your reputation and your brand, new data privacy laws such as the CCPA will also slap you with fines and open you up to civil action. Some of the data breach headlines of 2019 include:

  • Capital One — One of the most significant data breaches in history. 106M private records were hacked, including customers’ personal information, Social Security, and credit card numbers.
  • Adobe Creative Cloud — 7.5M users' emails and other details that could be used in phishing attacks against users.
  • Canva — 140M users' login credentials hacked.
  • American Medical Collection Agency — 7.7M private records, including Social Security numbers and medical records, resulting in the medical billing vendor filing for bankruptcy.

Third-party vendors — The GDPR requires mutual B2B compliance. This means if your vendors are not in compliance, neither are you. The CCPA requires a written contract in place with all vendors that has specific language. Privacy laws make it compulsory for companies to audit the third-party vendors in their supply chain as soon as possible. This also means that you can expect inquiries about your level of data governance from your business associates as they prepare for compliance with data privacy laws.

3 – Align data privacy with leadership priorities

What execs need to understand is that data privacy is here to stay and will only continue to develop in a future that is inextricable from the dependence on data collection for business processes. In short, tabling this issue will only make things more complicated and more expensive down the road. 

After the passage of GDPR, many US media sites had no choice but to block EU customers because they didn’t prepare soon enough. The California privacy law has a more extended reach. As the 5th largest market in the world, expect the CCPA to become a national standard. Any company doing business with any person or service provider from California will be directly affected.

Overhauling or implementing a data governance program will be an investment challenge. It will require embedding data protection throughout all processing operations and communication through all lines of business in an organization. It may even require firms to rethink their business models. Your internal team needs to understand that the quality of this investment will have a direct effect on scalability in the future. 

4 – Be prepared to respond to C-level questions

1 – Study GDPR and CCPA laws with legal to grasp a full understanding of the bar set for current data privacy laws.

2 – Review your ongoing master data management and data governance programs with IT to isolate primary weaknesses and brainstorm solutions.

3 – Research data governance plan and data governance team options considering the structure currently in place. You have choices here depending upon your current data management structure but keep agility and scalability in mind. You’ll want to be able to illustrate the benefits of the future adaptability of any data governance investment. 

4 – Beyond regulatory obligations, prepare to speak to risk mitigation, customer expectations, and ROI considerations to leverage leadership priorities.   

Depending on your organization, you may only get one shot at getting your internal team on board. Take the time to prepare thoroughly to maximize your chances of getting funding and support from senior leadership. Identifying the key decision-makers, their priorities, and what angles have persuaded them in the past will go a long way towards a smooth sale. 


How to Comply with New Data Policies

Why You Need to Comply with New Data Policies


The EU’s General Data Protection Regulation (GDPR) caught many companies with European customers off guard — and started a tidal wave of data regulation legislation across the globe, including America. Organizations the world over scrambled to try to comply with new data policies.

GDPR introduced higher privacy standards, transparency, and accountability for all companies (both inside and outside the EU) that offer goods or services to —  or collect the data of — EU individuals.

Think it doesn't apply to you? The GDPR has set a precedent for a wave of similar data privacy laws… everywhere.

Tens of thousands of violations were reported within eight months after the GDPR went into effect on May 25, 2018 — one was Google. Facebook’s verdict should be revealed in the coming months. 

Sites that weren’t prepared to comply with new data policies, such as the LA Times and Chicago Tribune, went dark in Europe until they could get up to speed. The penalties under GDPR can be up to 4% of a company’s revenues.


The new US data privacy laws expose companies to fees and lawsuits

Even though the federal government has yet to adopt a nationwide data privacy law, the states have been taking up the slack and creating their own. To date, data privacy, data security, cybersecurity, and data breach notification laws have been passed, enacted, or are pending in 25 states creating a potpourri of regulation that can be confusing. 

The penalties of these laws are stiff, but they can also expose companies to private legal action which can be considerably more damaging to both a firm’s bottom line and brand.

Act Now


Firms need to be proactive and get in front of the coming onslaught of data privacy laws. On the state level, the most comprehensive law thus far is the California Consumer Privacy Act (CCPA). The CCPA went into effect on January 1, 2020. 

Coupled with the GDPR, the CCPA is a good frame of reference to gauge what changes you need to implement today. The CCPA is currently worded to apply to companies that:

  • Have more than $25M in gross annual revenue, or 
  • Handle the personal information of 50k consumers, households or devices, or
  • Receive 50% of their revenue from selling consumer personal information.

Qualifying hurdles are likely to get even more stringent as legislation continues to be enacted and amended all over the country.


The Gist? Consumers Own Their Own Data. You Don’t.


In contrast to the past, today’s data is no longer the property of the company to do with what it wants, it’s the property of the customer. Under the CCPA regulations, here’s what needs to happen when consumers visit your site for you to comply with new data policies.

  • Consumers must be informed that you collect data, what data you collect, and how that data will be used — in language they’ll understand
  • Consumers must be provided with all of their personal information if they request it
  • Consumers can request that you delete all of their personal data which means you must make sure that any third-party service providers you do business with delete it as well 
  • Consumers can’t be discriminated against for exercising their rights

Consumers can sue if there's a breach of unencrypted or unredacted data.


5 Steps to comply with new data policies


1. Educate yourself on GDPR and CCPA laws

Companies will not only have to comply with new data policies — but also be able to prove what they did to ensure compliance. Learn more about these regulations, and any other regulations that are relevant to you, so you can understand how to comply with new data privacy laws that might apply to you. You’ll then have to do a bit of data soul searching and thoroughly revisit why you collect data in the first place.

2. Create a team and framework for compliance

  • Integrate IT and legal to develop a team and a plan for compliance
  • Understand the definitions of “Personal Information” under GDPR, CCPA, and any other laws that may have jurisdiction over the data you collect, how you collect it, how it is controlled, processed, managed and protected.
  • Identify similarities, overlaps, and gaps between privacy laws in different relevant jurisdictions

3. Identify and classify what data you collect


What lawful basis do you have for collecting data? 

There must be a lawful reason for you to collect, control, and process data to be in compliance under the GDPR. There are six categories of lawful basis for data collection:

  • Consent: The consumer has given you consent to collect their data.
  • Contractual:  The collection of data is necessary for your company to fulfill a contract with the consumer.
  • Legal Obligation:  Your company must collect and/or keep the data to comply with the law.
  • Vital Interests:  Your company must collect/keep/use a consumer’s data because it is necessary to protect the vital interest of the consumer or another party.
  • Public Task:  Your company must collect/keep/use a consumer’s data in order to perform a task that is in the public interest.
  • Legitimate Interests:  It’s in the legitimate interest of your company and the consumer to collect/keep/use their data.


What data is subject to GDPR, CCPA, or any other relevant data privacy regulations?

Beyond obvious identifiers such as names, social security numbers, medical records, etc., personal information can extend to many other, more indirect identifiers. Both data laws specify data that could be used as an identifier, ranging from cookies and IP addresses to order history and geolocation.

While the GDPR includes all publicly available data, the CCPA makes further distinctions about which publicly available data is subject to the law. This means that even though you may collect data that is available to anyone online, once it is controlled by you, you may be subject to compliance. A careful study of what constitutes data under any relevant privacy regulation is critical.


What data is shared and/or managed by third parties? 

Both data controllers and processors are subject to compliance. GDPR and CCPA both say companies can only work with other companies that are also completely compliant. Anyone that processes data sourced from you must be in compliance. Your business associates need to follow suit. If they don’t, find new ones.

4. Evaluate your data management and protection systems

  • What are your current data protection systems?
  • What are your data mapping and integration processes?
  • What are your procedures and controls for internal access rights and requests?

5. Take Action

  • Overhaul vendor agreements, on both sides, for third-party compliance
  • Develop procedures for tracking and confirming the compliance of business associates and service vendors — if they're not in compliance, get new ones
  • Develop procedures for managing opt-out and deletion requests
  • Revise customer consent, disclosure, and privacy notices with legal counsel
  • Invest in technology upgrades, security tools, and AI to mitigate risk and upgrade your cyber defense platform
  • Hire or designate staff to manage data protection, stay apprised of changes in regulation and communicate with regulators
  • Develop procedures for ongoing internal updates and security awareness staff training to stay in compliance with evolving regulations

The benefits of complying today


As privacy standards become the status quo, transparency and trust will be major players in generating brand loyalty. Firms that incorporate secure and compliant customer solutions will generate consumer trust and engagement sooner than others.

SnapEngage chat solutions let you send and receive data and images in compliance with the most rigorous privacy laws emerging — both internationally and in the US. Our customizable platform and omnichannel reach allow you to engage with prospects and customers wherever they are. 

With SnapEngage, you won’t have to worry about making sure you comply with new data policies, privacy regulations, or amendments when using chat. We do that work for you.


How to Put Together a Data Governance Team


Many businesses are scrambling to either upgrade or design a data governance plan. A wave of new privacy law legislation, set off by the GDPR in Europe in May 2018, has brought data governance programs and their terminology into a fresh spotlight. The new California Consumer Privacy Act (CCPA) effective January 1st, 2020, has created an even more pressing sense of urgency. 

Organizations currently exploring what type of data governance plan would be a good fit for their business structure are likely running into a dizzying array of terminology involving data chiefs, officers, councils, committees, data stewards, and data owners that leaves them more confused than when they began.

The truth is it really doesn’t matter whether you call your data governance plan a ‘program’ or ‘policy’ or your team a ‘committee’ or a ‘council.’ The data governance plan and data governance team right for your firm are highly dependent on your industry sector, size, and business culture. There is not one unique framework for all.


Tailor your data governance team to your business framework

Data governance and data management have rapidly evolved from an IT-specific responsibility to an enterprise-wide necessity. Along with data evolution, roles and titles have changed as well — and they’re still evolving. 

When pulling together a data governance team, it’s important to remember that all employees are data people and need to bear varying levels of responsibility for data governance. How you assign specific roles and titles should be in line with your company’s architecture rather than any convention.

What is a data governance team?


A data governance team is made up of people from throughout an organization who carry out responsibilities specific to their role within a data governance plan. A data governance plan prioritizes the data governance policies that dictate how users collect, process, disperse, integrate, store, use, and delete data in the business processes of that organization.

Your data governance team should understand why a data subject-centric focus is essential for your data governance plan to both stay ahead of data privacy regulation and respond organically to business growth.

Who is a data governance team?


The members of a data governance team span across all lines of business and should integrate effectively into your current business model. If possible, each role in your team should be an organic extension of each member’s current position within the business systems you have in place. 

While you may find you lack the human resources to fill specific roles, you will only discover this by understanding the actual functions that need to be performed within your data governance plan first before assigning titles and positions. Let’s go over some of the core roles typically required in most data governance teams.

Does a data governance team need executive-level sponsorship?


Without C-level sponsorship, you may find it challenging to acquire the funding for the human resources and technology needed to get a data governance plan off the ground. 

According to a 2018 Digital Analytics & Data Governance Report by Observepoint, companies with C-level support onboard their data governance or management program show 42% more confidence in data accuracy. The same report found the most significant challenge organizations face in developing a data governance team is a lack of human resources. 

Effective and persistent data governance programs will also most likely need to research and invest in new technology and machine learning to automate systems. This will require a budget. Building a data governance program and a data governance team should start with educating your internal team on data privacy laws to harness executive level support.

A C-level sponsor will both create and sustain momentum for your data governance program. Whether your executive sponsor is the Chief Data Officer (CDO), Chief Financial Officer (CFO), Chief Technology Officer (CTO), Chief Information Officer (CIO), or Chief Marketing Officer (CMO), what's important is that they are vested in the value of data within your company in some way.

Beyond championing your governance plan and providing clarity and direction, the executive sponsor will kick off the birth of your data governance team by designating a Data Protection Officer.

What is a Data Protection Officer?

A data protection officer (DPO) is responsible for overseeing a company’s data governance plan at the enterprise level to ensure ongoing compliance with data privacy laws. Also referred to as the Chief Data Steward, or sometimes a Data Project Manager, your DPO is the link between the C-suite, IT, and the rest of the company, and a key player in implementing and maintaining your data governance plan throughout day-to-day governance operations.

Your DPO should know their way around the broad data protection space, including the GDPR, CCPA, and any other upcoming data privacy legislation that you may be subject to. The DPO could be in-house or outsourced through a service provider, part-time or full-time, and could even consist of a Data Protection Office that integrates data analysts and IT, depending on the size of your company. For smaller firms, if your DPO performs other duties within the company, those duties shouldn’t create a conflict of interest.

The DPO will be responsible for staying abreast of changes in data privacy law and amending the data governance plan to ensure compliance. Along with conducting data governance team meetings with the Data Governance Council, the DPO will either hold or arrange for ongoing training for all employees.

Your DPO will also be the go-to for external data stakeholders:

  • Third-party vendors that process data on behalf of your firm must be cleared for compliance with data privacy laws.
  • Data privacy regulatory authorities will need a consistent point of contact in the event of a breach or complaint.
  • Data subjects (individuals whose data you collect, process, or store) must have an identifiable contact regarding their data in the event of a deletion request or other data-related inquiries.

Once appointed, your DPO’s first priority, usually along with the C-level sponsor, is to designate roles for the Data Governance Council, which is the body that extends data governance throughout the enterprise to the business user level. The DPO will create ongoing data privacy awareness through policy creation, implementation, and education by collaboration with the Data Governance Council.

After a data governance plan is set in place and begins to mature, the DPO can focus on improvements to data processes and the deployment of new technologies and alternative business models. This might involve the creation and update of detailed guides on data protection policies as well as the continual monitoring and tracking of all data performance metrics and data protection impact assessments.

What is a Data Governance Council?

A Data Governance Council is made up of the people who are going to carry out the activities of your data governance strategy. They should be subject matter experts (SMEs) from each line of business (LOB) such as HR, IT, marketing, etc. But they should also individually recognize data as a critical business asset and be well acquainted with both the data and systems in your organization. The members of your Data Governance Council will be the liaisons between your Data Protection Officer and all business users — everyone exposed to data in your enterprise.

The right people should be able to collaborate with other SMEs from all other LOBs, along with IT and data analysts, to determine and prioritize how data governance will be integrated into day-to-day business processes among all business users. 

The complexity and reach of your data council will depend on your business size, framework, industry, and level of data dependence and interaction. For example, a health insurance firm that handles sensitive personal data will most likely have a much more complex Data Governance Council than a construction supply wholesaler.

What does a Data Governance Council do?

A Data Governance Council integrates the development and implementation of data privacy policies, standards, and procedures by engaging end users in the importance of data privacy through education and ongoing support.

Because council members come from all lines of business, they can represent the nuances of how data is used within their department. They’ll be able to deliver feedback from users to the council and DPO to create an ongoing dialogue that keeps data governance agile and in line with evolving business interests.

Depending on your company, council members may be designated as data owners in their departments, or they may delegate ownership to someone within their department. Similarly, they might be assigned stewardship or delegate data stewardship within their department.

What is the difference between data owners and data stewards?

Defining the difference between data owners and data stewards can be confusing, because some companies use these titles synonymously while other firms use different titles for the same roles. Generally, the difference between data owners and data stewards is:

  • Data stewards typically have programming and data modeling expertise, define policies to protect data, and oversee the lifecycle of a particular data set or data within a specific function. Data stewards are responsible for the integrity and analysis of data sets and report to data owners. 
  • Data owners own particular data sets and need to have the authority or resources to take action if there are data quality problems. They generally monitor data with data quality reports and sign off on any actions their data stewards may have to consider.

In the same sense that there is no single standard data governance plan for all enterprises, there is nothing etched in stone that says data owners and data stewards have to be assigned those titles, or even that those roles cannot be combined in some way.

Tips for designing your data governance team structure

The team structure you design is going to need to extend from the executive level to the user level and cover any roles in between that deal with data. In business today, that means everybody. 

While considering individual roles, you’re going to want to focus more on data governance as an integral part of an employee’s position rather than the external imposition of data rules and regulations. The ultimate goal is to inspire a data governance culture at the user level rather than solely relying on policy enforcement from the top down. 

A successful data governance team should reinforce open communication lines in both directions for holistic development by keeping the DPO and executive levels apprised of business users’ data experience on the front lines. Clear communication is necessary for the agility required to adapt data policy in response to users’ experiences and changes in privacy law.

Tips for choosing your data governance team

C-level support, the DPO, IT, data analysts, and SMEs in your Data Governance Council are the engine of a data governance team. But the focus of ongoing data governance will always come back to the point of use. 

Examine the architecture of your data flows from the first point of contact throughout the entire data lifecycle. Identify those areas where data gives the most value, and where data creates the most risk. Data stakeholders closest to data value and data risk areas may be prime candidates for primary roles at the onset. 

Ultimately, the goal is to create roles that are easily transferable with any turnovers. However, when initially kicking off a team, you want people who are motivated and care about your initiative. It will be their job to get everyone else in their line of business to care, so they should be data experts, skilled educators, and respected leaders in their departments.

Release Notes November 15th: Bot API Public Beta, Mobile Buttons Option, Hub Starred Chats, Copy Transcripts and other Improvements

Hello SnapEngagers!

Here’s what the development team has been working on in the last couple of weeks:

Bot API Public Beta

We have now made the Bot API Beta available for Professional and Enterprise plans.

The SnapEngage Bot API allows developers to create your own chat bot or build a connection with 3rd party bot providers. Through the API a bot agent can take chats just as a human agent can and perform operations such as sending messages and issuing various commands such as transfers, bans and /goto redirect.

Developer documentation can be found here.

Hub Improvements

  • Visitor Chat: Agents can now copy the chat transcript to the clipboard, along with some additional case information. The option is available in the chat actions during the chat, as well as after the chat:
  • Team Chat: We added a ‘Starred’ chat option so you can pin your most important team chats to the top.
  • We have updated the Hub color scheme to improve the readability.
  • Home Screen: We removed the banner ads and moved the latest news to the front.

Design Studio Mobile Buttons

We have added a feature for additional mobile buttons in the Design Studio -> Online/Offline Button settings. You can now configure individual button style, type, and position settings for desktop and mobile to match your mobile optimised layout:

Other Improvements

  • Security:
    • We have added additional Audit Logs for the Design Studio selection in the Style tab.
    • We have disabled the ability to add agent and admin accounts to multiple organisations, to increase general account-level security.

Resolved Issues

  • Proactive chat: Fixed an issue where certain rule types like language or time of day were being ignored.
  • Visitor chat:
    • Fixed an issue causing problems with the ‘is typing’ notification
    • Fixed issues with sending messages when visitor used Japanese IME Keyboard on Chrome
  • Hub:
    • Fixed some issues with the UI of the new left sidebar
    • Fixed display problems of the agent avatars in the IE11 browser.
    • Fixed an issue where invalid email addresses like [email protected] were misidentified as valid email addresses
    • Fixed messages in team chat not syncing after computer goes to sleep
  • Auto Translate:
    • Fixed an issue where the translations were lost after a transfer
    • Fixed missing time stamps on auto translated messages.
  • Analytics: Fixed analytics filter column not working on IE11

One Proven Way To Convert More Leads

Make every conversation count

Sales strategies require ever more frequent engagement at every key stage in the customer journey. That starts when they’re a prospect. Most already know something about you from your website, but then decide to move on if time is tight. If you’re depending on Sales to follow up, you’ve likely lost them. Smart sales organizations use chat to engage potential buyers at the first moment of truth.

Align the sales team with the strategy

51% of online prospects prefer live chat options for the quickness and convenience that it offers. Real-time interactions allow the sales team to instantly connect with site visitors and clients alike. Incorporating live chat with your sales strategy allows you to turn every conversation into an opportunity. We take it one step further by recommending a robust proactive chat strategy for your customer engagement mix.

The Secret Sauce

Proactive chat is an under-utilized secret of the chat world. A well-planned proactive chat strategy can reap massive sales leads and drive communication with visitors. Less work. More play. Proactive chat can:

  • Enable complex outreach strategies: Engage prospects with ease using highly contextual, rule-based messages
  • Build trust and rapport: Use advanced triggers to reach out to prospects and clients at exactly the right moment to start meaningful conversations
  • Keep the door open: Make sure site visitors know that your website is staffed
  • Bring joy to the customer journey: Send relevant messages to create a custom and tailored experience and connect site visitors to the right person at the right time

Proactive chat greetings can be triggered based on factors such as site visitor location, time spent on a page, and abandoning a full shopping cart.

Picture this: you enter a store shopping for your first flat screen TV. You’re ready to shell out some serious cash and need help finding your perfect TV. Nobody asks if they can help you, shows you where the TVs are in the store, or makes suggestions about the TVs that offer high definition. Not a great experience. Now pretend you walk into another store with the same goals in mind. An employee welcomes you warmly and lets you know about the current sales. You wander through the phone section and another employee asks about your day and points you in the direction of your goal: TVs. As you browse TVs, another employee offers to demo a few different options, mentions their price-match promise, and helps you pick the perfect TV for you. These are vastly different scenarios, with the second one highlighting a delightful customer experience. It is not enough to simply have TVs if site visitors don’t know where to find them. You have the chance to be their guide, so take advantage!

Stay on your toes

Proactive chat is highly customizable. You have the freedom to test proactive chats on certain pages, test specific messages, even fire messages for a limited time only. Check out your chat analytics to see which messages are getting the most traction and continually refine messaging to stay on-brand.


The Live Chat Holiday Checklist

Maximize your sales and support potential during the holidays

“’Tis the season to be chatty…”

The holidays are approaching fast, and while some of us are preparing to survive the crowded malls and airports, others are flocking to your website. Some are seeking gift purchases; others are getting those last-minute work projects completed before the year’s end.

You will want to ensure that your live chat strategy is tuned up for the coming surge in site traffic so that you can crush those conversion rates and end-of-year goals while continuing to deliver the top-notch customer experiences that you already do. We’ve created this holiday checklist to serve as a guide for you and your team to ensure that “all systems are go” before the holiday launch.

The Live Chat Holiday Checklist

Step #1: Staff accordingly

An influx in site traffic leads to more chat demand. You might want to consider beefing up your chat team to assist with the holiday rush. Using analytics from previous years, you can get a rough idea of what volume of chats you can expect and hire/staff agents accordingly.

The new SnapEngage Capacity Report is a very powerful feature that will allow you to maximize staffing efficiency and provide better insights to use to help allocate your resources. Businesses that strive to provide quality customer experiences must plan and staff accordingly to ensure that all customer inquiries are addressed in a timely manner. Read more about the Capacity Report here.

Step #2: Set up new channels

Today, live chat is about much more than just a chat box on your website. Make yourself available wherever your customers are with the new Channels tab! Channels allows you to connect your SnapEngage account to Facebook Messenger, SMS-to-Chat, and WeChat. When connected, your visitors can chat with you wherever they are without the need to visit your site. Your organization has never been more reachable! For more tips on SMS-to-Chat best practices, check out this guest blog post.

Step #3: Update your chat box design

For the folks who end up chatting with agents from your website, give your chat buttons and windows a holiday facelift with the Design Studio! The Design Studio lets you unify your entire customer experience and match your brand. With so many more eyes looking at your site around the holidays, wow visitors with a chat design that is truly unique to your organization.

In addition to adding a new chat box design, start using Auto-Translate chat to speak with customers and site visitors around the world. You can now speak your customer’s language without extra staff or coding. Auto-Translate works seamlessly across your website, Facebook Messenger, and SMS-to-chat.

Step #4: Prepare holiday-specific shortcuts

We’ve said it time and time again… In the live chat environment, response time is paramount! One easy way to help reduce agents’ average response time is to configure shortcuts for common responses.

Try to work with your agent team to identify frequently asked questions, such as ‘What are your holiday hours?’ or ‘What is your holiday return policy?’. Once you’ve identified trends and FAQs, create shortcuts to cut down on agents’ typing/response times. Don’t forget to include quick and friendly holiday greetings if appropriate (e.g. “Happy Holidays! How may I help you today?”). This step may seem insignificant, but every keystroke saved is valuable time that can be spent making more sales or assisting more customers.

Step #5: Tune up proactive chat rules

Haven’t touched your proactive chat triggers in a while? We never advise a set-it-and-forget-it approach to proactive chats (or any chat messaging strategy, for that matter). You definitely want to rethink your proactive chat strategy as you prepare for periods of high traffic volumes on your site. Consider creating specific messages on certain product pages and be sure to add a little holiday flair. Remember, site visitors are more likely to engage in a conversation if your proactive chat messages take on a more human approach and tone.

What’s next?

Remember, a successful holiday season comes down to more than just headcount and enabling all of your communication channels. You will want to ensure that your newer agents continue to deliver excellent product knowledge and employ a communication style consistent with that of your organization.

Be sure to allow ample time for training on the chat platform and teaching best practices so that your new agents are well-prepared for the holiday rush. This is especially important if you hire seasonal and/or part-time teams who may be less familiar with your product and brand.

Need training assistance during the busy holiday season? Whether you’re a brand new client or have been with us for years, the SnapEngage Implementation team is here to provide additional agent and admin/supervisor training services. Use the button below to schedule a call and learn more about how we can help you achieve your goals during the holidays (and beyond).
