Privacy Top 20 Guide

Data protection at your medical practice: A guide to dealing with sensitive patient data

The EU General Data Protection Regulation (GDPR) has applied since May 25, 2018, after a two-year transition period. It does not oblige only companies to protect personal data better: it applies to everyone who collects and processes personal data, including your medical practice.

In the healthcare sector, most patient data is highly sensitive and therefore particularly worthy of protection. On top of that, you and your staff are bound by professional secrecy. Careful handling of the information entrusted to you is therefore doubly important. But how do you keep data protection in your practice at a high level and implement the GDPR adequately?

The correct handling of patient data

Every day you deal with people in your practice. They hope for an improvement in their condition and place their health in your hands, together with all the information about themselves. Your systems and files hold everything relevant to a patient's physical and mental health. This is what makes data protection so important in hospitals and medical practices.

Under Art. 9(1) GDPR, the processing of health data is prohibited in principle, for the reasons just mentioned. Art. 9(2) lists the exceptions, the most relevant of which for a practice are:

  1. Consent:
    If the data subject has given explicit consent to processing for one or more specified purposes, you may use the data.
  2. Legal obligations and claims:
    Processing may be permitted where it is necessary under employment, social security or social protection law, or for establishing, exercising or defending legal claims. A statutory basis of this kind constitutes an exception.
  3. Vital interests:
    If a patient is seriously injured and physically or legally unable to give consent, their data may be processed to protect their vital interests (or those of another person), but only for that purpose.
  4. Data made public by the patient:
    Data that the data subject has manifestly made public themselves, for example by publishing it online, may be processed without their consent. Passing data to a third party in confidence does not make it public.
  5. Public health:
    Processing in the public interest in the area of public health, for example to prevent epidemics, is permitted.
  6. Medical treatment:
    Processing necessary for medical diagnosis, the provision of health care or treatment is permitted when carried out by or under the responsibility of a professional bound by secrecy (Art. 9(2)(h) GDPR). This is the basis on which a practice processes the data of its own patients.

The importance of personal data in health care

As described above, the GDPR specifies the exceptional cases in which you may process health data. Nevertheless, outsiders are often unaware of when data is actually processed in a medical practice:

  1. Doctors need information in order to diagnose and treat. That is the purpose for which they may collect the relevant data, and they should collect no more than that purpose requires.
  2. Hospitals and practices are obliged to share certain information with health insurers. The insurer may not automatically receive the full patient file, and certainly not without the patient's consent.
  3. Personal data is stored not only on paper in patient files but also digitally in the practice's systems, where it must be protected just as carefully.

How do you correctly implement the General Data Protection Regulation in your medical practice?

Start by minimizing the opportunities for unauthorized access. Unattended, unlocked computer screens are a popular way for third parties to obtain information quickly and easily, so configure workstations to lock automatically after a short idle period and lock them whenever you step away. It is also important to position the reception desk so that it is not within earshot of the waiting room. In the worst case, waiting patients can listen in on telephone calls that do not concern them, and in exactly those moments your practice does not provide an adequate level of data protection.

Internal/external data protection officer

The GDPR itself (Art. 37) requires a data protection officer where the core activities of the practice involve large-scale processing of special categories of data such as health data; according to Recital 91, the records of an individual physician are not considered large-scale. German national law (Section 38 of the Federal Data Protection Act, BDSG) additionally requires one whenever a certain number of people are regularly engaged in automated processing of personal data (at least ten when the GDPR began to apply; the threshold has since been raised to twenty). Anyone who is not familiar with data protection in medical practices is well advised to bring in an expert in any case. First get an overview, for example by comparing several offers from external data protection officers, and then select the person who best meets your practice's requirements.

Check the processing operations

Review every processing operation in your practice for compliance with the GDPR, and document that you have done so. This includes the technical and organizational measures that protect the data, such as access controls and encryption of patient files and data, so that stored records cannot be read or silently altered by anyone who gets hold of the storage medium or a backup.
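One way to implement the encryption of stored patient files mentioned above, as an added example in Go (this is not code from this guide or from any practice software): each record is sealed with AES-256-GCM, which both encrypts it and detects any tampering. The example assumes the key is supplied by a key store or environment variable under the practice's control (it is generated randomly in main() only so the program runs stand-alone); the record ID and the sample record are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added example, not code from the original guide: authenticated encryption
// of a patient record at rest with AES-256-GCM from Go's standard library.
// The key is assumed to come from a key store or environment variable that
// the practice software controls; main() generates a random one only to keep
// the example self-contained. Record IDs and the sample record are constructed.

// EncryptRecord seals plaintext under key and binds the ciphertext to
// recordID as additional authenticated data (AAD). A ciphertext copied
// from one patient's file into another patient's file therefore fails
// to decrypt, because the AAD no longer matches.
// Output layout: nonce || ciphertext || 16-byte GCM tag.
func EncryptRecord(key, plaintext []byte, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(key) // accepts 16-, 24- or 32-byte keys
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record: GCM loses all security if a nonce is
	// reused under the same key, so never derive it from a counter you
	// cannot persist reliably.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord reverses EncryptRecord. Any change to the nonce, the
// ciphertext, the tag or the record ID makes authentication fail, and the
// function then returns an error instead of corrupted plaintext.
func DecryptRecord(key, sealed []byte, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ciphertext, []byte(recordID))
	if err != nil {
		return nil, errors.New("record failed authentication: wrong key, tampered data or wrong record ID")
	}
	return plaintext, nil
}

func main() {
	key := make([]byte, 32) // AES-256; in practice load this from a key store
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample record, not real patient data.
	record := []byte("patient: M. Mustermann; diagnosis: J06.9; note: follow-up in 2 weeks")
	sealed, err := EncryptRecord(key, record, "record-0001")
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes of plaintext into %d bytes\n", len(record), len(sealed))

	// Flip one bit of the stored ciphertext: decryption must now fail.
	sealed[len(sealed)-1] ^= 0x01
	if _, err := DecryptRecord(key, sealed, "record-0001"); err != nil {
		fmt.Println("tampered record rejected:", err)
	}
}
```

The key is now the secret that matters: keep it outside the record store and outside the backups that contain the sealed records, and plan how it is rotated and who can read it, because losing the key means losing every record sealed with it.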

Creating a directory for processing operations

Under Art. 30 GDPR you are obliged to keep a record of processing activities. Proceed as follows:

  1. Consider carefully which categories of personal data you process in the course of your work, and about which categories of persons (patients, staff, suppliers).
  2. Add the purpose of each processing activity, the categories of recipients (for example health insurers or laboratories) and the envisaged retention period.
  3. State the name and contact details of the practice as controller and of your data protection officer, if you have one, and give a general description of the technical and organizational security measures you apply.

Checking documents

You surely use various forms in your daily work that your patients have to fill out. But do they comply with data protection law? Check every document in your practice to see whether it still conforms: whether it asks only for data you actually need, and whether it provides the information required by Art. 13 GDPR, such as the purpose of the processing and the patient's rights.

Obtaining declarations of consent

Treatment itself rests on Art. 9(2)(h) GDPR and does not require consent, but for any processing that goes beyond treatment you need the patient's explicit consent, and documented consent also puts you on the safe, legally compliant side wherever the legal basis is unclear.

Important: point out explicitly that consent can be withdrawn at any time and that patients have a right to object to certain processing. Do not forget that you may also be asked to delete a patient's data; you then have to check the request against the statutory retention periods for medical records, which take precedence over erasure.

Technical precautions for better data protection

In the digital age, many doctors have a website to present themselves and their services. By now this is necessary to hold one's own against the competition, and it also helps patients form an initial impression of a potential general practitioner or specialist. Note that data protection applies not only to your practice but also to your website. You should definitely take the following measures:

  • You need a legal notice (Impressum) and a privacy statement, and both must be easy to find.
  • Your site must be served over HTTPS only. Without TLS, anyone on the network path can read or alter what your patients see and send, so plain-HTTP requests should be redirected to HTTPS rather than answered.
  • Data exchange must also be encrypted: every form, in particular an online appointment booking, must submit its data over HTTPS, and any third-party booking service you embed must do the same.
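A practical way to verify the two transport requirements above is to look at what the site actually answers. The following is an added example in Go (not code from this guide or from any practice's site) that evaluates the captured responses: the status and Location header returned for a plain http:// request, and the Strict-Transport-Security (HSTS) header returned over HTTPS. The host name praxis.example, the sample responses in main() and the one-year HSTS threshold are assumptions of the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Added example, not code from the original guide: checks that evaluate a
// practice website's transport security from captured HTTP responses (what
// a request with curl -I returns). Host name, sample responses and the
// HSTS threshold are constructed assumptions for this example.

// minHSTSAge is one year in seconds; the example treats shorter HSTS
// lifetimes as a finding, since a short policy lapses before a returning
// patient's browser would rely on it.
const minHSTSAge = 31536000

// AuditPlainHTTPResponse inspects the response to a plain http:// request
// for host. The only acceptable behaviour is a permanent redirect to the
// https:// origin of the same host; serving content directly over HTTP
// means form data and session cookies travel in the clear.
func AuditPlainHTTPResponse(status int, location, host string) []string {
	var findings []string
	switch status {
	case 301, 308:
		// permanent redirect; the target is checked below
	case 302, 307:
		findings = append(findings, "redirect to HTTPS is temporary (302/307); use 301 or 308 so clients cache it")
	default:
		return append(findings, fmt.Sprintf("plain HTTP answered with status %d instead of a redirect to HTTPS", status))
	}
	want := "https://" + strings.ToLower(host)
	loc := strings.ToLower(location)
	if loc != want && !strings.HasPrefix(loc, want+"/") {
		findings = append(findings, fmt.Sprintf("redirect target %q is not the HTTPS origin %s", location, want))
	}
	return findings
}

// AuditHSTS parses a Strict-Transport-Security header received over HTTPS.
// Without it, a browser still follows an http:// link typed by a patient
// once, which is all an on-path attacker needs to intercept the visit.
func AuditHSTS(header string) []string {
	if strings.TrimSpace(header) == "" {
		return []string{"no Strict-Transport-Security header on the HTTPS response"}
	}
	var findings []string
	maxAge := -1
	includeSub := false
	for _, directive := range strings.Split(header, ";") {
		d := strings.ToLower(strings.TrimSpace(directive))
		switch {
		case strings.HasPrefix(d, "max-age="):
			if n, err := strconv.Atoi(strings.Trim(strings.TrimPrefix(d, "max-age="), `"`)); err == nil {
				maxAge = n
			}
		case d == "includesubdomains":
			includeSub = true
		}
	}
	switch {
	case maxAge < 0:
		findings = append(findings, "HSTS header has no valid max-age directive")
	case maxAge < minHSTSAge:
		findings = append(findings, fmt.Sprintf("HSTS max-age %d is shorter than one year (%d)", maxAge, minHSTSAge))
	}
	if !includeSub {
		findings = append(findings, "HSTS lacks includeSubDomains, so a booking subdomain would be unprotected")
	}
	return findings
}

func main() {
	// Constructed captures for a hypothetical practice site praxis.example.
	for _, f := range AuditPlainHTTPResponse(200, "", "praxis.example") {
		fmt.Println("http:", f)
	}
	for _, f := range AuditPlainHTTPResponse(301, "https://praxis.example/", "praxis.example") {
		fmt.Println("http:", f)
	}
	for _, f := range AuditHSTS("max-age=300") {
		fmt.Println("hsts:", f)
	}
	fmt.Println("hardened policy clean:", len(AuditHSTS("max-age=31536000; includeSubDomains")) == 0)
}
```

Run the same checks against the booking service's host as well: an embedded third-party form that posts over plain HTTP undoes the protection of your own site.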

GDPR not correctly implemented?

No matter whether intentionally or unintentionally: if you fail to implement the General Data Protection Regulation adequately at your medical practice, you must expect the following sanctions:

  • Fines: Under Art. 83 GDPR these can reach 20 million euros or four percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
  • Legal action: Patients can of course sue you if their personal data is unlawfully disclosed. The consequences are compensation for material damage and damages for pain and suffering. If a court finds that you have breached your duty of confidentiality, in the worst case you even face imprisonment.

Data protection in the medical practice: a difficult topic

It is not easy to keep track of the GDPR's requirements. In many places there is uncertainty about implementation, especially in view of the very high fines. It is therefore essential that you engage with this topic in depth. An alternative is an external expert who helps you comply with the data protection rules in your practice. You are certainly aware of the responsibility that comes with the wealth of personal data you hold. Precisely for this reason you must be particularly conscientious with the information entrusted to you.