GDPR & Healthcare Practitioners


The General Data Protection Regulation and Healthcare practitioners


Cometh the New Year, cometh the new regulations. If you are a doctor, medical expert or health practitioner, don’t read the GDPR’s 300-page handbook; find out everything you need right here in the Medstars reading room:


The EU’s new General Data Protection Regulation, or GDPR, comes into force in May 2018. The UK government has already confirmed that the regulation will come into force in the UK, regardless of Brexit.

And whatever you may have heard, it will apply to private healthcare practitioners. The new law applies to anyone who processes personal data about an EU citizen, for economic purposes. As a regulated healthcare practitioner, providing private healthcare, that is very definitely you. It will apply to information that you hold about your patients, and also about your employees and suppliers.

The GDPR does make some exceptions for small companies—those with fewer than 250 employees—but the exemptions are very precise. For example,

  • Small enterprises do not have to keep a record of data processing unless they are processing the same data regularly (ongoing patients, for example, or employees), or
  • there is a risk to the rights and freedoms of the data subjects.

Given the consequences of not complying, however, and the sensitivity of the data held by most medical practitioners, it would probably be wise to take the approach that GDPR applies.

So what do you need to know about GDPR? We have tried to sort the wheat from the chaff, to help you work out what you need to know and to do in order to comply.

What is behind GDPR and what does it mean?

GDPR was designed to achieve two main objectives: to give individuals back control of their own personal data, and to simplify regulation across the EU.

It therefore gives individuals much greater control over their data. For example, they have a right to withdraw consent to the use of their personal data at any time, and a ‘right to be forgotten’ if they do withdraw consent, or if their data is no longer needed. This may well have some serious implications for healthcare practitioners, for whom deleting medical records could be a difficult question.

What is personal data?

Personal data is any information that enables an individual to be identified. It would therefore include names, addresses, and also identification numbers, if there was a way to link that back to names. Medical information is also sensitive, as well as personal, so there is a ‘double-whammy’ in healthcare. Personal data may come from emails, social media interactions, and recorded phone messages, as well as being held in formal records such as patients’ medical records.

It is worth remembering that personal data includes information about employees and suppliers as well as patients, so if you employ a secretary, or hold details about suppliers, you also need to apply the same rules to their personal information.

What does GDPR require?

GDPR sets out requirements about how data can be processed and collected. These requirements include:

  • Information must be processed fairly, lawfully, and transparently. In other words, what you do must be fair to individuals, you must have a lawful basis for doing it (for example, the person has given their consent), and individuals must be able to see what you have done. Individuals can ask to see all the information that you hold about them, and how you have used it. Any question of using computer algorithms to decide what treatment to provide, unless you really understand what the algorithm is doing, is likely to be at best a grey area.
  • Information must be collected for a specific purpose, which must be explained at the time. You cannot use it for any other purpose later. This means that you need consent for each specific use of data, and you cannot use a blanket consent. You also need to use an ‘opt-in’ rather than an ‘opt-out’ form of consent to data processing. You cannot, for example, use your private patients’ addresses to market ‘related services’ to them without them having agreed that you can do so.
  • You can only collect and keep the information that you need for the purposes you have specified. This should be fairly obvious: you only need what you need, and for the purpose agreed with the individual. If you don’t need it, then you cannot keep it.
  • Personal data should be accurate. Inaccurate data should be deleted or updated as soon as possible. Again, this is likely to be something that you want to do anyway.
  • You should only keep data in a form that enables individuals to be identified for as long as that is necessary. This will probably not be very significant for healthcare practitioners: information in medical notes needs to be personally identifiable, so there is unlikely to come a point when you still need to hold the information, but in an anonymised form. However, good practice requires you to keep this in mind.
  • Data should be kept and processed securely. You need to take measures to ensure that the data is unlikely to be lost or stolen. Using good anti-virus and anti-malware software is essential, but so is password-protecting files, and making sure that access to information is restricted to those who really need it. Automatic log-out after a period of inactivity could be a useful addition to your patient records system.

What is this likely to mean for me in practice?

In practice, provided that you are already taking care of your patients’ personal data, and you know where it is stored, the GDPR will probably not make a huge difference in most areas. You should, however, review what you are doing to make sure that it is compliant, and that you are aware of all the personal data that you hold.

There are one or two big issues that you should also consider. These include questions about how long you should hold personal data, in the form of medical notes, for example to ensure continuity of care in future, and also some of the new rights, such as the ‘right to be forgotten’. This allows people to ask for their information to be erased, as long as it is no longer necessary for the purpose for which it was provided.

For example, is it necessary or advisable to hold records of previous patients? How long should you hold them? What about if a patient asks to have their information removed, but you suspect that they may be preparing to challenge your practice in some way? You are permitted to hold onto data to exercise or defend legal claims, but you should not use this as a blanket reason to avoid any erasure of information. The Information Commissioner’s Office has useful guidance about the individual rights, which may be helpful if you are concerned.

You also need to think about the purpose for which you are holding the data. You’re more likely to be able to justify holding patient information if it affects their future health, but less so if you wish to use it to send emails about new services provided by your clinic. Ensure that you have systems in place to record details of the consent provided for holding and processing personal data.

What happens if something goes wrong?

If you think that some personal data has been lost or stolen, you must inform the data protection authorities within 72 hours (and within 24 hours would be better). In the UK, that is the Information Commissioner’s Office.

The bottom line

Healthcare practitioners already hold a lot of confidential information about their patients, so are already likely to be complying with guidance from their regulator, and with UK data protection law. However, there are a few key changes, and practitioners need to understand how these will affect what they do.

Failure to comply with the GDPR could result in a heavy fine (the maximum penalty is up to 20 million euros, or 4% of turnover, whichever is greater). It is therefore worth taking action to avoid this.

Finding out more

Most of the professional regulators will be updating their guidance on confidentiality as GDPR approaches, and you are advised to check with your regulator to make sure that you are complying. You may also want to check with a lawyer to make sure that you have fully understood the implications of GDPR for the way that you work.

There is more information available from the Information Commissioner’s Office, which has published a guide to GDPR and a useful summary of 12 steps to take now to prepare.
