Since General Data Protection Regulation (GDPR) entered into force, the personal data protection has become more challenging to the Healthcare sector. Meaning that patient data must be managed with more of a holistic approach. Organizations must have certain procedures in place that can be acted upon immediately in order to meet the requirements. Starting with being more cautious with patient information, knowing where it is being stored and how it is being processed. This applies for both, public and private sector: hospitals and clinics, dental care, pharmacies, nursing homes, diagnostic laboratories, e-shops that sells pharmaceuticals, and every other company or organization that processes data concerning health.
The definition of sensitive data and conditions to process it
The GDPR defines personal data processed in the Healthcare sector as “sensitive data”. Therefore, standards for its protection are much higher and GDPR mentions three special references to data concerning health:
- Data concerning health – “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.
- Genetic data – “personal data relating to inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.”
- Biometric data – “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”
The processing of mentioned forms of data is allowed under certain conditions only, which are:
- The explicit consent to process the data is received from the data subject by healthcare providers.
- “Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services […].”
- “Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices […].”
However, according to the GDPR, Member States may maintain or introduce further conditions, including limitations in regard to processing personal data, like genetic data, biometric data or data concerning health. With the GDPR, data subjects gain more rights. For the Healthcare sector, the most important ones are the right to access that allows data subjects to access their health data that is processed also known as subject access requests.
The right to data portability allows data subjects to transmit their health data to any other healthcare provider more easily. The right to be forgotten – the most difficult one to operationalize. It allows data subjects to request for termination on health data processing and it’s deletion.
According to the Data Protection Act, the GDPR that Healthcare sector should have a Data Protection Officer (DPO) to achieve GDPR compliance, since sensitive data being processed on a large scale. Carrying out a Data Protection Impact Assessment (DPIA) helps to evaluate the origin, nature, particularity, and severity of a risk to the rights and freedoms of individuals that processing operations are likely to result.
The Healthcare sector has an obligation to comply with data protection laws by reporting security breaches as well as data breaches (within 72 hours) not only to the local data protection authority but also to individuals whose personal data might be compromised.
To maintain data security, clear, practical and effective procedures in the case of the breach should be thought through. Breach notification procedure, including detection and response capabilities, must be put in place by healthcare providers to protect patient data against data breaches. Therefore, training and fire drills should be done every once in a while, to keep the staff and the system ready.
In the case of a data breach that could expose patient information, fines can reach up to 20 mln € or 4% of the global annual turnover, whichever amount is higher. These fines are imposed by the Information Commissioner’s Office under the GDPR. The most recent breach in the Healthcare sector happened in Portuguese Hospital. The fine of 400 000€ was initially imposed for accessing patient data through false profiles. Read more about GDPR fines.
EU Member states may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
Steps for the Healthcare sector to take towards the compliance
In order to avoid any breaches, organizations must implement compliance points mentioned above, including reviewing contracts – DPA (Data Processing Agreements). This is in addition to updating policies, procedures, documentation, and records of data processing activities in order to be ready for inspections, maintain compliance, and ensure data protection of patient information. Therefore, data processing activity records and data retention and deletion periods also should be in place.
Due to aging critical IT infrastructure and weak IT security practices, the Healthcare sector is one of the greatest targets for cyber-attacks. Meaning that technical security measures must be set in order to avoid unauthorized access to patient data, mishandling and loss of personal data kept in the server or cloud.
More on:
https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1543321123665&uri=CELEX:32016R0679
https://ico.org.uk/for-organisations/health
http://www.eu-patient.eu/globalassets/policy/data-protection/data-protection-guide-for-patients-organisations.pdf