healthcare sector

GDPR in Healthcare: Compliance Guide

Since General Data Protection Regulation (GDPR) entered into force, the personal data protection has become more challenging to the Healthcare sector. Meaning that patient data must be managed with more of a holistic approach. Organizations must have certain procedures in place that can be acted upon immediately in order to meet the requirements. Starting with being more cautious with patient information, knowing where it is being stored and how it is being processed. This applies for both, public and private sector:  hospitals and clinics, dental care, pharmacies, nursing homes, diagnostic laboratories, e-shops that sells pharmaceuticals, and every other company or organization that processes data concerning health.

The definition of sensitive data and conditions to process it

The GDPR defines personal data processed in the Healthcare sector as “sensitive data”. Therefore, standards for its protection are much higher and GDPR mentions three special references to data concerning health:

  1. Data concerning health – “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.
  2. Genetic data – “personal data relating to inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.”
  3. Biometric data – “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”

The processing of mentioned forms of data is allowed under certain conditions only, which are:

  1. The explicit consent to process the data is received from the data subject by healthcare providers.
  2. “Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services […].”
  3. “Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices […].”

However, according to the GDPR, Member States may maintain or introduce further conditions, including limitations in regard to processing personal data, like genetic data, biometric data or data concerning health. With the GDPR, data subjects gain more rights. For the Healthcare sector, the most important ones are the right to access that allows data subjects to access their health data that is processed also known as subject access requests.

The right to data portability allows data subjects to transmit their health data to any other healthcare provider more easily. The right to be forgotten – the most difficult one to operationalize. It allows data subjects to request for termination on health data processing and it’s deletion.

According to the Data Protection Act, the GDPR that Healthcare sector should have a Data Protection Officer (DPO) to achieve GDPR compliance, since sensitive data being processed on a large scale. Carrying out a Data Protection Impact Assessment (DPIA) helps to evaluate the origin, nature, particularity, and severity of a risk to the rights and freedoms of individuals that processing operations are likely to result.

The Healthcare sector has an obligation to comply with data protection laws by reporting security breaches as well as data breaches (within 72 hours) not only to the local data protection authority but also to individuals whose personal data might be compromised.

To maintain data security, clear, practical and effective procedures in the case of the breach should be thought through. Breach notification procedure, including detection and response capabilities, must be put in place by healthcare providers to protect patient data against data breaches. Therefore, training and fire drills should be done every once in a while, to keep the staff and the system ready.

In the case of a data breach that could expose patient information, fines can reach up to 20 mln € or 4% of the global annual turnover, whichever amount is higher. These fines are imposed by the Information Commissioner’s Office under the GDPR. The most recent breach in the Healthcare sector happened in Portuguese Hospital. The fine of 400 000€ was initially imposed for accessing patient data through false profiles. Read more about GDPR fines.

EU Member states may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

Steps for the Healthcare sector to take towards the compliance

AD 4nXehdqC5QSJNnQwRy8WQWN7UDH Ne4kr5szm7YHYdrSjgoHfCsmvTbSL7RipnktiEDEwJEChIkLs4VL8QMpnCQBRQft2ozsQQtZ59jd4Iw8RxgEX8fAKKQGwKdVbTMelzHxamnOs JsFsvMF0cd55M6VWeNT?key=8qYFkEc8ssNFz0fqaZA87Q

Photo by Pixabay from Pexels

In order to avoid any breaches, organizations must implement compliance points mentioned above, including reviewing contractsDPA (Data Processing Agreements). This is in addition to updating policies, procedures, documentation, and records of data processing activities in order to be ready for inspections, maintain compliance, and ensure data protection of patient information. Therefore, data processing activity records and data retention and deletion periods also should be in place.

Due to aging critical IT infrastructure and weak IT security practices, the Healthcare sector is one of the greatest targets for cyber-attacks. Meaning that technical security measures must be set in order to avoid unauthorized access to patient data, mishandling and loss of personal data kept in the server or cloud.

More on:
https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1543321123665&uri=CELEX:32016R0679
https://ico.org.uk/for-organisations/health
http://www.eu-patient.eu/globalassets/policy/data-protection/data-protection-guide-for-patients-organisations.pdf

Share on facebook
Share on linkedin
Share on twitter
Share on pinterest
Share on email

Get your compliance organized with proper GDPR tools.
Contact us for a demo and get access to 14-day trial.

Save time and be confident

Latest Posts
Preparing Your Small Business for GDPR Compliance

Preparing Your Small Business for GDPR Compliance

The General Data Protection Regulation (GDPR) is a European Union law that protects the privacy and personal data of individuals...
The GDPR Data Map – Your Complete Guide

The GDPR Data Map – Your Complete Guide

The General Data Protection Regulation (GDPR) is a European regulation establishing the framework for personal data protection of individuals in...
GDPR in Healthcare: Compliance Guide

GDPR in Healthcare: Compliance Guide

Since General Data Protection Regulation (GDPR) entered into force, the personal data protection has become more challenging to the Healthcare...
GDPR software: 10 Great Tools For Compliance in 2024

GDPR software: 10 Great Tools For Compliance in 2024

In this article, we will introduce you to some useful GDPR software tools which may help you reach GDPR compliance...
The lawful basis for Data Processing under the GDPR

The lawful basis for Data Processing under the GDPR

A lawful (or legal) basis for processing data must be satisfied before a business can process any personal data. Article 6...
The EU-U.S. Data Privacy Framework: A Transatlantic honeymoon for data flows, but for how long?

The EU-U.S. Data Privacy Framework: A Transatlantic honeymoon for data flows, but for how long?

The European Commission concluded that the United States ensures adequate protection for personal data transferred from the EU to U.S....
A Comprehensive Guide to Personal Data Mapping

A Comprehensive Guide to Personal Data Mapping

Introduction Data privacy and security are of utmost concern in the digital era of today, especially when it comes to...
Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

What is a Data Processing Agreement (DPA)?A Data Processing Agreement (DPA) is a legally binding document to be entered into...
Direct marketing rules and exceptions under the GDPR

Direct marketing rules and exceptions under the GDPR

Direct marketing includes text messages (SMS) and emails that a customer receives from a product or service provider. But activities...
Transmitting personal data to third countries

Transmitting personal data to third countries

The GDPR has put strict rules in place, when it comes to data transfer to third countries or international organizations. Which...