GDPR and the Healthcare Professional
This Month: The Healthcare Professional…
Welcome to the seventh article in our series of professionally-themed insights for 2019.
Each written with a specific profession or role in mind, they’re packed full of helpful ponderables, tips and advice to make the GDPR work for you in your everyday 9-5.
This month, we’re covering the need-to-knows, good-to-knows and no-nos (!) for all you independent Healthcare Professionals out there.
We hope it makes your GDPR life that little bit easier.
Dear Healthcare Professional…
No, not those peeps in big organisations like the NHS – but those of you working independently in private practice and smaller set-ups such as dentistry, physiotherapy, acupuncture, osteopathy, holistic therapy and counselling (other healthcare professions are available!).
In your line of work, have you ever stopped to consider how much personal information you collect throughout the patient care pathway; from your initial case history-taking and assessment all the way through to your ongoing treatment plans?
We bet there’s a lot!
So, here’s some basic guidance and gentle reminders on how best to manage your GDPR role with patients and clients…
GDPR Tips for the Healthcare Professional
Since the GDPR was introduced just over a year ago, there are very few businesses (if any) it doesn’t apply to. So, with the large and varying amounts of personal data that healthcare professionals collect, it applies to yours more than most.
And not just because of the everyday personal data you process, such as someone’s name, address and DOB etc., but also the sensitive, special category (SC) data that comprises physical and mental health, genetic and biometric information.
Here are some things to consider:
1. Processing personal data and special category data means you need a justification for each.
As with any form of data processing, you need to have a valid lawful basis to collect and handle someone’s information. Usually, this covers the regular basics that make up someone’s personal details. However, due to the nature of your healthcare professional/patient relationship, you’re likely to uncover more than just routine biographical details in order to treat them or deliver your service – i.e. special category data.
We mentioned some of these above although it’s worth being aware that SC data also includes racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; and data concerning the patient’s health or sex life and sexual orientation.
The important thing to remember is that, whatever the extent of SC data you process, you must have an additional and separate justification for why you specifically need to have that data. And guess what? If you don’t, then you mustn’t.
How confident are you that your bases for processing personal and special category data are lawful?
2. Be clear on why you’re storing data and keep it safe!
In addition to paper records and electronic documents, you may also have client data in audio, video and even x-ray formats. Of course, these are fine in themselves (as long as you can justify them and only keep them for the appropriate amount of time) but you also need to ensure that you have a safe means of storing them (and processes in place that should they become compromised, you have a means of monitoring exactly what data has been affected).
Because of the SC data you hold, it’s worth ensuring that your storage and security measures are as robust and stringent as possible – think encryption, physical security and only using third parties that adhere to strict GDPR guidelines.
Have some of your records overstayed their welcome or are at risk of being compromised?
3. If you’re under-prepared, then to share is to dare…
If there are other agencies (e.g. a GP) with an interest in the care you provide for patients there’s likely to be a degree of back-and-forth liaison, and that’s when your security is only as strong as your weakest link.
It’s also why, in GDPR terms, there’s no such thing as being over-prepared. A Data Protection Impact Assessment (DPIA) helps take your level of planning up a notch so that you can prepare for the unexpected. It’s particularly valuable if you know you’re going to need to share and transfer data, helps you to rationalise what’s being shared and why, and pre-empts how best to handle the inherent data breach risks that it involves.
If you’re sharing data, how well have you mitigated against potential risks?
4. Keep your knowledge up to date with some proper training!
Keeping abreast of the latest developments and recommendations doesn’t just apply to your healthcare specialism – it applies to the GDPR too!
So, as wonderfully informative as these DBX blogs are (?), why not refresh your GDPR knowledge with our online training course?
Seeing as you have a responsibility to keep on top of your GDPR commitments, it’s a great (and both time- and cost-effective) way of building a deeper understanding of how the data protection regulation fits in with your practice. For instance: reminding you of the importance of making clients aware of what you do with their data and obtaining their consent; or, getting you to specifically consider why you need to store someone’s records – whether that be for monitoring treatment progress against baselines or using for future teaching purposes by way of a case study.
How comfortable are you with how the GDPR applies to your work?
5. Knowledge is powerful and sensitive information is a privilege…
Handling people’s personal and sensitive data is both a huge privilege and responsibility. Become careless with it and the damage to an individual can be irreparable.
That’s why ensuring unceasing discretion and routine anonymisation is so important. It could be something as simple as not directly acknowledging a patient of yours in a social setting where others present could deduce the connection between the two of you (e.g. living in a relatively small community and running into one another in the pub!) to having digital patient records password-protected or encrypted so that non-authorised people can’t access them. (And if they can, that they’re aware that it’s an offence to view someone’s data for their own personal interest or gain. It sounds crazy but it does happen!)
How proactive are you in protecting your patients’ identities?
In-the-Know… Summary
The Need-To-Knows
- Personal and special category data need 2 separate justifications for processing.
- Only process and store data that’s essential to your healthcare provider role.
- Keep patient data protected at all costs!
The Good-To-Knows
- Proper data mapping and DPIAs will help you stay on top of the data you control, process and share.
- It’s your responsibility to keep your GDPR knowledge up to date.
- Your healthcare provider/patient relationship is between you and your patient. Remember to keep it that way!
The No-Nos!
And whatever you do, please…
- Don’t dismiss the GDPR or not find time to take it seriously.
- Don’t forget where you are if you bump into one of your patients in public!
- Don’t put off asking for help if you need it.
Help and support is only a quick email away
If your data protection bedside manner is smoother than a soothing linctus, keep taking the tablets!
However, if it’s in need of some special TLC, we have just the tonic for you. Just get in touch and we’ll have you feeling better about your GDPR issues in no time.
Trust us: we’re Data Protection Practitioners… ?