Digital transformation is and has been the focus of many organisations in the last couple of years, including those of the healthcare sector. This shift brings with it new, additional aspects for all areas, a major one being data protection. In the healthcare sector, where a huge amount of sensitive personal data is being processed on a daily basis, protection of this data has to be of top priority, with strict procedures, access controls, and guidelines on privacy. As such, compliance with the GDPR, within digitized care and cure organisations, is crucial. Let’s take a look at how you can ensure compliance for your healthcare organisation without disrupting the efficiency of your work.
What the GDPR says about health related personal data in general
Under the GDPR, health data is considered a special category personal data, demanding even further steps for its protection than other, regular types of personal data.
Article 4(15) GDPR defines health related personal data as: “personal data related to the physical or mental health of a person, including the provision of health care services, which reveal information on their health status”. Other, special category personal data includes details such as a person’s beliefs, ethnic origins, genetic information, and other significant detailed information.
To lawfully process special category data, both a legal basis under Article 6 GDPR and a separate condition for processing under Article 9 GDPR must be identified. Although it should be noted that they both don’t have to be connected.
The GDPR also requires that upon processing special category data, you must keep records and include documenting the categories of the data you process. The GDPR doesn’t explicitly state how long an organisation is allowed to hold on to personal data, however healthcare organisations should ensure that the information relating to health data is not kept for longer than needed. For that reason, retention periods must be clearly established and communicated to data subjects, such as patients.
Additionally, the GDPR requires that before processing data that’s likely to be high risk to the rights and freedoms of data subjects, a Data Protection Impact Assessment is to be conducted in order to identify the potential risks that could be faced.
Processing health data in the digital age
Many systems used within the healthcare sector are now fully digital. With the help of cloud-based technology, systems containing patient data are often ‘shared’ among hospitals, GPs, pharmacies, and other practicing institutions, in order to serve patients best. But how should this sensitive data be processed and shared according to the GDPR?
Looking at the Netherlands, the Dutch Digitalisation strategy already acknowledges that data sharing is vital for the private and public sectors alike. In the case of healthcare, data sharing can enable doctors to use patient data from a number of healthcare institutions to make better diagnoses, create less of a hassle for patients, for research, and to improve the quality, safety, and efficiency of healthcare systems.
For example, a cloud-based system often used within healthcare is the Dutch MedMij, which creates a personal health environment (PHE) to manage and share medical data. It involves a set of agreements between stakeholders like software developers, healthcare providers and patients, as well as a financing system and information standards, to facilitate data sharing and also mitigates concerns around data privacy, awareness, and interoperability.
Especially considering the fact that health data mounts to sensitive data and falls under the special categories of data, it must be ensured that the principles of GDPR are duly complied with before processing or sharing. As this data sharing arrangement would involve special category data, a lawful basis must be duly identified for sharing the data.
Accessing the health data of individuals
According to the GDPR, your organisation will need to demonstrate that your processing has met specific requirements, which include having put appropriate safeguards into place to ensure the protection of that information.
Given the sensitivity of health related personal data, it should only be processed by authorised health professionals that are bound by the obligation of medical and data secrecy. Individuals should properly be assessed and reminded of their confidentiality obligations. Moreover, it’s especially vital for institutions to carry out data protection impact assessments and create specific security measures such as two factor authentication procedures on access controls over a patient's personal data.
If access control is not adequate, it could easily lead to a data breach. For instance, in July 2019, the Dutch Data Protection Authority (DPA) issued the country’s first ever GDPR healthcare related fine. The Hague’s largest hospital, Haga Ziekenhuis, was fined €460,000 for failing to secure the personal data of one of their patients. The Dutch DPA stated that at least two of the hospital’s security measures were insufficient. Not only did the hospital fail to alert administrators that an unauthorized employee was looking into personal files, but the hospital also failed to use a two factor authentication for accessing the database itself.
The rights of patients according to the GDPR
One of the fundamental aspects of the GDPR is to ensure that data subjects are given appropriate rights over their own personal data.
When healthcare institutions handle personal data, patients should be given the right to information: patients should be well informed about their rights, for what purposes their health-related personal data is processed, and how it’s processed, as well as by who, for how long and additional information. Patients should also be made aware of the recipients/third parties with whom their personal data are shared. This is also in the case of where their data is transferred outside the EU/EEA. This clarification should specifically be communicated to patients in a clear and precise manner.
Patients should also be guaranteed their right of access. Access to existing medical files, reports, or other health-related information that is gathered from the patient, should be made accessible for the patient to securely access when they want. Their right of data portability gives them the opportunity to transfer their data to a different health care provider in a machine-readable and commonly used format, like .CSV.
Additionally, patients hold the right to object and can refuse the processing of their data in certain circumstances. In other cases, patients can also opt to have their existing data erased, according to the right to erasure. However, institutions could refuse a request on several legal grounds or claims. Besides this, patients could opt for the right to restrict processing of their data.
Finally, patients have the right not to be subject to a decision based solely on automated processing, which produces legal or similar effects concerning him or her.
What steps can healthcare institutions take to ensure compliance and reduce the risk of a breach while using cloud-based systems
After going through the most important aspects of the GDPR in regard to healthcare institutions using digital systems, let’s move onto 3 tangible steps that care and cure organisations should take in order to safeguard the personal data processed by them.
1. Ensure Awareness
A first crucial step for compliance is that all the data subjects, such as patients, should be made aware of details of third parties with which their data will be shared, in order to comply with transparency requirements set out in the GDPR.
Next to that, the data sharing agreement should clearly set the purpose, lawful bases and the information to be shared, along with necessary details about handling data subjects’ rights, and agreed shared security standards. All this information should be communicated in a clear, and easy-to-understand manner.
It’s advised to hold regular staff trainings for data protection, in order to reduce the risks of a human error and therefore an internal data breach. While in practice, personnel should be obligated to medical secrecy, mistakes and accidents can happen. Therefore making all staff aware of the importance of data protection, the safeguards that need to be in place, and what typical problematic aspects to avoid, can have a significant positive impact on the compliance efforts of an institution.
Additionally, all employees should also be aware of how to recognize a data breach, what steps they need to take in case of a security incident, and which key stakeholder they need to involve in the process.
2. Process and share only the personal data necessary for the purpose of your work
It’s also important that health data necessary for processing should be processed minimally and shared only if necessary.
Unauthorized disclosure can have a serious impact on the patient’s life, therefore it must be ensured that data sharing is done on the basis of any of the lawful basis of processing, with adequate agreements in place to hold a relevant party accountable.
To add to that, such data shouldn’t be shared unless e.g.:
• the data subject has given explicit consent
• if the patient makes the data public themselves
• it concerns a life-or-death situation where the patients can’t provide their consent and it is in the patient’s vital interest
• for preventive or occupational medicine
• for the assessment of your working capacity
• for medical diagnosis
• for the provision of health or social care or treatment or the management of health or social care systems and services
Note that in case of sharing to countries outside the EU/EEA, there should be safeguards in check to make sure the data is secure.
3. Set strict access controls
Given the shared nature of cloud-based systems often used within the healthcare sector, ensuring that only those necessary have access to patient data is fundamental. Having measures such as two-factor authentication or single-sign-ons implemented could also help with providing further measures for data protection when it comes to accessing patient files.
GDPR compliance: an investment, but a worthy one
With the digital transformation of the care and cure sector, the way data is processed and accessed has to be adjusted as well. This has brought several new aspects on board in regard to data protection, requiring healthcare institutions to make data privacy their top priority.
While compliance with the GDPR requires healthcare institutions to invest time and resources, at the end of the day, it is in the best interest of both patients and the organisation itself. Keeping up with the obligation will not only decrease the possibility of a potential data breach, protecting your institution from a hefty fine and a reputation damage, but it also plays a significant role in gaining patient trust and improving the overall efficiency of how patients are treated.