Patient data and the GDPR: The four main challenges of the General Data Protection Regulation for the healthcare sector


General state of health, specific blood results, sexual orientation: every medical examination involves the collection of quantities of particularly sensitive personal data. These are stored, retained and often also passed on to service providers for processing.

Since May 25, 2018, the European Union’s General Data Protection Regulation (EU GDPR) has also applied in Germany. The regulation harmonizes data protection law throughout Europe: its provisions are intended to protect personal data better and to regulate its disclosure. Because the healthcare sector frequently handles sensitive personal data, particular caution is required here. As a rule, the attending physician is responsible for protecting patient data. The new rules introduced by the EU GDPR pose financial and organizational challenges for the healthcare sector, especially for physicians in private practice.

We have summarized the four challenges we consider most important for you:

1. Duty to inform when collecting patient data

Medical practices have a duty to inform their patients comprehensively about the collection of personal data and its processing. This covers, for example, the purposes of the processing, the legal basis for the collection and any rights of objection. In addition, at the patient’s request, further details must be provided within one month of the request being made.

Our tip:

  1. Define and structure the information process (in particular the responsible parties, the procedure and the documentation of the information provided).
  2. Use standardized templates. Consumers across the country are currently being inundated with information about the GDPR, so be understanding if some of your patients do not jump for joy at another “lecture” on the new data protection rules.

2. Verifiable documentation of consent

Patients must expressly consent to the use and processing of their health data unless a more specific legal exception applies. The requirement of “expressness” places higher demands on the degree of concreteness than is the case with “normal” consent. It is essential that this consent is documented and stored in a way that can later serve as proof; the signature of the person concerned is a good way of achieving this. This involves a certain amount of administrative work, for which you should be prepared. In addition, special rules apply to minors: here, the consent of the parent or guardian is required.

Our tip:

  1. Prepare for the administrative burden with comprehensive consent templates.
  2. Use technical solutions for documenting consent.

3. Commissioned processing and transfer of health data

Do you not process all personal data within your own practice? If you forward this information to external service providers, or if they have access to it (IT service providers, for example), check whether you have concluded data processing agreements that meet the legal requirements. If you transfer original health data, you must obtain the consent of the data subject, i.e., the patient whose data you are transferring, unless a specific legal exception applies. This applies, for example, to billing service providers. As a general rule, data must be protected just as well at your partners as in your own practice.

Our tip:

  1. Create a procedure directory (an overview of which personal data is processed, by whom and how).
  2. Check the technical and organizational measures of your service partners to ensure that they adequately protect your patients’ data.
  3. Conclude data processing agreements.
  4. Obtain explicit declarations of consent.

4. IT security and data protection concept

Patient data, like other personal data, must be protected against unauthorized access by, among other things, state-of-the-art technical and organizational measures. You must report data breaches immediately and inform those affected. Security incidents not only lead to a loss of trust in your medical practice, but also damage your reputation. The law punishes violations with hefty fines of up to 20 million euros or up to four percent of the previous year’s turnover.

Our tip:

Patient data is popular with cybercriminals. Given the enormous damage a cybersecurity incident can cause, prevention is the most important component of the IT security and data protection concept.

  1. Update IT systems and bring them up to the state of the art.
  2. Use technology into which IT security and data protection have already been built and which makes handling easier through user-friendly default settings.
  3. Provide IT security training for all employees.
  4. Establish reporting chains for data protection mishaps.

In the event that a data breach does occur:

  1. An emergency checklist
  2. Reliable service and emergency partners who can actually be reached
  3. Insurance against cybersecurity incidents

Our author:

Dr. Hans-Peter Anlauf (LL.M.), former Head of the Legal Department at Perseus