Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) applies as of 25 May 2018. It repeals Directive 95/46/EC. The regulation is an essential step to strengthen individuals' fundamental rights in the digital age.
The GDPR also affects the medical industry, as the treatment of patients necessarily involves collecting, analysing, managing and storing patients’ sensitive health information. Health information is personal information that relates to the health status of an individual. It is considered sensitive data, is subject to particularly strict rules and may only be processed by health professionals who are bound by the obligation of medical secrecy. Inappropriate use of such data can have a negative impact on a patient’s life and/or reputation.
The GDPR introduces a higher level of protection for information relating to a patient’s health.
Under the GDPR, healthcare professionals and medical practitioners are in practice data processors and/or controllers. They are therefore responsible for the sensitive data of their patients and obliged to safeguard it by taking appropriate measures. Controllers must put in place specific measures to ensure that data is processed in accordance with the GDPR requirements, and must keep records of all data processing activities so that they are ready to demonstrate compliance.
Also, within the context of the GDPR, healthcare professionals must obtain their clients’ consent. Consent under the GDPR must be freely given, specific, informed and unambiguous, and must involve a clear affirmative action. Patients must always be informed of the purpose for which their health-related data is collected and must be able to withdraw their consent easily if they choose. Additionally, they must have access to their data so that they can change or update information and/or withdraw it at any time.
Article 30 of the GDPR obliges the data controller to keep a record of the processing activities for which it is responsible. The record must include, inter alia, the following:
• Name and contact details of the controller and DPO (if specified)
• Processing purposes
• Categories of data subjects (e.g. patients, employees)
• Categories of recipients to whom the data are disclosed
• Transfers to third countries or international organizations (if applicable)
• Estimated deletion deadlines
• Technical and organizational security measures
Furthermore, according to Article 37 of the GDPR, data controllers and processors must appoint a Data Protection Officer (DPO), who is responsible for overseeing the implementation of the data protection strategy and policies to ensure compliance with applicable data protection legislation. The appointment of a Data Protection Officer becomes mandatory in some cases.
The GDPR will significantly change the way healthcare institutions use and store the personal information they hold. Keeping confidential information about staff and patients secure is a responsibility all healthcare providers have taken seriously for years. What the GDPR changes is that all organizations that hold, control or process personal data, including healthcare institutions, are now legally bound to comply, since the GDPR enforces compliance. Given the complexity of the GDPR and the significant penalties that may result from breaching it, all businesses are advised to seek help from an advisor to make sure that they are processing data in accordance with the GDPR, thereby avoiding the risk of fines.
Our Law Firm is in a position to assist healthcare professionals to comply with the GDPR and national legislation. You may contact us for any enquiries and assistance.