Healthcare sector requires a full ‘data medical’ to ensure GDPR compliance
It's not just IT which makes patients and patient organisations vulnerable.
Earlier this year, the NHS dominated the headlines as services across England and Scotland were hit by a large-scale ransomware attack, causing widespread disruption to hospital and GP appointments. With a growing number of high-profile data breaches reported and the General Data Protection Regulation (GDPR) deadline rapidly approaching, data security and privacy are high on the agenda for medical institutions.
If you are responsible for data compliance within a healthcare organisation in the EU, you should already be well underway with your GDPR readiness plans and initiatives, working to ensure compliance before the May 2018 deadline. But, don't be swayed by recent headlines into focusing all of your time and energy on cyber threats and electronic data systems; healthcare organisations require a thorough audit of all data processes, as obligations of security and confidentiality also apply to manual and paper personal records, and these areas of vulnerability can be trickier to identify and control.
Patients' health and genetic data are considered 'sensitive data'
Recognising that certain categories of personal data are of a higher value in identifying and characterising individuals, the GDPR provides an additional level of protection for 'sensitive data', for example data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data, data concerning health, an individual's sex life or sexual orientation. Due to the nature of the work carried out in the healthcare sector, medical organisations are likely to be holding and processing large volumes of sensitive personal data both electronically and manually, so processes and systems need to be in place to protect this data and ensure an organisation's compliance with the GDPR.
With so many people working within healthcare organisations, for example GPs, nurses, consultants, clerical staff, pharmacists, care home staff, physios etc., and often outdated offline and online processing systems in place, how can you manage compliance over such a wide net?
Before you can answer this question, the first step is to carry out an audit of your patients' journeys, from first admission to discharge and beyond. Mapping the patient experience, and establishing who needs access to which records and why, will help you to identify the points where personal data may be at risk. Only then can you begin highlighting what will change under the GDPR and define risk reduction measures.
Electronic vs manual records
It is easier to protect the privacy of patients using electronic files. In fact, the use of electronic files is something which is encouraged under the GDPR. With electronic files, people need only have access to the areas of the files relating to their particular role, for example laboratory staff can attach results to a dedicated area in an electronic file without viewing the full patient record. As a matter of routine, non-medical staff such as care assistants or clerical staff should not have unrestricted access to patient records. Access to information should be granted on a need-to-know basis only.
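The section-level, need-to-know access the paragraph describes, as an added Python illustration (not code from the article or any product it mentions); the roles, record sections, policy table and sample record are constructed assumptions:

```python
# Section-level, role-based access to an electronic patient record.
# Added illustration: roles, sections and sample data are constructed.
from dataclasses import dataclass, field

# Policy: role -> {section: set of permitted actions}. Anything absent is denied,
# so a new role or section starts with no access (least privilege by default).
POLICY = {
    "consultant": {"demographics": {"read"}, "clinical_notes": {"read", "write"},
                   "lab_results": {"read"}, "genetics": {"read"}},
    "nurse":      {"demographics": {"read"}, "clinical_notes": {"read", "write"},
                   "lab_results": {"read"}},
    "lab_staff":  {"lab_results": {"write"}},          # may attach results, never read the record
    "clerical":   {"demographics": {"read", "write"}},  # no clinical sections at all
    "care_assistant": {},                               # no routine record access
}


@dataclass
class AccessLog:
    """Every attempt, allowed or denied, is recorded for later audit."""
    entries: list = field(default_factory=list)


def is_permitted(role, section, action):
    return action in POLICY.get(role, {}).get(section, set())


def access(record, role, user, section, action, log, value=None):
    """Enforce the need-to-know policy on one section of one patient record."""
    allowed = is_permitted(role, section, action)
    log.entries.append((user, role, section, action, "ALLOW" if allowed else "DENY"))
    if not allowed:
        raise PermissionError(f"{role} may not {action} {section}")
    if action == "write":
        record.setdefault(section, []).append(value)   # append-only: nothing is overwritten
        return None
    return list(record.get(section, []))               # copy, so callers cannot mutate the record


def denied_attempts(log):
    """Denied attempts are the signal a privacy officer reviews for misuse or misconfiguration."""
    return [e for e in log.entries if e[4] == "DENY"]


if __name__ == "__main__":
    log, rec = AccessLog(), {"demographics": ["constructed patient"], "clinical_notes": []}
    access(rec, "lab_staff", "lab01", "lab_results", "write", log, "HbA1c 6.1% (constructed)")
    try:
        access(rec, "clerical", "admin02", "clinical_notes", "read", log)
    except PermissionError as exc:
        print("denied:", exc)
    print("denied attempts:", denied_attempts(log))
```

The lab role can only attach to its own section, which is the behaviour the paragraph describes; the audit log is what lets you demonstrate that to a regulator.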
For manual files, there are more challenges in protecting your patients' privacy than for electronic files, because the entire patient file travels with the patient and you cannot restrict access to certain sections. Manual files are also at risk of being left unattended or taken home by staff to catch up on notes or prepare for forthcoming procedures. All of the complex data handling processes need to be identified and mapped within an organisation, before plans and initiatives can be designed to manage GDPR compliance on an ongoing basis.
Why it's important to protect your patients' data
The processing of patients' personal data is vital to the functioning of healthcare services, to the safety of patients and to the continued advancement of medicine through research, but it has to be managed in the right way. Not only does non-compliance put your organisation's reputation at risk and expose it to high fines, but should the personal health information of an individual be disclosed without the correct authorisation, it could have far-reaching negative impacts on that individual's personal and professional life.
With so much to do before the GDPR comes into force in May 2018, and the stakes being high, managing your organisation's compliance with the new legislation might seem like a daunting task.
Supporting your internal teams
We can help with assessing your organisation's current situation, identifying your unique needs and managing the ongoing process of risk mitigation. Our risk assessment identifies detailed operational risks around the decision-making and assumptions related to personal data. We then create a detailed implementation plan to help you drive these changes through your organisation. In addition, we provide you with an online solution to manage this work, via our cloud-based SaaS product, PrivacyEngine, which lets you demonstrate in detail to the regulator how you are mitigating risk and identifying new risks across all of your processes on an ongoing basis. Finally, we provide a knowledge transfer process so that you can quickly manage this yourself and build on this best practice.