healthcare sector

Healthcare sector: How to Comply With GDPR?

Since GDPR entered into force, the personal data protection has become more challenging to the Healthcare sector. Meaning that data must be managed with more of a holistic approach. Organizations must have certain procedures in place that can be acted upon immediately in order to meet the requirements. Starting with being more cautious with the personal data, knowing where it is being stored and how it is being processed. This applies for both, public and private sector:  hospitals and clinics, dental care, pharmacies, nursing homes, diagnostic laboratories, e-shops that sells pharmaceuticals, and every other company or organization that processes data concerning health.

The definition of sensitive data and conditions to process it

The GDPR defines personal data processed in the Healthcare sector as “sensitive data”. Therefore, standards for its protection are much higher and GDPR mentions three special references to data concerning health:

  1. Data concerning health – “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.
  2. Genetic data – “personal data relating to inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.”
  3. Biometric data – “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”

The processing of mentioned forms of data is allowed under certain conditions only, which are:

  1. The explicit consent to process the data is received from the data subject.
  2. “Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services […].”
  3. “Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices […].”

However, according to the GDPR, Member States may maintain or introduce further conditions, including limitations, regarding the processing of genetic data, biometric data or data concerning health. With the GDPR, data subjects gain more rights. For the Healthcare sector, the most important ones are the right to access that allows data subjects to access their health data that is processed. The right to data portability allows data subjects to transmit their health data to any other healthcare provider more easily. The right to be forgotten – the most difficult one to operationalize. It allows data subjects to request for termination on health data processing and it’s deletion.

It‘s stated under the GDPR that Healthcare sector should have a Data Protection Officer (DPO), since sensitive data being processed on a large scale. Carrying out a Data Protection Impact Assessment (DPIA) helps to evaluate the origin, nature, particularity, and severity of a risk to the rights and freedoms of individuals that processing operations are likely to result.

The Healthcare sector has an obligation to report security breaches (within 72 hours) not only to the local data protection authority but also to individuals whose personal data might be compromised. Clear, practical and effective procedures in the case of the breach should be thought through. Breach notification procedure, including detection and response capabilities, must be put in place. Therefore, training and fire drills should be done every once in a while, to keep the staff and the system ready.

In the case of a data breach, fines can reach up to 20 mln € or 4% of the global annual turnover, whichever amount is higher. The most recent breach in the Healthcare sector happened in Portuguese Hospital. The fine of 400 000€ was initially imposed for accessing patient data through false profiles. Read more about GDPR fines.

EU Member states may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

Steps for the Healthcare sector to take towards the compliance

In order to avoid any breaches, organizations must implement compliance points mentioned above, including reviewing contracts – DPA (Data Processing Agreements). As well as, updating policies, procedures, documentation, and records in order to be ready for inspections. Therefore, data processing activity records and data retention and deletion periods also should be in place.

Due to aging IT infrastructure and weak IT security practices, the Healthcare sector is one of the greatest targets for cyber-attacks. Meaning that technical security measures must be set in order to avoid unauthorized access, mishandle and loss of personal data kept in the server or cloud.

 

More on:
https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1543321123665&uri=CELEX:32016R0679
https://ico.org.uk/for-organisations/health
http://www.eu-patient.eu/globalassets/policy/data-protection/data-protection-guide-for-patients-organisations.pdf

Share on facebook
Share on linkedin
Share on twitter
Share on pinterest
Share on email

Get your compliance organized with proper GDPR tools.
Contact us for a demo and get access to 14-day trial.

Save time and be confident

Latest Posts
The EU-U.S. Data Privacy Framework: A Transatlantic honeymoon for data flows, but for how long?

The EU-U.S. Data Privacy Framework: A Transatlantic honeymoon for data flows, but for how long?

The European Commission concluded that the United States ensures adequate protection for personal data transferred from the EU to U.S....
A Comprehensive Guide to Personal Data Mapping

A Comprehensive Guide to Personal Data Mapping

Introduction Data privacy and security are of utmost concern in the digital era of today, especially when it comes to...
Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

What is a Data Processing Agreement (DPA)? A Data Processing Agreement (DPA) is a legally binding document to be entered...
Direct marketing rules and exceptions under the GDPR

Direct marketing rules and exceptions under the GDPR

Direct marketing includes text messages (SMS) and emails that a customer receives from a product or service provider. But activities...
Transmitting personal data to third countries

Transmitting personal data to third countries

The GDPR has put strict rules in place, when it comes to data transfer to third countries or international organizations. Which...
Records of processing activities in GDPR Article 30

Records of processing activities in GDPR Article 30

What are the records of processing activities (ROPA)? Article 30 of the EU General Data Protection Regulation (GDPR) requires organisations...
10 Great GDPR Software Tools for Compliance in 2023 (Review + Pricing)

10 Great GDPR Software Tools for Compliance in 2023 (Review + Pricing)

In this article, we will introduce you to some useful GDPR software tools which may help you reach GDPR compliance...
Personal Data Breach Reporting Requirements Under the GDPR

Personal Data Breach Reporting Requirements Under the GDPR

What is Data Breach? According to General Data Protection Regulation (GDPR), a personal data breach is a security incident that...
Data Protection Authorities (DPA)

Data Protection Authorities (DPA)

Data Protection Authorities (DPA) Data Protection Authorities (DPA) are independent public authorities that supervise, through investigative and corrective powers, the...
GDPR compliance checklist for controllers

GDPR compliance checklist for controllers

This is a simple GDPR compliance checklist for data controllers that you can use to ensure you have considered most important...