Image source: rawpixel via Unsplash
20.07.2018

Patient Data and the GDPR: The Top Four Challenges

Privacy Policy | Cybercrime | Attack Vectors

General state of health, specific blood results, sexual orientation: large quantities of particularly sensitive personal data are collected during every medical examination. These are recorded, stored and often passed on to service providers for processing.

Since 25 May 2018, the General Data Protection Regulation of the European Union (EU GDPR) has applied in Germany as well. The regulation standardises data protection law throughout Europe. The new provisions are intended to better protect personal data and to regulate its transfer. Since the healthcare sector routinely handles sensitive personal data, special caution is required here. As a rule, the attending physician is responsible for protecting patient data. The new requirements resulting from the EU GDPR pose financial and organisational challenges for the healthcare system, and especially for physicians in private practice.

We have summarised what we consider to be the four most important challenges:

1. Duty to provide information when collecting patient data

The medical practice has a duty to inform its patients comprehensively about the collection of personal data and its processing. This covers, for example, the purposes of the processing, the legal basis for the collection and any rights of complaint. At the patient’s request, further details must also be provided, no later than one month after the request.

Our tip:

  • Define and structure the information process (in particular: who the controller is, how the information is provided, and how its provision is documented)
  • Use uniform templates

Consumers across the country are currently inundated with information about the GDPR. Therefore, please understand if some of your patients do not jump for joy at another “lecture” on the new data protection regulations.

2. Documentation of consent with the burden of proof

The patient must expressly consent to the use and processing of his or her health data, unless a more specific legal exception applies. The requirement of “explicitness” places higher demands on the degree of specificity than “normal” consent does. This consent must be documented and retained, because the burden of proof lies with you. The signature of the person concerned is a good option for this purpose. This comes with a certain amount of administrative work, which you should be prepared for. In addition, special rules apply to minors: here the consent of the legal guardians is required.

Our tip:

  • Prepare for the administrative burden with comprehensive consent templates
  • Use technical solutions for documenting consent

3. Order processing and disclosure of health data

Do you not process all personal data within your practice yourself? If you pass this information on to external service providers, or they have access to it (IT service providers, for example), you should check whether you have concluded order processing agreements that meet the legal requirements. If original health data is passed on, you must obtain the consent of the person concerned – i.e. the patient whose data you are passing on – unless a specific legal exception applies. This applies, for example, to billing service providers. In general, data must be protected just as well by your partners as it is in your own practice.

Our tip:

  • Create a register of procedures (an overview of which personal data is processed, by whom and how)
  • Check the technical and organisational measures of your service partners to ensure that they adequately protect your patients’ data
  • Conclude order processing agreements
  • Obtain explicit declarations of consent

4. IT security and data protection concept

Patient data, like other personal data, must be protected against unauthorised access by technical and organisational measures that reflect the state of the art. You must report data breaches immediately and inform those affected. Security incidents not only lead to a loss of trust in your medical practice, but also damage your reputation. The legislator punishes violations with severe fines of up to 20 million euros or a maximum of four percent of the previous year’s turnover.

Our tip:

Patient data is popular with cybercriminals. In view of the enormous damage that can occur in the event of a cyber security incident, prevention is the most important component of the IT security and data protection concept.

  • Keep IT systems updated and aligned with the state of the art
  • Use technology in which IT security and data protection are already built in and which simplifies handling through user-friendly default settings
  • Provide IT security training for all employees
  • Set up reporting chains for data protection breaches

In case a data breach does occur:

  • An emergency checklist
  • Reliable service and emergency partners who are reachable when needed
  • Insurance against cybersecurity incidents