Data Protection in Healthcare
Data protection regulations have a long-standing and highly relevant relationship with health and social-health centers, which is why this article discusses the importance of that close relationship.
Social-health care is an activity that is growing as the population ages. The number of Day Care Centers and Nursing Homes is growing exponentially. According to the latest data for 2019, there are 389,031 places in Spain and 70,000 more are needed.
Likewise, the health system in general, driven by the culture of personal image, has seen in recent years an increase in Dental Clinics, Aesthetic Clinics, and even Polyclinics where you can find comprehensive solutions to increase self-esteem and feel good about your body, including surgery.
Healthcare is booming, and processing personal data is necessary to maintain the relationship with Patients and Users. The amount of data processed is therefore enormous, and it is not only the usual identifying data (name, telephone, address, etc.) but also, obviously, the large volume of health data relating to all these Patients and Users.
The processing of this personal data has a direct impact on compliance with the European (RGPD) and Spanish (LOPD-GDD) data protection regulations, so we begin by addressing the key points that the data protection regulations impose on the healthcare sector in general.
Health Data:
The General Data Protection Regulation (GDPR) classifies data concerning the health of individuals, including genetic and biometric data, as “special category” data.
In the health field, therefore, data derived from the state of health circulate constantly: results of analyses and medical tests, diagnoses, surgeries, dispensing of medicines, etc. The chronological sum of all of these is the Clinical History.
Data Controller
The Data Controller will be the one who processes the patient’s medical records or User’s files, such as Medical Professionals, Health Centers, Hospitals (Public or Private), Senior Citizen’s Centers, etc.
The Data Controller is obliged to implement all technical and organizational security measures necessary to ensure that the medical records or files are not lost (availability), are not accessed illegitimately by unauthorized third parties (confidentiality) and that their content is not altered (integrity).
Right to Information
Within the relationship with healthcare centers or medical professionals, every patient and user has the right, without exception, to be informed of at least the following:
— Identity and contact details of the Data Controller.
— Contact information of the Data Protection Officer (DPO)
— Purpose of the processing for which the personal data is intended and the legal basis for the processing.
— Time limits for the retention of patients’ and users’ personal data
— Possible disclosures of data to third parties
— International data transfer
— Possibility of exercising rights and how to exercise them.
— The existence of automated decisions (profiling)
— Any processing other than that required by the doctor-patient relationship.
— Whether providing and processing the data is a prerequisite for providing healthcare, or a legal or contractual requirement, and the possible consequences of not providing such data
All this information must be provided in a form that is:
— Concise
— Transparent
— Intelligible
— Easily accessible
— In clear and simple language
The information may be provided in layers. For example:
— 1st layer: basic information
— 2nd layer: complete information provided in circulars, web page, etc.
Consent in Health Care
Patient consent is not required when the processing is carried out for the specific purposes of preventive or occupational medicine, provided it concerns one of the following:
- Medical diagnosis.
- Provision of health or social assistance or treatment.
- Management of health and social care systems and services.
- Evaluation of the worker’s capacity to work.
All of this is regulated by the Data Protection Regulations: Article 6.1.b) of the RGPD for Private Health Insurance Companies, and Article 6.1.c) of the same RGPD for Public Health.
Consent is also not required when the processing is carried out for reasons of public interest in the field of public health (Article 6.1.e) of the GDPR), or when the processing is necessary to protect the vital interests of the data subject or of another natural person (Article 6.1.d) of the GDPR).
However, it is mandatory that the persons processing the personal data are always professionals bound by the obligation of professional secrecy, or that they act under the responsibility of such professionals.
Consent must be requested when the purposes are outside the discipline or practice of medicine, as is the case, for example, if a health professional wishes to send advertising to patients, contact them via WhatsApp, publish their image, transfer their data to third parties, etc.
Retention and Access
One of the fundamental principles of retention is to guarantee adequate care to the patient or user; medical records and files are therefore kept for as long as necessary to guarantee this principle and for the period established by law.
Access to medical records and files is reserved exclusively for the professionals assisting the patient or user. In other words, health or social-health personnel are not allowed to access such documentation in order to browse it or to pass information to third parties.
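The access rule above (only professionals currently assisting a patient may open that patient’s record, and browsing is not permitted) can be enforced and monitored in software. The following is an added example, not code from the article or from Business Adapter®; it assumes a hypothetical care-relationship register, and all professional and patient identifiers are constructed for illustration. It checks each access against an active care relationship, records every attempt in an audit log, and then reviews that log for denied attempts and for unusually broad access that would suggest browsing.

```python
"""Added example (not from the original article): care-relationship based access
control for clinical histories, with an audit log and a simple browsing review.
All identifiers and dates below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class CareRelationship:
    """A professional is assisting a patient between start and end (inclusive)."""
    professional_id: str
    patient_id: str
    start: date
    end: Optional[date] = None  # None means the care episode is still open

    def active_on(self, day: date) -> bool:
        return self.start <= day and (self.end is None or day <= self.end)


class RecordAccessControl:
    """Grants access to a clinical history only while a care relationship is active,
    and writes every attempt (allowed or denied) to an audit log."""

    def __init__(self, relationships: List[CareRelationship]) -> None:
        self.relationships = relationships
        self.audit_log: List[Dict[str, object]] = []

    def is_authorized(self, professional_id: str, patient_id: str, day: date) -> bool:
        return any(
            r.professional_id == professional_id
            and r.patient_id == patient_id
            and r.active_on(day)
            for r in self.relationships
        )

    def open_record(self, professional_id: str, patient_id: str, day: date) -> Optional[str]:
        """Return a record handle if allowed, None if denied; always log the attempt."""
        allowed = self.is_authorized(professional_id, patient_id, day)
        self.audit_log.append({
            "day": day, "professional": professional_id,
            "patient": patient_id, "allowed": allowed,
        })
        # The identifier stands in for the clinical history itself.
        return f"clinical-history:{patient_id}" if allowed else None


def flag_browsing(audit_log: List[Dict[str, object]],
                  max_patients_per_day: int = 3) -> Dict[str, List[str]]:
    """Review the audit log: report any denied attempt, and any professional who opened
    more distinct patients in one day than a care role would normally require."""
    denied: Dict[str, int] = {}
    per_day: Dict[Tuple[str, date], Set[str]] = {}
    for entry in audit_log:
        prof = str(entry["professional"])
        if not entry["allowed"]:
            denied[prof] = denied.get(prof, 0) + 1
        else:
            key = (prof, entry["day"])  # type: ignore[arg-type]
            per_day.setdefault(key, set()).add(str(entry["patient"]))
    findings: Dict[str, List[str]] = {}
    for prof, n in denied.items():
        findings.setdefault(prof, []).append(f"{n} denied access attempt(s)")
    for (prof, day), patients in per_day.items():
        if len(patients) > max_patients_per_day:
            findings.setdefault(prof, []).append(
                f"{len(patients)} distinct patients opened on {day}")
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a closed care episode and an access outside any relationship."""
    today = date(2024, 3, 1)
    acl = RecordAccessControl([
        CareRelationship("dr-garcia", "patient-001", date(2024, 1, 10)),
        CareRelationship("dr-garcia", "patient-002", date(2024, 2, 1), date(2024, 2, 15)),
        CareRelationship("nurse-ruiz", "patient-003", date(2024, 2, 20)),
    ])
    acl.open_record("dr-garcia", "patient-001", today)   # allowed: active relationship
    acl.open_record("dr-garcia", "patient-002", today)   # denied: episode ended 15 Feb
    acl.open_record("nurse-ruiz", "patient-003", today)  # allowed
    acl.open_record("nurse-ruiz", "patient-001", today)  # denied: not assisting this patient
    return flag_browsing(acl.audit_log)


if __name__ == "__main__":
    for professional, reasons in demo().items():
        print(professional, "->", "; ".join(reasons))
```

The design point is that the denial itself is not the end of the control: every attempt, allowed or not, lands in the audit log, because the rule in the text is violated just as much by a professional who quietly reads records they have no care relationship with as by one who is refused. The `max_patients_per_day` threshold is a constructed heuristic and would need tuning per role and service.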
We help all Clinics and Residences
Business Adapter® has been assisting clients in the Health and Social-Health sectors for 11 years. Do not hesitate to contact us and request a free audit to learn your organization’s degree of compliance with personal data protection regulations (RGPD + LOPDGDD).
I want a free audit: https://businessadapter.es/contacto