The General Data Protection Regulation (GDPR) classifies health information as particularly sensitive information. Accordingly, data protection in medical practices is very important. Even in the hectic pace that often prevails in medical practices, it should not be handled carelessly.
What does a medical practice need to consider when it comes to data protection?
In some ways, special rules apply to medical practices with regard to data protection. Not in the sense that they can do whatever they want with the data, but doctors are not required to obtain direct consent from patients when collecting data. This means that the written consent the GDPR otherwise requires for data collection does not apply to patients in the doctor’s surgery; the data may therefore be collected without it. However, this only applies if a private medical billing office is involved and the data is not passed on to third parties. Otherwise, the doctor must also obtain written consent for the data collection. If a patient refuses this consent, they must still be treated. Data is usually collected by the doctor via the medical card, on which all the important data that doctors need is already stored.
A walk through the doctor’s surgery
Let’s take a step-by-step look at a doctor’s surgery and see where data protection needs to be taken into account:
The reception
Data protection in the doctor’s surgery starts at reception. Every patient passes through here at least once when they come in for an examination. This also means that every patient has access to everything that goes on at reception: open patient files, notes from telephone calls and so on should not be left lying around. Conversations about personal data should also not be held in the presence of patients. “Anna, why is Mr. Meier here again?” “Oh, he’s got that nasty rash between his legs again.” “I told you, ointment X helps well, I know that from my friend.” This is not information that is intended for other patients. Nor, of course, is information shouted across the room so that the whole waiting room can hear Mrs. Müller’s cell phone number. The layout of the reception desk is also important: do patients have a clear view of the computer monitors on which patient data is displayed? This should be prevented. Patients are generally not interested in this information, but that doesn’t matter when it comes to data protection.
The treatment room
In the treatment room itself, things become very personal. After all, this is where the actual illness, injury or ailment is determined. This is also where the treatment takes place, during which you show more of yourself than you would normally do in public. It should go without saying that the door is closed. The principle of data minimization must also be observed here. This principle means that only the data that is actually relevant to the diagnosis and treatment is collected.
The storage location for patient data
Naturally, patient data is stored behind locked doors for data security, either in a locked room or in locked cabinets. Processing and transferring patient data is somewhat more complex. In principle, of course, this is not allowed just like that. However, the transfer of data between medical practices is sometimes useful if further treatment is to take place in another medical practice. The patient’s consent is required for this transfer, and it must be given in writing. What is permitted, however, is to obtain a professional opinion from another doctor on a diagnosis or treatment; even then, only the data that is absolutely necessary may be used.
The IT department
As a rule, a medical practice does not have its own IT department. Instead, external service providers are commissioned for this purpose. Under certain circumstances, these service providers may have access to patient data. This is fine as long as it is contractually agreed that the service providers are bound by professional secrecy in accordance with Section 203 of the German Criminal Code (StGB).
Conclusion
Data protection in medical practices is actually relatively easy to implement. However, the predominantly hectic pace in medical practices often works against this. Minor errors quickly creep into data processing and data security, and these small errors can have a major impact. After all, even a brief glimpse of personal data can lead to difficulties if the wrong person gains access to it.