When 25th May 2018 arrives, your healthcare practice needs to be ready for the General Data Protection Regulation (GDPR). If you have not started preparing yourself, you don’t have much time left to review and amend your processes before the new legislation comes into force.
Up to 4% fines
Breaching the new regulations could mean a fine of 4% of turnover or €20 million (whichever is higher), which would be a big hit for practices to pay. It could also result in loss of trust and reputation, among other costs. Because the healthcare industry is a popular target for cybercrime, given the huge amount of medical history and personal data it holds, practices need to be on top of the new guidelines.
Healthcare practices face a number of key challenges in meeting GDPR rules. These include obtaining informed, explicit consent to hold personal data and to contact patients. You also need to provide timely responses to requests for the data you hold on an individual. There is also new legislation around how to report a breach.
Here are some practical steps for your healthcare practice to take in order to support your journey to GDPR compliance:
Carry out an IT system check to make sure your systems are up to date and to rectify any potential security flaws.
Appoint a Data Protection Officer (DPO) to manage processes and compliance related to large scale data processing. You can appoint an external company to help you with this.
Find out which authority you must report a breach to, and how. You have 72 hours to report a breach from when you first become aware of it.
Document processes for auditing purposes. This includes what data you collect and why, how you securely store it, how you gain patient consent, how patients can request a copy of their information and how breaches are handled.
Update new patient forms to include a section that explains how their data is used and stored, and for them to give explicit consent for this.
Explain law changes to current patients, and what this means. It is good practice to ask for renewed consent at this point.
Update and publish terms and conditions detailing how patients can request to have their data removed, withdraw consent and request a copy of the data held on them, along with information about what data is collected, why it is collected and how it is used and stored securely.
Remember that you have an obligation to be open and honest with patients. Your consent forms and terms and conditions must be visible, straightforward and clear.
Additional protection for peace of mind
We appreciate that even with the best intentions and processes in place, sometimes things go wrong. Cybercrime is on the rise and medical and dental practices are high on the target list. For such cases, we recommend cyber liability insurance.
If you want to find out more about whether this can help protect your practice in the event of a cyber breach, contact one of our specialists today to discuss your requirements.