Privacy and Data Protection in the UK for Online Forms

Healthcare is a very personal topic, and health information needs to be protected and available only to those who need it to care for patients. When healthcare data is collected online, information is transmitted and needs to come with the assurance of GDPR-compliant processes.

What Protection is Legally Required?

The UK General Data Protection Regulation (GDPR) is the post-Brexit domestic version of the EU law. The two are almost identical except for UK-specific language in the UK version.

The GDPR includes 7 basic principles:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

While GDPR covers ALL sectors of data, healthcare data is a special category that is defined even further and held to a higher standard. Similar to the Health Insurance Portability and Accountability Act (HIPAA) in the U.S., healthcare data in the GDPR is defined as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.” The GDPR also includes special protections for genetic data and biometric data, treating them the same as health data.

Healthcare organizations have added responsibility under the GDPR to maintain a higher standard of protection than typical personal data. The GDPR prohibits any processing of health data (electronic or physical data) unless the patient has given explicit consent.

Explicit consent for healthcare purposes means that a patient signs consent with the explicit use(s) of the data listed on the form. This consent also covers potential transfers of health data, international data transfers, and cloud storage of data.

Important considerations for practices in the UK are:

  • Data workflows
  • Data handling
  • Cross-border data transfers
  • Data privacy
  • Security monitoring
  • Overall policy compliance

When providing health information, it is reasonable for patients to assume that their information will be used by the doctors, nurses, and other clinicians involved in their direct care, such as lab or radiology staff. The information will also be needed to process the billing and payment claim or other administrative tasks.

If that data is to be used for any reason other than individual care, such as for a research project, then staff must obtain explicit consent.

What Are Patient Data Rights Concerning Electronic Forms?

Electronic forms are to be treated the same as paper forms filled out in a physician's office or hospital when it comes to privacy. In fact, they need even greater protection, because the data is in transit.

Healthcare patients, as individuals covered under the GDPR, have the following individual data rights:

  • The right to be informed.
  • The right to rectification.
  • The right of access.
  • The right to be forgotten (erasure).
  • The right to restrict the processing of their data.
  • The right to data portability.
  • The right to object.
  • Rights regarding automated profiling and decision making.

This means that electronic systems must implement specific cybersecurity measures and demonstrate compliance with GDPR standards.

FormDr provides businesses and practices with electronic patient forms and submissions that meet GDPR standards. Our GDPR-compliant electronic forms are protected with a 128-bit secure socket layer which encrypts patient data – both when data is in transit and at rest. Regular security risk assessments are performed to ensure FormDr maintains the highest level of data security. Also, because patients and care providers can access their forms from any device that has internet access, our forms are secure on phones, tablets, and computers.

FormDr takes healthcare privacy seriously – as part of our responsibilities when it comes to transmitting private information via electronic forms. We value our clients' peace of mind when it comes to data security. This is why we are GDPR-compliant in the UK, as well as HIPAA-compliant in the U.S., to provide encrypted and secure forms. To learn more about our processes and privacy practices, contact us to get started.