GDPR's here! Now what?
Keeping clinical patient records is part of a healthcare professional’s duty. Ensuring that the records are kept safe was a legal requirement under the Data Protection Act 1998. As of 23 May 2018 it is a requirement under the Data Protection Act 2018 (DPA 2018), which implements the General Data Protection Regulation (“GDPR”) into UK law. How will this affect the healthcare sector and its insurers?
What is GDPR?
The Data Protection Act 1998 required healthcare professionals to keep personal data, including medical records, effectively protected at all times against improper access, disclosure or loss. The General Data Protection Regulation ('GDPR') took effect across the European Union on 25 May 2018, and was incorporated into UK law on 23 May 2018 via the Data Protection Act 2018. The principles of GDPR are now part of UK domestic law and are unlikely to be affected by Brexit at least for now.
The underlying principles of the previous regime are retained, clarified and expanded, but new concepts are also introduced. For example, data relating to health is now a 'special category' of personal data, covering all data relating to the physical or mental health of a natural person, including the provision of health care services, which reveals information about that person's health status.
GDPR imposes a higher standard of protection for the processing of health data, with the aim of protecting the fundamental rights and privacy of patients. There are now significantly higher penalties for infringements, with the maximum fine for the most serious being “4% of global annual turnover” or €20 million (whichever is greater). This means that not only is there now a higher regulatory burden on the healthcare sector, but the consequences of breaches could be much more significant.
Crucially, GDPR does not distinguish between individuals and organisations. The obligations will apply to individual self-employed healthcare professionals in exactly the same way as they will to large hospitals.
What data might healthcare professionals hold?
Healthcare professionals will almost inevitably hold or use data about the health of all of their patients. That data could be held in a variety of different formats in a variety of different locations and on a variety of devices. For example, a clinic or healthcare professional might have a hard copy medical file for each patient in a filing cabinet, but also store emails about that patient on a local server or online data storage service. If clinical photographs of the patient have been taken, there could be copies on the camera’s memory card, on the local computer used to export the images from the camera, in any automatic backup service for that computer (which could include cloud storage), and finally in the hard copy and electronic formal patient medical file.
All of that data must be secure, not just the formal patient file. If the healthcare professional lost a camera or laptop that still had patient photographs on it (even in the ‘trash’ folder), that might be a data breach which may need to be reported to the ICO.
Other uses of patient data
From both a professional conduct and a data protection point of view, the healthcare professional will need to give careful thought in advance to all the purposes for which patient data will be used. The healthcare professional will have the right to use the data for the purposes of treating the patient under the ‘medical’ exclusion. However, depending on the healthcare professional’s particular practice, the healthcare professional might also want to use the data for other purposes such as providing training to other healthcare professionals, advising other patients, clinical or academic research, or even publicity purposes. If any such other uses are contemplated then the healthcare professional will need to find out whether the DPA 2018 permits that use, and if not, ensure they have explicit, specific, freely given and clearly recorded consent from the patient for those uses.
Can I breathe a sigh of relief?
Whether the healthcare professional is a data ‘controller’ or a ‘processor’, increased obligations have been introduced by GDPR.
There was a great deal of publicity about the need for careful preparation ready for 25 May 2018. Everyone from individual self-employed healthcare professionals through to the largest hospitals should already have ensured that they have a framework for compliance, including policies and procedures which provide an audit trail to demonstrate that the required standards are being met. That should include robust processes for making sure that, where a patient's explicit consent is necessary for any data processing, that consent is expressly recorded.
The policies and procedures will also need to deal with other rights patients have in respect of their data. The patient will have the right to access data held about them, often free of charge. In some circumstances, a patient may also have a right to be forgotten, meaning that the healthcare professional must securely erase the data. However, in every case healthcare professionals should also consider their regulatory duty to retain patient medical records for certain minimum periods of time, to avoid professional conduct breaches.
In cases where a breach of data protection poses a ‘high risk’ to patients, healthcare professionals now have to notify the Information Commissioner’s Office (“ICO”) within 72 hours of detecting the breach, as well as notifying the patients themselves. It is therefore prudent to have in place a data breach response plan to ensure breaches are reported and escalated without delay and dealt with appropriately to minimise damage.
If any healthcare professionals have not yet completed these preparations, then clearly they should do so as an urgent priority. But what about those who prepared in advance for the introduction of GDPR? Can they consider the job done and breathe a sigh of relief? Probably not!
As with any new law, it will take some time (possibly years) for the full practical implications for healthcare professionals to become clear. Healthcare professionals should anticipate that updated guidance on how to comply will be produced fairly regularly by the ICO as well as by other healthcare regulators and professional bodies. It is important to keep abreast of new guidance as it comes out and to continually check and, where necessary, adapt data protection processes and policies accordingly. While the deadline to become GDPR compliant has passed, the work of maintaining good data protection governance and remaining compliant is now something we all must continue to do.
How could this affect insurers?
Insurers who provide medical indemnity insurance and related products will need to give careful thought to whether they intend their cover to extend to DPA 2018 infringements. If so, to what extent will such claims be covered? Insurers who do not intend to cover such claims will need to check that their policy exclusions are sufficiently clear to avoid coverage disputes. This is especially so if the cover extends to the cost of replacing lost medical documents, given that the loss of such documents could also be a DPA 2018 infringement depending on the circumstances.
Insurers who do provide cover in relation to DPA 2018 infringements will likely need to prepare for an upturn in notifications and claims. The increased obligations of GDPR will almost certainly result in an increase in the number of breaches of the legislation as some parts of the healthcare sector struggle to keep pace with the regulatory changes. By the same token, insurers may wish to review their standard proposal forms to help ensure that they elicit information from the proposed policyholder about its data protection policies and processes.
For more information please contact Joanne Staphnill, Partner, Joanne.Staphnill@dwf.law, 0207 280 8874
This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.