
Data protection for health professions & doctors


Why is data protection so relevant for health professions & medical practices?

Data protection for health professions and doctors

The handling of patient data and the associated personal data is particularly important in the healthcare sector. Patient data is information that is particularly worthy of protection and must therefore be handled sensitively in the course of professional practice. Another important aspect is medical confidentiality, which also binds employees.

• Data protection within the practice

Data protection must be lived within a practice and must therefore be a particular priority for the practice management as well as for the employees. A cornerstone of the practice is the collection of patient data. The focus here must be on the information actually required: as a rule, only data that is necessary for the doctor's treatment and diagnosis may be collected in patient contact.

In a doctor's practice, data is frequently passed on. An important point here is that patient files containing personal data may not simply be handed over to insurance companies or third parties. When transferring data, specific requirements must be observed that depend on the intended recipient. In most cases, a declaration of consent must be obtained from the person concerned in order to pass on personal data in a legally compliant way.

In the doctor's office, too, data must be secured and adequately protected against access by third parties. This applies both to analog records (forms, images, notes ...) and to the patient data stored in the IT systems and practice software.

In the case of a group practice or in a hospital, only the attending physicians are allowed to pass on patient data to one another. However, only information that is necessary for the treatment of the patient may be exchanged. Any further data exchange is not considered to be legally compliant.

• Data protection at the practice registration

As a rule, no doctor's office can do without a practice reception. Here the patients are received and the concerns of the visit are clarified. From this point on, the employee must observe and comply with the data protection regulations.

This is where the first data protection problems arise:

- Several people stand at the reception counter and can follow the conversations

- Diagnoses are transmitted unprotected at reception and can be overheard

- Reception remains unattended and access to cabinets, files and PCs is unsecured

- Doctors and employees discuss patient data with each other - this information can be overheard

- The waiting room is not sufficiently soundproof and conversations can be followed

Talking to patients is part of everyday practice, and a lot of data and information is exchanged by phone or email, including sensitive data such as therapies, diagnoses and test results. Often, however, the identity of the contact is not verified, so there is always a risk that personal data will end up in the hands of unauthorized persons in this way.

Personal data also plays an important role on a first visit to a practice, where this information is requested as a first step. In everyday practice, a pre-printed information notice on data protection according to Art. 13 of the GDPR is often presented here, which the patient is expected to read and then confirm orally. This process does not comply with data protection law and is therefore not legally compliant! With oral consent, the practice is unable to provide evidence that consent was given. This can be, and is, assessed by patients and the authorities as a data protection violation and is punished with corresponding fines.

In order to act in a legally secure manner and avoid fines, the practice should as a rule obtain a written declaration from the patient. This safeguard can also be implemented digitally: for example, the information can be provided on a mobile device and signed digitally there.

Control points of a data protection compliant practice:

- Is there an audit-proof consent for data processing?

- Has the data protection declaration on the webpage been created in accordance with the law?

- Does the reception always remain manned?

- Is the doctor's practice secured (e.g. locked entrance)?

- Can data on PCs or the telephone system be viewed by third parties?

- Is information exchanged discreetly at reception?

- Can files and notes be viewed by third parties?

- Is there a backup of the personnel files?

- Are the waiting room and treatment room soundproofed?

- Are telephone contacts verified?

- Are there any data processing agreements with external service providers?

- Is the server room secured?

- Is the practice secured against break-ins?

- Is there an external power supply?

- Are passwords securely assigned and changed?

- Is IT security guaranteed?

- Are there any employee training courses on the subject of data protection?

In a practice that complies with data protection regulations, it should be possible to answer all of these questions with "yes". If this is not the case, speak to the experts at heyData, who will guide you safely through the data protection jungle.

• The data protection declaration on the homepage

The data protection declaration on the webpage must be precise, transparent and easily accessible. It must explain all processes in which personal data is processed. The name and contact details of the operator and of the person responsible must be listed. Any tools that process personal data (social media, web forms, cookies ...) must also be listed. For each processing operation, the purpose of the data transfer and the legal basis for the processing must be stated.

In addition, the following information should always be included:

- Duration of data storage

- Right to information, correction, deletion, right of withdrawal, restriction of processing

- Right to lodge a complaint with the supervisory authority

- Automated decision-making

- Regulations for the legal or contractual provision of data

• Transfer of patient data to the health insurance companies

Insurers rely on patient information and store it. This information, in the form of social data, address data, diagnoses and billing data, is necessary for medical care; without it, medical care cannot be guaranteed. For these reasons, storing this data is legally permissible.

However, health insurance companies are not excluded from data protection law. The health insurance companies are only allowed to save as much data as they need for their work. In principle, however, patient data must be deleted if it is no longer necessary and there is no reason for further storage.

Do you have any further questions about data protection in the health professions or within medical practices? heyData is happy to be your partner. Contact us - we will help you!

Choose heyData and benefit from a personal, professional contact who ensures data protection compliance at all levels and to the highest standard.

FAQ

Do I need a data protection officer?

If you and your company meet one or more of the following criteria, then YES:
- Your company employs more than 20 people
- Employees regularly process personal data by automated means
- Special categories of personal data are processed in the company, such as ethnic origin, political opinion, religious conviction, health or the person's sex life
- Business-related personal data is transmitted, collected, processed or used and this represents a core activity of the company (this is the case for almost all companies whose business relates to personnel, e.g. software, recruiting, headhunting, consulting, etc.)

What are personal data?

According to the GDPR, personal data is all information that relates to an identified or identifiable natural person. A person is considered identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or other characteristics. In practice, this includes all data that can be assigned to a person in any way. Examples are telephone numbers, ID numbers, account details, license plates, customer numbers, e-mail addresses and postal addresses.

How does heyData work?

As soon as you have decided to work with heyData, after an initial needs analysis, we will carry out a data protection audit with your company in order to understand the processes of your company holistically - this process is digitally accompanied and supervised by the data protection advisor. We will then work with you to prepare the necessary documentation and, if necessary, adapt the website of your company according to our instructions, should there be a need for changes in order to achieve conformity. Depending on the package, we are then involved in a wide variety of processes in your company that require the expertise of a data protection officer to protect you in all matters; this usually extends to HR, marketing, product but also business development processes.

How long is the contract term?

The regular contract term is 24 months.

What is done in the data protection audit?

The data protection audit is intended to examine the processes of your company and to identify the essential points of data processing. You will then receive documentation of this so that the positions, the type of data processed and the persons responsible are also available as a diagram at any time.
