Data protection in medical practices: what you need to know - incl. checklist

Data mishaps happen quickly: a completed medical history form is on display at reception, patients can overhear confidential conversations in the waiting room or an open patient file is still in the treatment room. These scenarios are not only annoying, they can also be expensive: Violations of the General Data Protection Regulation (GDPR), which came into force in 2018, are punishable by high fines of up to 20 million euros.

Although the first violation will probably "only" result in a warning, you should not let data protection slide, if only for the safety of your patients. But what is actually covered by data protection in medical practices?

What does data protection in medical practices involve?

In a doctor's practice, a lot of personal and health-related data is collected. According to Article 9 of the GDPR, this data is particularly worthy of protection. Doctors and practice staff must therefore ensure that no unauthorized persons gain access to this data.

With Nelly, all patient data is optimally protected. 100% GDPR-compliant. Test it now!

This also applies to processing outside your practice. If, for example, you wish to pass the data on to other doctors, you may only do so with the patient's consent. To this end, you should provide your patients with information on data processing at the time of admission . You can find a template for this form at the KBV, among others.

Hinweis: Eine FAQ-Liste zur DSGVO finden Sie beim Hausärzteverband.

Note: You can find a list of FAQs on the GDPR at the General Practitioners' Association.

Privacy policy: Information on data processing

You should inform your patients in writing about data protection in your medical practice. The following information must be included in the letter:

• Name and contact details of your practice or name and contact details of the person responsible and - if available - the data protection officer
• Purpose of data processing
• Legal basis for the processing
• Information on the disclosure of data
• Storage duration
• Patients' rights

With Nelly, you can easily inform your patients online about your data protection measures. Test it now!

Note: Data protection is a sensitive issue. Therefore, if in doubt, seek specialized legal advice to protect yourself and your practice. Further information on data protection obligations can be found at the Virchowbund.

To ensure that data is handled securely, a data protection officer can - or must - support your practice.

Data protection officers: supporters in matters of data security and data protection

The task of a data protection officer is to monitor compliance with measures to ensure data security and data protection. They also act as a point of contact for all questions on the subject and know what to do in the event of data protection incidents.

Who needs a data protection officer?

Not every practice is obliged to appoint a data protection officer. Article 37 of the GDPR specifies for whom corresponding support is necessary. As the GDPR does not specify which regulations explicitly apply to medical practices, requirements have been established in practice that are primarily geared towards practice staff.

The appointment of a data protection officer is mandatory if you

• employ 20 or more employees who are entrusted with data processing,
• sensitive health data of at least ten persons are processed extensively or a
• data protection impact assessment is necessary.

If none of the above points apply to your practice, professional support remains optional. Regardless of whether you involve a data protection officer, you should take measures yourself to ensure security. A checklist can help you do this.

Checklist: What you need to consider when it comes to data protection

Do you want to get everything right when it comes to data protection? There are a large number of free checklists on the Internet that offer you initial guidance when reviewing your processes with regard to the GDPR.

• "Checklist: What to do about data protection" from the KBV
• "Self-audit data protection in the medical practice/dental practice/MVZ" of the data protection lawyers Bavaria
• "Checklist on the General Data Protection Regulation" from the Virchowbund
• "How to make your medical practice GDPR-compliant" by advocado
• "Data protection in medical practices: Guidelines on handling patient data" from datenschutz.org

Please note: You will find many more handouts on the subject online. However, be sure to pay attention to the sources! Not all of them are reputable and/or cover all important aspects such as IT. Alternatively, you can also create your own checklist that is individually tailored to your medical practice.

Is your IT system GDPR-compliant?

A key aspect of data protection is GDPR-compliant electronic data processing in the medical practice. In this case, also check your practice software and pay attention to these aspects:

• Access control
• Two-factor authentication
• Allocation of authorizations
• Data backup
• Delete function
• Encryption method

Play it safe when it comes to data protection with Nelly

Data protection is a top priority at Nelly. That's why the tool stores all documents in a secure cloud, only sends encrypted messages and always sends invoices in compliance with the GDPR. So your patients and their data are always in safe hands. Create a digital workflow in your practice now. We will advise you on your individual case free of charge and without obligation!

Contact Nelly now!

The personal designations used in this article always refer equally to all persons. For the sake of better readability, we have refrained from using double or opposite names.