How to handle health data
Health data is all the information that relates to the health status of a person. This concerns not just medical data, such as physical health data and mental health data, but also financial and administrative data related to healthcare provision (Simoncini, 2017). When health data relates to an identified or identifiable individual it is considered as personal data, and even a special category of personal data which requires additional protection.
Processing health data
The processing of special categories of personal data is governed by Article 9 of the General Data Protection Regulation (‘GDPR’). Article 9 of the GDPR states that the processing of health information is in principle forbidden. It is however allowed to process such data when specific conditions are met. Generally speaking, healthcare organisations could base the processing of the health information of their patients on the legal grounds of consent, the necessity for the protection of the vital interest of the data subject, or the necessity for the provision of healthcare or treatment or the management of healthcare systems and services. For the latter it is required that the processing-exception is defined by the law or follows from a contract with a health professional and a data subject and the healthcare professional is subject to a legal obligation of professional secrecy (Art. 9, 2, h GDPR juncto Art. 9, 3 GDPR).
When treatment is completed or stopped for another reason, the legal ground for data processing can never be anything but consent, meaning that the patient needs to give explicit consent for further processing of health data after completing treatment.
Checklist for gathering and processing health data
The following list provides useful questions for those who collect and/or process medical data (Simoncini, 2017):
- Is the data directly relevant to medical treatment?
- Is the patient informed about which information is processed and why?
- Is the patient aware of his or her right to access his or her medical file to verify or rectify information?
- Is the process to request access known to him or her?
- Is the data kept according to an appropriate retention period?
- Is data handled by healthcare professionals who are bound by the obligation of medical secrecy?
- Is data handled by administrative staff that signed a specific confidentiality declaration?
- Is a risk assessment conducted and are appropriate security measures put in place?
Self-check for healthcare workers
Cybersecurity and information security are continuous processes that everyone should contribute to. The following list of questions can help healthcare staff members to check whether they are acting accordingly (Kaminski, 2018; SecureHospitals.eu, 2019):
- Do you talk about your patients in public?
- Do you post on social media about your work and/or patients?
- Do you lock your computer?
- Do you keep your account information to yourself?
- Do you leave your workspace and devices unattended?
- Do you leave patient files or other documents openly accessible in your workspace?
- Do you know and apply the rules and regulations of your workplace?
- Do you know who to ask for help when you have questions or problems with computers or devices?
- Do you know who to go to when you suspect or know of a data breach or leak?
Consequences of mishandling health data
In 2019, a Dutch hospital received a fine of €460,000 under the GDPR. The fine was imposed by the Dutch supervisory authority (‘Autoriteit Persoonsgegevens’), as a result of an incident in 2018. In that year, a local TV-show personality was admitted to the hospital. Curious staff members sought access to this person’s medical file, while they were not part of the official treating medical team (Kolbasuk McGee, 2019).
The Dutch supervisory authority concluded that the security of electronic medical files was not up to standards and should be improved upon. However, the authority also concluded that the confidential relationship between the healthcare provider and the patient was breached as well (Autoriteit Persoonsgegevens, 2019).
Further reading and resources
- General Data Protection Regulation (ENG): https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e40-1-1.
- European Data Protection Authority Guidelines: https://edps.europa.eu/data-protection/our-work/our-work-by-type/guidelines_en.
Autoriteit Persoonsgegevens. (2019, July 16). Haga beboet voor onvoldoende interne beveiliging patiëntendossiers. Retrieved 2 September 2019, from https://www.autoriteitpersoonsgegevens.nl/nl/nieuws/haga-beboet-voor-onvoldoende-interne-beveiliging-pati%C3%ABntendossiers.
Simoncini, N. (2017, January 4). Health data in the workplace. Retrieved 2 September 2019, from European Data Protection Supervisor website: https://edps.europa.eu/data-protection/data-protection/reference-library/health-data-workplace_en.