If you’ve followed our series so far, we’ve discussed the Hippocratic Oath and the 7 elements of GDPR that most concern dental practitioners. Today we continue with the hot topic of processing patients’ data.
It is a fact that many dental practices are still unprepared and therefore non-compliant with the requirements of the GDPR. Despite the big fuss last May, the processing of patients’ personal data is still not at the level it should be, and some dental practices even limit GDPR compliance to a simple consent form presented to patients. It is understandable, though, given that data protection is a field far removed from dentistry. It is vital that some changes get implemented in the way dental practices process their patients’ personal data.
Here is a brief explanation of what the new rules require, put simply and without specific legal terms:
- In case of a breach, data holders (controllers) must notify the authorities within a specific timeframe, which is 72 hours;
- Patients (data subjects) have a right to access their data;
- Patients have the right to ask for their data to be fully erased, a.k.a. the right to be forgotten;
- Any new project involving personal data from now on needs to implement privacy by design, which simply means that the strongest level of protection of personal data must be built in;
- Privacy must furthermore be ensured by default, meaning that any project should apply the level of protection already implemented – this is privacy by default;
- Every organisation holding personal third-party data must have a data protection officer (DPO).
GDPR imposes other requirements as well, and the ones expected to have the greatest influence on dental practices are looked at in detail below.
The Necessity of New Rules
The current EU legislation regarding the processing, storing and erasing of personal data was implemented back in 1995 – the 1995 Directive. The Directive was a modern piece of legislation for its time, but it hasn’t kept up with the vast technological progress since. Think about it: the 1995 Directive was introduced before smartphones, digital apps or eHealth. The new regulation, adopted in 2016, aims to update the law for the digital era. If we have to be completely honest, we may even say that the new legislation is a bit late – it’s been 20 years! It is expected that the new Regulation will emphasise the need for consent, clarity about the purpose of data collection, and transparency about how the data is used. Some recent events, like the revelations that our personal data has been exposed to unauthorised third parties, further support the need for new legislation in the field.
Consent in the Medical Field
One of the major areas where consent is strongly needed is clinical trials. The reason is that medical information, in general, is considered sensitive personal information, and one of the ways to obtain the data subject’s agreement to use it is to have an explicit consent form signed by the data subject.
The use of data for clinical trials, registries, and patient outcome databases was the focus of major debate before the GDPR text was finalised back in 2016. The common concern about the explicit consent approach was that some big datasets would become unusable for research purposes.
Explicit consent is required if data is to be used in any way. In practice, for biobanks and registries, which hold genetic material from thousands of people, probably collected a decade or more ago, securing consent from thousands of individuals for each new research project would be impossible. However, this is absolutely needed if you want to be in compliance with the GDPR. So the solution here is to hire an entire team of people to track down all of the research subjects and then to destroy the biological material of those data subjects who refuse to give their explicit consent, in accordance with the GDPR. This means time and resources spent on a database that has already been built up. But it raises even harder questions – what about the subjects who are no longer in a state of mind to make such decisions, or who have passed away? Who will give explicit consent for them?
The GDPR requires companies and hospitals to significantly rewrite their patient consent forms for trials and routine surgery where the data could potentially have research use. All personal data – name, age, comorbidities, even IP address – cannot leave the premises of the hospital or research centre without prior consent. If the trial data is crunched by an algorithm beyond the boundaries of the trial, consent for that is needed as well.
For all the new trials that are about to begin, consent forms will reflect GDPR rules. A more challenging area will be registries and databases which contain information collected over several years, some falling under old data regulations and some under the new ones.
Even though this may sound like a lot of work, GDPR will have positive effects as well. One of them will be reassuring patients that the law is on their side when it comes to the use of personal health data. A perception of inappropriate use could undermine the huge potential of big data for healthcare.
The Overlap of GDPR and the Medical Devices Regulation
The GDPR comes at a moment when the medical industry, and more specifically the MedTech sector, is busy digesting the new Medical Devices Regulation, which came into force in May 2017. Manufacturers have until May 2020 to bring products into compliance. Amongst other requirements, the rules require device manufacturers to provide a greater clinical evidence base of safety and performance before approval and to collect post-market clinical data as part of an ongoing assessment of product safety. It will therefore be up to the manufacturer to implement the GDPR personal privacy requirements on top of the Medical Devices Regulation requirements. This has its good side: every device holds some personal information about the patient it is used on, so by having the time and resources to become compliant with both, the manufacturer is spared the trouble of doing the work twice.
Thus, it is crucial that GDPR implementation strikes the correct balance in safeguarding individuals’ health data without creating significant logistical and practical hurdles for the use of this data for research purposes.
It seems that the medical field, and the dental field in particular, has a lot to digest when it comes to new regulations and rules. It is advisable to rely on an outside professional in the field, as the administrative burden has increased.
Disclaimer: The content of this article is intended to provide a general guide to the subject matter, it is not legal advice and should not be treated as one. Specialist advice should be sought about your specific circumstances.