One of the fundamentals of the doctor-patient relationship is the principle of privacy. Nowadays privacy is a widely discussed topic, given the recent implementation of the General Data Protection Regulation (GDPR) and the recent social media scandals that point to intrusions into our personal lives. But the roots of patient privacy date back to roughly 400 B.C., when the Hippocratic Oath made some of the first mentions of patient privacy.
The aim of this article is to investigate how much of the oath pledged today concerns privacy in its modern sense, as presented in the GDPR, and how far medical professionals can rely on it. This is the first of a series of articles we call “Demystifying GDPR for Dental Practitioners”.
The Hippocratic Oath
The Hippocratic Oath was written in Greek as part of a body of manuscripts called the Hippocratic Collection, attributed to Hippocrates, a physician of his time who is now regarded as the Father of Medicine. In translation, it briefly states:
“What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about.”
Numerous revisions have been made over the years, although the context and general content of the Hippocratic Oath still remain very similar to the original text. The oath was written specifically for new physicians, but over the years other medical providers have looked to the pledge as a fundamental statement and have amended it to suit their specialties. Hong Kong is known to be one of the few jurisdictions with an official Dentist Hippocratic Oath.
In its basic form, the Hippocratic Oath states: “First, do no harm.” Clearly, the first promise that physicians make is to maintain high ethical standards in their practice of medicine. In the original oath, the newly sworn physician promises to various healing gods not to harm patients, to admit his lack of knowledge and to hold his medical teachers in the same respect as his parents. The physician promises not to intentionally harm, poison or otherwise cause injury. The oath also involves a promise to care for anyone in need.
Now, centuries later, medical specialists are still struggling with patient information and with trust issues between them and their patients. Has the digitalisation of healthcare created a safer and more private environment? Perhaps the implementation of the safeguard mechanisms required by the GDPR is not the worst thing in the world. Perhaps medical specialists should look on this as a chance to regain their patients’ trust.
The Double Meaning of Privacy
Clearly, even though we use the term “privacy” for both definitions, we have to draw the line and make the distinction. While the original meaning of “privacy” in the healthcare sector is keeping the patient’s circumstances and medical diagnosis secret, the definition of “privacy” in the light of the GDPR is slightly different: there it means protecting the personal information being collected against unauthorised and unwanted processing.
Furthermore, in times when everything, including the personal data of patients and their medical diagnoses, is digitalised and electronically transferred to the relevant local healthcare agencies, can we really expect that medical privacy in the sense of the Hippocratic Oath can still be upheld? Much more can go wrong with this type of sensitive personal information (which here means the medical diagnosis of a given patient) than an indiscretion on the doctor’s side: data breaches, hacker attacks and data losses also have to be taken into account. So it is more accurate to look on the GDPR as an opportunity for additional security of patient data, rather than just an administrative burden.
What is GDPR Actually and to What Extent Does it Concern Medical Offices?
The GDPR introduces certain additional measures with regard to the protection of personal data, especially where it is sensitive personal data, as is the case with the medical data, history or diagnosis of a given patient. The health sector in general will be affected by the GDPR in the following branches:
- Public sector healthcare
- Private healthcare
- Cosmetic surgery providers
- Technology companies providing health and fitness apps
- Any online medical profiling services
- Pharmaceutical companies
- Any patient health researchers
This means that if your practice, or any of the organisations mentioned above, holds any data whatsoever on EU citizens, including patient data but also information on staff and contract workers, you are affected by the GDPR and as such you need to implement the appropriate measures it requires.
Another area that is affected is consent. Even now, most medical professionals explicitly ask patients for consent regarding the data they collect. These practices may need to be reviewed. This will be the case, for example, when your website has a contact form or a “Schedule an appointment” form where patients are required to leave personal data, such as their name and telephone number, so that your staff can contact them. The GDPR requires you to explain to your patients what is happening with their data, where you are storing it, what the purpose of its processing is, and so on.
Another new requirement of the GDPR is the “right to be forgotten”, i.e. your obligation to remove all the data you hold about your patients. This means that you will need the relevant technical capability to carry out this action.
Healthcare providers must make additional efforts to protect the data stored on their systems. The way many healthcare organisations manage patient data has to change by adopting a privacy by design / privacy by default approach.
The GDPR does permit medical research using existing patient data, yet the definition of what exactly counts as scientific research is a little unclear. In any case, the personal data of data subjects involved in medical research needs to be processed in accordance with the requirements of the GDPR – in this case, explicit consent, pseudonymisation of the data, etc. All of these elements and requirements of the GDPR will be discussed in our next articles on the topic!
The GDPR insists that any organisation must report a data breach to the authorities if it could result in some form of risk to individuals; in that case, the affected individuals should also be notified. Given that a breach of patient data records could be enormously damaging to an individual’s reputation and could even lead to them being blackmailed, the chances of a private patient data leak being risky are very high.
The GDPR is a welcome move, and will ensure that patients, doctors and researchers can all have a clearer idea of where data is stored, who it belongs to and what is being done with it. The GDPR helps healthcare organisations by removing many of the grey areas that have led to breaches in the past, and will make it more likely that patient data is managed successfully.
Disclaimer: The content of this article is intended to provide a general guide to the subject matter; it is not legal advice and should not be treated as such. Specialist advice should be sought about your specific circumstances.