Privacy Regulation and Audiology (II)
GDPR
In the first installment of this series, Geoffrey Cooling provided an overview of the new General Data Protection Regulation (GDPR), which applies from 25 May 2018.
This time, he takes a deeper dive into what it will mean for the hearing care profession.
GDPR, what you need to consider
We need to be very clear about the effects of the legislation and what it means for us and our processes. In this article I hope to translate both the key terms used in the legislation and its key requirements, and to make it more understandable by giving examples of where it applies to our current practice and where we need to change that practice to comply.
I am approaching this question from a commercial point of view: my main concern, and the thrust of this article, is marketing communication to a customer. The GDPR will not stand in the way of you calling a customer in for a follow-up or a yearly appointment; it will, however, remove your ability to send them marketing material unless they have agreed to receive it.
Don’t forget that we deal with health data, which the GDPR treats as “special category” (sensitive) data. That means tighter restrictions and heavier fines for non-compliance. Let’s take a look at the overarching requirements of the GDPR.
Personal data
We need to understand the definition of personal data. The GDPR has in fact made the definition wider than it once was: it now covers any information relating to an identified or identifiable natural person, which means name, PRSI number (Ireland), National Insurance number (UK), national ID number, postal address, IP address and health information.
We all hold personal data pertaining to our Patients, not just names and addresses. We need to review and document what personal data we hold, how and where we collect it, the purposes for which we use it and who, if anyone, we share it with. Understanding this and writing it down is imperative, because the simplest way to cover ourselves for these activities is to get explicit consent for each of them.
To obtain valid explicit consent, we need to set out clearly, in plain and easy-to-understand language, each purpose for which the data is used and why. So, why do we gather their data, and with whom do we share it?
- Name, address and other personal details (for communication purposes and record keeping)
- Medical details (a better understanding of their hearing loss)
- Audiological tests (for the purpose of understanding their loss and recommending a hearing aid)
- Sharing information with other medical professionals for the purposes of referral
- Sharing it with the Department of Family Affairs for Grant purposes (Ireland)
- Sharing their information with hearing aid manufacturers for the purpose of buying hearing aids.
I think that probably covers it all, although I stand to be corrected and will probably remember at least one more instance the moment this article is published. Remember, we need to understand and document every one of these instances, because they define the consent we need to ask for and the explanations of what we do with the data. Which leads me on to:
Lawful basis for processing
Up to now, we have held all of our Patient data on the basis of implied consent. By that I mean that everyone in the relationship understood that we would hold their hearing test information and their name and address. While there is a legal requirement to retain medical records, our customers also generally understood that we would use their details to contact them. In essence, it was an opt-out system: if they didn’t want us to contact them, or didn’t want us to hold their data, they needed to tell us.
That type of consent is no longer valid. If we are to rely on consent, we need explicit consent, and not just in general: we need explicit consent for each of the separate purposes for which we use the data. Under the GDPR, before processing any personal data you must identify and document a lawful basis for doing so. That basis can be consent, but then you need consent for every purpose you use the data for, and you need to be able to show when and how it was given. Which brings me, funnily enough, on to:
Consent
As I hinted earlier, the very definition of consent is changing, and the standard for obtaining it is far higher. Consent must now be freely given, specific, informed and unambiguous, and given by a clear affirmative action. The easiest way for us to comply with the GDPR is via consent, although there are other lawful bases, for instance the performance of a contract where we sell hearing aids to the Patient, or a legal obligation to retain medical records. For marketing, though, the easiest, most defensible and most transparent basis is consent.
That means we need to obtain explicit consent for all of our activities from every Patient on our database before 25 May 2018, and consent obtained under the old rules only carries over if it already meets the new standard. It is very simple: if you don’t have explicit consent to send direct marketing to someone and you do so after 25 May, you are non-compliant and could face a heavy fine. Direct marketing does not include letters or calls for clinical follow-ups; when I say direct marketing, I mean direct marketing.
In fact, if you have not received consent to do so and you carry on with any of the normal marketing activities we do after 25 May, you are non-compliant and may face a heavy fine. So, if I were you, I would check your consent mechanisms now to ensure that you will be compliant from 25 May 2018.
That means, at the very least, a form that sets out clearly and in plain language each of the purposes for which we collect and use data. It needs to be easy to read and understand, with a yes/no tick box against each purpose and a signature line. You can’t list all of the purposes and rely on a single signature at the bottom, and pre-ticked boxes do not count: unless the Patient actively ticks yes or no against each purpose, it will not be accepted as valid consent. Keep the signed form (or a scan of it), because you will need to be able to demonstrate that consent was given.
Individual rights
Individuals’ rights have been expanded: the GDPR contains both new and enhanced rights. For example, individuals have the right to withdraw consent at any time, the right to data portability and the right to erasure (the “right to be forgotten”). These aren’t the only rights given, and you need to understand them so that you can work out how to enable individuals to exercise them. Take data portability: individuals now have the right to get the data they gave you back from you in a usable form. I will quote the relevant text of Article 20:
“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.”
That means we need to consider how we supply their data to them, which in turn means considering how we store their data and what we store it in. For instance, if we store all of their data in Noah, we can export it as a CSV file or as an NHAX file, which is Noah’s own format.
Under the regulation, an NHAX is probably acceptable because everyone (I mean the professionals) uses Noah. But what about the halfwits? There are still gobshites (Irish technical term) who don’t use Noah. So how do we provide data portability for them? Most systems can import CSV files, so a CSV export might do; however, most Patients won’t know how to open or use a CSV.
That means we will need to be able to print off all of the information we hold on them, and perhaps that is also the solution for practices without Noah. One way or the other, we need to think this through to be compliant. The other thing is that if the Patient asks for their audiogram, you have to give it to them: it is personal data and they have the right to access it. Note that under the GDPR the first copy of the data must be supplied free of charge; a reasonable fee can only be charged for further copies or for requests that are manifestly unfounded or excessive, so get legal advice before relying on a charge.
By that I mean, if you charge for medical reports right now, you need legal advice about how you set that out in a contract to ensure that you can still do so. The other thing you need to consider is the actual information you record: no more acronyms like NAF (nutty as F@%#k), because the Patient can now demand complete access to everything you have recorded about them.
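To make the consent and portability requirements above concrete, here is a small added example (my own illustration, not code from the article or from Noah or any practice management system) of a per-purpose consent log and a portability export for a patient record. The purposes, field names, patient details and audiogram values are all constructed for illustration. The points it demonstrates: consent is recorded per purpose, silence is not consent, the most recent decision (including a withdrawal) wins, each decision carries the evidence you would need to show, and the export is a structured, machine-readable document that includes the audiogram.

```python
"""Per-purpose consent ledger and data-portability export.

Added example for illustration only; the purposes, patient record and
audiogram are constructed and are not real data or a real product's API.
"""
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# One entry per purpose the practice uses data for (constructed list).
PURPOSES = {
    "records": "Name, address and contact details for record keeping and clinical follow-up",
    "clinical": "Medical history and audiological tests to assess hearing loss and recommend an aid",
    "referral": "Sharing clinical information with other medical professionals for referral",
    "grant": "Sharing details with the relevant department for grant purposes",
    "manufacturer": "Sharing details with hearing aid manufacturers when ordering aids",
    "marketing": "Direct marketing by post, phone, SMS or email",
}


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool       # True = ticked "yes"; False = ticked "no" or withdrew
    recorded_at: str    # ISO-8601 UTC timestamp of the decision
    evidence: str       # where the decision is evidenced, e.g. form reference


@dataclass
class Patient:
    patient_id: str
    name: str
    address: str
    audiogram: dict            # frequency (Hz) -> threshold (dB HL), per ear
    clinical_notes: str
    consent_log: list = field(default_factory=list)

    def record_consent(self, purpose, granted, evidence, when=None):
        """Append a consent decision; unknown purposes are rejected."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        when = when or datetime.now(timezone.utc).isoformat()
        self.consent_log.append(ConsentEvent(purpose, bool(granted), when, evidence))

    def has_consent(self, purpose):
        """Latest decision for the purpose wins; no decision means no consent."""
        events = sorted(
            (e for e in self.consent_log if e.purpose == purpose),
            key=lambda e: e.recorded_at,
        )
        return bool(events) and events[-1].granted


def may_send_marketing(patient):
    """Gate every marketing send on an explicit, unwithdrawn 'yes'."""
    return patient.has_consent("marketing")


def portability_export(patient):
    """Return the full record as JSON: structured, common, machine-readable."""
    record = asdict(patient)
    record["purposes"] = PURPOSES          # what each logged decision refers to
    record["exported_at"] = datetime.now(timezone.utc).isoformat()
    return json.dumps(record, indent=2, sort_keys=True)


def sample_patient():
    """Constructed record used for the demonstration below."""
    p = Patient(
        patient_id="P-0001",
        name="Example Patient",
        address="1 Example Street, Example Town",
        audiogram={"right": {"500": 25, "1000": 30, "2000": 45, "4000": 60},
                   "left": {"500": 20, "1000": 30, "2000": 50, "4000": 65}},
        clinical_notes="Bilateral high-frequency loss; aid recommended.",
    )
    # Signed form, one tick box per purpose (constructed evidence references).
    p.record_consent("records", True, "form F-2018-04-12 box 1", "2018-04-12T10:00:00+00:00")
    p.record_consent("clinical", True, "form F-2018-04-12 box 2", "2018-04-12T10:00:00+00:00")
    p.record_consent("marketing", True, "form F-2018-04-12 box 6", "2018-04-12T10:00:00+00:00")
    # Later phone call withdrawing marketing consent: the newer decision wins.
    p.record_consent("marketing", False, "phone call, reception log entry 57", "2018-06-01T09:30:00+00:00")
    return p


if __name__ == "__main__":
    patient = sample_patient()
    print("marketing allowed:", may_send_marketing(patient))   # False after withdrawal
    print(portability_export(patient))
```

Two design choices worth noting: the ledger is append-only, so a withdrawal is a new event rather than an edit, which preserves the history you may need to show a supervisory authority; and a purpose that has never been ticked returns no consent, so a missing form can never be mistaken for a "yes".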
We still need to consider what we do with the data and how it is processed and used. We also need to consider where it is stored. Again, and I can’t say this enough, data is not just digital; it is also paper records. Never, never forget that. Above and beyond what we have discussed so far, what else do you need to consider?
Privacy policies
You need a privacy policy and you need it right now. The key theme of the GDPR is transparency: you are going to have to tell individuals a lot more about the personal data you collect and process, including why you process it, on what lawful basis, for how long you keep it and every instance where you may share it. Your privacy policy needs to be very clear on all of these facts. Bear in mind that the privacy policy informs the Patient; it does not replace consent. Consent is recorded separately, on the consent form, and your privacy policy only protects you to the extent that you can show the Patient was given it and that it describes what you actually do. While we are talking about privacy, let’s talk about what happens if you slip up. You have to consider data breaches.
Data breaches
The GDPR requires that a data breach be reported to your supervisory authority (the ICO in the UK, the Data Protection Commission in Ireland) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. Where the breach is likely to result in a high risk to them, the individuals affected must also be notified without undue delay. The consequences of failing to notify the supervisory authority will become more severe, as it will be able to impose far higher fines.
So, data breaches are a bad thing. While we are on the subject, let’s talk about where you currently store your data and why it needs to change. Right now, you store a lot of data on your laptop or desktop computer, right?
Probably a lot of it is in Noah. Quick question: have you changed the default admin login and set a new username and password? If you haven’t, you are not compliant. Have you encrypted your laptop’s disk (for example with BitLocker on Windows or FileVault on a Mac) and set a secure login? If you haven’t, you are not compliant. Have you encrypted or password-protected any export from Noah before it leaves the machine, for example on a USB stick or by email? If you haven’t, you are not compliant. I could go on and on, but you get the picture, right?
What Patient management system do you use? Because if you are using Blueprint Hearform or Sycle right now, you may not be compliant. While the problem may lie with the systems and their architecture, as the controller of the information you are the one on the hook, so ask the vendor for a written data processing agreement setting out what they do with your data and how they secure it. Even if you are using a compliant data management and storage system, you still need to consider how you handle the data.
Okay, so that is digital storage; what about paper records? Where exactly do you store them, who has access to them, and do they in fact need that access? For instance, do your receptionists need full access to Patient records? I think they probably do, to cover every eventuality, but if they do, we need to document that fact and the reasons they need the access in order to be compliant.
This is in fact a fundamental element of your privacy policy. Back to data breaches, the simple advice is, if they happen; report them quickly and in an in-depth manner. Don’t mess around here, your willingness to report and co-operate will reduce the impact. Which brings me to:
Staff training
Your staff have always been the key to your success, I guarantee it. Good staff are worth their weight in gold. You need to get your staff ready for the GDPR. Start raising awareness of it among your employees now, and nearer the implementation date give them training on the new law. Depending on their roles, some employees will need more in-depth training on data storage and handling, on recording consent, and on recognising and reporting a breach.
In summary, you need to be compliant. As I said, there are other lawful bases we could argue, but why bother: get consent, be as transparent as possible, ensure you can secure your data, both digital and paper, ensure you can provide that data to a Patient if they ask for it, and ensure that every staff member understands what is required of them.
Read the first installment of this series of 3 articles here.