Since the General Data Protection Law – LGPD came into force, the protection of personal data has become more challenging for the health sector. Which means that information must be managed with a more holistic approach.
Healthcare organizations should have procedures in place that can be triggered immediately to address GDPR compliance. Starting with being more cautious with personal data, knowing where it is stored and how it is being processed.
This applies to the public and private sector: hospitals and clinics, dental care, pharmacies, nursing homes, diagnostic laboratories, stores selling pharmaceuticals and all other companies or organizations that process health-related data.
To avoid any breaches, healthcare organizations should implement GDPR compliance requirements, including contract management as well as policies, procedures, documentation and records of patients, healthcare professionals and business partners.
Therefore, records of data processing activity and retention and deletion periods must also be adequate under data protection law.
LGPD compliance: Processing health data in the digital age
Many systems used in the health sector are now fully digital. With the help of cloud-based technology, systems containing patient data are often ‘shared’ between hospitals, pharmacies and other institutions in order to better serve patients.
But how should this sensitive data be processed and shared while still meeting GDPR compliance?
Considering the fact that health data is assembled on confidential patient information, it should be ensured that the principles of data protection and privacy law are duly complied with before processing or sharing.
Under the LGPD, your organization will need to demonstrate that its processing has met specific requirements, which include implementing appropriate safeguards to ensure the protection of this information.
Given the sensitivity of health-related personal information, it should only be processed by authorized health professionals who are bound by the obligation of medical and data confidentiality.
Individuals should be properly screened and reminded of their confidentiality obligations.
In addition, it is especially vital that healthcare institutions carry out data protection impact assessments and put in place specific security measures, such as authentication procedures, use of digital certificates and signatures, and access controls to a patient’s personal data.
In practice, by complying with the LGPD, the patient and persons related to the Hospital and doctors have the following rights:
- Have the right to confirmation of the existence of treatment, treatment is understood as any operation carried out with personal data such as: collection, production, reception, use, reproduction, transmission, distribution, processing, archiving, modification, communication, transfer, dissemination, among others;
- Have the right to access and correct your stored data;
- Anonymization (anonymized data is data relating to the data subject who cannot be identified);
- Deletion of data after the end of processing;
- Information regarding data sharing;
- Possibility to receive information about not providing consent and its consequences;
- Revocation of consent;
If access control is not adequate, it can easily lead to a data breach and according to data protection law to fines and sanctions that can jeopardize the reputation and financial health of any healthcare institution, regardless of its size.
What are the fines and penalties in the LGPD that can be applied to health institutions?
The LGPD provides for six penalties or fines. They are:
- Warning. This warning will come with a deadline for the company to comply with the legislation. Failure to correct by the deadline will result in a penalty;
- Simple fine on top of turnover. This fine can be up to 2% of the legal entity’s turnover. The limit is 50 million BRL per infringement
- Daily fine. This fine will also be capped at 50 million BRL;
- Publicizing the infringement. The infringement will become public and the damage to the company’s image could be enormous;
- Blocking personal data. This administrative sanction prevents companies from using the personal data collected until the situation is regularized;
- Deletion of personal data. The sixth penalty provided for in the LGPD obliges the company to completely eliminate the data collected in its services, causing damage to the company’s operation.
The limit of fines in the LGPD is 50 million. But some of the penalties can be even worse, depending on the organization. For example, publicly assuming the leakage of personal data of thousands of customers can bring down even solid companies, totally undermining the credibility of a hospital, for example.
What steps healthcare institutions can take to ensure compliance and reduce the risk of a breach of personal patient information
After going through the most important aspects of the General Data Protection Law in relation to healthcare institutions, let’s briefly go through three tangible steps that medical organizations should take to protect the personal data processed by them.
1. Ensure awareness
- Among patients
A crucial first step in meeting the requirements under data protection law is that all data subjects, such as patients, must be informed of the details of third parties with whom their information will be shared in order to comply with the transparency requirements set out by the LGPD.
In addition, the data sharing agreement should clearly define the purpose, the legal bases and the information to be shared, together with the necessary details on the treatment of data subjects’ rights and the agreed shared security standards.
All this information should be communicated in a clear and easy to understand way.
- Between Staff
Regular staff training on data protection is advised in order to reduce the risks of human error and therefore internal data breaches.
Meanwhile, in practice, staff must be bound by medical confidentiality, as mistakes and accidents can happen. Therefore, making all employees aware of the importance of data protection, the safeguards that need to be implemented and which typical problematic aspects should be avoided can have a significant positive impact on an institution’s compliance efforts.
In addition, all employees should also be aware of how to recognize a data breach, what steps will be taken in the event of a security incident and which stakeholders should be involved in the process.
2. Process and share only the personal data necessary for the purpose of your work
It is also important that necessary health data is processed minimally and shared only if necessary.
Unauthorized disclosure can have a serious impact on a patient’s life, so it should be ensured that data sharing is done on the basis of any of the lawful bases of processing, with appropriate agreements in place to hold a relevant party accountable.
To add to this, such data should not be shared unless, for example:
- The data subject has given explicit consent;
- If the patient himself makes the data public;
- When it is a life or death situation where patients cannot give consent and it is in the patient’s vital interest;
- For preventive or occupational medicine;
- Assessment of your working capacity;
- For medical diagnosis
- For the provision of health or social care or treatment or the management of health or social care systems and services
Please note that in the case of sharing, health institutions should have safeguards in place to ensure that data is secure.
3. Set strict access controls
Given the shared nature of cloud-based systems often used in the healthcare sector, it is critical to ensure that only those needed have access to patient data.
Implementing measures such as two-factor authentication or single sign-on, as well as the use of digital signatures and certificates can also help provide further measures for data protection when it comes to accessing patient files.
GDPR compliance: a worthwhile investment
With the digital transformation of the healthcare segment, the way information is processed and accessed also needs to be adjusted. This brought several new aspects regarding data protection, requiring healthcare institutions to make data privacy their top priority.
While GDPR compliance requires healthcare institutions to invest time and resources, at the end of the day, it is in the interest of patients and the institution itself.
Complying with the obligation will not only decrease the possibility of a potential data breach, protecting your organization from a hefty fine and reputational damage, but also plays a significant role in gaining patient trust and improving the overall efficiency of how patients are treated.
EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.
With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.
Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.
Eval, safety is value.