Data Protection in Hospitals: How To Rectify GDPR Failings In The Hospital Sector

Not every sector has yet complied with GDPR. One of the biggest is the Hospitals Sector, with the Data Protection Commission highlighting 14 matters of concern it has found in hospitals. But while the situation is serious, some key steps are all that is needed to rectify it.

Many national regulators across the EU are providing those not yet GDPR-compliant with a limited period of grace. But with GDPR terms set be strictly enforced once that period has passed, Irish hospitals are now under pressure to finally make the necessary changes.

Of course, the size of the undertaking is significant. After all, hospitals are required not only to retain large amounts of data in hardcopy documents (much of which is highly sensitive) but to share that data amongst departments, institutions and even individual health professionals.

The good news is that, with some clear guidance and help, hospitals can successfully introduce sustainable data protection procedures, and staff be made fully aware of the existing risks to more effectively avoid data breaches and security failings.

Why Are Hospitals High Risk?

The Commission’s report, Data Protection Investigations In The Hospitals Sector, followed a detailed examination of 20 hospitals carried out by the DPC’s own Special Investigation Unit in November and December 2017.

The investigation examined how each hospital handled the personal data of its patients, especially in departments and hospital areas in which patients and the general public have access to.

The report identified 14 matters of concern:

• Controls in Medical Records Libraries
• Security
• Storage of Patient Observation Charts in Hospital Ward Settings
• Storage of Patient Charts in Trolley Bins in Ward Settings
• Storage of Confidential Waste Paper Within the Hospital Setting
• Disposal of Handover Lists and Patient Lists
• Use of Fax Machines
• Lack of Speech Privacy
• Absence of Audit Trails
• Raising Awareness of Data Protection in Hospitals
• Consent for Research
• The Processing of Private Health Insurance Information in Hospitals
• Maternity Service Users
• Data Retention

A total of 35 risks were identified across these 14 matters, and the report made 76 recommendations to mitigate those risks.

Data Protection in Hospitals ‘Critical’

On the publication of the report, the Assistant Commissioner Tony Delaney stressed the responsibility hospitals have to ensure the personal data of their patients, as well as their employees.

“Given the sensitive nature of the personal data that hospitals process on a 24/7 basis, it is critical that the protection of that data in a busy hospital environment is given the high priority that the data protection legislation requires,” he said.

He added that “ultimately, hospitals should strive to ensure that the importance of data protection and patient confidentiality permeates the hospital culture at all times.”

8 Steps To Improve Data Protection In Hospitals

There are several steps to take to greatly improve data protection in hospitals:

1. Undertake a detailed review of existing record storage environments to identify necessary improvements to achieve best standards
2. Undertake a detailed review of the existing operations so as to indentify a best practice solution for your specific on-site archival system
3. Assess existing document management and retention policies, with special attention to molding policies best-suited to your specific needs
4. Develop new records management procedures that are clearly defined and simple to follow
5. Arrange training programmes for your own staff to build awareness and minimize the possibility of future data breaches and security failings
6. Adopt a central database of all records with the ability of tracking the lifecycle of each record – from creation to destruction
7. Establish a complete audit trail so medical records can be traced easily
8. Introduce a clearly defined reporting structure that strengthen control on the archiving process

At Kefron, we provide bespoke On-Site Document Management Services that address the specific challenges faced by individual institutions.

For more on what Kefron is doing to enhance Data Protection in Hospitals, get in touch.