Does Jane Satisfy GDPR?
You’re a health professional in the European Union (EU) and you want to know whether Jane meets the requirements of the General Data Protection Regulation (GDPR).
It’s a great question because, as you know, the regulation officially takes effect on May 25, 2018, and many organizations have already begun implementing it. In this article, we’ll go over some key features in Jane that relate to GDPR’s requirements, summarize what GDPR requires of health clinics, and provide a set of action items you can use to get started on compliance.
This information is a general discussion, is not a legal interpretation of the law, and is not binding on the European Parliament and the Council of the European Union. The information in this Guide document provides a summary and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
How Jane Can Help?
Jane was designed with many security features in place that meet GDPR requirements:
- Secure servers: Data in Jane is stored in a private server bank located in a secured, SOC 2 Type 2-certified data center, and all data is backed up regularly on secondary servers in Eastern and Western Canada.
- Encrypted data: Jane data is encrypted using 256-bit encryption when sent between your device and our servers (in the same way your banking information would be).
- Role-based access to Jane: Administrators, practitioners and patients each access Jane using their own account, secured by a username and password.
- Account owner control: Account owners can control access permissions for each user, including access to patient charts, billing records, and schedule records.
- Tracking: Jane offers account owners a user-activity report showing a detailed breakdown of all user activity. The report can be filtered by date range, user, and type of access, which supports regular reviews of who is accessing patient charts.
(And yes, although not directly related to GDPR, Jane does have servers in the UK as a safeguard in case clinics upload NHS data to Jane - we can guarantee the data is stored within the UK.)
Choosing a compliant practice management solution for your clinic is just one step you’ll need to take. We’ll get you started on some of the other key steps here, but first, it’s important to understand what your clinic or practice will ultimately be responsible for.
What Does GDPR Require?
Quick Tip: GDPR urges clinics to keep the best interests of patients and clients front of mind at all times when processing health data.
Prior to GDPR, the EU was subject to a set of “directives” that merely laid out a series of goals that each EU country was to be working toward achieving. The directives were more like guidelines, and each EU country was able to apply them as they saw fit.
GDPR brings a wave of change meant to empower individuals with more rights in regard to their own personal data. The new law was created as a “regulation,” which is a legally binding legislative act that must be applied in its entirety in every single EU country. This is an important distinction because previously, health clinics would have had “goals” regarding privacy and protection of personal health information, but no strict requirements.
Further, GDPR’s new regulations place accountability directly on the “controller” of personal health information. In plain language, clinics themselves are directly responsible for complying with the following principles listed in Article 5 of GDPR:
- In all ways, handle personal data lawfully, fairly, and transparently.
- Where possible, limit the data collected to what is needed to complete clinical work.
- Only collect information for which your clinic and practitioners have a legitimate purpose.
- Keep personal information up to date, and make every reasonable effort to correct inaccurate data.
- Store data only as long as you need it to comply with the legal obligations of your profession.
- Process personal data in a way that ensures its integrity and confidentiality, protecting it against unlawful processing and against accidental loss, destruction or damage.
How do clinics act to uphold these principles?
1 - Consider Appointing a Data Protection Officer
Quick Tip: Most clinics will not be required to appoint an Officer, but you may want to.
Small clinics handling small quantities of personal health information are not obligated under GDPR to appoint a Data Protection Officer (DPO), but some legal advisers say it’s probably a good thing to do anyway. Here’s why:
GDPR requires organizations that carry out large-scale processing of special categories of data, such as personal health information, to appoint a DPO. Many health clinics using Jane are likely not processing health data on a large scale; however, GDPR also states that any organization is welcome to appoint someone as DPO.
While smaller-scale processors aren’t obliged under GDPR to appoint someone to this position, it’s often going to be the easiest way of ensuring your clinic has met all of GDPR’s requirements and has documented that it met them. Should any questions arise about your clinic’s compliance with GDPR in the future, you’ll already have created the proper structure, processes, and documentation to handle the situation.
GDPR recommends that the DPO be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. The position can be filled by a current staff member or an external service provider. The DPO will be responsible for reporting their contact details to the relevant Data Protection Authorities for their region. Within the clinic, the DPO must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge of EU privacy regulation. The DPO must report directly to the highest level of management, and the DPO must not be required to carry out any other tasks that could result in a conflict of interest.
But again, for most clinics this will be your choice.
2 - Identify the Lawful Basis on Which You Process Health Data
Quick Tip: If you collect health data, you may not be required to obtain consent to PROCESS clinic notes and other data for your clinic. There’s an alternate lawful basis for PROCESSING health data.
Under GDPR, clinics will need to determine the grounds, or lawful basis, upon which they collect and process personal data. GDPR offers 6 lawful bases for clinics and health practitioners to choose from, and none of them is better than the others by default. The lawful basis chosen for processing health data should be the one that ensures the clinic is compliant with GDPR.
The 6 lawful bases for processing personal data are:
1 - You have the consent of the person for whom you are processing data.
2 - Processing is necessary to uphold a contract.
3 - Processing is necessary for compliance with a legal obligation.
4 - Processing will protect the vital interests of another person, where it is literally a matter of life or death.
5 - Processing has only minimal impact on the individual, and it upholds your own legitimate interests.
6 - Processing is necessary to provide health care or make a medical diagnosis.
At first glance, it can seem like GDPR is going to require clinics to obtain consent to process personal data, but as you can see, there are several options for establishing a legal basis for processing personal data.
Many Jane users are clinics that process health data. GDPR considers this kind of data a “Special Category of Sensitive Data.” The nature of the data you process is highly significant here in choosing from numbers 1-6 above as your basis for processing.
Let’s look closer at number 6 above. This choice offers a lawful ground for processing sensitive health data under GDPR Article 9(2)(h). Sounds complicated, but really the bottom line is that clinics processing health data can do so without consent.
The Information Commissioner’s Office (ICO) is clear that no single option in points 1-6 above will satisfy every situation. The one chosen will depend on the specifics of your business and the nature of the information you will be processing. ICO explains that consent is appropriate as a lawful basis for processing personal data when your business is structured so that you can truly offer people real choice and control over how you use their data. For many allied health clinics that are required to comply with laws and bylaws about the creation, storage, protection and ultimate destruction of health and medical records, relying on consent won’t be appropriate, because it would be misleading and unfair.
Therefore, as long as clinics create appropriate policies and communicate those policies, they can justify their collection and processing of health data in cloud-based practice management solutions, such as Jane, under Article 9(2)(h) of the law, because that processing of health data is allowed if it is necessary for the purpose of preventative or occupational medicine, medical diagnosis, or the provision of health care or treatment.
Note: Using GDPR Article 9(2)(h) is not the same as enacting “implied consent.” Implied consent is, for example, what many healthcare providers rely on when disclosing a patient’s health data to another practitioner so that the other practitioner can provide further care to the same individual. In that scenario, it is implied that a patient consents to sharing their health data with an additional practitioner from whom they will seek treatment. The point in this section, however, is not about disclosing health data under healthcare-related circumstances; it is about creating a foundational policy - literally the lawful basis - upon which your clinic will process all personal data in compliance with GDPR.
Also Note: This section is not discussing consent to treat. Refer to your regulating body or licensing agency for information on that type of consent. Here, we are only referring to processing data.
Reminders if you choose Article 9 as your lawful basis for processing:
- Remember that even if you are not asking for consent, you will still need to provide clear and comprehensive information about how you use personal data.
- If, in your geographic region, your profession is not one that is considered to be offering treatment for the above health or medical reasons, you’ll need to identify, document and disclose to your clients a different lawful basis on which you will be processing their personal data.
In other cases, clinics that do not process sensitive personal health data may need to rely on consent as the lawful basis for processing general personal data. This would fall under GDPR Article 9(2)(a), which allows the processing of personal data when the clinic or practitioner has explicit consent from the individual. Read our Guide document on this for more information: Consent under GDPR.
3 - Uphold the Right to Erasure
Quick Tip: GDPR is clear: the Right to Erasure is not absolute, and where health records are concerned, clinics handling them will need to follow the recommendations of the licensing or regulating organization for their profession in their region of practice.
Under Article 59 of GDPR, individuals have the right to erasure, also called the “Right to be Forgotten.” This means that individuals have the right to request the deletion or removal of personal data from your records as long as there is no compelling reason for its continued processing. But this is not an absolute right to be forgotten, and GDPR is very clear that the Right to be Forgotten has limitations.
What this means for clinics:
You should not delete or erase your health records, or ask a third-party processor to delete or erase them, during the period in which your legal obligation as a professional healthcare provider is to collect, maintain, and protect them.
Where health records are required to meet the legal requirements of your healthcare discipline, clinics will likely be required by law to retain electronic health records until those legal obligations expire, even where an individual has requested erasure. A legal consensus is forming that this will be the case because health records are a particular kind of data: their collection and processing is necessary under GDPR’s “medical care” ground, which means the data is required for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, or the management of health services, under a contract with a health professional or another person subject to professional secrecy under law.
Legal experts also have expressed a growing consensus that there is no black and white interpretation of the Right to Erasure component of GDPR. Many expect that the Right to Erasure is going to require case-by-case assessment. Keep in mind:
- Are your clinic’s practices doing the right thing under GDPR for the individuals to whom you provide care?
- Would your clinic be able to justify your policies and practices in front of the European Commission or a judge?
- Would your clinic be able to justify your policies and practices to your local professional regulating body?
Where you are uncertain for your specific clinic, consult your regulating body or seek legal advice.
4 - Plan for Breach Notification
Quick Tip: All organizations are required to report certain types of personal data breaches within 72 hours. The first step, however, is to assess the level of risk that will result from the breach.
A data breach is any accidental or deliberate unlawful destruction or loss of personal data, or any unauthorized disclosure of, or access to, personal data.
When a breach is identified, the first step will be to assess the severity.
If a breach will result in significant physical, material or non-material damage to natural persons, the breach should be reported to the EU’s Information Commissioner’s Office (ICO). Example:
- Theft of a customer database
If a breach is merely an inappropriate alteration of personal data or a minor exposure of personal data, you may not need to report it to ICO, but you may still need to report it to your local privacy authority. Examples:
- Inappropriate alteration of a staff telephone list
- Loss of staff contact information
If the breach will only result in an inconvenience, it must be documented, but does not need to be reported.
When a breach is reported to either your local privacy authority or the EU ICO, certain information must be included:
- A description of what happened including who and how many people are involved
- What kind of and how many records are involved
- A contact person for your organization - this should be the Data Protection Officer if you have one
- Your own description of the likely consequences of the breach
- A description of what you have done to deal with the breach
You also must inform all individuals involved as soon as possible.
The EU ICO has more details here: Personal Data Breaches.
5 - Uphold the Right of Access
Quick Tip: GDPR gives individuals the right to verify the lawfulness of the processing of their personal records through the Right of Access (Article 63).
Individuals have the right to:
- Confirm their data is being processed
- Access their personal data
Most requests must be met free of charge. If, however, requests are excessive, you may charge a nominal fee.
Information must be provided without delay and at least within one month of the request.
If the information is stored electronically by your business, you should provide it to the individual in an electronic format.
EU ICO has more information here: Right of Access.
6 - Uphold Patient’s Right to Data Portability
Quick Tip: GDPR gives individuals the Right to Data Portability (Article 68), but there are important limitations.
Individuals have the right to:
- Obtain and reuse their personal data
- Move their data to another system
But this right applies only:
- To data the individual provided to the clinic or practitioner
- In almost all cases, where the collection and processing was legally based on consent under GDPR
- Where processing is carried out by automated means
You must comply with requests as soon as possible and within one month.
EU ICO has more details here: Right to Data Portability.
Finally, many of the links in this article send you to specific sections of EU ICO’s data protection guide. If you’d like to scroll through all the topics yourself: Guide to Data Protection. And as always, Jane is here to help. Let us know if you need a hand.