Privacy. Security. Experts United.
Data protection in the medical practice
As important as medical confidentiality. Data protection made easy.
WE SUPPORT YOUR MEDICAL PRACTICE IN THE IMPLEMENTATION OF DATA PROTECTION
Our external Data Protection Officers are at your disposal as regional contact persons. Together with the Data Protection Officer, you implement the data protection documentation for your medical practice.
Robin Data offers data protection management software developed specifically for medical practices. Benefit from a preconfigured record of processing activities. Suitable templates, e.g. for information duties, are available free of charge on request.
Also included in the data protection software:
Especially when processing sensitive patient data in medical practices, there are processing activities, such as the reception of patients or the stay of patients in the treatment room, which require special security measures.
These require special technical and organisational information security measures. Together with you, we analyse and design an information security management system (ISMS) based on the ISO/IEC 27001 information security standard.
In consultation sessions we often hear that medical practices have already implemented initial data protection measures but are unsure whether these are correct. Internal audits let you check the status of data protection implementation in your practice. These audits are carried out by our Data Protection Officers, after which you receive recommendations for improvement.
Raising employee awareness is essential for implementing sustainable data protection in the medical practice. Our Data Protection Officers will be happy to train your employees.
Implementation of the GDPR
We would be pleased to send you a non-binding offer for the deployment of an external Data Protection Officer in your medical practice.
TECHNICAL AND ORGANISATIONAL MEASURES
Access to personal data of patients processed on a computer must be protected. This applies equally to the patient reception area and the treatment room.
Medical practices must instruct their employees to use secure passwords. Ideally, a password policy is created for this purpose.
Patient files are to be locked up immediately after use in file cabinets provided for this purpose.
If patients are in the treatment room or reception area, the practice must ensure that no other patients' files are left lying around.
Before providing sensitive personal patient data over the phone or by e-mail, medical practice staff must ensure that the requestor is authorized to receive the data.
Encrypted data storage, regular backups and a secure firewall protect your patients' data. Medical practices must ensure sufficient IT security when processing patient data.
Does your practice meet the minimum requirements for technical data protection when connecting IT systems? Test yourself and answer the following questions.
LEAVE DATA PROTECTION TO THE PROFESSIONALS!
Our data protection officers are:
STEP 1 TO THE DATA PROTECTION COMPLIANT MEDICAL PRACTICE
Privacy compliance of the website
Obligation of data secrecy
Existing documents in the course of patient communication (consent, information, etc.)
Existing legally required documents (TOMs, deletion concept, etc.)
LEAVE DATA PROTECTION TO THE PROFESSIONALS
Robin Data implements the data protection measures for your medical practice. In a non-binding meeting we will discuss which concrete measures we will take to make your medical practice compliant with data protection.
STEP 2 TO THE DATA PROTECTION COMPLIANT MEDICAL PRACTICE
Patient registration process
Patient call process
Process of patient file flow
Process of telephony with patients
Administration and archiving of patient files
Administration of consent, information to patients
Implementation of deletion periods
Dealing with patients' requests for information and deletion
Use of the management system in practice
Dealing with data breaches
STEP 2 TO DATA PROTECTION COMPLIANT MEDICAL PRACTICE: PRACTICAL TIPS
Routine treatment of patients rests on a statutory legal basis, so consent for data processing is not necessary. However, if patients' health data are further processed by third parties, a declaration of consent may be necessary.
We will be happy to advise you in which cases declarations of consent are useful and provide you with the appropriate templates.
Medical practices must inform their patients that their data are processed by the practice. For this purpose, forms can be displayed in the practice. The information duties are set out in Art. 12–14 GDPR.
We provide our customers with forms for information requirements.
Medical practices are obliged to allow patients to view their patient files and to provide information on their personal data. The right to inspect the file is governed by § 630g BGB (treatment contract), the right to information by Art. 15 GDPR.
We offer our customers the creation of an appropriate processing activity for the internal privacy policy. In this way, you can respond to requests for information quickly and in compliance with data protection regulations.
The right to erasure is defined in Art. 17 GDPR and gives the patient concerned the right to ask the practice to delete their personal data without undue delay. Here too, it is advisable to prepare appropriate processing activities in order to respond quickly to requests.
We would be happy to work with you to develop appropriate instructions and processing activities for the staff of your medical practice.
STEP 3 TO THE DATA PROTECTION COMPLIANT MEDICAL PRACTICE
Recording of locations (e.g. for ÜBAGs)
Recording the relevant employees of the data protection organisation
Recording of external contacts
Checking contractual bases for data exchange (e.g. laboratories, insurance companies)
Setting up the record of processing activities
Setting up the deletion concept
Carrying out data protection impact assessment
Implementation of necessary technical-organisational security measures
Implementing the documents for patients and staff (consent, information)
Optimisation of the processes from Step 2 with regard to data protection compliance
PHYSICAL PRACTICES
In addition to the consequences of a breach of the GDPR, medical practices must also observe professional confidentiality. If a medical practice violates § 203 of the German Criminal Code (StGB), a fine or one year's imprisonment is to be expected.
Do medical practices need a declaration of consent from patients before treatment?
No. Medical treatment is provided on a contractual basis.
This basis entitles the medical practice to process patient data in accordance with Art. 9(2)(h) and Art. 9(3) in conjunction with Art. 6(1) sentence 1(b) GDPR.
This legal basis covers all processing necessary for the treatment of the patient.
Excluded from this legal basis are processing operations that are not necessary for the treatment, for example the transfer of personal patient data to private billing agencies. Consent must be obtained from the patient for such processing.
When do medical practices need a Data Protection Officer?
In general, the GDPR provides for the appointment of a Data Protection Officer when a medical practice regularly employs 20 persons in the processing of personal data.
However, it should be noted that a Data Protection Officer must also be appointed when sensitive health data are processed. As a rule, the processing of health data poses a high risk to patients and their rights and freedoms. Under data protection law, a data protection impact assessment must be carried out when processing health data.
We recommend the appointment of a Data Protection Officer even if the practice size is less than 20 employees.
How must patients be informed about data processing in the medical practice?
Medical practices must inform patients about the extent to which their personal data are processed. A notice displayed in the practice is sufficient; a signed notice is not required. We recommend also providing patients with this information in writing on request.
When must patient data be deleted?
Personal data of patients are to be deleted if they are no longer needed to fulfil the treatment contract and if there is no legal retention period that prevents deletion. In principle, patient files must be deleted after 10 years, even if the patient does not expressly request this.
Patient files can be kept longer, insofar as
Is it advisable to assign the role of Data Protection Officer within the medical practice?
No. Firstly, we recommend that the DPO should be independent of the doctor or medical practice in order to avoid an internal conflict of interest.
Assigning the role of Data Protection Officer to medical practitioners is also not recommended, as the role cannot be reconciled with their actual duties for reasons of time.
Request a quote for Robin Data ComplianceOS®
We will be happy to provide you with an offer that suits your needs.
The Robin Data GmbH team will advise you on our solutions without obligation and free of charge and answer your questions by phone or e-mail.
In the one-hour appointment, we present a function of our software solutions, such as the deletion concept or the TOMs, to you in detail.
Information on Robin Data solutions, events and developments in compliance, data protection and information security.
Find out more about the functions of our Robin Data software and legal texts in the area of data protection in our Help Centre.