Ten data protection errors we can avoid in our daily medical routines

Highly sensitive data are processed in our medical settings. Human errors may lead to data mishaps, due to limited knowledge of privacy protocols. Common errors that can be easily avoided are listed.

The Medical Law Blog
By Jennifer Schuld, Attorney

Extremely sensitive personal data are processed in our medical routines. Human errors often lead to data mishaps, and these errors almost always stem from limited knowledge of security protocols and basic digital procedures. We list ten common sources of error that can be avoided with little effort.

Extremely sensitive personal data requiring a high standard of protection are used or managed in the medical field in particular. It is therefore important that these data are handled carefully and correctly. In data protection processes, it is mainly human errors that lead to data mishaps, and they occur almost exclusively through ignorance of, or unfamiliarity with, basic security standards, whether digital or not. Jennifer Schuld, attorney and External Data Protection Officer at KINAST Attorneys at Law (Germany), lists ten common sources of error that can be avoided with little effort.

1. Discretion starts in the physical environment

At the patient reception desk, physicians and employees often discuss patients' test results or other personal data. These conversations are frequently overheard by patients waiting at the registration desk or sitting in the nearby waiting room.

It is recommended to create a discretion area. Once a patient registers or an employee enters the reception area, a certain discretionary distance should be maintained. In addition, the waiting room should be separated in such a way that third parties cannot overhear conversations at reception or in the treatment rooms.

2. Do not leave your “data luggage” unattended

The reception desk is sometimes left unattended, so that cabinets, patient files, computers, and shelves in the reception area are accessible to anyone who walks up. Staff should agree on arrangements that keep the reception desk continuously occupied, and screens, fax machines, telephones, etc. should be positioned so that third parties cannot see them.

3. Discretion and protection continue at your station

Patients are sometimes left alone in the treatment room because the physician is looking after several patients at once, answering a personal call, or sorting out an issue at the reception desk. Patient documents can be compromised in such situations if they are lying on the desk, a screen is left unlocked, or folders are stored in easily accessible cabinets.

To prevent unauthorized access, patient documents should always be stored in lockable cabinets. The PC should be configured with a password-protected screen lock that activates automatically after a short idle time (seconds, not minutes), and staff should lock the screen manually whenever they leave the desk rather than relying on the timeout alone.

4. Sound-check your check-up cabins

Physician surgeries sometimes have so-called cabins for the treatment of patients, which are usually open at the top and separated from the rest of the practice only by thin walls or curtains. It is advisable to pay attention to sound insulation so that third parties cannot overhear the conversations held inside the treatment cabin.

5. Provide data face-to-face as much as possible

Information is sometimes given out over the telephone or by email without any real assurance that the person on the line is the patient concerned, or someone authorized to receive the data. Reliably verifying the identity of a caller or email sender is complex and hard to do in a legally defensible way. In principle, it is advisable to apply a “no data over the phone/email” approach as far as possible, and to make this rule very clear to patients, physicians, and employees. Where telephone contact is unavoidable, call the patient back on a number already on file rather than relying on the number the caller gives.

6. Keep all parties informed, accountable, and protected

Health insurance companies and other organizations may receive more information about a patient than is permitted or required. Whenever data are transmitted to any organization, check that the personal data are handed over in compliance with legal requirements, data protection consents, and other arrangements that ensure the patient, the medical practice, and the receiving organization are aware of, compliant with, and responsible for the information being transferred. It may also be necessary to black out parts of a document that the recipient has no need to receive.

7. Keep channels safe, updated and correct

Patient data are transmitted to third parties by various means such as postal mail, email, or fax. Unfortunately, misdirected transmissions are common and result in data breaches that compromise patients' privacy.

The health data of patients should only be sent by letter post or encrypted email; fax is not a suitable channel for health data. A fax sent to a misdialed number or an email sent to the wrong address is a data mishap that must be reported in case of doubt. It is recommended to reconcile contact information (addresses, phone numbers, preferred mode of contact) with recipients on a regular basis.

8. Prescriptions are also a sensitive matter

Prescriptions are sometimes handed out to relatives or sent directly to pharmacies. Such transfers require the consent of the patient, and this consent must be verifiable. The consent should specifically name the relatives authorized to collect the prescription or the pharmacy(ies) authorized to receive it.

9. Digital data protection in the medical sector needs constant updating

The data protection declarations on a medical practice's homepage, and the practice's patient data protection protocols, are often incomplete or out of date. This matters especially in an era in which online medical appointments, digital questionnaires, scheduling platforms, and prescription requests are moving to the internet, where the data protection and privacy behaviour of the software used for these physician-patient-practice interactions is often unclear.

Practices may overlook the fine print, patients rarely check such (often complex) digital legal matters, and as technologies change, the rules, laws, and guidelines for digital health technologies change very frequently. Data protection statements should therefore be reviewed regularly after they are first created, and updated whenever a new tool or platform is introduced.

10. Passwords, passwords, passwords

A secure password should be as long as possible and may combine upper and lower case letters, numbers, and special characters, but length matters more than forced complexity, and every device and service should have its own password rather than one shared across the practice. A password manager makes this workable, and multi-factor authentication should be enabled wherever the software offers it. It is recommended to regularly check all devices (PCs, tablets, service mobile phones) and software for sufficient password protection, and to change a password whenever necessary, in particular after a suspected compromise.
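As an added example (not code from the article or its author), the following Python snippet turns the password rule above into a check a practice could run when setting up a new device or account: it enforces a minimum length, reports which character classes are missing, estimates the entropy, and rejects passwords from a blocklist. The minimum length of 12, the 60-bit entropy floor, and the tiny blocklist are assumptions chosen for illustration; a real deployment would load a large breached-password list instead.

```python
import math
import re
import string
from typing import List, Set

# Constructed blocklist for illustration only (assumption). A real
# deployment would check against a large breached-password list.
COMMON_PASSWORDS = {"password", "praxis2024", "123456", "qwertz", "welcome1"}

MIN_LENGTH = 12          # assumption: policy threshold chosen for this example
MIN_ENTROPY_BITS = 60.0  # assumption: entropy floor chosen for this example


def character_classes(pw: str) -> Set[str]:
    """Return the set of character classes present in the password."""
    classes = set()
    if any(c.islower() for c in pw):
        classes.add("lower")
    if any(c.isupper() for c in pw):
        classes.add("upper")
    if any(c.isdigit() for c in pw):
        classes.add("digit")
    if any(c in string.punctuation for c in pw):
        classes.add("special")
    return classes


def estimated_entropy_bits(pw: str) -> float:
    """Upper-bound entropy: log2(pool ** len), assuming each character was
    drawn uniformly from the classes actually present. Real passwords are
    less random than this, so the value is optimistic."""
    classes = character_classes(pw)
    pool = 0
    pool += 26 if "lower" in classes else 0
    pool += 26 if "upper" in classes else 0
    pool += 10 if "digit" in classes else 0
    pool += len(string.punctuation) if "special" in classes else 0
    if pool == 0:
        return 0.0
    return len(pw) * math.log2(pool)


def check_password(pw: str) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = {"lower", "upper", "digit", "special"} - character_classes(pw)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password blocklist")
    # Runs of the same character add length without adding strength.
    if re.search(r"(.)\1{2,}", pw):
        problems.append("contains a run of three or more identical characters")
    if estimated_entropy_bits(pw) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS:.0f} bits")
    return problems


if __name__ == "__main__":
    for candidate in ["Praxis2024!", "Password", "correct-Horse7battery-staple"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Note that the entropy figure is only an upper bound: a long password built from a dictionary word plus a year scores well on this calculation but is exactly what a cracking tool tries first, which is why the blocklist check is kept separate from the length and class checks.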

A final recommendation

Last but not least, one further matter to consider: employees who are trained on data protection issues reduce risks. Basic protocols and instructions covering all relevant aspects (keyword: data protection training for employees) should therefore be part of the standard operating procedures of any medical practice.