The General Data Protection Regulation (GDPR), which has been in force since May 2018, has redefined data protection throughout the EU and placed it in the hands of companies. Violations of data protection can be subject to very high fines.
Melanie Gassler-Tischlinger recently spoke about the new data protection regulations as part of the pharmaceutical group Lundbeck’s lecture series “Current issues at the intersection of medicine & law”.
Data protection for specialists in psychiatry
Melanie Gassler-Tischlinger, attorney, explained the new data protection law to registered physicians and specialists in psychiatry working in hospitals, paying particular attention to those aspects that are important for doctors.
Work in medicine involves the processing of so-called “special categories of data” within the meaning of Art. 9 GDPR (e.g. health data, data concerning sex life, genetic data). For this type of data there are special rules which are stricter than the general rules.
Accordingly, the processing of sensitive data is prohibited unless the data subject has given his or her express consent or the processing is permitted on the basis of any other justification specified in Art. 9 GDPR (e.g. for the protection of vital interests, for reasons of public interest, for the purpose of preventive health care, etc.).
A doctor always has to check whether processing is permissible. Specific provisions apply to the transfer of data to third countries.
From a data protection perspective, physicians therefore bear a particular responsibility compared with those who do not process sensitive data. Data subjects whose data are processed by a doctor have various rights and must be informed when the data is collected. Physicians must also take technical and organisational measures (TOMs) to establish an appropriate level of security. This also includes keeping a record of processing activities (processing directory).
To whom may, or to whom must, a doctor transmit data? What has to be considered when transferring data to insurance companies? When is the patient’s consent required? Under what circumstances does a doctor need a data protection officer? When does a doctor have to carry out a data protection impact assessment? What has to be considered because of the record-keeping obligations laid down in the Physicians’ Act? Who processes data on behalf of the doctor, and what is important when concluding a processing contract? What effects will the Research Organisation Act have, which from 2019 regulates register research and the use of Big Data in research (anonymous access to ELGA)? What data protection obligations do hospitals have?
These and many other topics were discussed extensively.
Conclusion – what should doctors consider?
Doctors should prepare data protection well and be particularly careful when transferring patient data. It is advisable to send unencrypted emails to patients only with their consent. Encrypted emails can also be sent without consent. Emails to medical institutions may only be sent with the patient’s consent, unless vital interests are affected.
It makes sense to have patients sign ready-made declarations of consent and file them in the patient file. Oral declarations of consent should be documented in the patient file.
Incidentally, data protection must also be observed in court proceedings. If documents that contain personal data of third parties are to be submitted, these data must be blacked out or a request for exclusion of the public must be made.
The lecture documents can be found here:
- Presentation Data Protection 17102018
- Checklist GDPR of the Austrian Medical Association
- Example documentation obligations GDPR of the Austrian Medical Association
- General Data Protection Regulation (pdf)