It was marked by a flurry of emails – many from companies you’d never before heard of – all reminding you that they have your data and asking, ‘Is that OK?’
That’s right, we’re talking about the now very familiar General Data Protection Regulation (GDPR). In general practice the regulation – which requires you to process data fairly and transparently – means that practices must make available to patients information on how the practice processes patient data, in the form of practice privacy notices (PPNs). If you do not already have a process in place, the BMA has published some useful guidance as to how you can do so effectively.
On May 25, 2018, the GDPR came into force and with it came new responsibilities and considerations when it comes to the storage and processing of people’s data. The aim is to improve and simplify data protection and, importantly, to define a single set of rules fit for the digital age. It returns to the individual clarity about their rights concerning how their data is held and processed and it should also give organisations clarity in relation to how they should be controlling the data they hold on individuals.
Now, in general practice this is a big task; the practice must provide information to all patients on how the practice holds and processes patient data; the means by which this is to be achieved is by using PPNs. The Information Commissioner’s Office suggests a layered approach – one strategy for delivering this information is to display a PPN poster in the waiting room and publish a digital version on your practice website – so that the information is also accessible to those who have not attended the practice.
Practice privacy notices
Four template PPNs have been developed as suggested ways that practices can provide more detailed information to patients; these cover four areas:
- Practice privacy notice 1 – Provision of direct care
- Practice privacy notice 2 – Medical research and national clinical audits
- Practice privacy notice 3 – Legal requirements to share data
- Practice privacy notice 4 – National screening programmes
The documents, the BMA advises, should be formatted so that the information essential to patients is displayed first and the ‘legal small print’ is shown separately – perhaps on the reverse of an information sheet/leaflet.
Due to variations in data sharing arrangements across local regions and across the UK, there is no ‘one size fits all’ template so it is essential that practices amend and add wording to the templates so that they are relevant to their setting.
NOTE: Your practice’s PPNs should be regularly reviewed to ensure that they remain up-to-date and relevant.
An additional option, the BMA suggests, is to play a recorded message on your practice’s telephone answering system which directs patients to the information on how the practice manages their medical records and what their rights are. For ease of access, the message should direct patients to your website.
What happens when patients request access to their medical records?
Under the GDPR patients have the right to request access to their medical records – this is known as a Subject Access Request (SAR) – without charge. This extends to situations where a patient gives consent for a third party – for example, solicitors – to access the data. The practice is obligated to provide a response in 30 days – as opposed to the previous 40-day response time.
While this does provide a fair and open process for data subjects, Survindar Chahal, group content and customer experience manager at First Practice Management, notes in an article on SARs that this can lead to increased workload and additional costs incurred by practices.
You can read the full article here.