Data processors now need to keep in mind what GDPR expects of them. Any infringement involving data will lead to heavy compensation. In addition, the regulator may take action when it observes non-compliance.
GDPR in Medical Transcription
This blog covers the regulations that medical transcription services will be subject to under GDPR. The overall purpose of the policy is to protect customers' data. This gives customers a sense of security and lets them rely on such services.
1. The criteria of consent
Consent will be considered invalid if there is an imbalance between the data subject and the controller. This is somewhat difficult for medical professionals, because sometimes it is not about agreeing on the same things. For instance, suppose a doctor tells a patient to use an application because the hospital uses it to keep an eye on distant patients. If the patient refuses to use it, then technically it becomes invalid consent. So there is an imbalance, and the consent is invalid even if the patient ticks all the boxes in the app.
So this is an important aspect that the medical industry will have to look into. There are many other instances where the consent of the patient will be the priority and the industry will have to think about it.
2. Scope of health-related data
GDPR interprets ‘health status’ as:
“all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council to that natural person;”
“A number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.” (recital 35)
3. Right to be forgotten
This right has become one of the important elements of GDPR. Under it, a patient can request that a medical service erase all of his or her personal data. This applies not only to medical services but to all types of companies that fall under the EU. If a patient withdraws consent, the medical transcription company must erase all the data. GDPR makes this process easier.
4. Assessment of the impact
GDPR requires a Privacy Impact Assessment (PIA) to be conducted before any kind of data is processed. The data can be personal, health-related, or from any other stream. If a medical services company has already performed a PIA and is now addressing new functionalities, it will only perform one again if the new functionalities present new risks.
The minimum requirements of PIA are:
- A complete description of the foreseen processing operation along with its purpose.
- Assessment of the required and consistent processing operations in regard to the purposes.
- An overall study of the risks involving the data of the individuals.
5. Requirement for profiling
Personal data in healthcare becomes relevant with profiling. It is very simple to understand. Take a patient’s journey, for instance. The patient’s health develops over time, and to record that, profiling has to be done, which is possible only by monitoring that patient. According to GDPR, monitoring is “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
Therefore, every medical transcription services company will have to be in sync with all of the profiling requirements.
6. The right of data portability
It is a must for medical transcription services companies to tell their customers about the right to data portability. Under this right, a patient can, as he or she wishes, request that the service provider transfer their data to another provider.
This right will make it compulsory for service providers to make the necessary changes to their existing systems. All companies must adapt to this system by May 25, 201.