In today’s world, almost all businesses are subject to a degree of regulatory burden, but few sectors face such an arduous compliance challenge as healthcare.
In England, the watchful eye of the Care Quality Commission (CQC) supervises the healthcare sector, ensuring providers meet, and hopefully exceed, a set of minimum standards known as the ‘fundamental standards.’ By means of regular on-site inspections, the CQC delivers detailed, publicly available reports on the quality of care provision at individual establishments. These feature ratings ranging from ‘outstanding’ to ‘inadequate,’ pressing the case for all healthcare providers to strive for excellence in their service delivery.
While, as a care provider, making every effort to satisfy and exceed the standards expected by the CQC is your top concern, like every other business that handles personal data there is no escaping the demands of the GDPR and the UK’s Data Protection Act 2018.
Operating in harmony with multiple sets of regulatory guidelines can be a challenge for the best of us, but we understand that for healthcare providers one task takes precedence over all others: providing the best possible patient experience. Therefore, in this short blog series we want to help by attempting to rationalise and simplify the key regulations, and explain what they mean for your business’s IT. We’ll examine key legislative clauses, considering the implications each has on your data processing IT infrastructure.
What data are you required to hold? What does the CQC say?
The CQC doesn’t make any explicit demands in terms of type of patient data you hold. There is however an expectation that you hold enough data to facilitate the processes, checks and balances that enable a high standard of care to be maintained.
The CQC’s fundamental standard of ‘Good Governance’, however, compels strict adherence to Regulation 17 of the Health and Social Care Act 2008. This makes provision for the processes and systems that should be instituted in order to enable effective management.
In respect of data, the legislation states:
17(2)(c) maintain securely an accurate, complete and contemporaneous record in respect of each service user, including a record of the care and treatment provided to the service user and of decisions taken in relation to the care and treatment provided;
17 (2)(d) maintain securely such other records as are necessary to be kept in relation to— (i) persons employed in the carrying on of the regulated activity, and (ii) the management of the regulated activity;
It also states:
“Information in all formats must be managed in line with current legislation and guidance” and “Systems and processes must support the confidentiality of people using the service”,
and that information should be:
“created, amended, stored and destroyed in line with current legislation and nationally recognised guidelines”.
The legislation compels adherence to current data protection legislation (which we’ll introduce shortly), whilst also stipulating the types of patient information you should fastidiously record. These include:
- The results of diagnostic tests
- Consent Records
- Decisions pertaining to treatment options
- Communications of a sensitive nature with the patient, relatives, guardians or care providers.
- Personally identifiable information, such as an address and contact information.
The Health and Social Care Act itself doesn’t make any recommendations specifically relating to data security, which begs the question…
Why is data security so critically important in the healthcare sector?
It’s because the vast quantities of patient data you hold fall under the most stringent provisions of two other pieces of key legislation: the GDPR and the Data Protection Act 2018. Each of these legislative documents sets out enforceable boundaries, instructions and guidelines for the handling of personal information, designed to give data subjects greater control over how their information is managed, used and stored.
Healthcare data is considered ‘special category data’ under GDPR, meaning the legislation applies tighter restrictions and controls to it than more common forms of individually identifiable data.
What special restrictions are applied to “special category data?”
In order to lawfully possess and process special category data, the GDPR requires you to satisfy at least one of the following conditions:
1. You have obtained explicit consent
2. Handling is for the purposes of employment, social security or social protection
3. Vital interests – data is needed to protect someone’s life
4. Data is being used by a not-for-profit body (with conditions)
5. The data has been made public by the subject.
6. Data is required for legal claims or judicial acts.
7. Data is needed for reasons of substantial public interest
8. Data is needed for health or social care purposes.
9. Data is required for reasons of public health.
10. Data is needed for archiving, research or statistical purposes.
N.B. Conditions 7-10 require a basis in the law of the country where the data processing is being carried out.
Depending on which criteria from the above list you are citing as your lawful purpose, you may have to satisfy further criteria within the scope of the UK’s Data Protection Act 2018. Conditions 2, 8, 9 and 10 require you to satisfy the criteria of the corresponding conditions as set out in Part 1 of Schedule 1 of the DPA 2018.
Similarly, if you contend that your data processing is a matter of ‘substantial public interest’ (condition 7), you’ll have to satisfy the condition of the same name within the Data Protection Act 2018.
As a healthcare provider, justifications you may give for your handling of ‘special category data’ might include:
- ‘for the safeguarding of children or other vulnerable groups.’
- ‘to meet the healthcare needs of individuals with certain disabilities or medical conditions.’
For some of the lawful bases listed above, the DPA also requires an “appropriate policy document” to be in place, and processing any form of special category data requires the completion of a data protection impact assessment (DPIA).
Once the lawful bases for data processing are verified, you must then ensure that all storage and processing activities comply fully with every other aspect of the GDPR legislation.
There is no substitute for becoming comprehensively familiar with the GDPR, but as a basis for ensuring compliance, consider the following:
Take Cybersecurity seriously
Take every viable measure you can to protect data from misuse, misplacement, theft and corruption.
Store only essential information
Exercise ‘data minimisation’ by storing the minimum amount of special category data required for your purposes. Bear in mind that in the event of an audit you may have to substantiate your reasons for holding certain data types.
Appoint a Data Protection Officer
Appoint someone to oversee your data management strategy, whose job it is to ensure all personal data is handled and stored in accordance with all relevant legislation. Ideally this person should have prior experience in a similar role, or be well versed in the likes of the GDPR and the DPA 2018.
Keep records of consent
In instances where explicit consent has been sought for the processing of data, ensure that the appropriate evidence of consent can be supplied on request.
Instate supporting documentation
It’s vital to have policy documentation in place outlining the reasons for data processing, plus the methods of sharing, processing and storage that will be implemented. Details of how you intend to maintain and audit the process should also be set in writing.
Another vital consideration: GDPR’s ‘Security Principle’
Once you’re satisfied that the data processing you’re compelled to undertake under the Health & Social Care Act is compliant with the relevant data protection legislation, it’s time to turn your attention to the GDPR’s security principle. Located within GDPR article F, the ‘security principle’ states:
“Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unlawful or unauthorised processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
This requires organisations to implement procedural and technical controls to safeguard sensitive data, protecting it from unauthorised intrusion, and to deploy robust checks, balances and system management tools that protect your systems against malicious actors.
Hold on to that thought, as in our next article we’ll explore the implications of the aforementioned legislation for your IT systems. We’ll talk you through the actions you can perform, and the checks you can implement to ensure your data handling is performed in accordance with your compliance objectives.
Why choose JMV Solutions?
Since 2012, JMV Solutions has provided IT support for a wide range of small and medium-sized businesses throughout Devon and Cornwall. Our company is formed of a personable, friendly and expert team of IT and security specialists who have your best interests at heart. We protect your business and your valuable data, and help sustain your compliance requirements against a rapidly growing cyber threat. Contact us today to learn more.