Effective communication between hospital staff and patients in compliance with personal data protection regulations
Abstract
Secure communication between patients and health care facilities is especially important. In 2016, the European Union (EU) introduced a new regulation, the General Data Protection Regulation (GDPR), applicable in all EU member states and aimed at improving the protection of personal data. The GDPR provides broad guidelines on data protection, but generally lacks specific details. Consequently, although member states must comply with the GDPR, there is some flexibility to develop new regulations to suit national characteristics and practices, especially in key economic sectors, such as health care. The aim of the present article is to discuss the benefits and limitations of legal provisions governing patient identification (both in person and remotely). This analysis is based on Polish laws that were recently passed to comply with the GDPR. In some cases, these data protection regulations may be unnecessarily strict, making routine care more difficult than intended by the GDPR. National legislation in Poland imposes strict data protection measures, such as prohibiting the public display of patient names or calling out the patient’s name in public. However, after health care personnel around the country criticised many of these measures, the law will be modified to address those concerns. For example, the patient’s name can be displayed on a wrist band and on containers with the patient’s medicines. Nonetheless, numerous questions still need to be resolved to adapt the general data protection rules so that the hospital can operate effectively and problems related to accurate patient identification are avoided.
Keywords: personal data; patients; hospital care; communication; patient rights; Hospital Information System