10 Simple Steps to a GDPR compliant Dental & Medical Practice

Introduction: 

You are an expert in your medical field. You run a successful busy practice. You understood the importance of data protection, long before the introduction of GDPR. Hey, you work with sensitive personal information every day. 

So, it's ok to put GDPR compliance back onto the top of your ‘to do’ list, as I bet you are halfway there already! Here are some practical steps to get you going. Starting with the Data Audit…

 

Data Audit:
The first step is to map out your interaction with personal information. This can be a simple spreadsheet, mind map, or just paper and pen. List all the ways data comes through your door: website enquiries, phone calls, referrals, patient registration sheets, x-rays, photos on cameras and phones, etc. 

Then, list where you store personal information: patient management system, filing cabinet, dictaphone, dusty boxes, cameras, online folders, email inboxes, backups, phones.
Identify the areas and activities that are potentially vulnerable. Be honest, and be prepared to adapt your routine, just a little!  

Identify practical steps to mitigate privacy risks:-

  • An unlocked filing cabinet sitting in the reception area (move it…lock it!)

  • Dictaphone tapes lying around (use them, wipe them)

  • Is your website set up so that enquiry data is transferred into your patient management system and then deleted from the website, its hosting database and the enquiries mailbox? Avoid duplicate copies sitting dormant on the internet.

  • Do you use Healthmail for referrals? If not, at least password-protect sensitive attachments before emailing them, and send the password by a separate channel (a phone call or text), never in the same email.

  • If you download/attach spreadsheets (with personal data) for reporting or referring, encrypt the file with a password. It’s easy! In Excel: File -> Info -> Protect Workbook -> Encrypt with Password. Note that “Protect Sheet” only stops edits; it does not encrypt the file, so anyone who gets the file can still read it.

  • Do you scan and then securely destroy (shred) paper registration sheets, ensuring the scanned copy retains the patient’s clear consent for x-rays, photos, etc.?

  • Are your Registration Forms similar to an extract from War & Peace? Ask only what you need to perform your service. If you feel you need to ask ‘nice to know’/lifestyle questions, state clearly that these are optional. Keep it simple!

Remember that your employees’ and associates’ personal information must be kept securely too, with access restricted so other team members cannot read it.   

 

10 Simple Steps:

  1. Identify a person within the team to take on the responsibility of data protection – a Privacy Officer. Ensure they have a basic level of data protection training and the confidence to ‘speak up’ if an incident or activity could cause a breach. (A formal Data Protection Officer is only mandatory under GDPR where health data is processed on a large scale, which a single practice typically is not; either way, document who holds the role.)

  2. Support your Privacy Officer to carry out a Data Audit: an overview of all sources and types of personal data, highlighting areas of potential risk and the practical steps to mitigate those risks.

  3. From the audit process, prepare a Retention Log and Data Retention Policy. Decide how long you are keeping each category of patient, employee and supplier information, document it, and actually delete or shred records when the period is up.

  4. Prepare a Privacy Notice. This is a user-friendly statement to patients and staff of what personal data you collect, why, how long you keep it, who you share it with and what their rights are, and it is a commitment that their privacy is your priority.

  5. Get clarity around who has access to personal data and who is responsible for it, and ensure you have Data Processing Agreements in place with the Associates, Partners & Suppliers who handle personal data on your behalf (for example your patient management system vendor, IT support and any cloud backup provider).

  6. Ensure you have a process in place by which a patient or employee can access, amend or ask you to delete their personal details. This is your Subject Access Policy, and your Practice must respond without undue delay and at the latest within one month of the request (extendable by a further two months for complex requests, provided you tell the requester within the first month). If everything is stored in your patient management system, you are most of the way there, but remember to check email, paper files and backups identified in your Data Audit, as a Subject Access Request covers all of them.

  7. In the event of a data breach or a complaint about privacy, ensure you have a Breach Handling Policy. This can be a simple step-by-step action plan: contain the incident, record what happened and when you became aware of it, assess the risk to the people affected, and decide on notification. The key thing is to avoid panic and over-reaction. Have a patient response template that reassures and avoids escalation. This policy also outlines the requirement to notify the Irish Data Protection Commission within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the people affected, and to inform those people without undue delay where the risk to them is high. Keep a log of every incident, including the ones you decide not to report, and why.

  8. IT Security. Minimise the use of portable devices and removable media when accessing patient information, e.g. phones, laptops, USB sticks. Where you must use them, turn on full-device encryption (not just a screen lock or a file password), set a PIN or passcode, and enable remote wipe so a lost phone or laptop is an inconvenience rather than a reportable breach. Use them, encrypt them, lock them!

  9. Ensure all team members have a basic knowledge of the regulation and of their responsibility to keep the Practice safe from fines and negative publicity.

  10. Stay calm. It is ok to engage with your patients!

If you feel privacy has been compromised in your practice, or you wish to clarify whether an incident is a data breach, contact us at privacy@mddm.ie

10 Simple Steps was produced on behalf of our trusted partner Dr Jane Renehan, an expert in her field of dental compliance, of Dental Compliance Limited.
