GDPR Compliance Process for Health Care Providers

June 21, 2018

Miloš Velimirović, Partner

Dunja Tasić, Senior Associate

Confidentiality is a key aspect of health care provision, and health professionals must take extraordinary care to protect their patients' privacy. GDPR introduces significantly stricter general rules for the processing of personal data than the previous regime, and it applies extraterritorially to non-EU data controllers in the cases we have previously written about. The strictest rules relate to personal data concerning health, i.e. data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

GDPR (Article 9) generally prohibits the processing of data concerning health and provides an exhaustive list of exceptions to that prohibition. Personal data concerning health may be processed, among other cases, where the data subject has given explicit consent, where processing is necessary to protect the vital interests of a natural person, for reasons of public interest in the area of public health, for the purposes of medical diagnosis or the provision of health care or treatment, or for carrying out the obligations and specific rights of the controller or of the data subject in the field of employment, social security and social protection law.

GDPR in Healthcare – Transparency

One of GDPR's leading principles is transparency for the benefit of the data subject, and transparency promotes trust. However, some reports show that only 30% of healthcare organizations worldwide have so far remained untouched by a data breach, which illustrates how exposed the sector is to cyber-attacks. The fact is that many health care institutions are not properly equipped to tackle GDPR. The key issue for such institutions is how they manage and secure patients' personal data, which is extremely sensitive. At the same time, too much focus on GDPR compliance might take away from the provision of health care in systems that are already under pressure, mostly state-run health care institutions within the EU.

GDPR affects a whole range of participants whose business involves providing services to the health industry: insurance companies, pharmaceutical companies and med-tech companies. These stakeholders must strike the right balance when implementing GDPR, safeguarding data subjects' health information without hindering the use of that data for research purposes, which serves the greater good. GDPR allows the processing of data concerning health where necessary for scientific research purposes, provided that such processing is subject to appropriate technical and organizational measures (pseudonymization is the example GDPR itself gives) designed to ensure, among other things, respect for the principle of data minimization.

GDPR in Healthcare in Serbia

GDPR may well affect Serbian private practices that target EU citizens, especially in the age of health tourism. Offering services to data subjects in the EU, whether or not payment is required, is one of the triggers for GDPR's extraterritorial application. If you are a private practice registered in Serbia and treat EU patients as a result of deliberately targeting them with offers of health services, you should determine whether you need to be GDPR compliant.

One of the first things a health services provider must do is map the categories of personal data it processes, invest in technology that secures that information while remaining easy to use in clinical practice, and implement appropriate technical and organizational measures for data protection. Initial legal steps must include updating consent forms, developing procedures for data breach notification (GDPR generally requires the supervisory authority to be notified within 72 hours of the controller becoming aware of a breach), and re-evaluating the legal grounds and purposes for each processing activity. GDPR compliance is a continuous process and is especially demanding for health care providers, which is why evaluating whether one falls within the scope of GDPR is a burning issue.

This blog post is for informational purposes only and should not be considered as legal advice. Should you require any additional information, feel free to contact us.

Contact:

Miloš Velimirović, Partner
milos.velimirovic@sog.rs

Dunja Tasić, Senior Associate
