GDPR Compliance Process for Health Care Providers
Confidentiality is a key aspect of health care provision, and health professionals must take extraordinary care to protect their patients’ privacy. GDPR introduces significantly stricter general rules for personal data processing than the previous regime, and it applies extraterritorially to non-EU data controllers in the cases we previously wrote about. The strictest processing rules concern personal data concerning health, i.e. data related to the physical or mental health of a natural person, including the provision of health services, which reveal information about that person’s health status.
GDPR generally prohibits the processing of data concerning health and gives an exhaustive list of exceptions to that prohibition. Personal data concerning health may be processed in cases such as: the data subject has given explicit consent to the processing; the processing is necessary to protect the vital interests of a natural person; the processing is necessary to protect public health or to provide a medical diagnosis; the processing is necessary to fulfil a specific legal obligation of the data subject or the data controller; and so on.
GDPR in Healthcare – Transparency
One of GDPR’s leading principles is transparency for the data subject’s benefit, and transparency does promote trust. However, some reports show that only 30% of global healthcare organizations have remained untouched by a data breach, which shows how vulnerable they are to cyber-attacks. The fact is that many health care institutions are not properly equipped to tackle GDPR. The key issue for such institutions is how they manage and secure patients’ personal data, which is extremely sensitive; at the same time, too much focus on GDPR compliance might take away from the provision of healthcare in systems that are already under pressure, mostly state-led healthcare institutions within the EU.
GDPR may influence a whole range of participants whose business entails providing services to the health industry – insurance companies, pharmaceutical companies, as well as med tech companies. These stakeholders must find the right balance when implementing GDPR in order to safeguard data subjects’ health information without hindering the use of the data for research purposes, which serves the greater good. GDPR allows the processing of data related to health where necessary for scientific research, provided that such processing is subject to appropriate technical and organizational measures aimed at ensuring, amongst other things, GDPR’s principle of data minimization.
GDPR in Healthcare in Serbia
GDPR may well affect Serbian private practices which target EU citizens, especially in this day and age of health tourism. If you are a private practice company registered in Serbia and have EU patients as a result of your efforts to target such patients in order to provide them with health services, it might be a good idea to determine whether you should be GDPR compliant or not.
One of the first things a health services provider must do is to improve its understanding of the categories of data it processes, invest in the right kind of technology that secures the information and is easy to use, and implement appropriate technical and organizational measures for data protection. Initial legal steps must include updating consent forms and developing procedures for data breach notification, as well as re-evaluating the legal grounds and purposes for the data processing. The GDPR compliance process is never-ending and especially hard on health providers, which is why evaluating whether one falls within the scope of GDPR is a burning issue.
This blog post is for informational purposes only and should not be considered as legal advice. Should you require any additional information, feel free to contact us.
Miloš Velimirović, Partner
Dunja Tasić, Senior Associate