The first in a series about GDPR and how it may impact on your practice.
Unless you have been in a coma for the last six months, you will almost certainly have heard the term GDPR. Hopefully you are starting to get your head around the idea that you need to be thinking about the way that you handle “data” and how you “communicate” with patients and clinical colleagues.
You can be forgiven for thinking it’s all a bit of a snore-fest and for wanting to bury your head in the sand, especially if the idea of having to fiddle with tech brings you out in hives.
The trouble is, failing to comply with the requirements could see you end up in a spot of bother, and having to pay a hefty fine – which would be a bit pants.
In actual fact, we are all supposed to be GDPR compliant right now, but the government isn’t currently allowed to beat you with a big stick for failing to comply. All that changes on the 25th May 2018 and it’s going to come around pretty quickly.
GDPR isn’t just about keeping data safe, it’s also about holding onto data (that we shouldn’t be holding onto) and need to be transparent about the which data we hold.
In the clinical world, this means a patient needs to have access to that data and know how it is going to be used. Anything that identifies a patient or is deemed to be “sensitive” comes under scrutiny. To make it simple, it pretty much means any flippin’ thing at all to do with a patient.
The GDPR boys and girls are potentially going to be tough on Clinicians because, in their “Article 32 ” it states that…
“Data processing must have a level of security appropriate to the risk.”
…You’ve guessed it – anything to do with medicine is considered high risk.
If this sounds new, it isn’t, and in fact, we have all been protecting patients’ confidentiality (hopefully), so it’s just a case of getting your use, storage, and movement of data, GDPR shiny.
If we’ve digital data on a patient and we are storing it (e.g. on a server), that data is described as being at rest, and it needs to be securely stored. When data is on the move (for example when we are sending an email about a patient), it also needs to be safe from prying eyes. This literally means pretty much anything that relates to the patient, so the patient’s name, treatment plan, any photography linked with that patient, or address needs to be transferred securely, and confidentially.
So… what does this look like for the majority of us?
Do you need to change your emailing system?
What if you are already using an email system that you are perfectly happy with?
Like it or not you are going to have to start encrypting emails, and let’s face it, a huge proportion of patient communication occurs that way.
The good news is that it may not always be necessary to change your current email provider. There are several software options that can integrate with email systems to encrypt it. For example if you use Outlook, Google apps or Office 365 to send your emails, you could consider using a product such as “Egress switch”. This can encrypt and send email messages securely.
Patients receiving an email from you will initially have go through a brief sign up process – a bit like setting up an account with a password, via a web platform. Patients then have to go through a double opt-in process, to validate that it’s truly them who’ll be opening the mail. It will all be much less clunky after that. Patients will get used to this, because …they are going to have to. It’s the law.
You are also required to encrypt any data that’s in the body of emails, so it’s not just a case of encrypting documents. It’s equally important that you keep any patient data out of the email title. It’s going to make for some pretty boring emails in your inbox, such as “Referral of a patient”, rather than “I want to refer Mr. John Jones with a fantastically enormous boil on his bottom – please see and advise.”
As well as clinical emails, we also have marketing emails. So what’s that going to look like?
To put this in a nutshell…yup… we need to be able to prove that the people on our emailing list actually want to be on it. They need to be added at their request and not merely because we fancied adding them because they were a patient, someone we met at a lecture, or a nice person who followed you on Facebook.
The best way to do this is to ensure that you use a double opt-in process for your email marketing system.
For example: if you have a pop-up box or a link that gathers emails, it needs to be set up so that the person receiving it has to go to their inbox to click to confirm that “Yes, they really do want to be added to this list.” If the GDPR police were to come knocking on your door, you would then be able to demonstrate that person signed up on that particular day, by clicking on, X or Y link, and signing up.
Your email followers need to also be able to unsubscribe from your list, and if they approach you, you have to be able to show them how they got to be on your list and what data is being stored about them. What this really means is, you don’t want to fall into the trap of collecting data that’s not relevant. For example, telephone numbers or bank account details (duh!) should not be asked for, or kept (if someone was daft enough to hand it over).
If you have people who are on your email list who arrived there via a non-double opt-in process, you must make contact with them to ask them to re-opt-in; so, send them an email and ask them. You can expect a substantial fall out from your email list numbers, but don’t worry; instead be reassured that those people probably aren’t interested in receiving your stuff anyway. Shame on them.
Even if you are feeling smug because you have a double opt-in process with your email marketing machine, you should consider having a clear out of all the contacts who have never opened an email of yours since they signed up.
Start now to make some of these changes and get ahead of those GDPR teeth !
If you have any questions,
are looking for guidance and advice ?
We are waiting to help you gain more patients and boost your referrals
email or call us 0207 993 6425