Healthcare: Identifying your regulatory compliance obligations
Nowadays, no sector escapes the reach of compliance regulation in one form or another. Few sectors however are covered by such a broad scope of regulatory legislation as the Healthcare sector.
The bulk of regulatory oversight is undertaken by the Care Quality Commission. This regulatory body has a valuable role in ensuring that Healthcare providers meet and strive to exceed a basic set of standards known as the ‘Fundamental standards.’ The CQC acts as a point of contact through which complaints can be raised and it also performs on-site inspections of Healthcare locations to produce reports that aim to drive good practice and high standards across the entire health sector.
Striving to meet and exceed the CQC’s standards is a goal of most diligent firms in the sector, but it’s not the only regulatory framework to consider.
As a Healthcare provider you are required to hold a vast amount of information about the patients in your care as well as the staff you employ. Much of this data is highly sensitive personal data that requires handling with great care. It is therefore critical that healthcare firms take great care in adhering to their data protection obligations, enshrined in the EU’s GDPR and the UK government’s Data Protection Act 2018.
Deciphering complex legislation can be a daunting task – it can be hard to wade through the jargon to find the sections that specifically apply to your business. So, in this series of blogs we’ll look at how healthcare firms can satisfy CQC standards while maintaining compliance with data protection legislation, and what all this means for your business’ IT.
What data does the CQC say Healthcare firms should hold?
The Care Quality Commission mainly concerns itself with frontline patient care, but it also pays attention to the procedures, processes, checks and balances in place to ensure the quality of care provided.
The CQC’s Fundamental standard of ‘Good governance’ demands adherence to Regulation 17 of the Health and Social Care Act 2008. This legislation outlines the responsibilities of firms in relation to business processes and systems that should be in place to ensure effective management.
So what does it say about data?
17(2)(c) maintain securely an accurate, complete and contemporaneous record in respect of each service user, including a record of the care and treatment provided to the service user and of decisions taken in relation to the care and treatment provided;
17(2)(d) maintain securely such other records as are necessary to be kept in relation to— (i) persons employed in the carrying on of the regulated activity, and (ii) the management of the regulated activity;
The legislation also states:
“Information in all formats must be managed in line with current legislation and guidance.”
“Systems and processes must support the confidentiality of people using the service.”
Information must “be created, amended, stored and destroyed in line with current legislation and nationally recognised guidelines.”
The legislation makes clear that firms should securely hold a wealth of data relating to both patients and staff. Patient data might include:
- Diagnostic test results
- Consent records
- A record of all decisions relating to treatment including correspondence with friends, relatives and carers.
- Personal information such as contact numbers, addresses etc.
Why is data security so important in the health sector?
GDPR is relevant to any firm that holds personal data. From accountants to retailers, architectural firms to logistics companies, all fall under the scope of GDPR to some degree. This legislation has only been around since 2018 and its aim is to give individuals greater control over their personal data and to create a baseline that all firms using personal data must adhere to.
The healthcare sector, however, faces some particular challenges due to the highly sensitive nature of much of the personal data it holds. Data pertaining to health is classed as ‘special category data’ and as such requires extra protection.
Processing Special Category Data – your responsibilities
Firstly, you need to meet certain criteria in order for the processing of data to be considered lawful.
Article 6 of the GDPR sets out the ‘lawful bases’ for the processing of all personal data. Your reason for holding the data in question must accord with one of these criteria.
Article 9 of GDPR sets out the conditions pertaining specifically to the processing of ‘Special Category data.’ Your processing should also satisfy one of these criteria in order for it to be considered lawful.
This is where things get a little trickier! Depending on the condition of processing you are relying on, you may be subject to further criteria. Conditions (b), (g), (h), (i) or (j) of Article 9 of the GDPR require the data processor to satisfy further conditions as contained in Schedule 1 of the Data Protection Act 2018.
When relying on condition (g) of GDPR article 9 ‘substantial public interest,’ you also have to meet one of the ‘substantial public interest conditions’ set out in the DPA 2018. In Healthcare terms the most applicable might be:
“Safeguarding of Children or individuals at risk”
“Support for individuals with a particular disability or medical condition”
The DPA 2018 also stipulates that some conditions for processing require an ‘appropriate policy document’ to be in place. This is the case for example, if you are relying on a ‘substantial public interest condition.’
Special category data also carries a requirement for processors to carry out a Data Protection Impact Assessment (DPIA).
In addition to some of the special treatment required for special category data mentioned above, you also have to ensure your data processing activity complies with the broader scope of the GDPR. Bear in mind the particularly high-risk nature of the data you’re gathering and consider the following:
- Go above and beyond in terms of security for special category data, paying particular attention to access permissions and cyber security.
- Data minimisation. Keep special category data collection to the absolute minimum level that is required. Bear in mind that an audit may require you to explain why you hold certain types of data.
- Appointing a Data Protection Officer. Someone in your firm should be appointed the ‘Data Protection Officer’ if you process or intend to process special category data on a large scale.
- Automated decision making. If you are using special category data to make decisions which might significantly impact the data subject, you should either acquire their explicit consent or ensure that you’ve identified a ‘substantial public interest condition’ for doing so.
- Supporting documentation. Highly sensitive data often requires supporting documentation. You may need to create an appropriate policy document under DPA 2018, in which you will have to outline your justification for processing the data. Perform a data audit to ensure you are aware of all the personal data you hold and where it is stored.
Once you have ensured your data processing activities are lawful under the GDPR and DPA 2018, it’s vital to ensure that any processing is done in a secure manner. This is a requirement outlined in the GDPR’s security principle (Article 5(f)):
“Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unlawful or unauthorised processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
This means ensuring that your IT is up to the job of safeguarding the sensitive data you hold and that it gives you adequate control over it. In our next blog we’ll look at what the regulations mean for your IT and data and explore some of the measures you can take to ensure data remains tightly controlled in order to uphold compliance obligations.