A damning report by the Supreme Audit Office: hospitals do not protect our personal data properly

Medical data is particularly sensitive and is therefore subject to heightened protection. Despite the entry into force of the GDPR on May 25, 2018, it turns out that Polish hospitals still do not properly protect patients’ personal data. The Supreme Audit Office (NIK) inspected several dozen facilities, and its findings are alarming – almost none of the hospitals properly comply with the provisions of the GDPR, which leads to scandalous situations.

On May 25, 2018, the provisions of the GDPR and related regulations came into force. The obligation to apply these standards applies to all medical facilities – public and private – regardless of the scale of their operations. The GDPR applies both to large hospitals employing many doctors, nurses and midwives and to practices with one or a few doctors. Although the new regulations have been in force for over a year and a half, and their introduction was preceded by many months of preparation, almost none of the facilities inspected by the Supreme Audit Office protects patient data properly.

«In almost none of the inspected medical entities were patients’ personal data properly protected and processed after the GDPR provisions entered into force. As a consequence, the managers of these entities and the Data Protection Officers did not provide patients with full protection of their data. Medical and administrative staff routinely followed patterns developed before the new regulations entered into force» – we read in the latest report of the Supreme Audit Office.

NIK report: numerous instances of hospital negligence

The NIK report shows, among other things, that hospitals store confidential documentation improperly, issue copies of medical records to unauthorized persons, and authorize the processing of personal data by support staff, e.g. orderlies and paramedics, who should not have access to data such as a patient’s medical history or the course of treatment.

The list of failings at health care facilities is much longer. It includes failing to guarantee patients the right to privacy during registration, posting patients’ personal data on hospital beds where it is visible to outsiders, and transferring patients’ personal data to the IT companies servicing hospital systems when reporting software defects.

“In more than half of the audited hospitals there were violations of personal data protection, of which in six the situation was so serious that it was necessary to notify the President of the Office for Personal Data Protection” – reads the report.

Scandalous situations in hospitals

The Supreme Audit Office cites in the report scandalous situations that should never have occurred. «At the Ludwik Rydygier Specialist Hospital in Kraków Sp. z o.o., one patient inadvertently took another patient’s medical records from one of the clinics, and at the St. Ludwik Provincial Specialist Children’s Hospital in Kraków a man with a mental disorder stole three patient files from the registration room – two of them were never found. In 9 out of 24 audited hospitals, paper documentation of patients in hospital wards was stored in unlocked cabinets or on shelves.» In the opinion of the Supreme Audit Office, the inadequate securing and storage of medical records by medical personnel results primarily from routine.

It turns out that as many as three quarters of hospitals still have not implemented adequate measures to protect patients’ personal and medical data stored in electronic form. «This was information about the patient, his diseases, tests, treatments and other medical procedures performed during his stay in the hospital. NIK emphasizes that such data requires special protection. Electronic medical records are not yet in widespread use in all hospitals. However, every hospital is currently required to submit reports containing personal and medical data in electronic form to the National Health Fund.»

Conclusions of the NIK audit of hospitals

NIK addressed its conclusions:

1) to the President of the Personal Data Protection Office, regarding:

  1. conducting systemic controls of compliance with the principles of personal data protection in units from the healthcare sector, and
  2. immediate completion of the activities related to the adoption of the Code of Conduct for the healthcare sector and the introduction of regulations on certification as referred to in Art. 42 GDPR.

2) to the founding bodies of hospitals, regarding:

  1. supervising issues related to the protection of patients’ personal data in subordinate medical entities.

3) to the managers of medical entities, regarding:

  1. analyzing the risks related to the protection of personal data in line with current technical knowledge, and then applying solutions adequate to the identified threats,
  2. regular training of the people involved in information processing, with particular emphasis on information security threats, the effects of information security breaches, legal liability and the application of measures to ensure information security,
  3. granting employees privileges in computer operating systems and HIS (hospital information) systems only to the extent required by the tasks they perform,
  4. introducing individual, personalized authorization of access to the IT resources held,
  5. storing backup copies of information resources in a location separate from the production data,
  6. ensuring the physical security of the IT infrastructure, preventing access by unauthorized persons and ensuring protection against the effects of random events (e.g. fire, flood, storm),
  7. ensuring that persons who gain access to personal data hold the appropriate authorizations from the personal data controller,
  8. providing service providers with only the data necessary to remove software defects.

Source: NIK