Catherine Paley-Vincent, partner lawyer and Nathalie Boudet-Gizardin, counsel

Article published with the kind authorization of the Departmental Council of the Hauts-de-Seine Order of Doctors

Just as Monsieur Jourdain wrote prose without knowing it, a doctor, in his daily practice, handles personal data at every moment: that of his patients of course, but also that of the colleagues involved in the care, of his service providers, of his employees... Everyone is thus a collector of personal data within the meaning of the General Data Protection Regulation (RGPD/GDPR) of April 27, 2016, in force since May 25, 2018, and supplemented by the law of June 20, 2018.

A set of new rules which opens up a whole field of duties and responsibilities for the doctor.

INCREASED RESPONSIBILITIES

These new texts make the doctor a "data controller" for the personal data that he collects, uses, stores and even transmits to third parties. The protection of this data goes so far as to cover what the RGPD calls "subcontractors" (processors): for example, health data hosts, IT service providers, appointment booking platforms, telemedicine platforms, etc.

Until now, doctors setting up in private practice made a declaration to the CNIL, insofar as they collected data. Today, they must instead "keep a register". To understand how to translate this new obligation into practice, it is essential to familiarize yourself with the model register proposed by the CNOM and the CNIL, which joined forces to publish, in June 2018, the "PRACTICAL GUIDE ON THE PROTECTION OF PERSONAL DATA". It contains a model register of "processing activities" for a private practitioner. It must of course be adapted to the particular situation of each practice, but it must be completed with precision. This register can be kept in paper or computer format, and the help of your software publisher or your IT service provider will be invaluable.

This register is a series of sheets, one for each activity in which the doctor collects personal data: the follow-up of his patients, contacts with his correspondents, appointment booking, the management of his employees (payroll, employment contracts...), contacts with his suppliers, the securing of his premises, etc.

If you work in a health establishment, a nursing home or a care center, contact the management or the data protection officer (DPO), if one has been designated. Responsible for verifying that the data collection system in use complies with the regulations and for assessing its security, the DPO will be your point of reference in the matter.

A TARGETED DATA COLLECTION

Whether the collection of personal data is carried out on computer software or in paper format, the doctor is required to:

- collect and process data "fairly and lawfully", which assumes that the patient concerned has been informed of the collection of his personal data (by a notice in the waiting room or by handing over a written document, such as the one given to him to inform him of the care he is receiving);
- collect data for "specific, explicit and legitimate purposes": the doctor may collect this personal data only to carry out his activity of prevention, diagnosis and care. Any use for personal purposes and, even more so, any commercial use (as in a coaching activity) is strictly prohibited;
- collect data that is "adequate, relevant and not excessive with regard to the purposes for which they are collected and their subsequent processing": only the patient's medical follow-up is concerned. It does not matter whether the patient is adulterous or a bad payer if this data is not useful for his medical follow-up;
- collect "exact, complete and, if necessary, updated" data: the patient must be able to ask you for access to his personal data, to have it rectified in the event of an error, and even to ask you to erase it in certain cases.

LIMITED DATA CONSERVATION

Personal data must be kept by the doctor for no longer than is necessary for the use he makes of it. The CNOM recommends that the private practitioner align with the retention periods set for the medical records of health establishments, namely:
- 20 years from the date of the patient's last consultation, even if the patient requests to erase his personal data or to recover them in the event of a change of doctor;
- if the patient is a minor and this 20-year period expires before his 28th birthday, the retention of information concerning him must be extended until this date;
- if the patient dies less than 10 years after his last consultation, the information concerning him must be kept for 10 years from the date of death;
- in the event of an action tending to call into question the doctor's liability, these retention periods should be suspended;
- treatment sheets, whether electronic or on paper, must be kept for 3 months.
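The retention rules listed above, written out as an added example (not part of the article or of the CNOM/CNIL guide) so that a practice or its software provider can check when a patient file may actually be destroyed. It assumes that "minor" means under 18 at the date of the last consultation, and that a pending liability action suspends the period entirely; the sample dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February anniversary falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

@dataclass
class PatientRecord:
    birth_date: date
    last_consultation: date
    death_date: Optional[date] = None
    liability_action_pending: bool = False  # action calling the doctor's liability into question

def retention_end(rec: PatientRecord) -> Optional[date]:
    """Earliest date the record may be destroyed, or None while the period is suspended.
    Assumption (not stated on the page): 'minor' means under 18 at the last consultation."""
    if rec.liability_action_pending:
        return None  # retention periods are suspended while the action is pending
    if rec.death_date is not None and rec.death_date < add_years(rec.last_consultation, 10):
        return add_years(rec.death_date, 10)  # death within 10 years: keep 10 years from death
    end = add_years(rec.last_consultation, 20)  # general rule: 20 years from last consultation
    if rec.last_consultation < add_years(rec.birth_date, 18):
        end = max(end, add_years(rec.birth_date, 28))  # minors: at least until the 28th birthday
    return end

def erasure_request_allowed(rec: PatientRecord, today: date) -> bool:
    """A patient's erasure request does not shorten the period: honoured only once it has run."""
    end = retention_end(rec)
    return end is not None and today >= end

def retention_end_iso(birth: str, last: str, death: Optional[str] = None,
                      pending: bool = False) -> Optional[str]:
    """Convenience wrapper over ISO date strings (e.g. '2020-05-01')."""
    rec = PatientRecord(date.fromisoformat(birth), date.fromisoformat(last),
                        date.fromisoformat(death) if death else None, pending)
    end = retention_end(rec)
    return end.isoformat() if end else None

if __name__ == "__main__":  # constructed sample records, not real patients
    print("adult:", retention_end_iso("1980-03-10", "2020-05-01"))
    print("minor:", retention_end_iso("2015-06-15", "2020-05-01"))
    print("deceased:", retention_end_iso("1950-01-01", "2020-05-01", death="2025-01-20"))
```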

CONTROLLED DATA TRANSMISSION

All these obligations and prohibitions sometimes give way, in the interests of the patient, when it is necessary to transmit the data concerning him to third parties. This must then be done in a strictly regulated and secure form.

You will need to ensure that your appointment booking platform, any telemedicine platform you use, and the software managing your patient files also comply with the obligations of the GDPR. This must appear in the written contract signed with each service provider, thereby guaranteeing the security and confidentiality of the data entrusted to them.

The doctor may also be required to transmit his patients' health data to "third parties authorized" by law: the tax administration, social security organizations, the DGCCRF, a bailiff, etc. He then does so under strict and supervised conditions.

Watch out for standard e-mail! If you send personal health data by e-mail, ask your IT service provider to secure your transmissions (passwords, read receipts, data encryption, etc.).

These precautions extend to the use of a mobile phone or tablet for communicating with other health professionals or with your patients: passwords in accordance with the recommendations of the CNIL [I], automatic locking after a short period of inactivity, encryption of health data. The use of removable media (USB keys, external hard drives) is strongly discouraged in the CNOM and CNIL guide.

A HEIGHTENED CRIMINAL LIABILITY

A doctor can be criminally convicted for failing to comply with these regulations. Thus, even before the GDPR came into force, a hospital doctor was sentenced for having implemented the processing of health data relating to premature babies without the prior authorization of the CNIL.

Even before any criminal proceedings, the CNIL may penalize non-compliant behavior: warning, call to order, injunction to bring into conformity accompanied by a fine whose amount cannot exceed 10.000 euros, or an administrative fine whose amount may not exceed 10.000.000 euros. As for the criminal sanction, pronounced by a criminal court, it can go up to 5 years of imprisonment and a fine of 300.000 euros.

Bringing yourself into compliance with the GDPR is therefore a complex, daunting and demanding process. You are nevertheless required to do so. Support is undoubtedly necessary.

[I] 12 characters including uppercase and lowercase letters, numbers, and special characters