Navigating the GDPR labyrinth

In the April issue of the Independent Practitioner Today, Jane Braithwaite and Karen Heaton discuss GDPR and reveal that medical practices did not properly understand whether they were required to ask patients for their consent for certain processing activities, or how to do so.

Consent and GDPR

In the medical sense, ‘consent’ is very clear. But in the latest EU General Data Protection Regulation (GDPR), the question of consent has been one of the most confusing and frustrating issues to come to terms with.

How many emails did you receive in the run-up to the GDPR deadline about ‘opt-ins’ for marketing or just ‘opt-ins’ in general?

Our experience is that medical practices and businesses in general really did not properly understand whether or not they were required to ask patients or clients for their consent for certain processing activities or how to do so.

On a personal level, it was a very useful opportunity to clear out unwanted junk email and compel organisations to take unsubscribe requests seriously. This had clearly not been the case in the past.

But were all these emails about consent necessary?

Well, that depends on a number of factors:

  • The lawful basis you have for processing an individual’s data;
  • How you received an individual’s data;
  • What you have told individuals – patients, clients or employees – about how your practice handles their personal data.

For medical practices who act as data controllers, there is the potential for non-trivial reputational damage and large fines from Information Commissioner’s Office (ICO) investigations regarding poor consent practices.

So, to answer this question, let’s look at:

a) Your lawful basis for using that data;
b) The data you process and how it is processed.


Designated Medical are GDPR Ready!

Our commitment to GDPR


The European Union has taken a monumental step in protecting the fundamental right to privacy for every EU resident with the General Data Protection Regulation (GDPR), which will be effective from May 25, 2018. Simply put, EU residents will now have greater say over what, how, why, where, and when their personal data is used, processed, or disposed of. This rule clarifies how the EU personal data laws apply even beyond the borders of the EU. Any organisation that works with EU residents’ personal data in any manner, irrespective of location, has obligations to protect the data. Designated Group, including Designated Medical, is well aware of its role in providing the right tools and processes to support its users and customers in meeting their GDPR mandates.

Designated Medical’s Commitment

At Designated Medical, we have always given our clients and contacts the right to data privacy and protection. We have never relied on advertising as a means to generate business and we have never sent direct advertising to our contact database, and never will. This means that we have no necessity to collect and process our contact database’s personal information beyond what is required for the delivery of our services and to ensure we optimise how we can help and support them.

Over the years, we have demonstrated our commitment to data privacy and protection by meeting the industry standards for data protection. All client sensitive data is saved in an encrypted storage facility which is tightly regulated.  We have also made significant investment into our IT infrastructure and we recognise that the GDPR will help us move towards the highest standards of operations in protecting customer data.

How is Designated Medical preparing for GDPR?

We have reviewed all our data and the touch points where we collect data, and have ensured that we will be fully compliant by the time the regulation comes into effect. Designated Medical also understands its obligation to help clients and contacts get ready for the big day and has published useful information to assist them in the process.

We have thoroughly reviewed GDPR requirements and have put in place a dedicated internal team to drive our company to meet them. Some of our ongoing initiatives are:

  • Identifying personal data – All our data is categorised and integrated with our marketing systems to ensure consent and accessibility. We have invested in systems to ensure accuracy and control of data across all systems.
  • Providing visibility and transparency – The most important aspect of GDPR is how the collected data is used. Designated Medical’s key role is to provide our clients and contacts (the data subjects) with the access to effectively manage and protect their user data. Designated PA has contacted each and every contact allowing them access to opt in and out and update their personal information.
  • Enhancing data integrity and security – Data privacy and data security are two sides of the same coin. As our clients tighten their data security measures, Designated Medical would like to extend a helping hand and has a team of marketing experts who can assist with GDPR compliance. We have invested heavily in our IT infrastructure to ensure we maintain a high level of security and integrity.
  • Portability and transferability of data – GDPR gives data subjects the right to either receive all the data provided and processed by the data controller or transfer it to another controller depending on technical feasibility. With this new right in mind, Designated PA is able to export data at an individual level as required.

What does this mean for our clients?

We understand that meeting the GDPR requirements will take a lot of time and effort. And as your partner, we want to help you make your process as seamless as possible, so that you don’t have to worry about compliance and can focus more on running your business. If you need assistance with implementing processes that are GDPR compliant, get in touch and our team of marketing experts can assist. The Information Commissioner’s Office (ICO) have a self-assessment tool for businesses which is definitely worth a read.

What should you do to be GDPR-ready?

If you are just getting started with GDPR compliance in your business, here’s a quick to-do list to keep in mind. The ICO have also produced a 12-step process for preparing for the regulation.

  • Create a data privacy team to oversee GDPR activities and raise awareness
  • Review current security and privacy processes in place & where applicable, revise your contracts with third parties & customers to meet the requirements of the GDPR
  • Identify the Personally Identifiable Information (PII)/Personal data that is being collected
  • Analyse how this information is being processed, stored, retained and deleted
  • Assess the third parties with whom you disclose data if
  • Establish procedures to respond to data subjects when they exercise their rights
  • Establish & conduct Privacy Impact Assessment (PIA)
  • Create processes for data breach notification activities
  • Continuous employee awareness is vital to ensure continual compliance to the GDPR

Are you GDPR ready?

Useful Information:

12 Steps to take now

Guide to General Data Protection Regulation

Data Protection Self Assessment Toolkit

What is a bookkeeper?  and why you should hire one.

That pile of receipts and invoices is getting bigger AND you haven’t updated your cash flow spreadsheet in 2 months! You know roughly where you are financially with your business, but how do you get a clearer, more accurate and more up-to-date picture? Most SMEs live and die by their cash flow, so employing effective bookkeepers and accountants is invaluable to the overall growth and stability of your business. What is the difference between a bookkeeper and an accountant, and which one is the right one for you?

Accountant vs Bookkeeper

An accountant will generally look at your ‘books’ on a quarterly basis and advise on VAT, Corporation Tax owed and other such legal requirements for your business, as well as classifying, reporting and summarising financial data. A bookkeeper will work on a day-by-day basis, recording financial transactions chronologically and advising on any cash flow problems or late payment invoices, and in some cases can help with classification and financial reporting.

Most businesses will really need both services, but often they only engage an accountant, largely because they feel they can handle the day-to-day activity themselves but also to help reduce costs. But is this a sensible decision?

Business owners are so busy running their business that the tasks of recording financial transactions and performing a reconciliation get left to the end of the quarter when the VAT return is due. That also means that for much of the time their view of their company’s finances is several weeks out of date. Some business owners get so behind that their accountant is brought in to clear the backlog, and this can be a significant expense as it’s not the core business of an accountant to handle this type of work.

At Designated Bookkeeping, we would strongly recommend that all business owners employ a highly trained bookkeeper as soon as they are able to afford to do so. A good bookkeeper brings two distinct advantages:

  1. Relieves the pressure on the business owner to manage the day-to-day finances, freeing him/her up to grow their business
  2. Ensures financial control with accurate up to date data.

For more information on our bookkeeping services please visit: or call us on 02079521460.

Engage. Share. Connect. The Elixir June 2017

The Elixir June 2017 is out NOW!  … read our latest interview with Andrew Vallance-Owen, Chairman of PHIN, check out our new online health checks and social media services, not forgetting all the latest events to add to your diary and news from the DMed Blog.

Don’t forget to sign up to receive your very own copy direct to your inbox.



You spent many years as the Group Medical Director at BUPA before joining PHIN, what attracted you to your current role as Chairman at PHIN?

I retired about 5 years ago from BUPA and then moved on to do non-executive work. One of the areas I was involved in when I was with BUPA was the question of clinical governance, data collection and outcome measurements and for many years I have been talking within the private sector about the need for transparency and for more information to be made available to consumers.

In particular, I was very involved with the whole question of encouraging outcome measurements involving patients directly. I chaired the Department of Health patient reported outcomes group which supported the development of that programme.

Knowing the work I was doing, Matt James, our Chief Executive asked very early on if I could now take on the Chairmanship of PHIN, and I was delighted to do so. This was a continuation of the work that I had been doing for all those years. I was very keen to bring my knowledge and experience particularly around the use of patient reported outcome measurements, and I was delighted to be part of the organisation bringing this important work to life.

The private healthcare sector is well established in the UK but in 2014 the CMA found that the information available to patients considering this option was inadequate, how will PHIN help patients make better informed choices?

In 2014 the CMA started their investigations into the private healthcare sector. They were saying what many of us have been saying for a long time, that patients in the private sector just did not have enough information to make informed decisions about where they could go and who they could see. There is a wealth of this sort of information available in the NHS but the CMA found that similar information was not available in the independent sector. It was absolutely right, and we very much supported what the CMA were saying, it is crucial to have this information. Today patients are much more discerning and demanding and they want to have information before they make their decision, this is often in consultation with their GP and so PHIN absolutely agreed with what the CMA was trying to do.


Now we have a situation where the private sector will submit data to one information body PHIN, and we will work with the private hospitals and NHS PPUs to produce consistently high quality information for patients – the consumers, on the PHIN website. In the past patient experience information was to be found on many, many websites but not in a consistent way, now PHIN is able to publish accurate, robust, and standardised information in a sensitive way that is helpful for patients.

The CMA requires that all hospitals providing privately funded healthcare including NHS hospitals are members of PHIN and that they submit patient episode data, what will you do with this data?

The data submitted to PHIN will be used to produce 11 performance measures (as specified by the CMA), which will be published on the PHIN website – supporting patients with greater information about the range, quality, and safety of care services available to them. Currently there are three performance measures published at hospital site level only – patient numbers, average length of stay, and patient satisfaction, based on the NHS Friends and Family Test (FFT). Next year this will be expanded to include additional measures – such as adverse events and patient reported outcomes (PROMs), and published for both hospitals and individual consultants.

But before publication we give every opportunity to ensure the quality and accuracy of the data. After collecting the data hospitals have the opportunity to check that the data is accurate – it is important that they trust us to get it right.

PHIN will publish consultant performance measures from next April. Consultants will want to ensure that their data is right and we will be encouraging them to start to engage with the portal and check their data to ensure that their practice is fairly represented. We want to be as fair as we possibly can to everybody and we are doing a lot of work on engaging with the consultants to tell them that this is coming. We are not going to make judgements we are simply the facilitator to enable them to get accurate high quality data onto the PHIN website. We want to help provide clarity around healthcare data and healthcare information specifically around the 11 performance measures outlined by the CMA. The data is aggregated performance measures which provide really helpful information, context and benchmarks from which patients can arm themselves for conversations with their GPs or referring clinicians.

Our readers will be particularly interested in the data that will be published at consultant level. Can you outline the deadlines?

At the end of April 2018 we will publish performance measures for consultants. Before that we are engaging in a process of communicating much more clearly and openly with consultants, encouraging them to come onboard with our online portal from this summer.

The consultant portal will launch this summer, it is available for hospitals now and they are already using it and we are seeing a lot of benefit for them in terms of checking and improving the accuracy of the data. The consultant portal has been piloted and the feedback from that was positive, the idea is to give the consultants six months to enable them to do their checks before publication.

Traditionally there has been little transparency in the publication of consultant fees. How are you working with doctors to ensure that what is published is valuable to patients and fair to consultants?

Absolutely – transparency in terms of fees (Article 22) is needed, and this is one of the areas the CMA identified in their report. It is a complicated area, one thing we are very sure about is that we are going to be working closely with the medical profession to come up with the best way of doing this. But the important thing is, with the publication of consultant fees now delayed till April 2019, we have been given the time to do this properly.

We have already gone out and piloted the portal once and we have used that feedback to make sure it is user friendly and to tidy it up as much as possible. When it is rolled out to consultants of course it will no longer be in pilot phase, but we are always open to improvements and want to work proactively and productively with consultants. Working with them over the next year we will be introducing them to their data and making sure that that portal is as robust and user friendly and helpful to them as possible. As we progress both for hospitals and consultants, it is very much making sure that they can check their data for accuracy and they can see what the performance measures (Article 21) are going to look like and how that has come to be.

As we move forward there is a real question in there about what other value consultants can get from this data. Consultants are generally very proud of their practice in the private sector and being able to see and publish their data is an important step forward. All doctors now have revalidation and this will be a chance for them to present a complete set of their data to appraisers, that is going to be very helpful.

– Andrew Vallance-Owen

Designated Medical would like to thank Andrew for taking the time to answer our questions.

For more information visit

Private Healthcare Information Network
