Data privacy reform in health care
Health care-related information is sensitive, so strict rules have to be followed when processing it. The basis for data protection in health care was established some 2,400 years ago in the Hippocratic oath. Today, almost every group of health care professionals has its own ethical guidelines, in addition to the requirements set by the legislation applicable to the sector. These require health care professionals to commit to professional secrecy and to the confidential treatment of patient data.

Current privacy practices in Finland will be significantly modernised as a result of several on-going projects, including the EU General Data Protection Regulation (GDPR), the Customer Data Act, and the social and health care services reform. The GDPR, which will apply from May 2018, further highlights the responsibility, accountability and documentation obligations of data controllers, and brings with it hefty fines for breaches of its requirements. The obligation to notify data breaches will also be expanded. The on-going reform of the social and health care sectors will affect, for example, record keeping and the processing of personal data when public social and health care services are transferred to the responsibility of self-governing provinces at the beginning of 2019.

The challenge of digitalisation

The fast-developing digitalisation of health care also poses challenges to the current way of working and the associated legal requirements. Telemedicine is increasingly involved in services and health technology is on the rise. One of the current projects is Kela’s adoption of Kelain, a service for issuing electronic prescriptions, introduced as of 28 September 2016. Electronic prescriptions will become compulsory and replace paper-based prescriptions completely in early 2017. Most electronic prescriptions are issued from a patient information system, which not all doctors use. Kelain is a certified application developed by Kela that allows these doctors, and also dentists, to issue electronic prescriptions. In addition to the functionality of the service, special attention has been paid to achieving a high level of data protection and security.

Data protection risks

Multiple data protection risks exist in health care. These relate to, for example, possible deficiencies in the processing and destruction of personal data, as well as in the electronic disclosure of such data, where the personal data must be adequately protected and the recipient’s right to receive the information ensured. There may also be deficiencies in staff training and in the management of access rights, where permissions do not necessarily correspond to the person’s work duties. The daily tabloids periodically publish news on, for example, patient records being found in landfill, the poor soundproofing of examination rooms, or a nurse receiving a fine for prying into patient information. The public discussion of these cases has increased people’s interest in privacy issues and in the appropriate treatment of their data.

The management’s role – what should be focused on?

The management’s attitude is key in managing data protection risks. The results of a recent survey on data protection, carried out by Kela and the Data Protection Ombudsman’s office, show that public health care organisations and the pharmacy sector have addressed privacy issues best and have a good attitude to data protection. The public sector has the most to develop in the implementation of data protection matters, despite the fact that almost all respondents perceived data protection as important or very important.

In preparation for these reforms, the current state of data protection in the organisation must be in order. It should, if necessary, be surveyed with the help of a lawyer. Examples of noteworthy topics are:

  • organising the administration of personal data files and the data protection/register descriptions

  • written instructions concerning the processing of patient data

  • reserving adequate resources and defining the job description of the data protection officer

  • identification, classification and analysis of data protection risks

  • written contracts of service purchases

The implementation of data protection requires co-operation

Privacy is an individual’s basic right in Finland and improves the legal protection of patients. The implementation of data protection requires that changes in the legislation applicable to health care are monitored and communicated. Training staff within the organisation and drawing up and implementing instructions are key, as is monitoring the processing of personal data and reporting possible data protection deviations to management. Preventing damage is cheaper than repairing any damage caused. Investing in data protection is a clear competitive advantage for a health care organisation:

  • the organisation appears as a reliable service provider and a desired partner

  • the organisation’s productivity and efficiency increase

  • the probability and impact of risks are reduced.

Interested? At Fondia, we are happy to help with legal questions relating to health care and data protection in a rapidly changing business environment. This year, we too are focusing on digitalisation and the development of new, more efficient ways of working.