When using patient data, strict rules apply with regard to data protection. We will provide you with a brief overview of digital patient files, the transfer of patient data to third parties and the necessary declaration of consent.
The storage of patient data
Whether in a doctor’s surgery, a pharmacy, hospitals or other medical facilities in the health care system – large amounts of sensitive patient data are stored daily at all these locations.
Information about patients is part of the personal data and is also subject to medical confidentiality. They may only be recorded, stored, used and processed under certain conditions. Here, the patient’s consent is normally required in the form of a written consent.
In addition, the processing must serve a specific purpose, such as the current treatment of a disease or prevention. In the following, we will take a closer look at the form in which the patient’s data is secured.
How patient data is collected and processed
More and more practices are modernizing their patient systems and transferring written documents to digital patient management. The digitization of documents is permitted under certain conditions in accordance with § 630 f Para. 1 of the German Civil Code (BGB).
The conditions include, for example, chronological traceability and appropriate data security to prevent access by unauthorized third parties.
Nowadays, digital patient files are frequently used, which enable faster exchange and networking of medical services. For this purpose, the “electronic patient file” (EHR) was created, which ensures permanent availability of the patient file. At this point, you may be wondering how long patient data can be stored?
Retention periods for patient data
Patient files are subject to a retention period. Patient data is normally retained for up to 10 years after treatment. However, this depends on the individual case. Particularly in the case of serious and chronic illnesses that last a long time, the laws often require even longer periods, some of which can last up to 30 years.
The encryption of patient data
In principle, the electronic patient file faces completely different challenges than written documentation.
In order to ensure the data protection of patients’ sensitive data, it is possible to transmit the information using a secure VPN tunnel. Closed networks with encryption systems are also used.
Legislation in the medical sector fundamentally prohibits the sending of e-mails without appropriate end-to-end encryption. The sender and recipient receive a special key that prevents unauthorized access to sensitive data. However, this is still permitted in other digital communication channels and in cloud computing.
Here, security expert Detlef Schmuck calls for “end-to-end encryption without gaps”. You can read more about the recommended end-to-end encryption and the associated current medical data scandal here.
Is the transfer of patient data to third parties permitted?
In principle, patient files consist of sensitive and personal data, which are subject to medical confidentiality and data protection. Anyone who passes on information from patient files to third parties without consent and authorization commits a breach of data protection and is even liable to prosecution. Under Section 203 of the German Criminal Code (StGB), prison sentences of up to one year or fines may be imposed.
The transfer of patient data to external third parties is therefore strictly protected. In most cases, it requires the consent of the individual person. We will explain more about the declaration of consent below.
How does the declaration of consent for the transfer of patient data work?
Perhaps you have already experienced it yourself? If your doctor refers you to a specialist or if you change your family doctor, you will usually receive a form for “Consent for the collection or transfer of patient data” at the practice. Only if patients sign this declaration of consent does the new doctor have legal access to the health data.
Current developments in digital patient data
The current trend with regard to patient files is towards mobile devices. For example, many doctors use tablets for quick the retrieval of findings or for mobile rounds. They can store the entries temporarily and store them in a secure cloud.
For example, a patient must be x-rayed after an accident. By transferring x-rays to the doctor’s tablet, he can care for the person much more quickly, as there is no longer any need to travel between the specialist departments and the operating room.
This development entails risks and, at the same time, many IT security requirements. Should an employee lose a mobile device, the medical data stored on it could fall into the wrong hands. This calls for IT experts and data protection officers with professional encryption strategies.
Find out more about reliable encryption methods that can secure even very sensitive medical data here: Encryption methods at a glance.