Data Protection for healthcare organisations

Our expertise: Data protection for medical practices and healthcare providers

Companies in the healthcare sector (e.g. medical practices, group practices, hospitals, care facilities, etc.) process personal data and must therefore comply with extensive data protection obligations under the DS-GVO and the BDSG. The OBSECOM GmbH team supports you as an external data protection officer and advises you personally and competently regarding your obligations under the DS-GVO and other data protection regulations. We advise your medical practice as externally appointed data protection officers in the regions of Stuttgart, Reutlingen, Tübingen, Rems / Murr, Pforzheim, Karlsruhe and Freiburg.

Our services at a glance:

  • Appointment of an external data protection officer;
  • Initial inventory and annual reviews with a report, without interrupting practice operations;
  • Creating and continuously updating the data protection documentation (e.g. record of processing activities, processor agreements, …);
  • Creating privacy notices for the website, patients and staff;
  • Support in the event of data protection breaches;
  • Ongoing personal advice (e.g. on the transfer of patient data or telemedicine);
  • Collaboration with IT service providers to optimise technical and organisational security measures;
  • Training and awareness-raising for your employees;
  • Access to the OBSECOM platform for checklists, documentation and processes.

Data protection for medical practices

Request a non-binding offer now

If you are looking for an external data protection officer for your practice, we will be happy to provide you with a non-binding offer. We will advise you and your practice personally, comprehensively and in a legally secure manner in Stuttgart, Baden-Württemberg and throughout Germany.


Implementing data protection in the medical practice

How can an external data protection officer support the practice?
An external data protection officer has specialist expertise in the data protection issues of medical practices and is the point of contact for practice management and employees. He or she maintains the documentation and directories and can handle data protection inquiries and complaints from patients. Employees who were previously assigned to deal with data protection issues can concentrate on their core tasks again once an external data protection officer has been appointed. Appointing an external data protection officer also reduces the cost of internal training and education.

When must a medical practice appoint a data protection officer?
Pursuant to Section 38 of the German Federal Data Protection Act (BDSG), physicians, pharmacists or other healthcare professionals must appoint a data protection officer if at least 20 persons in the practice are permanently employed with the automated processing of personal data, or if data processing is carried out that is subject to a data protection impact assessment. If fewer than 20 persons in a joint practice are employed with the processing of personal data, there is usually no special obligation to appoint a data protection officer, provided there is no extensive processing of special categories of personal data. If large group practices employ additional physicians, pharmacists or other healthcare professionals, or use new technologies with a high risk for data subjects (e.g. telemedicine), the appointment of a data protection officer may be required because of the large number of employees or the obligation to carry out data protection impact assessments.

What are the consequences of the GDPR for medical practices?
The GDPR requires medical practices to pay attention to their data processing, and it also protects personal data that was previously not covered by professional confidentiality obligations (e.g. employee data, data processing on the practice website). The focus is on the protection of personal data, transparency and data subject rights. The GDPR requires practices to examine their own data processing and raises awareness of the places in the practice where personal data is processed. It also imposes further documentation and accountability obligations on the medical practice.

What must corona test centres observe in terms of data protection law?
Corona test centres must inform patients in accordance with data protection requirements and adequately protect patients’ personal data, including test results, with technical and organisational measures. The software used to process test results must protect the privacy of patients. If health data are transmitted to online platforms for retrieval by the patient, this must be done in a pseudonymised manner. Corona test centres must comply with the retention periods of the Corona Test Regulations when storing data. The OBSECOM GmbH team supports corona test centres in complying with data protection regulations.