Medical data—keep or delete?
From 25 May 2018 Polish healthcare institutions will face conflicting rules on how to handle medical documentation under the EU’s General Data Protection Regulation and Polish healthcare laws. The inconsistencies could be eliminated by the new Personal Data Protection Act, but it appears unlikely that work on the new act will end on time. So what should institutions do to limit their regulatory risk?
Health information—a special category of personal data
Under the Personal Data Protection Act in force in Poland through 24 May 2018, information about a person’s health condition, genetic code, addictions and sexual life are treated as “sensitive data.” There is a general prohibition against processing data of this type, with strictly defined exceptions. These include processing of data for purposes of protection of health, delivery of medical services, treatment of patients, and administration of the provision of medical services by entities professionally involved in treatment or delivery of other medical services, or administration of the provision of such services.
The GDPR largely departs from the notion of sensitive data by establishing a catalogue of special categories of data such as information concerning health, genetic code, and biometric data, while maintaining a general prohibition against processing data of this type as well as basic exceptions allowing such data to be processed in specific situations, particularly connected with the delivery of healthcare. In practice, however, any irregularities with respect to the existence of valid grounds for processing or securing data of this type, or timely deletion of the data, could result not only in a reprimand by the Inspector General for Personal Data Protection (GIODO), but also harsh financial penalties.
Medical data and medical documentation
There are no general definitions of medical data or medical documentation in Poland. The Act on Patients’ Rights and the Patients’ Ombudsman does indicate, however, what information may be included in medical documentation.
The Healthcare System Act employs the notion of electronic medical documentation to mean documents generated in electronic form and bearing a qualified electronic signature or a signature confirmed by a trusted profile in the ePUAP system. This act also states that medical documentation contains “individual medical data,” i.e. personal data and other data of natural persons concerning rights to past, current and planned healthcare services, state of health, and other data processed in connection with past, current or planned healthcare services, preventive healthcare, and implementation of healthcare programmes.
In practice, information contained in medical documentation (traditional or electronic) and medical registers represents a huge quantity of personal data—both ordinary data (such as names and PESEL identity numbers) and information about patients’ health condition subject to special protection.
The basic principles of the GDPR require data minimisation and storage limitation. This means that as a rule, data contained in medical documentation should not be kept in a form enabling identification of the data subject for longer than necessary to achieve the purposes for which the data are processed, e.g. the delivery of medical services.
Meanwhile, Poland’s Act on Patients’ Rights and the Patients’ Ombudsman provides for mandatory periods of retention of medical documentation, for example:
- 20 years from the end of the calendar year in which the last entry was made—general rule
- 22 years in the case of medical documentation concerning children below age 2
- 30 years if the data are essential for monitoring the destination of blood and blood components or if a patient has died from bodily injury (in which case the period is calculated from the end of the calendar year when the death occurred).
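As an added illustration (not part of the article), the retention periods listed above expressed as a small Python calculator that a records-management or data-lifecycle team could build on; the field names and the rule that the longest applicable period wins are this example's own assumptions, not statutory terms.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention periods (in years) as listed in the article.
GENERAL_YEARS = 20          # general rule, from end of year of last entry
CHILD_UNDER_TWO_YEARS = 22  # documentation concerning children below age 2
BLOOD_OR_DEATH_YEARS = 30   # blood/component tracking, or death from bodily injury


@dataclass(frozen=True)
class RecordFacts:
    """Facts about one patient's documentation needed to apply the rules.

    Field names are this example's own, not statutory terms."""
    last_entry_year: int            # calendar year in which the last entry was made
    child_under_two: bool = False   # documentation concerns a child below age 2
    blood_tracking: bool = False    # essential for monitoring destination of blood
    death_from_injury: bool = False # patient died from bodily injury
    death_year: Optional[int] = None  # calendar year of death, if applicable


def retention_end(facts: RecordFacts) -> date:
    """Return the last day on which the documentation must still be retained.

    Each period runs from the end of the relevant calendar year: the year of
    the last entry, or, for death from bodily injury, the year of death.
    Assumption (not stated in the article): when several rules apply, the
    latest resulting end date governs.
    """
    candidates = [date(facts.last_entry_year + GENERAL_YEARS, 12, 31)]
    if facts.child_under_two:
        candidates.append(date(facts.last_entry_year + CHILD_UNDER_TWO_YEARS, 12, 31))
    if facts.blood_tracking:
        candidates.append(date(facts.last_entry_year + BLOOD_OR_DEATH_YEARS, 12, 31))
    if facts.death_from_injury:
        if facts.death_year is None:
            raise ValueError("death_year is required when death_from_injury is set")
        candidates.append(date(facts.death_year + BLOOD_OR_DEATH_YEARS, 12, 31))
    return max(candidates)


def may_delete(facts: RecordFacts, today: date) -> bool:
    """True only once the full statutory retention period has elapsed."""
    return today > retention_end(facts)
```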
How to proceed?
Although the GDPR ranks as an EU regulation, the provisions of the Act on Patients’ Rights and the Patients’ Ombudsman take priority because regulations on the duty to maintain medical documentation should be understood as an exception to the general rules provided in the GDPR. They are special sectoral regulations, meaning that as a rule, the obligations imposed by this national act should be applied first, and then the GDPR.
Anonymisation, or more precisely pseudonymisation, of the data contained in medical documentation is an open issue. Total anonymisation does not appear to come into play, as that operation would defeat the purpose of maintaining the medical documentation of individual patients. But the level of security for documentation of this type must be very high, in light of the seriousness of the consequences of any leak of medical data (as we discuss here).
The optimal solution could be outsourcing of storage of medical documentation. As under existing law, under the GDPR it will still be possible to hire an external service provider to maintain medical documentation. However, contracts of this type will have to meet heightened requirements applicable to contracts for processing of personal data as set forth in Art. 28 GDPR, also reflecting the specific nature of the documentation, enabling the data controller to effectively enforce the rights of the individuals involved—as data subjects and as patients.
Joanna Krakowiak, legal adviser, Life Science & Regulatory practice, M&A and Corporate practice, Wardyński & Partners