04 Apr GDPR and Dental Practices : What You Need To Know
General Data Protection Regulation
GDPR (General Data Protection Regulation) is a European Union regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. It repeals Directive 95/46/EC (General Data Protection Regulation) and replaces much of the UK’s Data Protection legislation. The regulation comes into full effect in the UK on the 25th of May 2018.
What does that mean to a dentist?
Read that definition again. ‘The protection of natural persons with regard to the processing of personal data and on the free movement of such data.’ That means you have new rules to follow regarding the information you keep on your patients. When you dig into the regulation, it also means that you have new rules to follow about how you communicate with your patients.
This last part has caused huge concern within the medical and dental community. So let’s look at the different areas affected one by one and try to unravel fact from fiction about this piece of legislation that affects everyone in Europe.
Why is GDPR necessary?
- Do you get direct mail at home?
- Is it always useful?
- Can you always remember how the sender might have got hold of your home details?
The answers to those questions are almost certainly: ‘YES’, ‘NO’ and ‘NO’.
GDPR aims to change those answers to: ‘IF I CHOOSE’, ‘ALMOST ALWAYS’ and ‘YES, OR AT LEAST I CAN FIND OUT’.
So, how does impact dentistry?
Do you:
- Keep patient records?
- Send patients reminders and recalls?
- Send patients marketing information (about new treatments, special offers, tooth brushes, etc.)?
GDPR impacts all three of these things, but each in a different way.
Patient Dental Records
GDPR impacts the security of patient records. Essentially, you are still allowed to keep patient records (obviously, or else you couldn’t do your job) but there are new rules regarding the way those records are stored. We will look specifically at how those records are kept digitally, since you are likely to be reading this blog if you already keep them digitally or else you are about to digitise your records.The regulation now specifies that you must keep any personal details held about a patient secure. Details include personal details (name, age, address, etc.) and patient medical/dental records. It also includes copies and back-ups of those records. In Pearl, this is done through well managed passwords, and encryption of back-ups.
The secured records can only be read by authorised staff for authorised purposes – so clinicians, hygienists/therapists, technicians and nurses. If you’re not dealing with a patient’s clinical and treatment needs you shouldn’t be looking at their patient records. Practice management software (and associated imaging and CAD/CAM software) such as Pearl Dental Software should now manage access and encrypt to this data automatically.
Back-ups
GDPR also stipulates that all personal data MUST be backed-up regularly and a secure copy must be kept. It’s good practice to encrypt your backups. This is done automatically in Pearl Dental Software and online backups option for older versions of Pearl such as Pearl Plus. So if you are backing-up to ‘pen drives’ or similar media you should now encrypt those too (there’s a manually selected option in older versions of Pearl).
Patient Personal Details
Patient personal information is used for two purposes within dentistry. It’s main purpose is to form part of the patient dental record to identify the subject of those records. It is also used to manage ongoing care of the patient so that patients can be sent reminders and recalls. This information must be treated in the same way as the rest of the patient record. So when used as part of the patient record for ongoing treatment and care, consent to use these details is implicit – no explicit consent is required.
When you set-up a patient record in Pearl Dental Software it defaults to mark the record with all the necessary agreements and record dates to be able to send reminders, recalls and to store the data (see below). It will additionally ask how the patient would like to receive this information (options being any of email, SMS, post and telephone).
However, patient personal details are often used for marketing purposes, and the rules are different for this. To do this, you must explicitly ask the patient for permission to send marketing information to them. Additionally, you must also record when and how that permission was granted.
When you set-up patient personal details (as part of a patient record) in Pearl Dental Software it defaults to mark the record that you HAVE NOT obtained permission for marketing purposes. All the necessary agreements and record dates to be able to send marketing information are set to NO or blank. However, if your patient agrees to you sending marketing information you can change the permission fields to YES and how and when the permission was obtained. Again, Pearl Dental Software will additionally ask how the patient would like to receive this information whether it’s via text, email or phone call.
Patients can give, withdraw or change their permissions any time, and Pearl Dental Software allows you to record this.
Right to Delete Personal Records
The NHS specifies that dentists MUST retain patient records until the record is 10-years-old since last updated (whether that’s last contact with the patient or since the last appointment date is up to your data protection officer). However, GDPR specifies that individuals have the right to request their personal details are deleted. So how do you square that circle?
Fortunately, the regulators thought about that. Essentially, a patient may request a record deletion, but you (the practice) are obliged to refuse if the record is required to be retained under NHS rules. The patient may then appeal to a higher authority (Court, Information Commissioners Office, etc.). Only if that higher authority rules that there is a case for deletion may that record be removed.
However, the patient retains the right to remove any data that refers specifically to marketing activity.
It’s worth noting that removing a record is going to cause your system a huge headache. For example, how is it going to reconcile financial transactions that the patient might have made? To manage this in Pearl Dental Software we have created the facility to switch the patient personal information to an anonymised record which can’t be identified.
Right to Review Data
As well as a right to delete, GDPR provides a right to review data. We have also created a report that presents the patient record upon request as either a printed item or an electronic file. While some patients might want to know what is on their record out of curiosity or if you are in dispute with them, the most likely reason is patients wanting to take their records with them to a new dentist – for example, when they move house or go away to university.
Something to think about here is the accuracy of notes, and the ‘professionalism’ of what you write. Always write them up with the assumption that the patient will read their notes – do not put in personal comments that are not relevant to the patient’s treatment.
As a dentist, if you write up you notes in rough (maybe dictate for your nurse to type in) and finalise them later, we’ve allowed you TWO DAYS in Pearl Dental Software before we lock the record. This ensures security of the patient record, and ensures the record is accurate. You can’t alter that note after it is locked.
So, what does it mean to you?
If you’re using Pearl Dental Software you’re pretty much taken care of. The software will be fully compliant with GDPR on the 25th May, and any changes to the regulations will be reflected in the ongoing update schedule as we maintain your software.
For Pearl Plus users we will issue software updates to help you become compliant, but there will also be manual processes you need to bring to your data management. We recommend upgrading to Pearl Dental Software immediately for private practices and when it becomes available for NHS practices later this spring.
If you’re not using Pearl Dental or Pearl Plus the we recommend you speak to your software provider as soon as possible to ensure you have a compliance plan in place. If they can’t help you then we would be very pleased to discuss how you could switch to Pearl Dental Software.
More Information
This is the best resource for dentists on GDPR https://bda.org/dentists/advice/gdpr. If you’re a BDA member, sign in and you have access to all their expert documentation to use at your practice to ensure you comply.
You can find more information about GDPR on the website of the Information Commissioner’s Office, but warned that this is general information – there is little specifically about medical or dental records so you have to read and interpret the information about exemptions.
Perhaps more relevant (but be prepared for a lot of reading) is the ‘General Data Protection Regulation (GDPR) guidance‘ published by the NHS.
However, most of what the GDPR requires is common sense and good practice. Both the ICO and the NHS have indicated that ‘enforcement’ will be in the form of guidance for all but the worst and repeat offenders. So, if you make the effort to have compliant software, secure back-ups and appropriate use policies in place you’re probably pretty much compliant.
For more information about the compliance features of Pearl Dental Software and Pearl Plus, please get in contact. We’ll be glad to offer advice to current and prospective users alike.
Pearl does not encrypt data stored on the computer. GDPR states that log in details and passwords that are regularly changed and only accessible to relevant employees (kept to a minimum) is enough to comply with the regulation. The back-up of Pearl data taken on USB sticks or backed up to the cloud is fully encrypted – these are usually done daily, every afternoon or lunch time. Encryptions means that If a USB is misplaced the data is safe as it is encrypted and can’t be read by unauthorised 3rd-parties.
The regulation requires that some level of risk mitigation needs to be applied such as passwords, physical locking of data or encryption. Suggested mitigations include:-
“…implement measures to mitigate those risks, such as encryption.” (P51. (83))
“…appropriate safeguards, which may include encryption” (P121 (4.e))
“…including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data.” (P160 (1a))
“…unintelligible to any person who is not authorised to access it, such as encryption” (P163 (3a))
Edit 19th of November 2019: Prior to 2016 the rule was patient data could be kept for up to 10 years and/or up to the age of 25 years (whichever was longer). That is no longer the case and the article has been amended to take account of this change.
