Healthcare organizations that market their services to EU residents, or that provide medical services to EU residents in a way that requires the collection of their personal information, are required to comply with the EU General Data Protection Regulation (GDPR).
One aspect of compliance that is of particular relevance to healthcare organizations is the GDPR right to access personal data. Any EU resident has the right to request access to all of their personal data and view any supplemental data attached to their file.
Data subjects are more likely to exercise this right with healthcare organizations than with other organizations that hold their data, as it is especially important that this information is correct. They may also need the data in order to pass it on to other healthcare organizations.
The rights of data subjects with respect to subject access requests (SARs) are detailed in GDPR Article 15.
The GDPR Right to Access Personal Data
If a data subject chooses to exercise their GDPR right to access personal data, the request must be honored within 30 days.
The data subject is permitted to obtain confirmation of whether his or her personal data are being collected, used, and stored; the types of data involved; the reason for data processing; the categories of recipients to whom the data have been or will be disclosed; whether those data will be transferred to another country or an international organization; and the length of time that the data will be processed or stored. The information can be provided in writing, verbally, or electronically.
Once the right to access has been exercised, other rights then apply, such as the right to request alteration of personal data, erasure of data, the right to be forgotten, and requests for restriction of the processing of personal data.
When copies of data are requested they must be provided and the entity that holds the data is not permitted to charge the data subject for providing access to the information.
If such a request is made electronically, the data must be provided in a commonly used electronic format – Office documents and PDF files for example.
While companies are not permitted to charge for access to personal data, reasonable fees can be charged for providing multiple copies. It is also permissible to charge a reasonable fee if a request is deemed to be excessive, such as when SARs are made too frequently.
Get Prepared for SARs
It is important for healthcare organizations to develop policies that will allow them to respond to SARs promptly. Healthcare organizations need to be aware of all locations where personal data are stored. In contrast to HIPAA, which requires copies of health information to be provided as a data set, GDPR requires all stored personal data to be provided on request.
In addition to being able to locate and retrieve those data, a mechanism must be developed to verify the identity of the data subject making the request. It is essential that a personal data file is provided only to a person authorized to receive it.
Noncompliance with GDPR
GDPR requirements have been enforceable since May 25, 2018. Any healthcare organization required to comply with GDPR can face massive financial penalties for noncompliance. The maximum penalty for noncompliance is €20 million or 4% of global annual turnover, whichever is greater.