General Data Protection Regulation (GDPR) and Clinicea
GDPR is now in effect and we wanted to let you know that we have completed all internal changes to be GDPR compliant.
What is GDPR?
GDPR is a new regulation designed to strengthen, simplify and unify data protection for all individuals within the European Economic Area (EEA), effective 25th of May 2018.
This means a person will have better control over how their data is used, how their data is stored, and most importantly, how can they have their data deleted.
Let me explain with an example. As a Medical Clinic, you store health data of your Patients in a software like ours e.g. Clinicea. GDPR is geared to ensure that your Patients will now have the peace of mind that the data being stored is secure, portable and that the Patient now has rights on data retention and purpose of usage.
My Clinic is not in the European Union, do I still need to be concerned about GDPR?
It does not matter if your Clinic is located in EEA or outside of EEA. What matters is, where is that person located whose data you are storing i.e. if you handle or process the data of any person in the EEA, GDPR will apply to you. As an example, if you provide teleconsultation for alternative medicine from India via video calling to Patients from the EEA, you are essentially storing data of a person who is based out of EEA, hence you need to be aware of, and be compliant with, GDPR.
So what is my Clinic’s responsibility under GDPR
How is Clinicea preparing for GDPR?
Since we are custodians of your Patient’s data, we are considered to be “Processors” of the data in your account. You enter, edit and control the data, and are considered to be the “Controller” of the Data. Being the “Processor” of data it is our responsibility to assist you to fulfill your needs as a controller, by providing tools to you which will help you stay compliant with your patients’ requests. Here are the set of tools and measures that Clinicea has added for your use to prepare for GDPR:
1. Formalized Internal Processes
We have been using the “Compliance Manager” tool from Microsoft to conduct a thorough review of internal processes on how we handle data. It helped us identify the most effective way to comply with the data protection obligations and meet individuals’ expectations of privacy. Based on what we learned, where required we revised in-house policies on how we handle your data, how we access your data, how we communicate with one another and how we handle incoming requests from you.
2. Released Data Processing Addendum (DPA)
The DPA includes Standard Contractual Clauses (also known as “Model Clauses”). These are an approved set of provisions which offer sufficient safeguards and protection for data that is processed outside of the EU.
For example, our servers are located in Singapore —but as long as we have the right documentation in place, this is allowed by GDPR standards. When you agree to our policies and terms, you’re abiding by GDPR’s requirements around data that is processed outside of the EU. This means that despite your patient data being physically stored outside of the EU zone, you are still allowed to use Clinicea.
4. Appointed a Data Protection Officer
We have designated a team member to be a “Data Protection Officer”. This is someone in our business who acts as an independent advocate on your behalf, for the proper care and use of the data. Our DPO can be contacted at firstname.lastname@example.org
5. Setup mechanism for Data Breach
We do our very best to protect your data, and should ever a data breach take place, we are committed to always being fully transparent and notifying the supervisory authority and all affected parties according to the GDPR requirements.
6. Ensuring that third-party vendors meet compliance
In order for Clinicea to function, we use several third-party tools (“subprocessors”), and we have ensured that all of them are compliant with GDPR.
The role of these different third-party tools is to help Clinicea run efficiently, such as cloud-based data storage and cloud-based email delivery services. Sub-Processors being used can be seen on the Clinicea Website.
We are also in the process of appointing an EU representative.
Can Clinicea be GDPR Certified?
Before I answer that, I would like to draw a really important distinction between the concept of “certified” versus “compliant”. These words get interchanged a lot but are not the same thing. Let me explain with an example.
In the US, people often interchange the words “HIPAA Certified” with “HIPAA Complaint”. When you say you are Compliant, it means that as an Organization you have put in place all the requisite processes you believe are required to be compliant with the guidelines of the framework. “Certified” on the other hand means that a 3rd party entity has reviewed your processes against the framework, and issued a certificate stating your compliance. The veracity of such a “Certified” badge is based on the issuing body. You will find a lot of private individuals and organizations offering HIPAA Compliance certificate, however, these have no standing, as these are private bodies, not any governmental agency or backed by any legislative authority. Such certificates end up being a marketing tool
Similarly, we do hear some organizations offering “GDPR compliance and certification” courses or similar training. These are mostly private efforts to ready individuals or firms for the implementation of GDPR. Most are just for training data protection officers or familiarizing individuals with the GDPR guidelines. These can help businesses become compliant, but any certification you get from them won’t make an organization immune from penalties or the likes, in case the Organization has not followed the requirements as listed under GDPR.
So, Compliance is something that currently we have to do internally i.e., we have to review our current data structure, audit our processes, and change practices that put your customers’ data privacy at risk. No company can become GDPR certified as currently there does not exist a governmental authority that can certify any organization for GDPR compliance.
Clinicea and Microsoft Azure
Clinicea has been exclusively using Microsoft Azure for all its Cloud infrastructure from Day 1. This makes Microsoft Azure a data processor under the GDPR, and the tenant i.e. Clinicea, a data controller.
Microsoft Azure has provided for ongoing risk assessment, to get actionable insights, and simplify our GDPR compliance process by offering a tool, “Compliance Manager”.
Microsoft Azure has also released data from third-party audits of its services against ISO 27001, and ISO 27018 to demonstrate its compliance with the GDPR regulation.
Clinicea as the Processor of Data
As the processor of your data, Clinicea will help you to meet your needs as a controller—we provide you with the tools needed to comply with your patients’ requests.
These are the features and tools we have added to make you compliant as a Controller
- Right to be Informed & Right to Consent
- Right to be Forgotten or Right to Erasure
The Patient has the right to ask you to delete all of their data stored with you in Clinicea. This is important for people who do not have a legal requirement to retain records, or if that legal requirement has lapsed. Clinicea supports this for you, by adding an option whereby in 1-Click you can delete all of Patient’s data. Since deleting is a sensitive topic, we have taken care of the fact that you do not end up deleting someone accidentally. Please note that If you are legally required to retain patient records, we do not advise permanently deleting any patient.
- Right to Access and Right to Portability
A patient may come to you and request a copy of all personal information you have (which is stored in Clinicea). We have added the option to export all of the individual patient data in 1-click. This generates a zipped file containing all of Patient’s data including medical, as well as financial and administrative, in an easy to read format.
- Right to Object
A patient has the right to ask you to stop sending marketing messages. We have added the option to segregate Marketing SMS from Need-to-Know SMS in Clinicea. If a Patient wants to opt out of marketing SMS, you simply need to mark a Patient’s communication preference as “Do Not Contact”. Such a patient will no longer receive marketing messages. However need-to-know SMS’s such as appointment reminders, lab results, billing and so on, will still be sent to such a patient.
- Right to Rectification
A patient has the right to ask for personal information to be rectified. In Clinicea you already have access to the Patient Details area to help a patient change any incorrect details in Clinicea. Furthermore, we have added a complete audit trail of every change in the Patient Details section, to ensure data changes can be validated.
Clinicea as a Controller of Data
Clinicea is also a controller of data: your information that you provide to us. This can include but is not limited to, your email address, phone number, business details, and more. As a controller of data, we have similar responsibilities to you as you do to your patients. We have also made the internal changes necessary to be compliant in this regard.
- Full deletion of your Clinicea account
You can ask us to hard delete your complete Organization account with us. Once done this process cannot be undone. You must ensure you export out all your data before making such a request.
- Allow you to opt out of any marketing communications from us
You can opt out of receiving an email from us by selecting “Unsubscribe” in the emails we sent to you. Please note that you will still get critical emails e.g. bill is due, SMS is running low, stock alerts and so forth.
Liability and Compensation for Data Breaches
For the scope of liability and compensation, as applicable can be found in the document attached below
Liability and Compensation for DATA BREACHES under GDPR v1.2
Liability and Compensation for DATA BREACHES under GDPR v1.2
In Summary, we welcome changes that strengthen data security and compliance. We believe these changes should be core features of Clinicea and will go beyond just what is required by compliance to keep introducing best practices in data safety and security. In case of queries please drop us a line at email@example.com