Enforcement of the GDPR is looming and healthcare organizations face new requirements. Healthcare organizations must be in compliance with the new regulation in order to avoid facing steep penalties. As a result, they will need to assess key security components and processes like data breach detection and notification, data controller and data processing procedures and training to ensure they meet the mandates of the GDPR. The "right to personal data" and "right to be forgotten" are additional measures that organizations must be prepared for.
After four years of extensive preparation and debate, the European Union’s General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. U.S. healthcare systems that have expanded globally, or that actively market and deliver care to EU patients, will need to comply. While few U.S. healthcare providers have expanded globally, those that have include prominent organizations such as Johns Hopkins Medicine, Cleveland Clinic Foundation, Mayo Clinic and UPMC. Other healthcare systems are likely to follow suit in the coming years as demand for U.S. healthcare expertise grows worldwide and the EU emerges as a prime target market.
Healthcare systems needing to comply with GDPR are likely focused on the two most pressing requirements – securing patient consent to use their personal data for business purposes not directly related to care and ensuring the ability to erase all instances of personal patient data upon a patient’s request. While that may sound reasonable, GDPR is a large, complex bill with vines reaching into often overlooked corners of the healthcare enterprise, specifically paper documents. What are the top document management priorities for healthcare providers striving to become GDPR compliant?
More than 40 percent of healthcare organizations report having paper reduction initiatives in place, according to research from IDC. Despite this, paper remains prevalent in the healthcare enterprise. Even hospitals that have achieved late-stage Meaningful Use continue to process high paper volumes. In many cases, paper and print volumes have increased. One reason is that people naturally prefer absorbing long, complex information from paper rather than from a screen.
Many hospitals have accumulated filing cabinets full of paper and the prospect of digitizing it all is daunting. However, digital documents are inherently more secure and support greater levels of consumer data protection and privacy than paper – giving them the advantage in a GDPR world.
Hospitals continue to rely on paper to support a wide range of work processes, including admissions, prescriptions and discharges. Paper-based workflows are less secure and more time-consuming than digital processes. Advantages of automated workflows include a complete, verifiable audit trail of what data is sent to whom, and where it resides in the workflow at any given point in time. This augments a hospital’s ability to locate personally identifiable information quickly and accurately, even within in-transit data, and to ensure data is not being routed for any business purpose other than patient care.
Secure the Printer
Information security initiatives are often focused on mitigating cybersecurity threats, server hacks and database vulnerabilities, ensuring data both at rest and in flight is protected. Numerous industry sources have found that paper documents are often overlooked. However, with the GDPR’s intense focus on data privacy, paper documents represent a rediscovered security risk.
The multifunction printer (MFP) is a standard piece of office equipment, but it is also a hub for sensitive personal data as that data transitions from digital to paper and back again. If it is not properly addressed, it has the potential to become a major data security and GDPR compliance blind spot. To alleviate the security risk at the MFP, healthcare organizations can apply a variety of device-level controls. Two examples are user authorization, which releases print jobs only when an authorized worker authenticates at the device, and file destination control, which restricts scanned documents to pre-approved destinations.
GDPR Opens the Door
Improved document management – particularly efforts to reduce paper – offers many benefits. These include greater data security that aligns with the governing rules of GDPR (and HIPAA), and improved operational efficiency. Whether or not U.S. healthcare organizations find themselves reckoning with GDPR compliance, the regulation’s mandates present a valuable opportunity for all healthcare systems to digitize and automate their document management processes.