The entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) caused a substantial regulatory shock and confusion over practicalities for many industries. The reform of personal data protection legislation turned out to be particularly taxing for health sector entities.

We have been hearing about struggles related to the GDPR’s entry into force for many months now. Time for a brief summary: how do health sector entities deal with implementing the new provisions in practical terms? We can currently witness considerable levels of disorganisation within those entities, as their employees complain of many obstacles they have to face in their everyday work – patients’ names crossed out from IV labels, charts disappearing from hospital beds, doctors not knowing whether patients at the ward can be addressed by their full name or whether office door signs can contain information as to the doctors’ specialties, and, finally, immediate family members barred from learning over the phone to which facility their seriously injured children have been admitted. How to solve these problems? With this question in mind, we are launching a series of articles that will discuss provisions on personal data protection from the perspective of real problems reported in the industry.

 

Situation 1: A hospital receives a call from a father whose child has sustained an accident. He does not know whether they have been admitted to that very hospital, and asks whether the child is there and what their condition is. What should a hospital worker do in this case? Should they provide any information? If they should, how much information can they give?

One of the basic rights a patient has is the right to be informed about their condition. Given that children have legal guardians who have custody of them, it is the father who exercises this right in such a case. Therefore, he has the right to be provided clear information about their child’s condition from a health practitioner.

GDPR does not prohibit providing information over the phone. What may be questionable is the process of verifying the caller’s identity. The hospital staff should verify the caller’s identity in the first place by asking for the child’s name, date of birth and PESEL number. If this cannot be done, the staff should only confirm whether or not the child has been admitted to the facility. Without that kind of information, the parent will not be able to reach the hospital where he could present his identity documents and establish his right to receive detailed information on the child’s condition.

It is worth mentioning that in accordance with Article 9(2)(c) GDPR, processing of special categories of personal data (including data concerning health) is allowed if it is necessary to protect the vital interests of the data subject, in cases where the data subject is physically or legally incapable of giving consent. This provision thus serves as a basis for processing personal data of adults who are rendered unconscious. Contacting close friends or relatives of such patients is essential for obtaining information about their illnesses or providing family care. This means that hospital staff does indeed have the right not only to inform relevant people of the patient’s condition but also to actively search for friends and relatives of the patient, for example by using the patient’s mobile phone when the patient is unconscious.

 

____

Check what we refer to:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal of the European Union of 2016, L 119/1;
  • The Act on Patient Rights and Patient Rights Ombudsman (Journal of Laws of 2017, item 1318).