
Healthcare: Understanding regulatory compliance obligations and what they mean for your IT and Data

Leo Daniels • July 29, 2020


With a sea of compliance challenges across all areas of your organisation and service delivery, you may suffer from a lack of clarity when converting legislation and guidelines into practical ‘what does this actually mean for us’ notes that you can put into practice. We have distilled the individual pieces of legislation that bear relevance to the handling of your patient data and the operation of your IT systems.

In our last blog we took a look at the pieces of legislation that we feel bear most relevance to your IT and data. In this blog, we’re going to explore what those pieces of legislation mean in practical terms for your IT and data management.

Regulation 17: Good governance

Regulation 17 speaks to a number of areas that will have an impact on the data that you collect, store and process; how that data is stored, accessed and processed; and by whom.

As well as being the platform on which your data resides, your technology may well also act as a driver in helping you meet your compliance obligations under Regulation 17. By systemising the processes through which you track and monitor your compliance, the right application of a technology-based solution will help you keep to deadlines and manage the accountability of individuals' responsibilities within this process – all while minimising room for human error.

 

17.2.A


What does it say?


This paragraph indicates a need to assess, monitor and improve the areas of service delivered. To capture the quality of experience of service users, you will likely need to collect surveys that will then be stored and assessed.


What does it mean from a data and IT standpoint?


You will need to consider how you collect those surveys (whether digitally or on paper), where and how they are accessed by service users, what data you collect (and whether it is personally identifiable in any way), where you store that information, who has access to it and how long it is retained for. If these surveys can be anonymised (and therefore are not deemed personally identifiable information), the controls and legal obligations surrounding the data will be considerably reduced.


What is personally identifiable information?



‘Personally identifiable’ is the term used in GDPR legislation for personal data records that can be used, together, to identify an individual person. A name alone cannot identify a specific individual; however, when matched with other contact or sensitive information, such as a telephone number, email address or home address, it could directly or indirectly make them identifiable.

 

17.2.C


What does it say?


This paragraph requires you to store and maintain complete and relevant data records of the service rendered at that moment in time for each user of your service.

 

What does it mean from a data and IT standpoint?


The creation, storage, processing and deletion of patient data falls within the scope of GDPR as personally identifiable information. As the requirement obliges you to store information beyond contact information, such as medical history, treatment and medications related to that specifically identified individual, this data falls within the enhanced scope of special category data within GDPR and is subject to an additional level of scrutiny.



The storing of personal data places a considerable level of expectation on an organisation to have comprehensive cyber security defences. It is worth asking yourself what solutions you have in place for network security, user access control and encryption.

 

What is special category data?


Special category data are data records that require further protection because they could not only be used to identify an individual, but may also contain private and personal information that is less commonly known, even to those personally close to the individual. A lawful basis must be identified for the processing of such data, which, given the nature of delivering healthcare services and in compliance with the Health and Social Care Act 2008, there is. The Data Protection Act 2018 stipulates additional controls that must be in place while collecting, storing and processing special category data; these can take the form of a documented policy that establishes the legitimacy of handling the data and ensures that it is stored, processed and deleted in line with GDPR legislation.

 

17.2.D


What does it say?


This paragraph additionally requires you to hold personal data on those employed by the organisation, and information that may be sensitive to the management of your services.

 

What does it mean from a data and IT standpoint?



Holding data, whether on patients or staff, will be subject to the same GDPR legislation. Any data that you hold which you would deem to be sensitive (and perhaps for the eyes of management only) would not be subject to specific legislation, but may require IT controls to be in place to ensure that sensitive information is stored in specific locations and that access is limited to authorised individuals.

 

17.2.E


What does it say?


Further to 17.2.A, feedback is mentioned again as an important aspect of continually seeking to evaluate and improve your service.


What does it mean from a data and IT standpoint?


In collecting and processing feedback given by individuals, you may generate further sensitive data or re-process the personal data of the individuals who gave the feedback, or of those employed by the organisation. In compliance with GDPR, you may need to justify the processing of this data for legitimate reasons, or anonymise the data to lessen your regulatory obligations (if identifying the individuals who provided, or are the subject of, the feedback is deemed not relevant).

 


17.2.F


What does it say?


You must evaluate and improve the practices you use to process the pieces of information listed in the aforementioned paragraphs.

 

What does it mean from a data and IT standpoint?



In practical terms, we take “process” in 17.2.F to mean collect, store, amend, access, process and delete, covering the full scope of the obligations within GDPR. To comply with 17.2.F, we recommend that you document the processes you have in place to meet your obligations under Regulation 17, while meeting GDPR obligations, by identifying what types of data you handle, where those data records are stored, who has access, how that access is controlled and how it is kept secure.

 

17.3



What does it say?


Should it be requested, you must send a comprehensive report to the Commission within 28 days setting out how you are in compliance with Regulation 17.

 

What does it mean from a data and IT standpoint?



From a technical standpoint, should the Commission require you to submit such a report, you must be able to quantify how you meet your obligations to securely store and evaluate the processing of these personal data records. To answer this question comprehensively, you must first have an understanding of the items we recommend under 17.2.F – answering what, where, who, why and how for all of the data points collected, stored and processed within Regulation 17.

 

How do I get started?

To meet your compliance obligations you must have a strong grasp of your data and where it resides within your IT infrastructure, in addition to the security controls in place to prevent data from being misused, stolen, lost or deleted, whether accidentally or maliciously.

In our next blog, we look at the practical best-practice steps we take in helping our healthcare clients make a breeze of their compliance obligations.

If you have any questions, concerns or would like to discuss how we might help you with your regulatory challenges, we’d love to chat. Please click the banner below to book a call, or contact us straight away on 0118 926 0084 or by email to info@1-fix.com.

Thank you for reading.
