Health Data Protection

Health data protection is applied in hospitals, medical facilities and doctors’ offices. In addition to medical confidentiality, numerous data protection regulations must be observed. The federal states have enacted hospital laws whose legal standards must also be implemented. Establishing hospital administration that complies with data protection regulations and protecting patient data on wards is an important task that must be implemented by those responsible for running the hospital. The use of information technology, such as an electronic hospital information system (HIS), telemedicine through the use of video cameras and Wi-Fi networks for use by patients, also means that the IT- and TC-specific requirements for technical and organizational data protection must be ensured. Data protection requirements also apply to the transfer of data to numerous public or private bodies, e.g., general practitioners, health insurers, the medical service of the health insurers, external service providers in the context of commissioned data processing, law enforcement authorities, etc.

Our law firm offers the following services in the area of health data protection, for example:

• Position of external company data protection officer for hospitals, medical care centers, doctors and pharmacies, medical technology companies, etc. (DS-GVO)
• Support for internal company data protection officers (DS-GVO)
• Position of the external company data protection officer for church hospitals, medical care centers, other medical facilities, etc. (KDG, DSG-EKD)
• Support for the church’s in-house data protection officers (KDG, DSG-EKD)
• Creation of a plan of measures to implement the DS-GVO, KDG, DSG-EKD according to liability risk
• Annual planning meeting on data protection with management, commercial management or vicar general
• Conducting an as-is survey or audit on data protection
• Data protection during administrative admission (medical history form, consent)
• Data protection requirements on ward, base
• Implementation of data protection in hospital administration
• Requirements for physicians and medical staff in the context of medical confidentiality
• Obligation to inform relatives versus medical confidentiality
• Data protection in the doctor’s room, psychologist’s room, support point
• Effective and comprehensible consent management
• Data protection-compliant patient record management
• Implementation of data protection in the hospital information system (HIS)
• Data protection at the hospital reception/gate
• Data protection around the patient room (labels, patient wristband, ward rounds, patient interviews)
• Power of attorney lists for child visitors
• Authority to transmit patient data to other treating physicians in the hospital
• Data protection when transmitting patient data to the hospital administration
• Data protection-compliant transmission of patient data to the family doctor, relatives, health insurance company, medical service, external service providers of the hospital, etc.
• Behavior in the event of a risk to the well-being of a child, representative
• Data protection-compliant handling of the topic “mobile working” (agreement on mobile working, work instructions on mobile working)
• Creation of visitor form with questions on the pandemic
• Creation of company/service agreement/company policy on the pandemic
• Creation of documents for the fulfillment of information obligations
• Creation and conclusion of agreements for commissioned processing
• Fulfillment of requirements for international data transfer and group data processing (HR systems, ERP systems, etc.)
• Data protection and IT security for cloud applications
• Recording of existing files and IT procedures and creation of the required directories of processing activities (data mapping)
• Implementation of the required data protection impact assessments (MS-Office 365, video surveillance, electronic personnel file, applicant management)
• Implementation of employee data protection requirements (electronic personnel file/ paper file, applicant management)
• Fulfillment of legal requirements for access control and time recording
• Retention requirements for patient documentation and concept for deletion of patient data and personal data in administration
• Data protection in appointment scheduling, access authorizations to the appointment calendar
• Data protection at the workplace
• Data protection-compliant destruction of paper and data media
• Review of technical and organizational measures (IT security measures)
• Review of website (data privacy statement, imprint, cookie alerts, tracking tools)
• Creation and negotiation of service agreements (e-mail/internet use, access control/time recording, video surveillance, MS Office 365, cloud solutions, electronic personnel file, etc.)
• User regulations for Wi-Fi use and telephone use by patients
• Creation of training documents and implementation of data protection training (general classroom training, special training for managers, HR, IT, marketing, sales, public relations, etc.)
• Creation of training materials on data privacy as e-learning
• Creation of training videos on data privacy and IT security
• Introduction of a process for handling data protection violations
• Implementation of data subject rights requirements (information, deletion, correction, etc.)
• Preparation of consents, especially for filming and photographs
• Data privacy in public relations, press, marketing and sales
• Data protection in social media (social media guideline, implementation of the ECJ’s Facebook ruling, WhatsApp)
• Regulation of legal conditions for video surveillance (IT security, product assessment, service agreement, AV contract, pictogram)
• Advice on the use of drones
• Assessment of new IT systems (system data protection)
• Workshops on data protection topics (data protection forum)
• Creation of work and organizational instructions (mobile working, systems for video conferencing, dealing with social media, etc.)