GDPR compliance & EXACT
For the UK, Ireland and Netherlands these rules are formulated and managed by the EU-driven General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
Failure to comply with the rules and guidelines in these regulations could put dental practices at risk of prosecution. Patients are also likely to become more educated on what businesses can and cannot legally do with their personal data, so dental practices need to optimise knowledge and procedures around these regulations.
Compliance is not a one-time upgrade but a continuous activity. To effectively meet the GDPR requirements your practice processes need to be continuously amended, tightened and monitored.
It is also advisable to measure compliance so that you have an objective benchmark against which to maintain and improve it.
Note that practitioners may require retraining on amended procedures.
For example, it is advisable to compel practitioner login under unique usernames because allowing them to share usernames negates the effectiveness of the Contact Preferences Audit and User Activity Audit.
Listed below are some of the EXACT features that help your practice achieve GDPR compliance.
Terminology
EXACT terminology is better aligned with GDPR
Business Communications replaces "Newsletters"
Under GDPR "Newsletter" is not a valid category as it could be either marketing or business communications, so historical EXACT consent around "newsletters" is ambiguous. The category "Newsletters" therefore becomes "Business Communications" in line with GDPR terminology. On upgrade to v12.12, your historical patient opt-ins and opt-outs for Newsletters are configured as "unknown", and patients are only sent marketing information if they have specifically opted-in.
Preferences replaces "Permissions"
Preferences to Contact Patient window (previously "Permissions to Contact Patient"):
The Contact Preferences tabs in this window replace the previous "Contact Permissions" tabs.
Preferences button in the Patient file Details Tab (previously "Permissions" button):
Contact Consent replaces "Marketing Consent"
Option to include "patients without recorded consent" in marketing communications
"Without recorded consent" refers to settings for which the patient has made no explicit choice on communications preferences.
In anticipation of GDPR regulations, when you upgrade to EXACT v12.12, the marketing to patients without their recorded consent is disabled by default by means of a field in the Practice Settings window:
However, practices who wish to continue with general marketing before the GDPR regulations need simply tick this checkbox:
User Activity Audit records user actions that potentially breach patient privacy
Accessible by authorised Software of Excellence/Henry Schein One only, on request.
To track practice actions relating to GDPR regulations, EXACT keeps a record of user actions that potentially breach patient privacy.
The User Activity Audit logs practitioner actions that in any way touch on or enable viewing of patient data.
GDPR Compliance (per Practice Role)
- Patient
- Receptionist
- Clinician
- Practice Manager
- GDPR Data Controller (possibly the Practice Manager)
- Practice Owner
Patient
- Patients can record their contact consent via Clinipad & Patient Portal
- Patients can see via Clinipad Patient Data Use or via Patient Portal, The Terms Of Use or in a physical printout how their personal data will be used
- Patients can request that practitioners unsubscribe them from any or all communications that require their preference Opt-in
Receptionist
Arrival & Departure
- When the patient arrives at Reception the Receptionist responds to the Arrival Task List prompt to secure the patent's signed Contact Consent by printed form or by Clinipad electronic form
- On patient departure through Reception the Receptionist responds to the Departure Task List prompt to secure the patent's signed contact consent (by printed form or by Clinipad electronic form), to help the practice to be compliant with GDPR when sending communications to the patient
At any time (not constrained to the workflow)
- The Receptionist can customise the text for the Clinipad Patient Data Use disclaimer
Monitoring and reporting features:
To aid GDPR compliance, practice management are advised to track practitioner actions in relation to opting patients In or Out of communications, securing consents at arrival and departure, and in any way viewing or accessing patient private data.
Management tools to this end include:
- Appointment Workflow Compliance Report
- Contact Preferences Audit
Clinician
Clinician EXACT procedures are not typically affected by GDPR.
Practice Manager
- By default, the setting Market to patients without recorded consent is disabled to help with GDPR compliance
- The Practice Manager can override the default setting (Configure, Practice Settings) and start marketing to patients without their recorded consent but this is not recommended
- You can enable or disable the prompt for collection of signed Contact Consent from Configure, Appointment Book, Arrival Options
- The Practice Manager can customise or oversee customisation of the text for the Clinipad Patient Data Use disclaimer from Configure, Appointment Book, Arrival Options
- By means of the MPC Reception Workflow Compliance Report or by means of the Appointment Workflow Compliance Report, the Practice Manager can view the success rate of signed contact consents collected by Reception
This is in order to ensure that contact consents are being effectively collected in the practice, to help the practice to be compliant with GDPR.
- The Practice Manager can view the Contact Preferences Audit to view the history of a patient's Opt-ins and Opt-outs
(EXACT tracks practitioner Contact Preferences actions in the Preferences to Contact Patient window > Contact Preferences Audit tab)
-
By means of the Contact Consent Query the Practice Manager can differentiate patients who have given contact consent from patients who have not given contact consent
The practice can then structure queries to automatically send different templates to patients with and to patients without contact consent, while remaining GDPR compliant
Configuration.
The Practice Manager may need to manage the following configurations relating to GDPR:
Preferences to contact patient
Configuring Contact Consent with Clinipad
Editing the Receptionist prompt for Contact Preferences
GDPR Data Controller (possibly the Practice Manager)
GDPR Data Controllers may need to use any of the above-listed Practice Manager procedures in the performance of their duties.
Practice Owner
- The Practice Owner optionally customises the GDPR textual content presented to patients so that it best reflects the corporate image of the practice
- The Practice owner optionally oversees the application of EXACT features to help with GDPR compliance
Comments
0 comments
Please sign in to leave a comment.