5 Privacy measures and the Act on Quality, Complaints and Conflicts in Healthcare

This article was originally published on Medisch Ondernemen (in Dutch). Click here for the original article

The Act on Quality, Complaints and Conflicts in Healthcare (Wet kwaliteit, klachten en geschillen zorg, Wkkgz) entered into force this year and work has to get done, especially for smaller practices.

Patients and employees from healthcare providers have to be able to report incidents by January 1st, 2017. That is easier said than done. The legislation around the Wkkgz, sharing information and confidential data and protecting that kind of information, could pose major hurdles for smaller undertakings.

A lot has been written about the Wkkgz, but it comes down to the fact that the new law has to provide more openness on complaints and incidents. Patients, but also employees from healthcare providers need to be able to report incidents in healthcare. Patients can file complaints at a designated complaints officer from a healthcare provider while employees from healthcare providers should have an internal policy where such incidents can be discussed with colleagues.

Collaborating with smaller health undertakings

The new legislation applies to all providers of healthcare, smaller ones and larger ones. A GP with a small practice at home is equal to a hospital according to this legislation. Smaller providers of healthcare have to collaborate with other healthcare providers when they cannot comply with the Wkkgz. For example, a designated complaints officer has to be appointed and incidents have to be discussed with colleagues by getting together.

The tough part in all of this is that someone who works individually is being forced to discuss details from incidents and complaints with colleagues, hence competitors. That contradicts with sharing sensitive information as few as possible as stated in privacy legislation and sending privacy-sensitive information through channels that comply with safety regulations. Or it could be possible that specific details have to be shared that are traceable to the concerning patient. Personal data from patients is generally considered to be medical data, which is subject to strict privacy legislation. Such data is not meant to be shared with others. Whoever does so could receive a hefty fine. If the watchdog imposes fines, the watchdog usually also sends out press releases on the fines.

Five measures

A health professional is always responsible for data from patients and who sees this data, also when the data is shared for the Wkkgz. Privacy in the healthcare industry is always a hotbed. Stated below are five measures that are advisable to take to limit the risk of violating the privacy legislation.

1. Share as little as possible about the patients

Limit the information that is being shared as much as possible. The fewer data you share, the harder it becomes to trace the data to someone

2. Anonymizing goes beyond leaving names

Age, profession and specific pains are also included in patient data. Anonymize all data as much as possible. For example, replace “harbor worker” with “a profession that requires heavy physical effort”.

3. Make sure that data from patients is shared under supervised circumstances

You are at any time responsible for data from a patient, also when a colleague loses a USB-stick or a laptop. The best way to prevent this is to keep everything for yourself and not sharing data electronically. Also WhatsApp for example, a popular platform. Even their encryption is not sufficient regarding this.

4. Choose the people you share information with wisely

It is easier to recognize someone with little information from a second GP in a small town than from a GP who does not operate in the same town. By collaborating with colleagues who live further away, chances are smaller that anonymized data can be traced back to the concerning person.

5. Ask permission to your patients for sharing their data with colleagues

Sharing personal data from patients is only allowed if the patient has explicitly granted permission to do so. Processing such data without permission is only allowed if it is necessary for a proper functioning of the safeguarding, maintaining and improving the quality of healthcare. With every report, one has to evaluate whether it is necessary to process personal data from the report. Avoid this vague line by asking permission to your patient.