When you use Horos to capture or maintain patient information related to a patient who is a resident of the EU, you are responsible for ensuring that your organization complies with GDPR.
Before receiving information into Horos, be sure that you have “explicit consent” from the patient whose data you are capturing. This means that the patient must “actively consent.” While this is not well defined, we view this as the act of signing their name to a clearly worded statement that their data will be kept and that it may be transferred (if you intend to do so) to other third parties. This includes your use of the Horos Cloud. Be specific in the consent if you are going to store patient data in the Horos Cloud. In this consent, be sure that you also make it clear that this data may be stored in a location outside of the borders of the EU. In fact, it is good practice to provide your patients with Purview contact information in case they have any questions, or wish to revoke this permission or have their data “forgotten” or erased, and you are not available.
With regard to health care data, GDPR holds “data concerning health” to a higher standard of protection than other personal data. When processing of health care data is necessary for the purposes of medical diagnosis or other public health benefit, the need for a medical facility to retain this data may outweigh a patient’s wish to have it deleted. So, we do foresee situations where a patient may object, but you may find it compelling to continue to hold their data – that is, of course, if you originally received explicit consent.
When you hold data in Horos, you must ensure that the data is protected. This generally means that any data on a device that can be stolen should be encrypted. It also means that you need to maintain passwords to protect access to data, the display of data and/or the transmission of this data. Generally, any communication of personal data should be encrypted or should be done via a protected “pipe” like a virtual private network (VPN) and should not be emailed over the internet.
If data is sent to the Horos Cloud, we store this data in a secure manner. Data in transit from Horos to the Horos Cloud is also protected. Reports that you generate in the Horos Cloud may be shared via email. This sharing does not involve the actual transmission of the information, only a “pointer” to it. However, the email address you direct the report to should be carefully checked to ensure it is correct; otherwise the recipient of the email may gain unauthorized access to private patient information.
Purview, which maintains the Horos Cloud, has applied for Privacy Shield authorization to store data on EU citizens. It also has procedures in place for securing patient data and for reporting any unauthorized disclosure in that unlikely occurrence. For information about Purview’s privacy and compliance policy please consult our web site at www.purview.net.