Healthcare providers’ broad data access authorisations lead to fines of over 2.9 million euros in Sweden.
The Swedish DPA, after reviewing eight healthcare providers, found deficiencies in the way they protected access to electronic health records. The assessments primarily examined whether the healthcare providers had conducted the needs and risk analyses required in order to adequately assign access authorisation for personal data in the electronic health records.
The healthcare providers’ privacy deficiencies were mainly due to the fact that they neglected to carry out sufficient assessments to determine adequate access authorisation.
All healthcare providers must be able to demonstrate a sufficient level of security for the personal data in their electronic health record systems. They must carry out a thorough analysis and assessment of the personnel’s need to access information in the health records and of the risks that access to patient data entails, as outlined in the Swedish Patient Data Act, which complements the GDPR. It is through these analyses that healthcare providers are able to assign personnel an appropriate level of authorisation. Without this, organisations cannot guarantee patients’ right to privacy protection.
In seven of the eight reviewed cases, the healthcare providers’ privacy deficiencies were mainly due to the fact that they neglected to carry out sufficient assessments to determine adequate access authorisation to electronic personal health records. While the eighth healthcare provider had conducted the needs and risk assessment, the analysis included some shortcomings.
Seven of the eight healthcare providers assessed were hit with administrative fines of varying amounts, up to EUR 2.9 million.
Seven of the healthcare providers’ deficiencies were so serious that they resulted in administrative fines of between approximately a quarter of a million euros and EUR 2.9 million. The amount of the fine differs significantly depending on whether it is charged to a private company or to a public authority. For companies, the maximum fine is EUR 20 million or four percent of the company’s global annual turnover, whichever is higher, while the maximum fine for public authorities in Sweden is approximately EUR 1 million.
Based on the conclusions of these audits, the Swedish DPA has developed guidelines regarding the obligation to conduct needs and risk analyses.
The Swedish DPA has developed guidelines that stress how important it is for healthcare providers to carry out needs and risk analyses. The aim is to ensure that patients are given the privacy protection they are entitled to, by helping healthcare providers conduct these analyses. It is important to note that these assessments must be carried out before any access authorisation is assigned to personnel in a health record system.
Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.