Have you ever thought about what happens to the medical records of a GP who passes away when no other GP takes over the practice? Where do all these records go?
Well, to be honest, I hadn't… until last week, when during a conversation between friends GDPR came on the table and a friend of my partner asked her what the impact of this new regulation could be on the medical files that he inherited (yes, inherited) from his mother when she died. He isn't a GP, nor does he practice any other medical profession, and now all of these medical records are stored in boxes in his cellar. Technical and organizational measures, you say?
As you can imagine, I was all ears. For the record: what I describe here is a Belgian situation and may be different in any other member state.
It seems that this person’s mother died rather unexpectedly and her practice was not continued. He was the only family and inherited all her belongings including her medical records. What did he know about data protection or GDPR…
One would expect that these records would have to be transferred to the medical association or some comparable institution, but that isn't the case at all. After contacting the medical association, he was informed that they have no service to collect and store all of these records and that he has to guard the files himself. He is not allowed to open them, read them or destroy them, and if another GP asks for access, he should grant it.
Right. So a plain normal natural person (is he a processor under GDPR now?) is expected to implement adequate organizational and technical measures to protect medical records (yes, sensitive data by all means) from unauthorized use. All over LinkedIn, every seminar, training or piece of legal advice stresses the importance of protecting sensitive data professionally and the fact that you can't process it without strict legal grounds. What is the meaning of all this when this type of sensitive data is lying around by the thousands in the cellars of houses?
Is this person accountable under GDPR when his little children open the files of perhaps the neighbors while playing doctor? Is this person accountable when someone who claims to be a GP passes by and asks for the medical file of a certain patient because this patient would now be a patient in his practice? How can this person verify the visitor's identity? And would you let anyone into your house to look through files you yourself are not allowed to open? How do you make sure that this visitor only removes one file?
Should there not be a legal requirement imposed on the medical associations to collect and store these data under the right conditions; conditions you can't expect from a natural person? If he hadn't been talking to my partner, he wouldn't even have known there was such a thing as 'GDPR'. We still have some work to do…