New GDC standard – Transmission of Confidential Information
Website and email communication of sensitive patient data
New GDC guidance, due to come into effect at the end of September 2013, incorporates a new clause covering the transmission of confidential patient information, whether via email or from a contact form on a dental practice website. Here is the wording of clause 4.5.2:
“If you are sending confidential information, you should use a secure method. If you are sending or storing confidential information electronically, you should ensure that it is encrypted”
At Dental Media we have been researching this subject for the last 6 months, given that we had some prior knowledge of the pending standard. As with all “standards” there is an element of interpretation, and in this case the key appears to be what is considered “confidential” or sensitive information, and what constitutes a reasonable and proportionate response to the perceived problem.
GDC clarification
Basically there isn’t any! Despite several attempts to contact them to gain clarification and clear definitions, no reply has been forthcoming. Consequently it appears to be down to the dental community to try to determine what it means and hence determine an appropriate response. In line with this, we stimulated debate on a couple of well-known dental forums to gauge opinion – this generated quite a lot of interest and pragmatic feedback. I will try to summarise this here:
- the over-riding feeling is that “sensitive/confidential” refers to any transmission of personal patient information, for example medical records. This type of data may well need additional protection.
- non-sensitive information might be a day-to-day enquiry about an appointment or to ask the price of a particular treatment – this type of information was considered suitable to be transmitted by conventional means, i.e. the consensus was that it is not sensitive.
One contributor to the debate actually contacted the ICO regarding appropriate data protection in this context and what they found was in agreement with the summary above.
What to do?
The practical approach to the new guidelines appears to be:
- label any standard contact form on your dental practice website with a statement that advises patients that the form must not be used to transmit personal, sensitive information e.g. medical records
- where transmission of medical information is required, for example a referral form, then use encryption (SSL)
- consider using encrypted email for sensitive practice communication
- avoid paying monthly fees for services that offer a disproportionately complex solution to the “problem”
The practicalities
Setting up in line with the above recommendations is actually quite straightforward. It does not require you to register with any of the expensive web-based services which offer to protect your communications for a princely set-up fee and ongoing monthly fees on top. There have been a number of recent communications playing up this requirement in an obvious attempt to sell services; you may well have received emails to that effect. Our advice, until the GDC elects to clarify, would be to ignore any company that suggests you need to encrypt everything: this is all about a proportionate response and not burdening the industry with additional cost.
Where you may need to encrypt, e.g. a referral form, this can be done using a readily available secure certificate (SSL/TLS, the same mechanism behind HTTPS), which encrypts information between the patient’s browser and the web server. It is also easy enough to configure the practice email client to retrieve mail over an encrypted connection. All of Dental Media’s servers support this type of information transfer.
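As an added illustration (not Dental Media’s code or tooling), the check below audits the forms on a practice web page against the two points above: a referral form must submit over HTTPS, and an ordinary contact form must carry the notice telling patients not to send medical records. The page URL and HTML are constructed samples, and which forms count as referral forms is supplied by the caller.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (not a real practice site): a contact form that carries
# the notice, and a referral form whose action still points at a plain-http URL.
SAMPLE_PAGE_URL = "https://example-practice.invalid/contact"  # placeholder host
SAMPLE_HTML = """
<form id="contact" action="/enquiry" method="post">
  <p>Please do not use this form to send medical records or other
  confidential information.</p>
  <input name="message"></form>
<form id="referral" action="http://example-practice.invalid/refer" method="post">
  <textarea name="medical_history"></textarea></form>
"""

class FormCollector(HTMLParser):
    """Collect each form's id, action attribute and visible text."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            self._current = {"id": a.get("id") or "", "action": a.get("action") or "", "text": ""}
    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data
    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

def audit_forms(page_url, html, referral_ids=frozenset()):
    """Return {form id: [findings]}. Referral forms must submit over HTTPS;
    every other form must carry the 'no confidential information' notice."""
    collector = FormCollector()
    collector.feed(html)
    results = {}
    for form in collector.forms:
        findings = []
        # Resolve relative actions against the page URL; an empty action posts to the page itself.
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        if form["id"] in referral_ids:
            if urlsplit(target).scheme != "https":
                findings.append("referral form submits without TLS: " + target)
        elif "medical records" not in form["text"].lower():
            findings.append("contact form lacks the 'no confidential information' notice")
        results[form["id"]] = findings
    return results
```

Run it against a practice's own page source to see which forms still need attention before the standard takes effect.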
The risks
Contrary to some articles you may have read, the risk of having your email intercepted is very small indeed. Most email “hacks” occur where users fail to choose a secure password or leave it lying around – not from hackers actually compromising servers. The chances of your postman actually mislaying your mail or pushing it through the wrong letter-box are probably much higher. If the GDC are reasonable and have undertaken any form of risk-assessment on this subject, one would hope this should be clear enough.
Disclaimer
Admittedly there is some lack of clarity around this topic – I have just tried to distil the contents of recent debate and offer practical, inexpensive tips for how a dental practice should be able to comply with the recent GDC guideline. However, ultimately you should form your own opinion.
How Dental Media can help
We propose to make the following services available:
- all standard contact forms to be marked up with a disclaimer stating that personal, sensitive information should not be transmitted.
- referral forms to be modified to transmit using SSL encryption – the same technology used to protect you when you enter credit card details. This is cheap and simple to set up and does not require payment of monthly fees.
- we offer encrypted email facilities and will provide advice on how to use them.
We will be contacting clients individually to make recommendations based on their own circumstances. However, if you are not a current client and need a cost-effective way to demonstrate due diligence in line with the latest GDC guidelines without paying excessive monthly fees, please get in touch on 01332 672548.