After four years of extensive preparation and debate, the European Union’s General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. U.S. healthcare systems that have expanded globally, or that actively market and deliver care to EU patients, will need to comply. While few U.S. healthcare providers have expanded globally, those that have include prominent organizations such as Johns Hopkins Medicine, Cleveland Clinic Foundation, Mayo Clinic and UPMC. Other healthcare systems are likely to follow suit in the coming years as demand for U.S. healthcare expertise grows worldwide, and the EU emerges as a prime target market.
Healthcare systems needing to comply with GDPR are likely focused on the two most pressing requirements – securing patient consent to use their personal data for business purposes not directly related to care, and ensuring the ability to erase all instances of personal patient data upon a patient’s request. While that may sound reasonable, GDPR is a large, complex bill with vines reaching into often overlooked corners of the healthcare enterprise, specifically paper documents. What are the top document management priorities for healthcare providers striving to become GDPR compliant?
More than 40 percent of healthcare organizations report having paper reduction initiatives in place, according to research from IDC. Despite this, paper remains prevalent in the healthcare enterprise. Even hospitals that have achieved late-stage Meaningful Use continue to process high paper volumes. In many cases, paper and print volumes have increased. One reason is that people naturally prefer absorbing long, complex information from paper as opposed to on a screen.
Many hospitals have accumulated filing cabinets full of paper and the prospect of digitizing it all is daunting. However, digital documents are inherently more secure and support greater levels of consumer data protection and privacy than paper – giving them the advantage in a GDPR world. Fortunately, technologies are available to enable hospitals to digitize paper documents in bulk and automatically classify them according to the information contained in the document with minimal administrative intervention. Digital documents are also more efficient. Not only are they searchable, but they can easily be incorporated into streamlined electronic workflows. This makes it easier for healthcare organizations to identify all personal information and easily delete all instances of a certain patient’s information upon request.
Hospitals continue to rely on paper to support a wide range of work processes, including admissions, prescriptions and discharges. When workflows are paper-based, they are less secure and more time-consuming than digital processes. Consider a doctor prescribing medication. If a doctor writes or prints a prescription on paper for the patient to bring to a pharmacy, there is an opportunity for it to be lost or misplaced. Conversely, if a doctor submits a prescription electronically from within the EHR, sensitive information is far less prone to fall into unauthorized hands. Additionally, digital security measures, including encryption or redaction, can be applied until the prescription is opened by an authorized recipient.
Other advantages of automated workflows include the ability to access a complete, verifiable audit trail of what data is sent to whom, and where it resides in the funnel at any given point in time. This augments a hospital’s ability to locate personally identifiable information quickly and accurately, even within in-transit data, and ensure data is not being routed for any business purpose other than patient care.
Secure the Printer
Information security initiatives are often focused on mitigating cyber security threats, server hacks and database vulnerabilities, ensuring data both at rest and in flight is protected. Numerous industry sources have found that paper documents are often overlooked. However, with the GDPR’s intense focus on data privacy, paper documents represent a newly rediscovered security risk.
The multifunction printer (MFP) is a standard piece of office equipment, but it is also a hub for sensitive personal data as it transitions from digital to paper and back again. If it is not properly addressed, it has the potential to become a major data security and GDPR compliance blind spot. Workers can print documents containing sensitive information to the wrong printer, or forget to retrieve them. Workers can also route scanned sensitive documents to unauthorized locations or users. To alleviate the security risk at the MFP, healthcare organizations can apply a variety of device-level controls. Two examples are user authorization, which releases print jobs only when an authorized worker validates at the device, and file destination control, which restricts scanned documents to pre-approved destinations.
GDPR Opens the Door
Improved document management – particularly efforts to reduce paper – offers many benefits. These include greater data security aligning with the governing rules of GDPR (and HIPAA), and improved operational efficiency. Whether or not U.S. healthcare organizations find themselves reckoning with GDPR compliance in May, the bill’s mandates present a valuable opportunity for all healthcare systems to revisit their document management processes.
Chris Click is the Sr. Healthcare Solutions Manager for Nuance Document Imaging, where he is responsible for driving the worldwide print and capture marketing strategy for the division’s healthcare solutions. Prior to his current role, Chris worked as the Nuance Healthcare Division solutions marketing director and previously headed up sales and marketing at Client Outlook Inc., a provider of healthcare enterprise imaging applications sold through a global partner network.