Checklist GDPR Compliance for Healthcare Messaging Apps
With the European General Data Protection Regulation (GDPR) coming into effect on the 25th of May this year, we get a lot of enquiries these days from healthcare institutions and professionals that seek a compliant and secure alternative for their current communications via social media messaging apps. With the potentially high fines of the GDPR and the related reputational risks, many professionals and institutions are no longer willing to tolerate WhatsApp as part of the shadow IT. And rightfully so.
To help you understand the relationship between the GDPR and messaging apps in healthcare, we will publish a few items (blog posts like this one, a PowerPoint slideshow, and a privacy impact assessment) in the coming weeks before the GDPR takes effect. To kick this off, we hand you the checklist below. Use it as the basis for deciding which messenger app you should use.
A provider of a secure messaging app in healthcare has two main sources of information that are subject to the GDPR:
- The information that is shared between the users (i.e. patient information)
- Information of the users of the platform (healthcare professionals)
These two sources of privacy-sensitive information have different consequences and requirements. You should realize that because we are in the healthcare space, we touch on (many) other legal frameworks as well. For instance, using a messenger service in "incognito mode" is very good for your privacy as a user, but it is unthinkable not to know exactly from whom an important piece of information for the care of your patient came. Nonetheless, the principles of privacy-by-design and security-by-design should lead the design of such a messaging platform. So without further ado, the checklist:
Patient information shared on the messaging platform
- The security protocols should focus on controlling the access to, spread and lifespan of the information shared on the platform. This should be the case for data in transit as well as data at rest (see our security white paper for cryptographic details)
- The users of the app should be protected from social engineering (e.g. somebody impersonating a medical professional) as much as possible and therefore users should be checked and verified as healthcare professionals
- The provider of a messaging app in healthcare is a processor of the patient information that is shared on behalf of the healthcare professionals (the controllers). Therefore, a processor agreement should be in place between the provider of the platform and the users of the platform
- The provider of a messaging platform must have demonstrable internal processes in place to guarantee proper information governance, such as an appointed data protection officer, frequent code audits by external security experts, ISO 27001:2013 and similar certifications
Healthcare professionals as users of the platform
- The provider should have company processes (audits, logging, etc.) and cryptographic protocols in place that safeguard the personal information that is kept about the users (name, phone number, email address, medical license)
- The provider gives full transparency in its privacy policy and end user agreement about how personal data is used, processed and stored (a full privacy impact assessment will be published here shortly)
- The provider should not upload unencrypted phone numbers to create matches on its platform and store these on its servers
- The messaging app should be able to give alternative routes to connect with other users when the provider is not granted access to the device’s address book
- The provider should not ask for more information from its users than strictly necessary (given the fact that a background check/verification is necessary in healthcare)
- The provider should not store data outside the European Union
- The provider does not use or store (meta)data unless it is required to provide the messaging service
- The provider should allow users to be completely deleted from its user database
- The provider should not have a revenue model in place to capitalize on the profiling of its users
Stay Updated
Fulfilling our privacy and data security commitments is crucial to us. So we’re glad to help you prepare for all the changes the GDPR brings. If you have any questions about how Siilo can help you with your compliance regarding messaging, we hope you’ll reach out to us.