DUBLIN SHOULDER INSTITUTE PRIVACY POLICY
PROTOCOL FOR DATA PROTECTION AND MEDICAL RECORDS MANAGEMENT
As the General Data Protection Regulation (Regulation (EU) (2016/679) (the “GDPR”) comes into effect on May 25, 2018, we want to update patients on our data protection policy. The GDPR promotes stricter control of patient data (including the retention of patients’ medical records). We will be happy to answer any questions you may have.
The Dublin Shoulder Institute and Ms. Ruth Delaney, FRCS, consultant orthopaedic surgeon, are classified as data controllers.
Ms. Ruth Delaney, FRCS, is the Data Protection Officerfor the Dublin Shoulder Institute. She can be contacted at 01-5262335.
Collection and processing of patients’ personal and healthcare data is necessary for provision of treatment. This treatment is provided by a professional who is subject to an obligation of professional secrecy (patient confidentiality).
All medical records within this practice are electronicand are maintained by KM Medical Software Ltd., who follow the strict guidelines in the storage and use of medical data. All data are stored in Ireland at an ISO 27001 accredited secure data centre. To gain access to this centre, key cards and biometric authentication are required. KM Medical Software Ltd. only use encrypted VPN access to carry out maintenance on these servers. All client access to these systems is secured by TLS 1.2 encryption. Further details of the security measures in place are available upon request.
Medical records for adult patients will be held for 10 yearsafter last clinical interaction/clinic correspondence/death. For paediatric patients, records will be held until the patient’s 25thbirthday or 26thbirthday if the patient was 17 at the conclusion of treatment, or 10 years after death. For patients with special needs (mental disorders), records will be held for 20 years after last treatment or 10 years after death.
After 10 years (or given period in paediatric patients or those with special needs), the medical chart will either be destroyed or permission will be sought to continue retention for a further 10-year period. Patients will be notified prior to their chart being destroyed (such that they can request a copy). Please ensure we have up to date contact details.
For those patients referred but who fail to attend or do not pursue the referral, their data will be held for a period of 10 years before being destroyed.
You may request that your records be deletedat any time. You may also request that they be held for longer than specified above.
You may request a copyof your data and medical record at any time, and this will be provided to you within one month of your request.
Correspondence from your consultationis sent to the referring clinician (typically another doctor or a physiotherapist). If this clinician is not your GP, permission will be sought to copy the GP (or other appropriate member of care team) on the correspondence. In the instance where you have self-referred, correspondence will be sent to your GP, as required by Medical Council regulations, unless you specifically request that your GP not be informed of your attendance with us and your clinical management.
Your data may be shared with KM Medical Software Ltd, as outlined above; Medserv Ltd. who are a medical billing company and handle communication with your health insurance company; and the hospital at which you receive care (if you have a procedure or a hospital admission). Further details on the GDPR-compliant data protection policies of each of these organisations are available upon request.
……………………………………………………………………………………..
Ms. Ruth A. Delaney, FRCS
Consultant Orthopaedic Surgeon, Shoulder Specialist
May, 2018.