GDPR in a Medical Facility in Practice

As you probably know, any entity that offers medical services to patients collects and processes each patient’s personal data. This information is either ordinary or sensitive, and both kinds are subject to legal protection. Medical facilities must therefore comply with strict personal data protection requirements so as not to harm the patient. What does this involve?

The following article is part of a series devoted to the practical approach to the management of a medical facility and the process of treatment of the patient. Read also: Medical records in practice

The issue of personal data protection is regulated by the Act of 10 May 2018 in Poland. According to its content, all information relating to an identified or identifiable person is protected. How does it relate to patient health data?

The Act specifically indicates that medical data include all information about the physical and mental state of the patient, such as data on past diseases, the degree of disability or the risk of illness in the future. Because every facility is obliged to keep patient medical records, the data it obtains and processes include both ordinary data and sensitive data about the state of health and the health services provided. The latter are subject to the provisions of the GDPR.

GDPR and medical registration

A special place for the processing of a patient’s personal data is the registration desk of a medical facility. This is where conversations with patients (by telephone or face to face) take place, and they often involve sensitive data. The patient’s personal data may also be recorded in paper or electronic medical records.

How to reduce the risk of data leakage and thus increase data security in your medical facility? Below are some basic rules that are worth implementing.

Appoint a Data Protection Officer (DPO)

According to the Act, entities processing special categories of personal data, including medical data, on a large scale are obliged to appoint a DPO. 

Prepare together

Develop procedures to prepare facility employees for the implementation of the GDPR regulations.

Remember about staff training

Training should not only cover working according to the principles of the GDPR. Remember also the principles of a clean desk and a clean screen. They help organize the workplace so that personal data are not visible to other patients at the registration desk. Turn files face down on the desk and/or use privacy overlays on monitors.

Develop a procedure in the event of a violation of the GDPR

It is a real must-have for any medical facility. The system for reporting and assessing infringements should ensure a smooth flow of information. Remember that, if a breach has actually occurred, the law leaves only 72 hours to report the incident to the President of the Office for Personal Data Protection.

Keep it confidential

Try moving the phone service to a separate room, so that the content of the conversation is not audible to outsiders. If this is not possible, set up a separate workstation. Avoid situations in which a patient served by phone can hear the data being collected from the patient at the desk, or vice versa. Be careful not to repeat sensitive data aloud. To confirm details, it is better to ask the patient for the information again than to read it back.


Keeping medical records, managing them, and protecting the patient’s personal data are special responsibilities of medical facilities. Breaking the established rules may constitute a violation of the provisions on the protection of personal data, and thus carry criminal consequences.

Discover Comarch solutions for medical facilities, including the HIS Optimed NXT and Optimed NXT Cloud systems, which will help ensure the security of your patients’ data. Contact our consultant to get a detailed offer.
