GDPR And Your Physician Practice Website


Is your physician practice website GDPR compliant?

Most physician practice websites work hard to abide by HIPAA requirements. But are you paying attention to GDPR guidelines as well?

Because doctors and healthcare providers are (rightfully) busy keeping up with the latest medical journals rather than the newest website regulations, this update may have passed you by in 2018 if your web agency didn’t alert you to it.

What Is GDPR?

The General Data Protection Regulation (GDPR) is a legal regulation for personal data that applies to any organization that stores the data of European Union (EU) citizens. The result of a general outcry over rampant data collection, GDPR was passed to provide individuals with more control over how their data is used and processed.

In the past couple of years, you’ve probably noticed the upswing in data, privacy and cookie notifications across every type of website. That’s GDPR in action. The regulations went into effect in 2018.


Even if you think it’s unlikely that you’re going to collect data on a European citizen, there are no guarantees. When it comes to GDPR compliance, as with some of the more ambiguous HIPAA regulations, you’re better off taking a “just in case” approach.

Plus, it’s pretty likely that US states will follow suit in tightening up privacy controls. California has already passed its own privacy act (CCPA) that mirrors GDPR, which went into effect January 1, 2020. So if your practice or MSO has locations in California, that’s yet another set of regulations you’ll want to look into.

How to Make Your Physician Practice Website GDPR Compliant

GDPR compliance isn’t necessarily difficult to implement, but it does require knowledge of your content management system and data collection setup. For medical practices, it’s best to bring on an experienced web development agency to ensure everything is being implemented correctly, with an additional check for HIPAA and ADA compliance, as those can add even tighter restrictions.

The following gives you an idea of just some of the requirements for GDPR:

  • All privacy policies must be written clearly and be easy to find on your website
  • You must gain a user’s consent before collecting any of their data (those are the cookie popups you see)
  • Consent checkboxes on forms that invite users to subscribe to newsletters or emails must be left unchecked by default; the user must actively opt in to a subscription rather than having to untick a box or click a button to avoid being subscribed
  • You must have a separate consent box asking if users want to receive other forms of communication from you, such as telephone calls or standard mail
  • Websites must ask permission to give any personal details to a third party
  • Users must have the ability to opt-out or unsubscribe from any program
  • Your website must have procedures for detecting and reporting any personal data breaches
  • If you have an e-commerce website, you must remove all users’ personal information after a reasonable set period of time

Why Your Medical Website Needs to Be GDPR Compliant Now

Much like with HIPAA and ADA, these compliance issues can leave your practice open to the possibility of lawsuits and fines. If you aren’t sure whether or not your website is in compliance, work with an experienced digital agency to audit your site and implement the necessary updates to keep you—and your patients—secure.


Carenetic Staff
