Sweden: DPA audited eight healthcare providers, fines seven (up to 3 million EUR)

The Data Inspectorate has now completed an inspection of eight care providers. The inspections focused above all on whether the care providers have carried out the needs and risk analysis required to give staff the right access to personal data in the main medical record systems.

– Caregivers must make a careful analysis and assessment of what staff’s needs are for information in the medical record systems and what risks there are if staff have access to patient data. Without such an analysis, care providers cannot assign the staff the right qualifications, which in turn means that the operations cannot guarantee patients the privacy protection they are entitled to, says Magnus Bergström, who is the coordinator for the eight reviews.

The Data Inspectorate states that seven of the care providers have not carried out a needs and risk analysis, while one care provider has carried out an analysis which, however, has certain shortcomings.

The authority also states that seven of the care providers do not limit users' access permissions for the respective medical record system to only what is needed for the user to be able to fulfill his or her duties.

This means that the seven care providers have not taken sufficient measures to be able to ensure and demonstrate appropriate security for the personal data in the medical record systems.

https://www.datainspektionen.se/nyheter/brister-i-hur-vardgivare-styr-personalens-atkomst-till-journaluppgifter/ with links to details of the specific cases