Emailing Patient Information from ClinicYou
Are Emailing Letters and Attachments from ClinicYou GDPR Compliant?
The General Data Protection Regulation (GDPR) has set out rules and good practices on the processing and sharing of personal data, including sensitive health data such as patient information. Under GDPR, emailing patient information is allowed, but requires taking appropriate measures to ensure the confidentiality, integrity, and security of the data. Some of the measures that may need to be taken to ensure compliance include:
Limiting access to the email containing patient information to authorised individuals who have a legitimate need to know. Within ClinicYou, the email workflow is always context sensitive and draws on pre-populated structured information (e.g. the patient's email address is taken at registration and is always associated with the medical record; similarly, provided email addresses are carefully recorded, choosing a contact as the To address for a letter associates their email address with the letter and reduces the chance of error).
Implementing access controls and security measures to prevent unauthorised access to the email. As you know, each user has their own password and 2FA arrangements to ensure secure access to your data hosted on our server.
Ensuring that the email recipient is the intended recipient and verifying their identity before sending any sensitive data. This is indeed one of the strengths of using ClinicYou to generate communications: the room for error when addressing a message in a regular email client, even with NHS Net, is far greater. Provided your email addresses are meticulously checked and maintained, the scope for erroneous addressing is drastically reduced.
Having a data protection policy in place that sets out the procedures for handling sensitive patient information. ClinicYou has a robust policy in place, and our developers and staff have appropriate limitations placed on their access to customer data.
In summary, emailing patient information from ClinicYou is in compliance with GDPR. You must also take appropriate measures to ensure that your clinic staff follow your own data protection arrangements and ensure consistency of information gathered through your clinic.
Updated on: 09/03/2023