Together with our partners, the LMC Buying Groups, we discuss how to keep your data fully secure when outsourcing, which can seem like a daunting task. When companies boast of adherence to data regulations, you can be left wondering whether this is true.
The main concerns regarding the outsourcing of typing are as follows:
- What data can be sent to the typing provider?
- Who processes this data?
- Where does the data go – does it stay within the UK, or is it sent overseas?
- Risk of patient and employee data being exposed, or lost;
- File sharing protocols – do you have to email, upload to a secure system or can they access the files from within your dictation platform?
Amendments to the General Data Protection Act last year were a welcome and necessary change to data privacy regulations, forcing organisations across all industries to assess the way they handle personal data and to ensure they have effective data management strategies in place.
So how do practices decide what does and what doesn’t adhere to the Data Protection Act 2018? The easiest way is to review the documents produced by NHS Digital, or to contact your SIRO (Senior Information Risk Owner), but much of this isn’t specific to the use of an outsourced typing provider. Ultimately it falls to the practice manager to choose which systems are used and what form of typing pool(s) to use.
Where to start
When choosing a typing provider, data security should always be at the top of your list; look out for the following main points:
- Encryption;
- Data retention;
- Information security certificates.
Encryption
Encryption is the process of encoding information so that only those meant to access it can read it. A purpose-built system built around E2E (end-to-end) encryption of data, served from a secure UK-based server, reduces the risk of file interception: the file is scrambled with a key that only the creator and the intended recipient hold, so only they can open it correctly.
In practice, what you need to confirm is that the company uses TLS (the successor to SSL, a name it is often still given) to encrypt data in transit; TLS is the worldwide standard for this. Bear in mind that TLS protects data while it travels between you and the provider, not once it is stored on their systems, which is why retention and storage location matter just as much.
If the company you’re looking at doesn’t offer any means of a secure system with E2E encryption, or they want you to work with them over email, we would recommend you look elsewhere.
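As an added illustration (not part of the original article), the following Python script performs the basic check a practice's IT lead could run against a provider's upload portal: it confirms that the certificate verifies against the system trust store and matches the hostname, that TLS 1.2 or later is negotiated, that no weak cipher suite is in use, and that the certificate is not about to expire. The hostname is a placeholder, and the 14-day expiry warning threshold is an assumption.

```python
import socket
import ssl
from datetime import datetime, timezone

# Placeholder: substitute the hostname of the provider's upload portal.
PROVIDER_HOST = "upload.example-provider.invalid"

ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}
# Substrings that identify cipher suites no longer considered safe.
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC", "NULL", "MD5", "EXPORT")
EXPIRY_WARNING_DAYS = 14  # assumed threshold


def assess_handshake(version, cipher, days_until_expiry):
    """Pure policy check over a completed handshake.

    Returns a list of findings; an empty list means the connection is acceptable.
    """
    findings = []
    if version not in ACCEPTABLE_VERSIONS:
        findings.append(f"negotiated {version}; TLS 1.2 or later is required")
    if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite negotiated: {cipher}")
    if days_until_expiry < 0:
        findings.append("server certificate has expired")
    elif days_until_expiry < EXPIRY_WARNING_DAYS:
        findings.append(f"server certificate expires in {days_until_expiry} days")
    return findings


def check_provider(host=PROVIDER_HOST, port=443, timeout=5):
    """Connect to the portal and return (version, cipher, days_until_expiry).

    create_default_context() verifies the certificate chain and hostname, so an
    untrusted or mismatched certificate raises ssl.SSLCertVerificationError
    rather than silently passing.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            expires = datetime.fromtimestamp(
                ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
            )
            days_left = (expires - datetime.now(timezone.utc)).days
            return tls.version(), tls.cipher()[0], days_left


if __name__ == "__main__":
    version, cipher, days_left = check_provider()
    for finding in assess_handshake(version, cipher, days_left) or ["acceptable"]:
        print(finding)
```

A handshake failure (for example a certificate issued to a different name) is itself a finding worth raising with the provider before any patient data is sent.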
Data retention
A big concern for practices is that commercial contractors do not care what happens to patient information once the contract ends. Find out what their retention policy is. GDPR requires companies to keep personal data no longer than is necessary for the purpose it was processed for, so it’s worth finding out what their procedure is for deleting it. You want to know where the data goes, where it is stored (is it a UK-based server?) and what happens to it after they’ve typed the dictation.
Most large transcription companies will have hundreds of typists, almost all of whom will be home-based. Make sure you know where the typists are based (they could be offshore) and how data is secured on the transcribers’ PCs.
Make sure that you are happy with the length of time for which any data is stored on their servers and with the typists. There isn’t a hard and fast rule here, but it’s important that you understand the risks and benefits of what each typing provider offers.
Information security certificates
You don’t just want your typing provider to tell you that their data protection policy is good or that they are ‘compliant’; it is important that this can be evidenced by certification from an external examiner. Security should be an inherent part of the way a business operates, not something considered only when an audit is due.
Look for an appropriate ISO certification mark; ISO 27001 is the international standard for information security. A company that achieves ISO 27001 certification has committed to maintaining an Information Security Management System (ISMS). This requires a top-down infrastructure of controls and procedures that manage the risk of data security threats and breaches.
We would also recommend looking at where a company is based. This matters so that you can contact them easily if you have any queries, but that isn’t all: you don’t want your patients’ data stored on a server outside the UK if at all possible (NHS Digital). If data has gone offshore and outside the EEA, vastly different policies on data security, retention and encryption may apply, which could lead to data being intercepted, leaked or even sold on.
There are a few entirely UK-based typing companies in the industry, meaning that data stays completely within the UK and never leaves. Some companies sneakily call themselves UK-based whilst still sending letters offshore to India, the Philippines or elsewhere to be typed. Unvetted transcribers are subject to lower levels of scrutiny regarding data retention, with no way to prove that they are adhering to data protection policies. Language barriers and poor knowledge of medical terminology are another source of major issues here.
How long has the company been operating? A track record with no past breaches is ideal. You want a company that knows what it is doing, has a good track record, keeps on top of new procedures and takes data security seriously.
There is a lot to be said for customer satisfaction. Look at who they already work with. Do they work with any practices in your area? Demonstrated approval by public and private sector organisations is a good indication that they are proficient in handling sensitive information with standards likely to meet the high expectations of today’s regulatory compliance.
If you stick to the above, and you have no concerns with what the transcription provider can offer in terms of data security, then you should feel safe in the knowledge that your data is in good hands.