GDPR & Policies and procedures in healthcare private practice

Let’s talk all things policies and procedures, not the most exciting of topics but so important in healthcare. So, you might be wondering, particularly if you’re a sole trader, or only working in private practice a few hours a week, do I really need policies and procedures?

I started in private practice as sole trader in 2015 and I really wanted to step away from policies and procedures when I left NHS, I used to write them! But I quickly realised how much they are needed to keep both you and your clients safe.

Policies and procedures give you guidance for your work, to ensure that you are following GDPR requirements. They help to cover all eventualities which when you are working in private practice healthcare, you certainly need this. From a GDPR aspect, the ICO requires you to have robust policies and procedures in place, that are annually reviewed.
They reduce the risks and make sure you are covered from a data protection point of view. Some businesses or organisations that you work with will ask you to evidence that you have these in place. Essentially, they eliminate initial panic if something should go wrong, or you get a request for a client’s notes etc…

I will write more on why GDPR compliance and having the right policies and procedures in place has helped my business in future blog posts, but for now, here’s an outline of our policies and procedures that we have prewritten for you and when you might need them:-

1: Storing notes & destruction of notes

  • Access Control Policy (which explains how access to information is managed both physical and technical access
  • Information Classification and Handling Policy (explains how information is classified and how it should be handled as in stored, access, transferred and destroyed)
  • Data Retention Policy (which explains retention periods of information stored within the business, including business related information and person-identifiable information.

2: When contracted to work with external companies/local authorities

  • Data Protection Policy (which explains how business is conducted to comply with  GDPR)
  • Information Security Policy (which explains the aims and objectives of the business in maintaining the security of information, which is an overarching policy for all the others and is one that potential new contracts may request)
  • Service Level Agreement Template (this can be used when agreeing to provide services for external companies. It outlines the services you will provide and stipulates your contractual terms.

3: Ensure any you/staff/associates work within GDPR guidelines

  • IT Acceptable Usage Policy (which explains how IT equipment, systems and resources should be used when accessing company information)
  • Clear Desk and Screen policy (which explains how information is protected when using screens and physical paperwork.)
  • Password Policy (which explains how information and resources are adequately password protected, previously it was best practice to change passwords regularly, this has changed over the last few years, the best practice is now complexity rather than the need to keep changing them.
  • Confidentiality Policy (which explains the principles that must be observed when accessing person-identifiable information or confidential information)

4: Dealing with complaints

  • Complaints Procedure (which explains how to handle and process complaints).

5: If a client requests access to their notes/child notes

  • Subject Access Request Procedure (which explains how to deal with subject access requests and the timescales for both adults and children, and includes two validation forms, one for an adult and one for children)

6: Should you be subject to a data breach

  • Data Breach Notification Procedure (which explains how personal data breaches should be handled and includes a flowchart to assist in deciding if the breach needs reporting the ICO or not)

7: If you encounter any safeguarding issues

  • Safeguarding Policy (which explains how you implement safeguarding for children, young people, and Adults at risk)

8: Sharing sensitive client information with others

  • Information Classification and Handling Policy (explains how information is classified and how it should be handled as in stored, access, transferred and destroyed)

9: When working remotely or alone

  • Mobile and remote working Policy (which explains how the security of information is maintained when working in mobile and remote situations)
  • Lone Working Policy (which explains how lone working is managed to safeguard you and employees/associates)

10: Employing staff (e.g. admin support)

  • Equality and Diversity Policy (which explains how the business adopts an equal opportunities in all aspects of employment and client services)

All of our policies and procedures can be purchased individually or you can buy our private practice document toolkit with everything you need in your healthcare practice to make sure you are GDPR compliant here: www.yorkshirepsychotherapy.co.uk/toolkit/

Scroll to Top