Focus 2 is already GDPR compliant

Further enhancements assist with the new legislation

Over the last six months, Ocuco has spent much time consulting with customers and data protection experts, understanding their interpretation of the new regulation, and has created a version of Focus 2 that assists with the compliance process. Focus 2 now consolidates all information on communications, consent and data processing into one screen, the Data Processing tab; this screen is designed to ease the extra burden the regulation places on staff and the business.

Data Processing Screen:

  • Traffic light display of consent, making it easy to ascertain status at a glance, designating consent as Agreed, To Be Completed/Expired or Rejected.
  • Print the Data Processing Agreement for the patient to sign, then scan and email it to the patient, or capture an electronic signature.
  • Record the details of those who might be giving consent on behalf of the patient.
  • Record the date of consent and when it expires.

Communication Preferences:

This area allows consent to be captured separately for each reason for communicating: Recall, Surveys and Marketing. Each area has configurable text that can be used to script the questions and ensure that staff give a clear and consistent message. It also includes text describing any third-party processing, if applicable.

Communication Channel Preferences:

The patient can opt in to or out of each method of communication: Letter, Email or SMS. If they opt in, their mobile number and email address are shown alongside so they can be quickly validated or added.

The preferred channel of communication for Recall and other activities can be recorded here also.

Configurability of the Data Processing Screen:

Focus 2 now gives the admin user the ability to set up the templates and texts needed to comply. Having these built into the software is not a requirement of the regulation, but Ocuco has invested in this development as part of its continued commitment to continuous improvement and adding value.

Configuration covers the following topics, all of which help make compliance easier for the practice owner:

  • Minimum medical retention period.
  • Age of Adulthood.
  • Data Processing Policy templates.
  • Data Processing Disclaimer Text.
  • Remove Patient Disclaimer Text.
  • Channel for Contact Preferences – the configuration screen sets up the default or customised text or ‘script’ used to ask the patient for their preferences for each channel of communication.
  • Communication Reasons – the configuration screen provides an area to set up the text or script that will appear in the Data Processing tab in Focus 2. This aids staff who are asking the questions and makes sure that the message is the same from all staff.

EIGHT ENHANCED PATIENT RIGHTS

The page ‘The Basics’ outlines the eight ‘data subject’ rights. The section below shows how Focus complies with each of them.

The right to be forgotten

Focus manages this request from within the application, taking into account the type of data stored, the medical retention period, open balances, active direct debits, etc. The authority to perform this function can be assigned to specific users.

The right to be informed

Should a patient request information on what data is stored and how it is used, the Focus 2 user can print, or show the patient on screen, a Data Processing Agreement, and can also capture a written or electronic signature if required.

The right to access data

Should a patient request access to the data stored on them, it can easily be provided as a printed report, a PDF or an HTML file. Subject access request templates can be built into the letter templates in Focus 2.

The right to data accuracy

All data can be edited, and mistakes or incomplete information rectified as needed. Focus 2 also has an audit trail that records all changes made to all records.

The right to restrict processing

Patients can easily be removed from recall or marketing so that they will not appear in any queries. For those who remain, it is also possible to record which channel they prefer: email, letter, SMS or phone call.

The right to data portability

As with access requests, the data stored on a patient can easily be provided as a printed report, a PDF or an HTML file.

The right to object

The patient's right to object can be upheld by removing them from all processing. Practice owners should review their legal basis for processing (e.g. ongoing legal cases) and understand the circumstances under which they remove the patient from processing.

The right to object to automated processing

Focus 2 does not do any automated processing other than recalls. If you were making decisions based on profiling your patients, the patient has the right to be excluded from this.

Compliance of Consent and Security

Compliance is also met in the following areas.

Management of Consent

When an eye exam is complete, the data stored is relevant and necessary to the performance of the contract with the patient. Consent for non-contractual operations such as marketing can be recorded directly in the practice management system, or documented and scanned into the patient record.

Secure by Design

Focus 2 has built-in security rules covering both patient records and application access: password and PIN authentication, with user- and role-based access to functions and screens. Focus 2 uses an Oracle database for its security strength. A full audit trail records all changes made by any user to data. The home screen locks automatically so that patient data is not left visible on screen, and the application times out automatically after a period of inactivity. Files (referral letters, images, scans) are held securely within the database rather than as loose files.

Upgrade Compliance

Enhancements to Compliance in Focus

Hosting

Ocuco offers both on-premise and hosted implementations.

Hosting offers an extra layer of security and also means that an on-premise backup is not required, as backups are carried out at the data centre.

Fees depend on the number of users so please email gdpr@ocuco.com for more information.

Online BackUp

Ocuco can offer on-premise customers an offsite backup option that also validates restoration. Why wait until disaster strikes to find out that the backup will not give back the data? Online BackUp can be purchased from Ocuco.

Database Encryption

Ocuco can also offer database encryption that further enhances compliance.

Fees depend on the size of the database and if there are images, scans, etc. so please email gdpr@ocuco.com for more information.

Focus 1 and GDPR Compliance

We have made some changes to assist with compliance, but they are not to the standard of Focus 2 or Acuitas 2.


Acuitas 2 or Focus 2 have the enhanced GDPR compliance features.


Upgrading is easy – email Nathan.thomas@ocuco.com for more information on the costs and steps for upgrading.

Data Subject Rights

Right to access data and portability – can be provided by the Ocuco helpdesk.

Right to be forgotten – can be handled by the Ocuco helpdesk.

Management of Consent

An enhancement has been implemented to add a tick box for recording marketing consent. Consent can be recorded directly in the practice management system, or documented and scanned into the patient record.

Security

The Focus 1 database is a password-protected Microsoft Access 2000 database. Note that an Access database password on its own does not encrypt the data on disk, so the encryption review below matters. User profiles give specified users access to certain areas of the application. It is recommended that you review your infrastructure with your IT provider for database and server encryption. Focus 1 does not have a patient record audit trail.

Back Up & Restore

Focus 1 backups are provided, but restoration is not validated as thoroughly as with the online backup solution available to Focus 2 users.

Why should I upgrade to Focus 2 now?

There are many reasons to upgrade to Focus 2. GDPR is the latest: although we have made changes to Focus 1 for compliance, it does not benefit from the additional features of Focus 2.

  • Enhanced security and reliability from being on an Oracle database rather than Microsoft Access.
  • Optional Oracle database encryption, separate from operating system or hardware encryption.
  • Full audit trail of all changes made by any user to any data.
  • All data securely held within the database and no external files (images, letters, etc.).
  • Inbuilt patient report to respond to Patient GDPR data access requests.
  • Comprehensive control of user access to application areas and functions on a per-user/role basis.
  • Password and PIN entry, with configurable complexity rules and auto-expiry.
  • Automatic application timeout after a period of inactivity.
  • Automatic home screen lock so that patient data is not left visible on screen.
  • Enhanced GDPR features as listed above for Focus 2.

Upgrade to Focus 2 now