The General Data Protection Regulation (GDPR) counts health information as information that is particularly worthy of protection. Accordingly, data protection in the doctor’s office is important. Even in the hectic pace that often prevails in medical practices, it should not be handled carelessly under any circumstances.

What does a medical practice need to consider when it comes to data protection?

In a way, special rules apply to medical practices with regard to data protection. Not in the sense that they can do whatever they want with the data. But when collecting data, physicians do not have to obtain direct consent from patients.

This means that the written consent for data collection actually provided for by the GDPR does not apply to patients in the doctor’s office. The data may therefore also be collected without this written consent.

However, this only applies if a private medical billing office is involved and the data is not passed on to third parties. Otherwise, the physician must obtain written consent for data collection as well. Incidentally, if a patient refuses this consent, he or she must still be treated.

Doctors usually collect data via the medical card. All the important data that doctors need is already stored on it.

A walk through the doctor’s office

Let’s take a step-by-step tour of a doctor’s office and see where data protection must be taken into account:

The reception desk

Data protection in a doctor’s office begins at the reception desk. Every patient comes by here at least once when he or she is here for an examination. This also means that every patient can see everything that goes on at the reception desk: open patient files, notes from telephone calls and so on should not be lying around. Conversations about personal data should also not be held in the presence of patients.

“Anna, why is Mr. Meier here again?”

“Oh, he’s got that nasty rash between his legs again.”

“I told you, ointment X helps well there, I know that from my friend.”

This is not information intended for other patients. In the same way, of course, information is not shouted across the room so that the entire waiting room can hear Ms. Müller’s cell phone number.

Also important is the layout of the reception desk. Do patients possibly have a clear view of the computer monitors on which patient data is displayed? This should be prevented.

In principle, patients tend not to be interested in this information, but that doesn’t matter in terms of data protection.

The treatment room

In the treatment room itself, things get very personal. After all, this is where it is determined what kind of illness, injury or condition is actually present. In addition, the treatment takes place here, during which you sometimes show more of yourself than you would normally do in public.

It should go without saying that the door is closed during this process.

In addition, the principle of data minimization must be observed here. This principle means that only data that is actually relevant for diagnosis and treatment is collected.

The storage location for patient data

For data security, patient data is logically stored behind closed doors, either in a locked room or in locked cabinets.

Data processing and sharing of patient data is a bit complex. In principle, of course, it is not simply allowed. However, the forwarding of data between medical practices is sometimes useful if further treatment is to take place in another medical practice. The patient’s consent is required for this forwarding. This consent must be in writing.

What is permitted, however, is to obtain a professional opinion from another doctor on a diagnosis or treatment. However, only the data that is absolutely necessary may be used.

The IT department

As a rule, a medical practice does not have its own IT department. Instead, external service providers are commissioned for this purpose. These service providers can be among


Data protection in the medical practice is basically relatively easy to implement. However, the predominantly hectic pace of life in medical practices often plays against this. Minor errors quickly creep in when it comes to data processing and data security. But these small mistakes can have a big impact. After all, just a brief glimpse into personal data can lead to trouble if the wrong person gets that glimpse.