The General Data Protection Regulation (GDPR) comes into force in May, imposing new responsibilities to protect patient information at a time when Europe’s healthcare systems remain awash with paper records on one hand, and are struggling to digest the torrents of data flowing from digital apps and connected medical devices on the other.
It’s no surprise, then, that despite a two-year lead-in time, some hospitals and the companies that supply them are not ready.
“A lot of people are struggling,” said Fabio Cirillo, managing director of Avanti Europe AG, of Ormalingen, Switzerland, a consultancy providing advice on implementing the new rules.
“Some do not know, from a technical perspective, how to comply with GDPR. With just one month to go, we are getting calls from organisations that are only now beginning to think about it. And there are many who don’t even know this is coming,” Cirillo told Healthy Measures.
What the new rules say:
- Data holders must notify the authorities in case of breach;
- Subjects have a right to access their data;
- The legislation enshrines the right to be forgotten;
- Privacy must be designed in;
- Privacy is ensured by default, not by unticking a box;
- Every organisation holding personal third-party data must have a data protection officer.
GDPR takes effect as the number of health apps is growing exponentially, patient records are being digitised and there is a growing market for connected medical devices.
At the same time, the evidence is mounting that collection and analysis of the huge volumes of digital health data being generated is a means to improve outcomes for patients and promote sustainability of Europe’s healthcare systems.
As one case in point, research published this month based on data from 10,575 patients in the Swedish Heart Failure Register, shows the current heart failure care guidelines overlook symptoms caused by co-morbidities, which patients view as having a greater impact on their quality of life than those caused by their cardiovascular disease. A new healthcare model is proposed.
For newly-gathered data, GDPR requires healthcare organisations to be upfront about its future use.
However, there is less clarity on whether deleting old files is appropriate, and on the need to track down any archived versions of a file.
“There are some organisations that are still largely paper-based and cannot say for sure what data they hold. But they are considered to be data controllers and have big responsibilities under the new regulation,” Cirillo said. “EU law gives citizens the right to request copies of any personal data, and they have the right to be forgotten. At a minimum, data controllers need to know what data they have on file.”
Consent is King
The use of data from clinical trials, registries and patient outcome databases was the focus of major debate before the final GDPR text was signed off in 2016, amid concerns that some big datasets would become unusable for research purposes.
Explicit consent is required if data is to be used in any way. For biobanks and registries, where data and material may have been collected over several decades, securing consent from thousands of individuals for each new research project would be onerous or impossible.
Compromise amendments assuaged researchers’ worst fears but the regulation still requires companies and hospitals to significantly rewrite their patient consent forms for trials and routine surgery, where data could potentially have a research use.
“All personal data – name, age, comorbidities, even your IP address – belongs to you,” said Cirillo. “If you agree to take part in a trial of a drug or a device, that data cannot leave the hospital or research site. If the trial data is to be crunched by an algorithm beyond the boundaries of the trial, new consent is needed.”
For new trials, consent forms will reflect the GDPR rules. A more challenging area will be registries and databases which contain information collected over several years, some under old data regulations and some under the new one.
Erik Vollebregt of Axon Lawyers in Amsterdam said analysing bundled patient outcomes data could require hospitals to secure explicit consent if this was not made clear from the outset. “However, if the data is truly anonymised then you do not need [new] consent,” he said.
Hospitals and health boards at the cutting edge of collecting and analysing patient outcomes have also been rethinking how they work with patients. Sally Lewis, national clinical lead for value-based healthcare at the National Health Service (NHS) in Wales, said transparency about how data will be used is essential to compliance and to maintaining public trust.
NHS Wales has updated patient literature and consent forms to make clear that outcomes will be collected and used for research. The Aneurin Bevan Health Board in Wales has also conducted patient focus groups to discuss how to communicate with patients on the use and results of research using their data.
Hospital data submitted to national datasets would be anonymised but should still be traceable, said Lewis. “Anonymised clinical data should still have a unique identifier so that it can be linked with patient-reported outcomes (PROMs) data and subjected to meaningful analysis.”
Despite the increased workload for companies and hospitals, the upside of GDPR should be to reassure patients the law is on their side when it comes to the use of personal health data. A perception of inappropriate use could undermine the huge potential of big data for healthcare.
“The hottest potato of all is when people look to commercialise data,” said Lewis. “There may be some legitimate partnerships that are valuable to patients and the health system. But if we get this wrong it would be devastating as people would become reluctant to share their data.”
Current EU rules on data protection date back to 1995 – before smartphones, digital apps or eHealth. The new regulation, adopted in 2016, aims to update the law for the digital era. It emphasises the need for consent, clarity about the purpose of data collection, and transparency about how it is used.
The legislation has been in the works for some years but its arrival amid a series of scandals arising from the mishandling of personal information by websites and social networks, could not look more timely.
The sharing of Facebook user data with data-mining firm Cambridge Analytica has thrust privacy and data security into the spotlight and brought individuals up against the hard reality of how their information is being used. The reaction forced Facebook to abandon a plan to acquire patient medical records.
Big challenges for SMEs
In the medical technology sector, where devices such as blood glucose monitors and connected pacemakers collect large volumes of data, the industry has been focused on GDPR for years.
However, while smaller firms are committed to GDPR compliance, the requirements are onerous, said Ceren Aral Desnos, Interim Director Legal and Compliance at the trade body MedTech Europe. “SMEs may face distinct difficulties with respect to the resources they have to allocate to GDPR,” she told Healthy Measures.
The key GDPR principles of privacy by design and privacy by default are being built into new medical technologies, making personal privacy an automatic setting on devices that collect data.
While the GDPR text was agreed in 2016, there is still some uncertainty arising from delays in passing national legislation. As a result, the medtech industry is waiting for a European Commission working party to publish final guidance for companies, and expects implementation to be “an ongoing project” rather than a dramatic change on 25 May.
The GDPR comes in as the medtech sector is busy digesting the new Medical Devices Regulation, which came into force in May 2017. Manufacturers have until May 2020 to bring products into compliance. Amongst other requirements, the rules require device manufacturers to provide a greater clinical evidence base of safety and performance before approval, and to collect post-market clinical data as part of an ongoing assessment of product safety.
That increases the burden of GDPR compliance. “We see that there is a potential tension between the EU [medical devices] regulation and GDPR,” Aral Desnos said. “It is crucial that GDPR implementation strikes the correct balance in safeguarding individuals’ health data without creating significant logistical and practical hurdles for the use of this data for research purposes.”
GDPR also threatens the proliferation of health and fitness apps, most of which are unregulated as they are not classed as medical devices but which must comply with data protection rules.
Many unregulated health apps may fail to comply with GDPR’s more stringent rules, according to Aral Desnos. However, by improving transparency and giving users more control over how their data is handled, consumer confidence may improve.
Cirillo said apps linked to regulated medical devices already conform to high standards on data integrity and cybersecurity. “Health fitness tracker bracelets and smartphone apps are poorly regulated,” he said. “I feel they will be shaken by GDPR because they have done so little to build in data security that it’s quite shocking.”