Taking advantage of patient data – an outlook on the upcoming General Data Protection Regulation

Patient treatment and research creates a wealth of data. Taken together and used appropriately, these data create crucial opportunities to fundamentally change the way health services are delivered for the benefit of patients.

One prime example illustrating how collecting and using data enables improvement of the healthcare system are electronic health records (EHR). EHRs are a centralized electronic storage of patient and population health information, systematized in a digital format. EHRs may include a range of data, such as demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal statistics (e.g., age and weight), and billing information. These records may be shared across different players in the healthcare system, including doctors, hospitals, pharmacies, insurers, and research institutions, which would, inter alia, improve diagnostics and treatment and avoid harmful interactions between drugs. Thus, exchange of vital information can be simplified and an optimum patient care could be facilitated.

Another data based use case are new therapies allowing the advanced adjustment of treatments. The so-called “precision healthcare / medicine” is a medical model that proposes the customization of healthcare, with medical decisions, practices, treatments, drugs, or devices being tailored to the individual condition of patients. In this approach, diagnostic testing is often employed for selecting appropriate therapies based on the context of a patient’s genome or other molecular or cellular analysis.

Given that health data are of great sensitivity, reaping the benefits of data based medicine comes with particular challenges provided, in particular, by data protection requirements.

Data Protection under the General Data Protection Regulation (GDPR)

EU data protection law is currently based on the Data Protection Directive (Directive 95/46/EC of 24 October 1995), along with national data protection laws and a range of particular regulations in each Member State. From 25th May 2018, the Data Protection Directive will be replaced by the General Data Protection Regulation (GDPR). The GDPR is best described as an evolution of existing regulation rather than a revolution, but it will bring into force some important aspects to be considered when using healthcare data.

As a general rule, every electronic use of healthcare data is subject to data protection, which is defined as the protection of personal data from improper use. Personal data means any information relating to an identified or identifiable natural person, e.g., examination results, x-rays or medication, provided that an individual which the information relates to can be considered identifiable. Under the GDPR, data concerning health is even deemed to be a “special category of personal data”, which is subject to increased protection, Article 9 GDPR.

Under EU law, personal data can only be legally processed or used under strict conditions, and for a legitimate purpose. As a general rule, every collection of personal data is prohibited, unless there is a statutory justification or the data subject has given consent.

In the context of a use of healthcare data, difficulties from data protection law often arise from the aspects set forth below.

Consent / transparency

Processing of healthcare data on the basis of a patient’s consent is subject to strict requirements, Articles 9 para. 1, 4 para 11 GDPR. The consent must be freely given, specific, informed and unambiguous. It must cover all processing activities carried out for the same purpose or purposes and where processing has multiple purposes, consent must be given for all of them. Therefore, a general broad consent to unspecified processing operations is usually invalid. As a result, it is challenging to obtain valid consent for the collection and usage of healthcare data: Due to the complexity of usage in the medical sector, lengthy explanations are often necessary, which may cast doubt on sufficient transparency. Further, later changes of the purpose of processing (e.g., processing of information in an EHR for a new application) cannot be covered in advance.

It is, however, worth noting that the requirement for consents to be specific is a little less strict when it comes to data processing for scientific research. Such consents are considered valid so long as they cover certain areas of research (rather than specific purposes). This is tribute to the fact that it is often not possible to fully identify the purposes of data processing for scientific research purposes at the time of data collection. This principle has now been acknowledged in Recital 33 of the GDPR. Further, there are certain statutory justifications for the processing sensitive personal data foreseen in Article 9 GDPR (hereto please see below).

Anonymization

Data protection law is not applicable to data rendered anonymous in such a way that the data subject is no longer identifiable. Therefore, anonymized data may be used without the restrictions of data protection law. While anonymization preserves existing data sets, it is an irreversible process that removes the ability to identify the data subjects, and is therefore only an option where reference to such persons is not required for any use of the data, in particular for merely statistical or research purposes.

Further, the threshold for anonymization under EU data protection law is very high. Data can only be considered anonymous if re-identification is not possible or impractical, taking into account all means reasonably likely to be used, either by the person or entity that has anonymized the data, or by any third party. Such means include “the available technology at the time of the processing and technological developments”, Recital 26 of the GDPR. As a result of the rapid technological development and the growing number of entities collecting data and combining data bases, it becomes increasingly difficult to achieve anonymization.

Impact of the GDPR on the healthcare sector

In addition to the general requirements involved with the implementation of the GDPR, it is important for processors of health data to reflect the applicable specific rules, including those in Article 9 GDPR.

Other than a particular framework for consent, the article contains certain statutory justifications for data processing. Hence, an organization does not need to rely on consent and is permitted to collect and use health data if the processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care or treatment, management of health or social care systems and services, under a contract with a health professional or another person subject to professional secrecy under law (the ‘medical care’ ground). Additionally, consent is not required if the processing is necessary in the public interest for public health reasons (the ‘public health’ ground), or if the organization can argue that the processing is necessary for scientific research.

It is therefore recommended that processors of health data review their business practices in light of these statutory justifications and tailor them to comply with justifications, where appropriate.