Health Data in the Cloud - a Criminal Offence?
Digital transformation of medical services creates enormous amounts of data, including diagnostics and treatment data in hospitals and doctors’ surgeries (e.g., CT scans, patient files and blood-test results) and billing data of health insurance providers. With the evolution from local IT systems to flexible cloud computing solutions, moving healthcare data online promises cost savings and efficiency gains. Other evolving services, such as e-health and mobile health (e.g., wearables to measure heart data or blood pressure) are based on cloud services in the first place.
Given, however, the highly sensitive nature of health data and the principle of medical confidentiality, use of health data in a cloud environment is strictly regulated by law.
Cloud Computing vs. Data Protection Law
Unless anonymized, health data largely constitutes personal data in the sense of European Union laws, and applicable data protection laws must therefore be observed. These provide an accessible way to enable the use of cloud computing services: Under EU data protection law, cloud computing is classified as commissioned data processing (see Article 2 of the current Data Protection Directive 95/46/EC and Article 28 of the upcoming General Data Protection Regulation (GDPR) respectively). This means that the processing of the relevant personal data by the cloud provider (‘processor’) on behalf of the customer (‘controller’) is privileged in the sense that a specific legitimation of such involvement through either a statutory permission or consent of the patients is not required so long as both the processor and the controller comply with special requirements. It is, in particular, required that they conclude an agreement on the commissioned data processing that fulfills certain statutory standards.
Under the current Data Protection Directive, the controller, i.e. the customer of the cloud services, remains entirely responsible for compliance with data protection laws. Hence, there are extensive monitoring obligations which are binding on the controller, and the controller is under an obligation to ensure that the processor implements required technical and organizational measures, both prior to the commencement of data processing and thereafter during the entire period of cloud usage. As controllers often find it difficult to comply with these requirements in practice, it was often requested that independent certification of a cloud provider should be deemed to satisfy the monitoring requirement. Consequently, in its “Opinion on Cloud Computing”, the “Article 29 Data Protection Party” (a body comprised of European national data protection authorities) confirmed that “a relevant third party audit chosen by the controller may be deemed to satisfy in lieu of an individual controller’s right to audit.“
With the GDPR coming into force on May 25th, 2018, the legal framework is set to approximate further to reality: The cloud provider controls the data processing process in the cloud and dictates the conditions of use, so it is unreasonable to impose full responsibility for the provider’s compliance with data protection laws on its customer. The GDPR now expressly foresees that a controller may use an approved code of conduct or an approved certification mechanism “as an element” to demonstrate sufficient guarantees that the processor complies with applicable data protection requirements. Such provision sets forth the first legal basis for an uniform certification procedure in European law.
Additional requirements need to be complied with where health data shall be transferred to territories outside the European Union. These include, alternatively, a commissioned data processing agreement between controller and processor in accordance with the applicable model clauses of the European Commission, Privacy Shield certification of a processor located in the United States of America, express consent from the patient, and binding corporate rules for intra-group transfers.
Medical Confidentiality: An Obstacle for Cloud Applications
Under the principle of medical confidentiality, doctors, psychologists, hospitals and health insurance providers must maintain the secrecy of patient information. Violation of such obligation constitutes a criminal offence under German law (Section 203 of the Criminal Code). Under the current rules, the transfer of medical secrets without consent of the patient – which is, in many cases, difficult if not impossible to obtain, e.g. when there is a medical emergency – is only permissible where the receiver qualifies as a “professionally active assistant. There was uncertainty as to whether cloud and other IT services providers could benefit from the privilege, and there is no jurisprudence on the matter. As a result, moving healthcare data to the cloud involves the risk of criminal liability, unless the information is anonymized or highly encrypted before transferred to the cloud and it is ensured that the information may not be de-anonymized or decrypted there.
Given the tremendous advantages of cloud usage to the health sector, e.g., enhancing treatment options by enabling access and updates to data by different physicians and hospitals and the exchange of knowledge between doctors and healthcare providers, there was rising pressure from industry associations to amend the provision. Now, finally, the voices were heard by the German legislators and the parliament approved a bill on June 29th, 2017 extending the permission to commissioning “other persons involved with the professional or official activities of the secret carrier to the extent this is required to make use of the services of the other involved person”. The amendment is expressly intended to facilitate the use of IT and cloud services.
However, still, both customers and providers of cloud services may become liable to prosecution if they do not comply with the restrictions set forth in the revised provision: This is the case for “other involved persons” if they disclose secrets obtained in the course of their assignment without authorization, and for users of IT and cloud services if they did not ensure to bind their service providers to secrecy.
The New Law: A Leap to Digital Health Services
In combination, the acknowledgement of certification as a means to satisfy a data controller’s monitoring requirement as enshrined in the new GDPR and the exemption of cloud services from the criminal offences for secrecy carriers constitute a considerable facilitation for digital health services and are likely to boost cloud offerings in the healthcare sector. Still, however, the use of health data is subject to strict limitations and therefore requires a thoughtful legal analysis.
Any Questions? Please Contact: Dr Torsten Kraul
Practice Group: IT, Outsourcing & Data Privacy