Consent and transparency
GDPR and the healthcare sector
Patient treatment and research creates a wealth of data. Taken together and used appropriately, this data creates crucial opportunities to fundamentally change the way in which health services are delivered for the benefit of patients.
One example illustrating how collecting and using data enables the improvement of the healthcare system is electronic health records. Electronic health records are a centralised electronic storage of patient and population health information, systematised in a digital format. Electronic health records may include a range of data, such as demographics, medical history, medication and allergies, immunisation status, laboratory test results, radiology images, vital signs, personal statistics (eg, age and weight) and billing information. These records may be shared across the healthcare system with doctors, hospitals, pharmacies, insurers and research institutions, which could, among other things, improve diagnostics and treatment and avoid harmful interactions between drugs. The exchange of vital information can be simplified and optimum patient care could be facilitated.
Another data-based use can be found in new therapies allowing the advanced adjustment of treatments. So-called 'precision healthcare and medicine' is a medical model that proposes the customisation of healthcare, with medical decisions, practices, treatments, drugs or devices being tailored to the individual condition of patients. In this approach, diagnostic testing is often employed for selecting appropriate therapies based on the context of a patient's genome or other molecular or cellular analysis.
Given that health data is sensitive, reaping the benefits of data-based medicine brings particular challenges when it comes to data protection requirements.
EU data protection law is currently based on the Data Protection Directive (Directive 95/46/EC, October 24 1995), along with national data protection laws and a range of particular regulations in each member state. From May 25 2018 the Data Protection Directive will be replaced by the General Data Protection Regulation (GDPR). The GDPR is best described as an evolution of existing regulation rather than a revolution, but it will bring into force some important aspects to be considered when using healthcare data.
As a general rule, every electronic use of healthcare data is subject to data protection, which is defined as the protection of personal data from improper use. 'Personal data' means any information relating to an identified or identifiable natural person (eg, examination results, x-rays or medication), provided that the individual to whom the information relates can be considered identifiable. Under the GDPR, data concerning health is deemed to be a "special category of personal data", subject to increased protection under Article 9 of the GDPR.
Under EU law, personal data can be legally processed or used only under strict conditions for a legitimate purpose. Generally, every collection of personal data is prohibited, unless there is a statutory justification or the data subject has given consent.
In the context of healthcare data, difficulties under data protection law often arise.
Processing healthcare data on the basis of a patient's consent is subject to strict requirements according to Article 9(1), (4) and (11) of the GDPR. Consent must be freely given, specific, informed and unambiguous. Consent must cover all processing activities carried out for the same purpose or purposes and, where processing has multiple purposes, consent must be given for all of them. Therefore, general, broad consent to unspecified processing operations is usually invalid. As a result, it is challenging to obtain valid consent for the collection and use of healthcare data. Due to the complexity of use in the medical sector, lengthy explanations are often necessary, which may cast doubt on whether sufficient transparency has been achieved. Further, later changes to the purpose of processing (eg, processing of information in an electronic health record for a new application) cannot be covered in advance.
However, the requirement for consent to be specific is a little less strict when it comes to data processing for scientific research. Such consent is considered valid so long as it covers certain areas of research (rather than specific purposes). This reflects the fact that it is often not possible to fully identify the purposes of data processing for scientific research at the time of data collection. This principle has now been acknowledged in Recital 33 of the GDPR. Further, there are certain statutory justifications provided for in Article 9 of the GDPR for the processing of sensitive personal data.
Data protection law is not applicable to data rendered anonymous in such a way that the data subject is no longer identifiable. Therefore, anonymised data may be used without the restrictions of data protection law. While anonymisation preserves existing data sets, it is an irreversible process that removes the ability to identify the data subjects and is therefore an option only where reference to such persons is not required for any use of the data, particularly for statistical or research purposes.
Further, the threshold for anonymisation under EU data protection law is very high. Data can be considered anonymous if re-identification is impossible or impractical, taking into account all means reasonably likely to be used, either by the person or entity that has anonymised the data or by any third party. Such means include "the available technology at the time of the processing and technological developments" (Recital 26 of the GDPR). As a result of rapid technological developments and the growing number of entities collecting data and combining databases, it is increasingly difficult to achieve anonymisation.
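The following is an added illustration, not part of the original article, of why the Recital 26 threshold is hard to meet in practice. It takes a constructed extract from which names and patient IDs have already been stripped, and checks whether any record can still be singled out by the combination of its remaining quasi-identifiers (postcode, birth year, sex), which is the starting point of re-identification by linkage with another database. It then applies two standard anonymisation steps, generalisation and suppression, and measures the result. All records, field names and thresholds here are hypothetical choices for the example.

```python
from collections import Counter

# Constructed sample extract: direct identifiers already removed, but the
# remaining attributes are quasi-identifiers that another data set may share.
RECORDS = [
    {"postcode": "60311", "birth_year": 1974, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "60311", "birth_year": 1974, "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "60313", "birth_year": 1981, "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "60313", "birth_year": 1981, "sex": "M", "diagnosis": "asthma"},
    {"postcode": "60316", "birth_year": 1952, "sex": "F", "diagnosis": "arthritis"},
]

# Hypothetical choice of quasi-identifiers for this extract.
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")


def qi_key(record, quasi_ids=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values that a linkage would join on."""
    return tuple(record[q] for q in quasi_ids)


def equivalence_classes(records, quasi_ids=QUASI_IDENTIFIERS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(qi_key(r, quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class (the k in k-anonymity).
    k == 1 means at least one person can be singled out."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def singled_out(records, quasi_ids=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination is unique in the extract."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[qi_key(r, quasi_ids)] == 1]


def generalise(record):
    """Coarsen quasi-identifiers: keep only a 3-digit postcode prefix and
    replace the birth year by its decade. Sensitive attributes are untouched."""
    g = dict(record)
    g["postcode"] = record["postcode"][:3] + "**"
    g["birth_year"] = (record["birth_year"] // 10) * 10
    return g


def anonymise(records, k_min=2, quasi_ids=QUASI_IDENTIFIERS):
    """Generalise every record, then suppress those whose equivalence class is
    still smaller than k_min, so the release satisfies k_min-anonymity."""
    generalised = [generalise(r) for r in records]
    classes = equivalence_classes(generalised, quasi_ids)
    return [r for r in generalised if classes[qi_key(r, quasi_ids)] >= k_min]


if __name__ == "__main__":
    print("k before:", k_anonymity(RECORDS))              # 1: one person is unique
    print("singled out:", singled_out(RECORDS))
    released = anonymise(RECORDS, k_min=2)
    print("k after generalisation + suppression:", k_anonymity(released))
    print("records released:", len(released), "of", len(RECORDS))
```

Even the release that passes this check is only k-anonymous with respect to the quasi-identifiers chosen here and to this one extract. Recital 26 asks about all means reasonably likely to be used, including other data sets the recipient may hold and future technology, so a check like this is a necessary part of an anonymisation assessment rather than proof that the data is anonymous.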
Processors of health data should take into account the applicable specific rules, including those in Article 9.
Besides a particular framework for consent, Article 9 contains certain statutory justifications for data processing. Hence, an organisation does not need to rely on consent and is permitted to collect and use health data if the processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, under a contract with a health professional or another person subject to professional secrecy under law (the medical care ground). Additionally, consent is not required if the processing is necessary in the public interest for public health reasons (the public health ground), or if the organisation can argue that the processing is necessary for scientific research.
It is therefore recommended that processors of health data review their business practices in light of these statutory justifications and, where appropriate, tailor them so that the processing falls within one of those justifications.
For further information on this topic please contact Fabian Badtke or Torsten Kraul at Noerr LLP by telephone (+49 69 971 4770) or email ([email protected] or [email protected]). The Noerr LLP website can be accessed at www.noerr.com.