Data protection regulations define how an individual’s personal information may be used by organisations, businesses, or the government. The misuse of an individual’s healthcare data can have serious long-term consequences. Worryingly, the healthcare sector has the highest figures for data security incidents, with 184 healthcare breach incidents reported in the first quarter of 2016, compared with just 43 for local government. Guidelines exist to reduce the exposure of healthcare data to attack, misuse, or misappropriation.
In May 2018, the EU General Data Protection Regulation (GDPR) will apply and be enforced. The aim of the GDPR is to have one set of rules applicable throughout the EU, although there are a number of carve-out areas where EU Member States may introduce specific national provisions, including in the healthcare sector.
The GDPR also aims to ensure data protection by design and by default, meaning that data protection measures must be built into all data-processing activities from the outset rather than bolted on afterwards. The changes to data protection rules are not revolutionary – the key principles, concepts, and themes of the current data protection regime remain in place. Instead, the new rules build on what is already there, although they add many new requirements that organisations will have to meet.
Who is affected by GDPR?
Anyone in the EU who controls data and/or undertakes data processing falls under the GDPR, including in the healthcare sector. Organisations based outside the EU are also affected where they offer goods or services to, or monitor the behaviour of, individuals in the EU. Even though Brexit is pending, it will have limited impact on the implementation of the GDPR as it pertains to the data of individuals in the EU; note that the GDPR protects data subjects in the EU regardless of their nationality. So, for example, a French person living in the UK who is being treated for an illness is covered by the regulation.
Data controllers and processors have extended responsibilities and obligations under the GDPR. Controllers will have to put in place technical and organisational measures to ensure (and be able to demonstrate) that processing of personal data fully complies with GDPR requirements – the way in which data protection policies are implemented will be of particular significance here. Processors will now also have to maintain records of all of their processing activities, available to the regulator on request in order to show compliance. In addition, processing on behalf of a controller must be set out in a contract or other “legal act” that meets certain criteria laid down under the GDPR.
The healthcare sector will therefore have to undertake a more holistic approach to data management – if done properly, the burden should be replaced by the reward of knowing where data is and where it goes to, thereby enabling good compliance practice and reduced risk.
A higher protection standard
There are three additional important definitions in the GDPR which relate to health data:
- “Data concerning health” now gets its own definition under the GDPR, which is “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”
- “Genetic data”, which is “personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.”
- “Biometric data”, which is “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”
What is important to highlight here is that “data concerning health”, “genetic data”, and “biometric data” will be subject to a higher standard of protection than personal data in general. The processing of these three special categories of data is prohibited unless one of a number of conditions applies.
The conditions most relevant to healthcare are as follows:
- the data subject must have given “explicit consent” to the processing (although there is a caveat to this condition where either EU or EU Member State law says that the prohibition may not be lifted by the data subject – we shall have to see if, for example, the UK chooses to bring in its own law about this)
- “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services […]” (this condition is only available where the data are processed by or under the responsibility of a professional subject to an obligation of professional secrecy)
- “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices […].”
The upshot is that when processing health data, healthcare organisations will have to implement their data-processing operations in accordance with these conditions (or one of the other conditions). They will as a result have to be more careful with the data and more exact in knowing where it is being stored, how it is being processed, on which condition the processing relies and, where that condition is consent, whether explicit consent has been given and recorded.
Mandatory breach disclosure and fines
One of the most important changes under the GDPR is that there will be mandatory data breach reporting. Breaches must be reported to the data protection regulator within 72 hours of the organisation becoming aware of them (unless the breach is unlikely to result in a risk to individuals), and where the breach is likely to result in a high risk to those affected, they must also be informed without undue delay. The healthcare sector will therefore have to put in place clear, practical and effective procedures that can be acted upon immediately – this should be at the top of the GDPR compliance checklist. It cannot be emphasised enough how important it will be to undertake training and breach-response drills, so that the 72-hour clock is not lost to working out who does what.
A key driver behind better compliance with the GDPR is the stricter sanctions regime. For some infringements a maximum fine of 4 percent of the global annual turnover of a business, or €20 million, whichever is higher, can be imposed. The healthcare sector is no stranger to fines: the highest fine to date in the UK is £325,000, imposed on Brighton and Sussex University Hospitals NHS Trust after computer hard drives containing patient personal data under its control were stolen. Under the GDPR, an equivalent breach could attract a significantly higher fine.
The GDPR go-live date may seem far away, but it is not. Important steps such as putting proper policies in place need to happen now. With proper planning the GDPR needn’t be scary, but the time to start that planning process is now.