The enforcement deadline of the General Data Protection Regulation (GDPR), Europe’s new framework for data protection laws, is almost upon us, and it has a significant impact on healthcare organizations. In this increasingly patient-centric world, where global healthcare organizations collect a wide set of information on patients to provide better health outcomes, this increased regulation has an even bigger impact.
Pegasystems surveyed 7,000 consumers across seven European countries to gauge their attitudes toward the upcoming legislation. The findings were eye-opening – from consumers’ awareness of GDPR to the data and rights they prize the most. The survey results serve as an important wake-up call for businesses still mulling over their readiness strategy.
Special challenges for healthcare
GDPR presents challenges across all industries, and includes language that has special impact on healthcare. The regulation defines “personal” data as “any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” On top of this definition, GDPR contains three additional, important definitions that pertain to health data:
- “Data concerning health” is defined by the GDPR as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”
- “Genetic data” is defined by the GDPR as “personal data relating to inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.”
- “Biometric data” is “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”
As outlined in Article 6 of GDPR, processing of personal data is considered lawful if: (1) the data subject has given consent; (2) it is necessary for the performance of a contract to which the data subject is party; (3) it is necessary for compliance with a legal obligation; (4) it is necessary to protect the vital interest of the data subject or another natural person; (5) it is necessary for the performance of a task carried out in the public interest; (6) it is necessary for the purposes of the legitimate interests pursued by the controller or third party.
However, healthcare organizations, which typically manage health data, have an added burden: they must hold “data concerning health,” “genetic data,” and “biometric data” to a higher standard of protection than personal data in general. GDPR prohibits processing of these forms of health data unless one of the three conditions below applies.
- The data subject must have given “explicit consent.”
- “Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services …”
- “Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices …”
Consent versus explicit consent
A savvy reader may have noticed that GDPR’s health data use conditions call for “explicit consent,” while the general definition just calls for “consent.” This has led to an endless debate about whether there is a difference between “unambiguous” consent and “explicit” consent and, if so, what constitutes that difference. Irrespective of the final clarifications and legal interpretation, it is clear that “explicit consent” for healthcare purposes will need the strongest forms of agreement, with the explicit use(s) of the data listed when obtaining such consent. Healthcare consent will also need to cover the many potential transfers of health data, including international data transfers and cloud storage.
U.S. organizations can also be impacted by GDPR
Given these new regulations, U.S. healthcare organizations that have traditionally been used to the Health Insurance Portability and Accountability Act (HIPAA) now need to think about data protection in a much more evolved way. Important considerations include data workflows, data handling, cross-border data transfer, data privacy, security monitoring, and overall policy compliance.
Look to technology as part of your compliance strategy
Obtaining consent is an effective way to be compliant with GDPR regulations. Digital process automation and patient engagement are two technologies that can help jumpstart your organization’s compliance journey. Ultimately, though, GDPR has far-reaching implications across organizations. It’s more than just consent – organizations should also assess their capabilities in end-to-end orchestration, governance, dynamic processes, auditability, and engagement.
ABOUT THE AUTHOR: Jitesh Rohatgi, Pega’s global director and healthcare/life sciences principal, has over 15 years of experience advising life sciences and healthcare organizations on the most effective use of CRM, MDM, and AI technologies to improve clinical safety and patient care.