With an enforcement date of May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) is about to impact medical device manufacturers. Though similar to the U.S. Health Insurance Portability and Accountability Act (HIPAA), the new GDPR requirements will influence medical device data services by enhancing privacy and security for EU citizens.
Do not presume medical devices and GDPR to be a regional concern. Regardless of the organization’s location the regulations apply to any organization collecting personal private data from individuals in the EU (EU data subjects). Be sure to look at your territorial reach to determine how GDPR will impact your product. Do not take this regulation lightly as there are significant fines for violations (such as 4% of global revenue).
Both GDPR and HIPAA address privacy and security of medical records. The overlap in the regulations exists for “data concerning health,” which the GDPR defines as any personal data relating to the physical or mental health of an individual, including any health care service which may reveal information about the person’s health status.
Given this overlap to HIPAA, the current infrastructure, systems, and processes for connected medical devices will support many aspects of GDPR. But there are interesting differences. This article will present some of the more significant considerations.
Personal Data Access and The Right to be Forgotten
Almost all software privacy and security rules stipulate consent and access to personal records, but the GDPR provides the right to be forgotten. Systems must support deletion of the patient data if requested. This can get very interesting when other requirements are in conflict to deleting records. For example, data that is required for consented medical treatment, or data requested for use in a criminal matter. Though special cases will be interesting, deleting patient data is not a typical use case and will need to be integrated into the design. Procedures and mechanisms to request and complete data deletions, as well as data access, export, and even data editing to address corrections should be considered and planned.
The GDPR adds specific requirements on de-identification and pseudonymization of personal data. Specifically the process of removing identifying fields from the data does not change that definition of the data in that it is still considered personal data, and is not intended to preclude any other measures of data protection.
Pseudonymization is defined in the GDPR as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” The additional information must be “kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable person.”
The regulation supports pseudonymization, and states that its use is a central feature of “data protection by design.” The regulation also considers it a safeguard for processing personal data for scientific, historical and statistical purposes, enabling extended use of the data. These extended uses are important to clarify as unlike other regulations the GDPR is more explicit in limiting use to the consented reasons for its collection and processing.
Such techniques are common practice in many medical device designs today, but the specifics in GDPR will need to be considered and adopted when processing data from the EU.
Mandatory Data Protection Impact Assessments
Parts of the regulation relate to the processes and support activities related to privacy and security practices. Staff training and job roles are also covered, such as data protection officer (DPO) and data controllers.
To assist in demonstrating compliance, an impact assessment is mandated in Article 35. These assessments are designed to evaluate processing practices and assess risks and mitigation measures related to the collection, storage, processing, and managing of information related to data subjects.
Data breach reporting is required in short order. A data controller must report data breaches to the data protection authorities without delay, within 72 hours of being aware of the data breach.
Partners and Data Process Agreements
An immediate step on the path to GDPR compliance is to reach out to your infrastructure providers. These regulations impact every industry. Major cloud service providers, such as Amazon, Microsoft, IBM, and Oracle can provide materials and support to help companies prepare. Building on the medical device connectivity practices of established partners will go a long way to support current and future regulatory requirements.
GDPR is designed to enhance the privacy and security of data subjects. Medical devices and GDPR cross paths in many areas. The right to be forgotten, pseudonymization, breach reporting and impact assessments are just a small number of examples. The impact to data services may be much more extensive, therefore reach out to your partners and consider early impact assessments.