The GDPR has been in force for a while now and one of the sectors that has received a lot of regulator attention is life sciences and healthcare. It comes as no surprise that "special categories" of personal data, such as health data, have been under specific scrutiny; data protection plays a key role in the health industry as health data is particularly sensitive and requires comprehensive protection. As a result, regulators have issued guidance to help with GDPR compliance when processing health data.
German regulator guidance on health data
Regulators in Germany have issued over 20 decisions or guidance papers on life sciences and healthcare services, but there are still open questions in all areas where medical or other health data is being processed.
In particular, digital health services and the use of software based on Big Data and Artificial Intelligence have attracted the most attention. A recurring theme from regulators is that, despite some effort to adapt to the new regime under the GDPR, the level of data protection is lacking in this area.
GDPR compliance for app providers within hospitals and related services
Mobile health services are of particular concern to regulators. The joint committee of German regulators (DSK) published a white paper dealing with state-of-the-art technical and organisational measures and issued guidance that addresses the use of websites and messaging apps that process personal data.
These documents emphasise the high risk of abuse of personal data, especially when sensitive health information is used for diagnostic purposes, including for psychiatric or physical screening. The DSK recommends obtaining the express consent of patients when transferring health data to third parties and implementing security measures to minimise the risk of breaches.
In another guidance paper aimed at clinics and hospitals, the DSK pointed out that compliance with the GDPR and with additional requirements under national laws is required regardless of the size of the service provider. Doctors, pharmacists and related professions were identified in regulatory statements that addressed the appointment of a data protection officer for small medical practices. There were also numerous statements by State regulators addressing other specific questions. Finally, many regulators are calling for the web analytics and other tracking tools used by health app providers to be subject to a prior explicit consent requirement.
Statements and guidelines by EU and German agencies
The European Data Protection Board (EDPB), which is composed of representatives of the national data protection authorities, issued a key opinion concerning the interplay between the Clinical Trial Regulation and the GDPR but again, questions remain regarding the roles and responsibilities of the various players engaged in clinical trials.
Aside from this, several EU non-governmental and German governmental agencies addressed the requirements to be met in terms of data protection for health service providers by way of specific guidelines. The Guidelines on the Protection of Health Data issued by the German Federal Ministry for Economic Affairs (BMWi) are particularly interesting. They aim to provide an introduction to the GDPR's requirements for developers and suppliers of digital health products. They outline the impact of the GDPR on some key issues in specific areas, for example, automated decision-making, big data applications and the development of apps.
Enforcement and fines
In terms of enforcement, the most recent fine in this space issued in Germany arose from a patient mix-up on admission. This resulted in incorrect invoicing and revealed structural technical and organisational deficits in the hospital's patient and privacy management.
It is not all about fines though. Regulators are increasingly 'naming and shaming' as part of their enforcement strategy, realising that the threat of reputational damage can be as much of a compliance incentive as the threat of financial penalties.
What next?
The regulatory landscape is by no means complete. As the market and the technology develop, businesses will look to regulators to provide coherent and comprehensive guidance in what is, by definition, a complex space for data compliance.