GDPR and healthcare - how to ensure a clean bill of health
We’re all aware of the imminent arrival of the EU General Data Protection Regulation which comes into force in under one month on 25th May 2018. It will arrive on the UK’s statute books as the updated UK Data Protection Act 2018, which replaces the existing DPA of 1998, from an era where only a tiny percentage of our lives was reliant upon the internet and online transactions. This new approach to data protection provides a long overdue update to current requirements, and is focused upon several core subjects:
- Providing data protection by design and by default
- Understanding the legal basis for undertaking personal data processing
- Delivering an expanded set of rights to data subjects
- The role of the Data Controller and Data Processor
- A significant penalty regime for non-compliance and personal data breaches
From a healthcare perspective, we’ve looked at each of these in turn.
Firstly, Article 25 of GDPR mandates that we must ensure data protection by design and by default. We’re required to design processes and IT systems with data privacy consideration as a primary input, rather than trying to retrofit them at a later stage. This broad subject includes a wide selection of technical and organisational requirements, including:
- Understanding the risks to personal data being processed
- Identifying the sources of personal data and “special categories” of personal data (as described within Article 9 of GDPR) – note the latter includes medical/healthcare data
- Implementing technical controls such as encryption or pseudonymisation
- Promoting data minimisation, and retaining personal data only for as long as is necessary
- Delivering capabilities to protect against viruses, malware and ransomware
- Properly architected and security tested systems and applications
- Providing effective data protection training to all personnel, contractors and suppliers
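The list above names pseudonymisation, data minimisation and limited retention as technical measures. The following is an added illustration (not code from the article or from InfoSaaS) of what those three measures look like when applied to a patient record before it is handed to a secondary purpose such as research. The key, the field names, the retention period and the sample records are all constructed assumptions; real identifiers would never be hard-coded like this.

```python
"""Keyed pseudonymisation, data minimisation and a retention check applied to
patient records. Added illustration: the key, field names and sample records
are constructed assumptions, not taken from any real system."""
import hmac
import hashlib
from datetime import date, timedelta

# Assumption: in production this key is held in a key management service,
# separately from the pseudonymised data, so that the data set on its own
# cannot be linked back to a patient. The value here is a placeholder.
PSEUDONYM_KEY = b"constructed-example-key-do-not-use"

# Constructed sample records with placeholder identifiers (not real patients).
RECORDS = [
    {"patient_id": "TEST-0001", "name": "Patient One", "dob": "1970-01-01",
     "postcode": "AA1 1AA", "diagnosis": "type 2 diabetes",
     "last_contact": "2017-01-15"},
    {"patient_id": "TEST-0002", "name": "Patient Two", "dob": "1985-06-30",
     "postcode": "BB2 2BB", "diagnosis": "asthma",
     "last_contact": "2018-04-20"},
]

# Data minimisation: the fields a given purpose actually needs, nothing more.
RESEARCH_FIELDS = {"pseudonym", "diagnosis"}


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 token.

    A keyed MAC is used rather than a bare hash: identifiers such as patient
    numbers have a small, predictable format, so an unkeyed hash could be
    reversed by hashing every candidate value. Without the key that is not
    possible, and the same identifier still maps to the same token, which
    keeps records linkable within the extract.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(record: dict, allowed: set, key: bytes = PSEUDONYM_KEY) -> dict:
    """Return a copy holding the pseudonym plus only the allowed fields."""
    out = {"pseudonym": pseudonymise(record["patient_id"], key)}
    for field, value in record.items():
        if field in allowed and field != "patient_id":
            out[field] = value
    return out


def due_for_deletion(record: dict, retention_days: int, today: date) -> bool:
    """True once the retention period since the last contact has elapsed."""
    last = date.fromisoformat(record["last_contact"])
    return today - last > timedelta(days=retention_days)


def prepare_research_extract(records, retention_days, today, key=PSEUDONYM_KEY):
    """Drop records past their retention period, then minimise and
    pseudonymise what remains."""
    return [minimise(r, RESEARCH_FIELDS, key) for r in records
            if not due_for_deletion(r, retention_days, today)]


if __name__ == "__main__":
    # Assumed retention period of one year, evaluated on the GDPR start date.
    for row in prepare_research_extract(RECORDS, 365, date(2018, 5, 25)):
        print(row)
```

The retention period, the set of allowed fields and the choice of key store are policy decisions the data controller records in its impact assessment; the code only enforces whatever has been decided. Note that pseudonymised data is still personal data under GDPR as long as the key exists, so the key and the extract must be protected and kept apart.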
Article 35 requires us to undertake formal “Data Protection Impact Assessments” where there is a high risk to the rights or freedoms of natural persons and, when done well, will provide a formal record of data protection and privacy controls. The “UtopiaR” cloud-based solution from InfoSaaS is globally used to undertake such detailed assessments.
Next up, we need to understand the reason we are processing personal data and ensure that at least one of the six criteria prescribed in Article 6 of GDPR can be met. Dependent upon the activities our respective organisations undertake within the healthcare sector, we may have a different legal basis to comply with.
For accident and emergency environments or when processing the personal data of those with mental health conditions, 6.1(d) allows processing of personal data “to protect the vital interests of the data subject”. For those undertaking voluntary medical research activities, the gaining of data subject consent as described in 6.1(a) may be a more appropriate approach. Remember that consent needs to have been freely provided by the data subject, records of consent need to be maintained, and that the consent can also be withdrawn at any time.
Other legal bases include the fulfilment of a contract with the data subject, compliance with legal obligations, data processing as a task carried out in the public interest or in exercising official authority and, finally, processing which is undertaken as a legitimate interest of the data controller. It’s recommended that healthcare organisations familiarise themselves with these alternatives and ensure that an appropriate legal basis is adopted which supports their personal data processing requirements.
Data subjects have a greater set of rights which they can choose to exercise in relation to the processing of their personal data. Healthcare organisations need to prepare themselves for how they will react when such requests start to arrive – how will you validate the identity of the requester, confirm the specific details of what they have requested, allocate internal resources to respond to the request – within 30 days – and respond back to the data subject? Robust processes and staff awareness training are essential in this area.
Article 15 gives data subjects the right to request details of the personal data an organisation is processing about them, together with the reasons why. Whilst this right was already available under the DPA 1998, for a fee of £10 and with organisations having 42 days to respond, under DPA 2018 it is available free of charge and organisations now have only 30 days to respond.
Following receipt of this data, Article 16 provides a right for any incomplete or inaccurate personal data to be corrected promptly. In specific circumstances, for example where consent is the legal basis for processing, data subjects can use Article 17 to request that their personal data is deleted, provided there is no alternative legal basis for its ongoing retention. Other rights allow for data subjects to request that their personal data is extracted and transferred to an alternative data processor, that the processing of their personal data is restricted in certain situations, and for them to object to specific data processing activities – for example direct marketing activities.
Whilst the Supervisory Authority (the Information Commissioner’s Office in the UK) has significant penalties at its disposal – data subjects also have the right to seek compensation for damages for infringements of GDPR (as per Article 82) and failing to provide timely and accurate responses to data subject rights requests is likely to be an initiating step.
Within the healthcare sector, it’s important to identify which organisation is the “Data Controller” (as per Article 24) and who is the “Data Processor” (as per Article 28). Data controllers are responsible for determining the nature of the personal data processing that is to take place, and for ensuring that appropriate technical and organisational safeguards are in place to ensure that the personal data will be managed safely and securely. They may determine that they need to use the services of demonstrably compliant third-party data processors for some of the processing tasks, and it remains the data controller’s responsibility to validate their capabilities and competencies.
In healthcare, we regularly see the engagement of specialist organisations to undertake specific processing tasks that are not readily available from the NHS. Once they have been validated as being authorised to process medical data, such data processors must only act in accordance with the written processing instructions issued by the data controller and ensure that their own technical and organisational controls communicated during validation remain in place and effective at all times.
Perhaps the most widely known fact about GDPR is the significant increase in financial penalties associated with personal data breaches and non-compliance with the Regulation’s requirements. The most serious misdemeanours attract fines of up to €20mn/£17mn, or 4% of global annual turnover (whichever is the greater), while less serious issues can be fined up to €10mn or 2% of turnover. When taken in conjunction with the rights of data subjects to seek damages themselves, and the anticipation of an active legal system ready to represent citizens, breaches of personal data are likely to be very costly. The healthcare system does not carry this level of contingency, and any liabilities which need to be paid will have a negative impact on the funding of healthcare activities within other parts of the organisation.
GDPR is a complex framework of requirements, and if your organisation has yet to make serious progress with its preparations, it is very unlikely that you will be ready for 25th May 2018. Having said that, the more you can do to reduce risks, protect patient personal data and comply with the requirements of the Regulation, the less likely you are to suffer a data breach as you complete your preparations. Let’s not forget, however, that GDPR is good news for data subjects (which includes all of us), who will finally have their personal data properly protected and have recourse in the event of something going wrong. And nobody’s going to argue with that.
How health plans can reduce healthcare inequalities
The COVID-19 pandemic has put inequalities accessing the healthcare system in the spotlight. Jim Clement, Vice President of Product & Services at cloud provider Inovalon, tells us that health plans play the most integral role in advancing the health equity movement.
Why did it take a global pandemic to highlight the issue of healthcare inequities?
Health inequity in the US has been well understood by healthcare professionals for many years, but it has become more evident due to the COVID-19 pandemic. It wasn’t until the racial and ethnic differential seen in response to COVID-19 related infections, deaths and vaccinations that many Americans became acutely aware of the health inequity due to sociodemographic factors such as race, geography, education and income.
Fortunately, there’s now a growing health equity movement afoot in America which aims to improve public health and achieve equity in health status for all people by ensuring opportunities are available to attain the highest level of health. While the entire healthcare ecosystem is important to this transformation, it is health plans that arguably play the most integral role.
How can health plans help?
Achieving health equity means obstacles to health must be removed, including poverty, discrimination, powerlessness, and lack of access to the basics like physicians, hospitals, medicine, technology, and health education. This is not only a social justice initiative, but also a clear call to action for health plan organisations that are bearing the economic brunt of the costs due to health disparities.
Health plan organisations that recognise the alignment between efforts to improve health equity and broader member engagement initiatives will be in the best position to move the needle. Plans must also understand that the provision of medical services within hospital walls, physician offices and other health services providers is necessary, but not sufficient.
By recognising that health inequity also includes non-medical factors such as employment, income, housing, transportation, childcare, and more, plans will be better equipped to ensure their members are set up for success.
What do healthcare providers need to do generally to address inequities?
Outreach by both health plans and providers is critical to ensuring people have knowledge of available services, the reason those services are critical to their health, and options to access those services based on their unique circumstances. With both stakeholders beating the same drum, progress can be made quickly.
Given the impact of social determinants of health (SDOH), should healthcare providers take a more active role in addressing these, or other agencies?
While communicating with patients is critically important, what is truly required to address inequalities is helping patients take medical actions – like regular PCP visits, monitoring A1C and accepting health coaching – that are necessary to maximise their health, along with non-medical actions – like availing themselves of community resources that address homelessness, food insecurity and employment services.
The most progressive providers and payers have or are putting in place programs to address these non-medical issues. In addition, non-medical tools such as transportation services can certainly help drive the effectiveness of medical services.
How important is it to educate patients about their health and how can this be done?
Education is a social determinant of health and a key lever to be used to drive health equity. Patients who do not understand their medical conditions or the consequences of non-compliance with their treatment plans are prone to poor outcomes.
For health plans, understanding member needs is one of the biggest drivers of quality care. A continuous cycle of engagement through feedback and appropriate responses will provide health plans with an opportunity to uncover, discuss, and resolve problems faster.
Improving member outreach and engagement can be made easier with a programmatic approach involving four stages of intentional outreach: Getting to know your members, educating members, seeking feedback from members and gaining member loyalty. Each stage not only contributes to a better member experience but also to improved outcomes and higher satisfaction scores.
Now that the issue has come to the fore, what do you think things will look like in 5 years or so?
I predict that health plans that get member engagement, education and equity right will achieve better health and greater value, faster. Those who get it wrong or delay will suffer the consequences of competitive disadvantage and pay a larger share of the rising costs associated with health inequity.