GDPR and healthcare - how to ensure a clean bill of health
We’re all aware of the imminent arrival of the EU General Data Protection Regulation, which comes into force in under one month, on 25th May 2018. In the UK it is supplemented by the Data Protection Act 2018, which replaces the DPA 1998, a law from an era when only a tiny fraction of our lives relied on the internet and online transactions. This new approach to data protection is a long overdue update to current requirements, and is focused on several core subjects:
- Providing data protection by design and by default
- Understanding the legal basis for undertaking personal data processing
- Delivering an expanded set of rights to data subjects
- The role of the Data Controller and Data Processor
- A significant penalty regime for non-compliance and breaching personal data
From a healthcare perspective, we’ve looked at each of these in turn.
Firstly, Article 25 of GDPR mandates that we must ensure data protection by design and by default. We’re required to design processes and IT systems with data privacy consideration as a primary input, rather than trying to retrofit them at a later stage. This broad subject includes a wide selection of technical and organisational requirements, including:
- Understanding the risks to personal data being processed
- Identifying the sources of personal data and “special categories” of personal data (as described within Article 9 of GDPR) – note the latter includes medical/healthcare data
- Implementing technical controls such as encryption or pseudonymisation
- Promoting data minimisation, and retaining personal data only for as long as is necessary
- Delivering protection against viruses, malware and ransomware
- Properly architected and security-tested systems and applications
- Providing effective data protection training to all personnel, contractors and suppliers
Article 35 requires us to undertake a formal “Data Protection Impact Assessment” wherever processing is likely to result in a high risk to the rights and freedoms of natural persons; done well, a DPIA provides a formal record of the data protection and privacy controls applied. Where the assessment leaves a residual high risk that cannot be mitigated, Article 36 requires prior consultation with the supervisory authority before the processing begins. The “UtopiaR” cloud-based solution from InfoSaaS is used globally to undertake such detailed assessments.
Next up, we need to understand the reason we are processing personal data and ensure that at least one of the six lawful bases prescribed in Article 6 of GDPR can be met. Depending on the activities our respective organisations undertake within the healthcare sector, the appropriate legal basis may differ. Remember too that health data is a “special category” of personal data, so an Article 9(2) condition (for example 9(2)(h), processing necessary for the provision of health or social care or treatment) must be identified in addition to the Article 6 basis.
For accident and emergency environments, or when processing the personal data of those with mental health conditions who are unable to give consent, 6.1(d) allows processing of personal data “to protect the vital interests of the data subject”; Recital 46 makes clear that this basis should only be relied upon where the processing cannot manifestly be based on another legal basis. For those undertaking voluntary medical research activities, obtaining data subject consent as described in 6.1(a) may be a more appropriate approach. Remember that consent needs to have been freely given, specific, informed and unambiguous, that records of consent need to be maintained, and that consent can be withdrawn at any time, at which point the processing that relied on it must stop.
Other legal bases include the performance of a contract with the data subject, compliance with a legal obligation, processing necessary for a task carried out in the public interest or in the exercise of official authority, and finally processing necessary for the legitimate interests of the data controller. Note that public authorities, which includes NHS bodies, cannot rely on legitimate interests for processing carried out in the performance of their public tasks. It’s recommended that healthcare organisations familiarise themselves with these alternatives and ensure that an appropriate legal basis is adopted which supports their personal data processing requirements.
Data subjects have a greater set of rights which they can choose to exercise in relation to the processing of their personal data. Healthcare organisations need to prepare themselves for how they will react when such requests start to arrive: how will you verify the identity of the requester, confirm the specific details of what they have requested, allocate internal resources to respond within the statutory one month (Article 12 allows an extension of up to two further months for complex or numerous requests, provided the data subject is told within the first month), and respond back to the data subject? Robust processes and staff awareness training are essential in this area.
Article 15 gives data subjects the right to obtain confirmation that their personal data is being processed, a copy of that data, and details such as the purposes of the processing, the recipients and the retention period. Whilst a right of access already existed under the DPA 1998, organisations could charge a fee of £10 and had 40 days to respond; under GDPR and the DPA 2018 access is free of charge (a reasonable fee may be charged only for manifestly unfounded or excessive requests) and organisations have one month to respond.
Following receipt of this data, Article 16 provides a right for any incomplete or inaccurate personal data to be corrected promptly. In specific circumstances, for example where consent is the legal basis for processing and has been withdrawn, data subjects can use Article 17 to request that their personal data is deleted, provided there is no alternative legal basis for its ongoing retention. Other rights allow data subjects to request that their personal data is provided in a portable format and transmitted to another data controller (Article 20), that the processing of their personal data is restricted in certain situations (Article 18), and to object to specific data processing activities (Article 21), for example direct marketing.
Whilst the Supervisory Authority (the Information Commissioner’s Office in the UK) has significant penalties at its disposal – data subjects also have the right to seek compensation for damages for infringements of GDPR (as per Article 82) and failing to provide timely and accurate responses to data subject rights requests is likely to be an initiating step.
Within the healthcare sector, it’s important to identify which organisation is the “Data Controller” (whose responsibilities are set out in Article 24) and which is the “Data Processor” (Article 28). Data controllers determine the purposes and means of the personal data processing that is to take place, and are responsible for ensuring that appropriate technical and organisational safeguards are in place so that the personal data is managed safely and securely. They may determine that they need to use the services of demonstrably compliant third-party data processors for some of the processing tasks, but it remains the data controller’s responsibility to validate their capabilities and competencies, and Article 28 requires a written contract setting out the processor’s obligations.
In healthcare, we regularly see the engagement of specialist organisations to undertake specific processing tasks that are not readily available from the NHS. Once they have been validated as being authorised to process medical data, such data processors must only act on the documented instructions issued by the data controller (Article 28(3)), must not engage a sub-processor without the controller’s authorisation, and must ensure that the technical and organisational controls described during validation remain in place and effective at all times.
Perhaps the most widely known fact about GDPR is the significant increase in financial penalties associated with personal data breaches and non-compliance with the Regulation’s requirements. The most serious infringements attract fines of up to €20m (about £17m) or 4% of global annual turnover, whichever is the greater; less serious issues can be fined up to €10m or 2% of turnover. Taken together with the right of data subjects to seek damages themselves, and the anticipation of an active legal sector ready to represent citizens, breaches of personal data are likely to be very costly. The healthcare system does not carry this level of contingency, and any liabilities which need to be paid will have a negative impact on the funding of healthcare activities within other parts of the organisation.
GDPR is a complex framework of requirements, and if your organisation has yet to make serious progress with its preparations, it is very unlikely that you will be ready for 25th May 2018. Having said that, the more you can do to reduce risks, protect patient personal data and comply with the requirements of the Regulation, the less likely you are to suffer a data breach as you complete your preparations. Let’s not forget, however, that GDPR is good news for data subjects (which includes all of us), who will finally have their personal data properly protected and have recourse in the event of something going wrong. And nobody’s going to argue with that.
Walmart, the next health tech giant - a timeline
Retail giant Walmart has been building its healthcare division for a number of years, but its recent acquisition of a telehealth firm and the slowdown of its clinic expansion suggest its focus has now shifted to health tech. We look at key moments in Walmart's history in healthcare.
Walmart announces plans to provide "full primary care services" by 2020. The plans include opening clinics in underserved, urban areas, where the chain has many existing stores.
A series of “Healthcare Begins Here” events launch at Walmart stores, where consumers are given information on leading healthy lives, as well as free blood pressure, blood glucose and vision screenings, and access to vaccinations.
As part of the organisation's commitment to pursue a more data-centric approach to worker safety, Walmart partners with StrongArm, manufacturers of safety wearables. Staff begin wearing FUSE, a small sensor worn between their shoulder blades that detects injury risk. Within a year, ergonomic injuries decreased by 65%.
Walmart opens its first health centre in Dallas. The 10,000 square-foot "super centre" offers primary care, X-rays and ECG, counselling, dental, optical, hearing and community health services. Prices are affordable regardless of health insurance status.
The same year a partnership with Doctor on Demand is announced, a telehealth company offering mental health services. As part of the agreement Walmart employees are able to access these services for free.
The first health and wellness clinic opens in Springdale, Arkansas, providing primary care, dental care, vision and hearing services as well as behavioural health, fitness and wellness education classes.
Walmart acquires CareZone’s medication management technology. CareZone's app reminds users to take their medication and provides refill reminders. The acquisition complements Walmart's existing pharmacy service.
The Wall Street Journal reports that Walmart is in talks with Verizon to implement 5G wireless service in select sites, to help boost digital health services.
As part of its COVID-19 response, drive-thru testing is offered at hundreds of Walmart Neighborhood Market drive-thru pharmacy sites, free of charge through Humana.
The retail giant teams up with the Department of Veterans Affairs to offer telehealth services to veterans at stores in Wisconsin, Michigan and Iowa.
Walmart Mexico signs a deal with Jack Nathan Medical Corp, a Canadian tech-focused healthcare provider. This will see 153 new medical clinics open within stores across Mexico, taking the total in the country to 203.
Walmart announces it is acquiring MeMD, a multi-speciality telehealth provider. The acquisition will enable Walmart Health to provide access to virtual care across the US. At the same time it is reported that plans to open further clinics are deliberately slowing down.
"Today people expect omnichannel access to care, and adding telehealth to our Walmart Health care strategies allows us to provide in-person and digital care across our multiple assets and solutions," Dr. Cheryl Pegus, executive vice president for Health & Wellness, said of the announcement.