But how patient data is managed is about to be radically altered, as the European Union’s General Data Protection Regulation (GDPR) comes into force on 25 May.
The GDPR will affect almost all industries, but in health the new regulations give every patient more control over the personal data that is being collected about them, as well as how this information is used. Hefty penalties are another core component, with a maximum fine of €20m or 4% of turnover for noncompliance.
But what does this all mean in reality? Here are five ways the GDPR will affect the healthcare industry over the coming years.
Safer personal data
Under the GDPR, healthcare organizations must better understand how their patient information is collected and where it is stored. Digital data is of course affected, but this change also affects paper records.
The GDPR mandates that data breaches must be reported within 72 hours. Naturally, this will drive healthcare professionals and organizations to take better care of the data they hold and, of course, the higher fines in play will act as another incentive to dramatically improve data security.
“Many companies are concerned that GDPR will severely impact their ability to engage with customers and prospects, owing to the new restrictions on right to erasure, right to be informed and right to object,” says Michael Geary, Co-founder and CEO of medical practice software company Consentz. “However, given the backdrop of hackers, data breaches from multiple household names and concern about how social media companies use our personal information, GDPR presents a great opportunity to reset relationships and build trust between companies, staff and customers or patients.”
Detailed patient profiles
With data collected at points ranging from doctor’s surgeries to specialized healthcare organizations, the data footprint of an individual is usually highly fragmented.
One of the core components of the GDPR is ensuring that there’s more available information about the purpose and location of any data that’s collected. This means healthcare providers will have a more detailed view of their patients, which could lead to better and more accurate diagnosis, as well as more targeted treatments at lower cost.
The counterpoint, though, is that the GDPR enshrines the right to be forgotten, which could emerge as a barrier to improved diagnosis.
A person’s right to be forgotten could conflict with the legal requirement to retain data following a patient’s or resident’s discharge or death
– James Kilmister, Product Director Health & Care at Civica
“It is a legal requirement for all healthcare providers to retain records for a prescribed period in case of query. This will need to be tracked closely to both ensure the record is not disposed of prematurely or the subject is denied a disposal when it is valid to do so.”
Mandating that patient data has more structure could be hugely beneficial to HCPs. The GDPR places a framework around how this data can be collected, used and in which scenarios it must be deleted, but individual patient care should benefit from reduced fragmentation.
Putting patients in control
Healthcare is the one area of our lives that has remained highly sensitive and private. But test results are often shared widely to reach a diagnosis, with the patient having little insight into how this information is collected, who has access to it and how it is stored. GDPR places individuals firmly in charge of their data.
Giving customers control can help to shape relationships in a positive way
– Helen Goldthorpe, Associate Solicitor at law firm Shulmans LLP.
“Some of the new data-subject rights also help customers feel in control – for example, they have stronger rights to stop how their data is to be used if they change their mind about consent. Demonstrating that you have thought about how you use data and have put appropriate protection in place can definitely help, even where the customer has no choice.”
However, Lee Dentith, CEO and Founder of telehealth company Now Healthcare Group, thinks there is still a way to go: “The framework is there to give the user control but how? How are people going to be educated? How will this be facilitated? GDPR goes part of the way in definition but there is no easy way for the individual to control their data. In short the potential is there but how successful it will be is yet to be seen.”
Using new data sources
According to Future Health Index data, 57% of patients own or use a connected care device to monitor various health indicators, but only one-third of these individuals (33%) have ever shared this information with their doctor. Furthermore, FHI research found that healthcare is the industry the general public most trusts with its personal data. There is, therefore, a strong foundation from which to make health data collection part of more people’s lives.
On the HCP side, technologies from social networking are increasingly being used to deliver patient care and support. Healthcare professionals regularly use networks such as WhatsApp to send patient data to each other. As this information moves across the network, this could mean sensitive data is held outside of the EU, breaching GDPR regulations.
James Flint is the CEO of Hospify, which has developed a WhatsApp-like messaging service to enable healthcare teams to securely send patient data over an EU-based network.
“Hospify encrypts and delivers text messages from phone-to-phone and then deletes the message from its servers within 72 hours, so the only copies are in the phones of the people in the conversation or group in question,” he says. “This design massively reduces the potential for security breaches or for legal liabilities around patient data access requests and keeps legal liability exactly where it should be – with the individual patients or clinicians involved in any given conversation.”
From data insights to better prevention
Speaking at the ‘Big data: Connected solutions for better healthcare’ conference held in Brussels earlier in the year, EU health commissioner Vytenis Andriukaitis referred to the European Reference Networks (ERNs) that aim to promote cross-border healthcare: “The success of ERNs also depends on big data: they will compile fragmented health data sets, generate new clinical, genetic, behavioural and environmental data, and make use of these data.”
The masses of data that healthcare organizations have been collecting for decades are still often unstructured and inaccessible. The ideas behind big data and how it can unlock the insights contained within healthcare information are a major reason why GDPR could offer the healthcare industry a huge opportunity. The insights that come from the drive to structure and integrate data could accelerate new therapies and bolster moves to improve prevention.
Overall, the GDPR is a reason for the health sector to be excited – it could help unlock the potential in huge stores of data that have remained dormant for decades.