The General Data Protection Regulation (GDPR), Europe's framework for data protection law, has a significant impact on healthcare organizations. In an increasingly patient-centric world, where global healthcare organizations collect a wide range of information about patients in order to deliver better health outcomes, the impact of this regulation is even greater.
Before GDPR came into force, Pegasystems surveyed 7,000 consumers across seven European countries to gauge their attitudes toward it. The findings were eye-opening: from how aware consumers are of GDPR to which data and rights they value most. The survey results serve as an important wake-up call for businesses still mulling over their readiness strategy.
GDPR presents challenges across all industries, but its language has particular impact on healthcare. Article 4(1) defines "personal data" as "any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." On top of this definition, GDPR contains three further definitions (Article 4(13) to (15)) that pertain to health data:
Under Article 6 of GDPR, processing of personal data is lawful only if at least one of the following applies: (1) the data subject has given consent to the processing for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the data subject's request before entering into a contract; (3) it is necessary for compliance with a legal obligation to which the controller is subject; (4) it is necessary to protect the vital interests of the data subject or another natural person; (5) it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (6) it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject. Basis (6) is not available to public authorities acting in the performance of their tasks.
Healthcare organizations, however, carry an added burden. "Data concerning health," "genetic data," and "biometric data" (the latter when processed for the purpose of uniquely identifying a person) are special categories of personal data under Article 9 and must be held to a higher standard of protection than personal data in general. Article 9 prohibits processing of these forms of health data altogether unless one of the exceptions in Article 9(2) applies; three of those conditions are discussed below. Note that Article 9 applies in addition to Article 6: a healthcare organization needs both a lawful basis under Article 6 and an Article 9(2) exception before it may process health data.
A careful reader may have noticed that the Article 9 conditions for using health data call for "explicit consent," whereas the general definition of consent in Article 4(11) only requires an "unambiguous" indication of the data subject's wishes. This has fueled a long-running debate over whether "unambiguous" and "explicit" consent differ and, if so, how. Whatever the final legal interpretation, it is clear that explicit consent for healthcare purposes will need the strongest form of agreement: an affirmative statement from the patient (for example a signed form or a deliberately ticked box; Recital 32 rules out silence, pre-ticked boxes and inactivity), with each intended use of the data spelled out at the point the consent is collected. Healthcare consent will also need to cover the many potential onward transfers of health data, including international transfers and cloud storage. Those transfers should be named in the consent text rather than buried in a general clause, and where explicit consent is relied on to move data outside the EU under Article 49(1)(a), the patient must first be informed of the possible risks of that transfer.
Given these regulations, U.S. healthcare organizations accustomed to the Health Insurance Portability and Accountability Act (HIPAA) now need to think about data protection in a much broader way. GDPR reaches them under Article 3 whenever they offer services to, or monitor the behaviour of, individuals in the EU, regardless of where the organization is established, and it covers all personal data of those individuals, not only the protected health information that HIPAA regulates. Important considerations include data workflows, data handling, cross-border data transfer, data privacy, security monitoring, and overall policy compliance.
Obtaining consent is one effective route to GDPR compliance, but it brings obligations of its own: the controller must be able to demonstrate that consent was given (Article 7(1)), and the data subject may withdraw it at any time, as easily as it was given (Article 7(3)), so records of consent and of its withdrawal must be kept and acted on. Digital process automation and patient engagement are two technologies that can help jumpstart your organization's compliance journey. Ultimately though, GDPR has far-reaching implications across organizations. It is more than just consent: organizations should also assess their capabilities in end-to-end orchestration, governance, dynamic processes, auditability, and engagement.
At PegaWorld 2019, the German company DAK Gesundheit discussed how GDPR considerations have affected their approach to one-to-one customer engagement. To comply with the regulation, they built rules and processes covering contact, legitimate interest, and advertising into their customer engagement application. Watch the replay of their conference presentation for more insight on how they operate within a GDPR regulatory environment (the GDPR-specific slides start around the 16:30 mark).