With the European Union’s General Data Protection Regulation (GDPR) going into effect in May 2018, much of the attention has been on its impact on websites and applications that gather personal information. It also affects makers of medical devices that offer goods or services to, or monitor the behavior of, EU data subjects, according to the EU GDPR organization.
HIPAA compliance does not guarantee GDPR compliance
Many people working in healthcare in the US assume that HIPAA compliance will satisfy the GDPR. It does not: being compliant with HIPAA does not guarantee compliance with the GDPR, and covered entities that do business in the EU need to conduct an in-depth assessment of their data procedures, policies, and safeguards.
An article in the HIPAA Journal explains some of the differences in the data covered, the breach notification requirements, and the data protection assessments that must be documented.
Devices such as CT scanners, MRI scanners, and ultrasound equipment that collect personal data and store it on a PACS or enterprise imaging system fall under the GDPR, and because they handle health data their processing is considered "high risk" under its provisions.
Less obvious data-collecting devices include implanted cardiac devices, diabetes monitors, and similar equipment. In general, if processing actually takes place on the medical device, the device must be recorded as a place of processing in records that may be provided to the patient.
The GDPR therefore requires prior consent to collect, use, process, and store personal data. For health data such consent must be explicit, and under article 7 of the GDPR it must be freely given and requested in clear and plain language so that the patient is properly informed.
Data Protection Impact Assessments required
In addition, processing personal data with new technologies in a way that is likely to result in a high risk to individuals requires a Data Protection Impact Assessment (DPIA). Such an assessment must include a systematic description of the processing operations and their purpose, and an evaluation of the risks to the rights and freedoms of patients (the data subjects). It must also document the security controls, safeguards, and mechanisms that protect patient privacy.
Requirements surrounding profiling
Another requirement device makers need to be aware of is profiling. In the device context, profiling is the use of personal data to form a picture of a patient’s health as it develops over time. The GDPR (article 4) defines profiling as any form of automated processing of personal data used to evaluate, analyze or predict aspects of a person, including physical and mental health, performance at work, and personal interests. In short, patients must be informed of the diagnostic and prognostic details collected about them and of how that information is to be used.
Patient rights and protections
Much like HIPAA, the GDPR (article 15) gives data subjects the right to access their personal data, along with information such as the purpose of the processing, how the data is processed, and with whom it has been shared. Under article 20 they have the right to receive their data in a commonly used electronic format (data portability), and under article 17 the right to have their personal data erased.
The pan-EU breach notification requirement of the GDPR presents a significant challenge: personal data breaches must be notified to the competent supervisory authority (the national data protection authority) “without undue delay” and, where feasible, no later than 72 hours after becoming aware of the breach. The notification must describe the nature of the breach, the types of data involved, and the likely consequences, along with the measures taken or proposed to address the breach and mitigate its effects.
Non-compliance can be costly
The GDPR has produced a set of regulatory requirements that have spawned a cottage industry of consultancies offering a variety of compliance services, and with good reason. According to Compliance Junction, a trade publication focusing on HIPAA and GDPR issues, failure to comply can be very expensive.
A data protection authority (DPA) can impose fines of up to €20m or 4% of total worldwide annual turnover, whichever is higher. The reputational damage could prove even more costly, as other organizations are likely to be wary of forming a relationship with an organization found to be in breach of data protection and privacy laws.
For complete information about the GDPR, the EU GDPR Organization maintains a comprehensive website covering the regulation and the processes for compliance.
Whatever regulatory process you need to navigate, Kapstone Medical has the experience and expertise to assist you through all phases of the process. For more information contact us today at (704) 843-7852 or by email at info@kapstonemedical.com.
Sources: EUGDPR.org, HIPAA Journal, Compliance Junction, Medical Devices Legal blog