Electronic medical data sharing has emerged in recent years as a way of amassing large information sets that can be harnessed to speed diagnosis and treatment of diseases. Collections of ultrasound images, for example, can be used to train machine-learning models to flag abnormal scans, reducing (though not eliminating) reliance on human review. At the same time, electronic health data are an increasingly attractive target for attackers, and a breach can have far-reaching consequences for the patients concerned.
The European Union adopted the General Data Protection Regulation (GDPR) in 2016 and began enforcing it on 25 May 2018. These rules govern how the personal data of individuals in the EU are used and safeguarded, with the goal of protecting people from privacy violations and data breaches. The regulation applies to any company or entity that processes such data, regardless of where it is located, and covers breaches of cloud-hosted data as well as on-premises systems. Although much of the GDPR concerns ordinary business data, health data are treated as a "special category" that receives stricter protection, so the regulation reaches directly into medical records privacy. Laws such as HIPAA in the United States (enacted in 1996) likewise give patients rights over their own medical records.
The Risks of Medical Data Control
According to the Information and Data Protection Commissioner (IDPC), self-employed medical practitioners are considered "data controllers," since they are "responsible for determining the means and purposes of the patients' health records." In this role, physicians are responsible for telling patients about their rights, how their records are used, how long they will be kept, with whom the records might be shared and how to file a complaint. Practitioners are required to report a personal data breach to the data protection authority within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to the affected individuals, those individuals must be notified as well.
Because the GDPR generally requires a lawful basis, most commonly explicit consent, before health records may be recorded, stored and used for purposes beyond direct care, the regulation has introduced some uncertainty about patients' rights in emergency situations and in research. BioMed Central (BMC) points out that because the fines for privacy breaches are large, researchers may be reluctant to use patient data that were collected without consent.
The Limitations of Patient Data
One example of data collected without consent given by BMC is a common situation: cardiac arrest patients. These individuals are physically unable to consent either to treatment or to the collection of their data for research, and since some patients who experience cardiac arrest do not survive, the question of consent remains unsettled. While the GDPR does not apply to deceased patients, researchers may still have an ethical obligation to request consent from a family member. Moreover, studying only those survivors of cardiac arrest who are able to provide consent introduces selection bias into the research.
While the impact of the GDPR is broad and reaches into medical practice within the U.S., the takeaway message is that physicians must consider these regulations and integrate appropriate privacy standards into their practices. As the National Law Review states, the GDPR applies to information collected within the EU member states, but not to information collected on EU citizens while they are in the U.S. However, if a U.S. physician needs medical records from a patient who received care in the EU, the GDPR does apply to those records.
Patient Data Collection Precautions
The IDPC suggests that private practitioners develop a consent form and privacy policy that cover the GDPR requirements and provide them to any patients from the EU whose records are being transferred, since under the GDPR patients must actively opt in to data sharing. It also recommends that all medical records be adequately protected against breaches with safeguards such as encryption, partial de-identification (such as pseudonymization, which replaces direct identifiers with tokens that can be reversed only with a separately held key) and backups, so that patients do not lose access to their records in the event of a system failure. Similarly, Forbes suggests that physicians and practices continually re-evaluate their use of medical records to ensure that they are accessed only for legitimate purposes, and that appropriate privacy safeguards are in place, kept up to date and monitored.
The full effect of the GDPR on medical data sharing has likely not yet been felt. A knee-jerk reaction of restricting data sharing, even for research purposes, is possible, but any negative consequences for patient care will test the system and will hopefully be resolved by the EU in the form of clarifications to the regulation.
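To make the pseudonymization safeguard concrete, the following is an added example written for this article; it is not code from the IDPC, BMC or any cited source. It assumes a small, constructed set of scan records with made-up patient identifiers and shows how a practice could strip direct identifiers before handing records to researchers while keeping a separately held key and lookup table that allow re-identification only by the data controller:

```python
import hashlib
import hmac
import secrets

# Constructed sample records with fictional identifiers (not real patients).
RECORDS = [
    {"patient_id": "PT-4471923", "name": "A. Lima", "dob": "1981-03-02",
     "scan": "ultrasound", "finding": "normal"},
    {"patient_id": "PT-9912004", "name": "T. Reed", "dob": "1975-11-19",
     "scan": "ultrasound", "finding": "abnormal"},
    {"patient_id": "PT-4471923", "name": "A. Lima", "dob": "1981-03-02",
     "scan": "ultrasound", "finding": "abnormal"},
]

# Fields that identify a person directly and must not leave the controller.
DIRECT_IDENTIFIERS = ("patient_id", "name", "dob")


def pseudonym(key: bytes, patient_id: str) -> str:
    """Keyed token for a patient identifier.

    A keyed hash (HMAC) is used rather than a plain SHA-256 because patient
    identifiers have little entropy: an attacker holding an unkeyed hash
    could simply hash every plausible identifier and match. Without the key
    the token can be neither reversed nor regenerated, yet the same patient
    always maps to the same token, so records remain linkable for research.
    """
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:24]


def pseudonymize(records, key: bytes):
    """Split records into a research dataset and a controller-only lookup table.

    Returns (research_records, lookup) where research_records contain no
    direct identifiers (date of birth is generalized to year of birth) and
    lookup maps each token back to the identifiers it replaced.
    """
    research = []
    lookup = {}
    for rec in records:
        token = pseudonym(key, rec["patient_id"])
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out["subject"] = token
        out["birth_year"] = rec["dob"][:4]  # partial de-identification
        research.append(out)
    return research, lookup


def reidentify(lookup, token: str):
    """Controller-side reversal: only possible with the lookup table."""
    return lookup.get(token)


if __name__ == "__main__":
    # The key is generated once and stored apart from the research dataset.
    key = secrets.token_bytes(32)
    dataset, table = pseudonymize(RECORDS, key)
    for row in dataset:
        print(row)
    print("re-identified:", reidentify(table, dataset[1]["subject"]))
```

The design point is separation: the research dataset can be shared, while the HMAC key and the lookup table stay with the data controller. If the key is rotated, every token changes, which is why the lookup table, not the key alone, is what allows re-identification after the fact.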