Challenges and Guidelines for Sharing Personal Healthcare Information in the European Union

by ,

Europe’s General Data Protection Regulation (GDPR) is one of the strictest privacy and security laws in the world.  Enforced by the European Union (EU) since May 2018, these regulations were designed to provide EU citizens and residents with better control over their personal data while also harmonizing the rules across the EU for targeting, collecting, and managing this data.  For personal healthcare information, GDPR guidelines are critical to consider, not only by the healthcare community and its institutions, but also by the scientific community, academia, pharmaceutical firms, clinical study organizations and anyone involved in the management, ownership, interaction, or the use of personal healthcare data.  Use cases can vary from clinical trial recruitment to the use of data for secondary purposes, such as for improving patient adherence or better outreach to physicians.

The collection of healthcare data often involves patients and organizations across geographies, with physical locations of stakeholders crossing geographical lines. Hence, each organization’s data management rules need to consider overall general global standards and country-specific guidelines before being categorized as trustworthy and shareable within the EU as per the GDPR. In particular, it is the responsibility of data holders and collectors to anonymize data to offer increased protection for patient privacy. This is done by masking key information as well as strictly controlling access to personal information.

Process of Data Sharing

GDPR guidelines have set frameworks to guide organizations in accessing, storing, and processing personal data and cover the following major facets:

  1. Consent: Process and store data only when you have clear and unambiguous consent from the individual after a very explicit and clear explanation of the use of data.
  2. Reason for Data Sharing: A written and documented reason for data storage and processing—for example, whether it is deemed to be of use for the establishment, exercise, or improvement of an existing medicinal product.
  3. Use of Data Outside the EU: If personal data is transmitted to a third country outside the EU for handling, storage, processing, or any step thereof, data subjects must be informed of all appropriate safeguards, possible ramifications, and usage of their data.
  4. Access of Data: Personal data access should only be permitted to those who have been authorized in the consent form and communicated to the patient/data primary owner. The process requires a robust, fool-proof approach to restricting access to the data while building a clear audit trail of when the data was accessed, by whom and for what duration.

As noted in the points mentioned above, GDPR guidelines are strict, impose penalties for non-compliance and require a well-thought-out process for data sharing in the EU.

Guidelines for Sharing Personal Healthcare Data

We recommend setting up internal processes and rules adapted to your organization’s particular situation and needs, while strictly complying to GDPR guidelines for secure data sharing. This involves not only restricted access as well as de-identification of personal data but also caveats specific steps dependent on the nature of the project, use of data, and online/offline publications—notably:

  1. Personal Information: Name, geography, telephone number, SSN, URLs, IP address of the submission, biometrics, medical records, etc. are all considered direct identifiers. They could be used to identify patients, their personal healthcare information, financial and overall personal data, and hence should always be entirely stripped before entering records.
  2. Patient Identification: De-identified unique patient codes that are generally used across datasets, as these codes are linked across the data and studies to keep the patient tracked in the system. Patient identifier codes should be replaced with randomly generated numbers consistently across datasets and extension studies to prevent back-tracking.
  3. Dates: Date of birth, date of death, etc. should be replaced by referenced dates as these could lead to patient identification. However, dates have a higher need and significance in reviewing the seasonal and cyclic nature of diseases; therefore, alternative approaches should be considered to ensure data usability. Storing just the month or year in such a case could serve this much-needed purpose in these circumstances.
  4. Indirect Identifiers: Place of patient enrollment, gender, height and weight become potential identifiers when used with other patient information. This is especially true in rare disease and oncology patients where there are tiny populations. It is possible that there are fewer than five muscular dystrophy patients in a small town, and tracing the gender, weight and height could lead to patient identification. Data collection with a low patient population should be reviewed on a case-by-case basis, and steps should be taken to maintain patient confidentiality by removing all such identifiers.

Healthcare organizations are at very different points in their journey in compliance of GDPR and data usage. This means there is an increased demand and dependency on data subject matter experts (SMEs) to answer data ownership and processing accountability questions. Axtria’s data teams have been working with various organizations in processing, storing, and accessing data as per the GDPR guidelines. Teams handling data should be thinking of various ramifications and questions to not only access data in a correct way but also safeguard themselves from non-compliance liabilities.

  • What precautions should we take to hold personal data?
  • How do we access the data?
  • Why was the data initially gathered, and what is in scope?
  • How long should the data be held for its intended use?
  • How secure is the data in terms of accessibility and encryption?
  • Do we share data with third parties?

Answering such questions is critical, knowing that failure to comply with GDPR guidelines could lead to heavy and severe penalties. It is pivotal to design the whole process with robust business rules, quality controls, well-vetted architecture for data access, and an audit team to safeguard against any possible leaks in the process.

Inderpreet Kambo is an Associate Director at Axtria with expertise in market assessment, business intelligence, and data analytics. He is widely acknowledged for his vision on artificial intelligence, machine learning, and data sharing.

Jeremy Carter is a Senior Director at Axtria and spearheads innovative, data-guided transformative programs within the life science industry. He is regarded as an industry-leading expert in his field.