Patient Data and General Data Protection Regulation

Who is responsible for keeping personally identifiable patient registry data safe?


What is GDPR?

GDPR stands for General Data Protection Regulation. Since it came into effect in 2018, this EU regulation has affected businesses worldwide. In this article we will outline what the regulation entails, key terms from the legislation, its importance in the modern world, how it measures up against other regulations and finally, how we as a company ensure our compliance.

Since the introduction of GDPR, companies and businesses have changed many procedures and processes to align with the legislation. Any company or entity established in the EU, and any company or entity established outside the EU that offers goods and/or services (paid or free) to EU citizens and processes personal data as part of its business activities, now needs to ensure it abides by the legislation.

GDPR legislation is all-encompassing and does not refer to just one department or aspect of the business. Companies that wish to operate in Europe or offer services to citizens of the European Union (also now expanded to include Singapore, Australia and the Baltic States) have to be cognisant of their activities across all departments to ensure they are wholly GDPR compliant. This extends to ensuring that any person who is identified or identifiable through the personal data collected about them retains their full suite of rights when they engage with the company's services.

Even prospective clients are afforded the same rights and legal claim under the regulation. Sales and marketing teams therefore need to acquire consent before signing potential clients up for communication or marketing activities: prospects must now fill out a form or tick a check-box to consent to being contacted.

Under the regulation, the burden of proof rests with the organisation providing the good or service, which must now prove that consent was obtained from every individual in any instance where personal data is collected. This means it is not enough just to collect consent; it also needs to be collected in an organised fashion that can account for the varying levels of permission given and for any changes that might need to be actioned, such as revoked consent. For this reason any personal data held must have a time-stamped audit trail that records exactly what the data subject opted into.

Furthermore, companies and businesses remain responsible for obtaining proper consent even when a vendor or outsourced partner has been engaged for data-gathering activities. All third parties and their activities should be stringently vetted to assess their ability to comply with the data protection legislation.


GDPR Key Terms

Privacy by Design: This means considering privacy from the beginning of the design process and throughout the entire development of new products, processes or services that entail the processing of personal data. In other words, the default approach is to presume personal data privacy. At OpenApp, our core platform was developed with privacy and security as priorities. All our platforms support consent models that align with GDPR, and we have implemented two-factor authentication and role-based access to further bolster the protection of personal data.

Sensitive Data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership; genetic data; biometric data processed solely to identify a human being; health-related data; and data concerning a person's sex life or sexual orientation.

Personally Identifiable Data: data that can be used to reveal a person's identity, for example contact information such as email addresses or phone numbers. OpenApp uses pseudonymisation to redact identifiable information, displaying the full suite of identifiable data only to users with the appropriate role-based permissions. Consent is captured in our baseline forms; the consent questions must be completed before any further data can be entered, otherwise there is no option to continue in the system.
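As an added illustration of the pseudonymisation and role-based display described above (this is example code written for this article, not OpenApp's own implementation), the snippet below derives a keyed pseudonym from a patient identifier and shows the same record to two roles: one allowed to see direct identifiers, one not. The patient record, the role names and the key are all constructed for the example; in a real deployment the key would live in a secrets store separate from the registry database, so that the pseudonym cannot be reversed by anyone who only holds the data.

```python
import hashlib
import hmac

# Constructed sample record, shaped like a minimal registry entry.
PATIENT = {
    "patient_id": "P-000123",
    "name": "Jane Example",
    "email": "jane@example.org",
    "phone": "+353 1 000 0000",
    "diagnosis": "Condition X",
}

# Fields that directly identify a person; hidden from roles without permission.
DIRECT_IDENTIFIERS = {"name", "email", "phone"}

# Assumed role names for the example; a real system would load these from its RBAC config.
ROLES_WITH_IDENTIFIED_ACCESS = {"clinician", "registry_admin"}

# Hypothetical pseudonymisation key. Keep it outside the database: with a keyed
# HMAC, the pseudonym is stable but not invertible by someone holding only the data.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"


def pseudonym(patient_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Stable keyed pseudonym: same id -> same token, linkable within the registry."""
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def view_record(record: dict, role: str) -> dict:
    """Return the record as a given role should see it.

    Privileged roles get the real identifier plus all fields; everyone else
    gets a pseudonym and redacted direct identifiers. The pseudonym is still
    personal data under GDPR (it can be re-linked by the key holder), so this
    is pseudonymisation, not anonymisation.
    """
    privileged = role in ROLES_WITH_IDENTIFIED_ACCESS
    out = {"pseudonym": pseudonym(record["patient_id"])}
    for field_name, value in record.items():
        if field_name == "patient_id":
            if privileged:
                out["patient_id"] = value
        elif field_name in DIRECT_IDENTIFIERS:
            out[field_name] = value if privileged else "[REDACTED]"
        else:
            out[field_name] = value
    return out


def anonymise_for_export(record: dict) -> dict:
    """Drop identifiers and the pseudonym for a researcher export.

    Removing direct identifiers alone does not make a dataset anonymous: the
    remaining fields still need a re-identification risk assessment before release.
    """
    return {k: v for k, v in record.items()
            if k != "patient_id" and k not in DIRECT_IDENTIFIERS}


if __name__ == "__main__":
    print(view_record(PATIENT, "clinician"))
    print(view_record(PATIENT, "data_entry"))
    print(anonymise_for_export(PATIENT))
```

The useful property to check in such a design is that the pseudonym is identical across roles (so records stay linkable for audit) while the redacted view carries no direct identifier, and that the export view carries neither.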

Data Controller: the person or organisation that decides why and how personal data is processed. The 'purpose' of data processing refers to 'why' personal data is processed, while the 'means' refers to 'how' data is processed. This is the client's or potential client's role, as they dictate what data is to be collected and what is to be done with that data.

Data Processor: a person or legal entity that handles personal data on behalf of a data controller. Data processing includes storing and transmitting data. This is OpenApp's role, as we process data under the direction of the Data Controller.

Data Subject: the person to whom the personal information relates. In a registry context the data subject is the patient or the service user.

Right to Be 'Forgotten': You have the right to have your data erased by the data controller without undue delay when your personal data is no longer required for the purpose for which it was collected or processed. OpenApp systems use dynamic consent, which means that consent can be revoked at any time within the system.

Why is GDPR so Important?

The modern world is more data driven than ever before. The laws and regulations need to reflect this in order to protect citizens from having their sensitive, personal information distributed and/or accessed without their consent. GDPR is a necessary regulation to ensure responsible, ethical and consensual handling of data of the citizens in the European Union (as well as Singapore, Australia, and the Baltic States).

OpenApp has worked with many European healthcare organisations, a number of which have patient populations that span multiple EU countries. We are well versed in GDPR regulations and how they translate to the processing of health data.

As our platforms are built entirely in-house, we have complete autonomy in adding features and functionality (Privacy by Design) that not only adhere to the GDPR regulations but also assist with our clients' adherence. For example, the Clinical Insight patient registry platform allows you to gather and track consent no matter how bespoke the end software turns out to be.

GDPR versus HIPAA

A common question when looking at GDPR is how it compares to other data protection standards already in place internationally. The most notable of these, in a health context, is the Health Insurance Portability and Accountability Act, otherwise known as HIPAA.

GDPR and HIPAA: There are some significant contrasts between these two standards. Here are the major differences:

  • GDPR defines protected data as any information that can be used to identify a person. GDPR defines 'sensitive data' as racial or ethnic origin, political beliefs, religious or philosophical beliefs, trade union membership, genetic / biometric data, health data, or sex life / sexual orientation. Protected data is defined by HIPAA as any information about a person's health status, care, or payment that is created or collected by a HIPAA-covered entity. The GDPR defines the types of information that are subject to the regulation in a much broader manner.
  • There is a disparity in permission to share information. GDPR requires explicit consent to collect, store and/or process personal data, whereas HIPAA permits disclosure of Protected Health Information (PHI) for "treatment, payment, and operational reasons" without the individual's agreement.
  • Another notable distinction under GDPR when comparing it to HIPAA is that people have the right to be 'forgotten' (to have their data deleted upon request). Companies may no longer store data indefinitely and must destroy it permanently upon request. This is not a privilege granted by HIPAA. In practice, HIPAA covered institutions are obligated to keep PHI until the state-mandated record destruction date (for instance, in Massachusetts there is a minimum 7-year retention requirement after the last date of patient encounter).

How OpenApp works with GDPR

At OpenApp we abide fully by the GDPR requirements. To ensure our internal procedures are up to standard, we appoint a Data Protection Officer who is responsible for overseeing data protection; all OpenApp staff undergo regular training on working with patient data; and all OpenApp solutions and services are GDPR compliant.

OpenApp also holds an ISO 27001 security certificate. While this does not automatically mean GDPR compliance, it does indicate a commitment to continuously review and audit our security procedures around personal data to ensure our systems are robust and secure.

OpenApp Technology Solutions

OpenApp's platforms have the facility to support any consent model appropriate for a given organisation. As an experienced patient and rare disease registry vendor, we advise clients who are unsure whether their own consent is thorough enough on what a consent model needs to include to be GDPR compliant.

Each client has the autonomy to customise their consent system, whereby each user can consent to how their personal data will be used both within the system and by any third parties. This consent is collected when a new patient is entered into the system, ensuring that no one's data is stored without their explicit consent.

Dynamic consent forms add further layers of consent, where participants can:

  • consent with whom their personal data may be shared;
  • indicate if they wish to be contacted about different research studies or clinical trials;
  • indicate if they wish to be enrolled in additional research studies or clinical trials;
  • revoke consent.
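The time-stamped audit trail and the revocable, per-purpose consent described above lend themselves to a small append-only ledger. The example below is added for this article and is not OpenApp's code; the subject identifier, purpose names, form version and timestamps are all constructed. Each consent decision is stored as an immutable event, the current state of a purpose is derived by replaying events up to a point in time, and a gate function refuses processing when no valid consent exists.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One recorded consent decision. Events are never edited, only appended."""
    subject: str            # pseudonymous subject identifier
    purpose: str            # exactly what the subject opted into or out of
    granted: bool           # True = consent given, False = consent withdrawn
    recorded_at: datetime   # timezone-aware timestamp of the decision
    form_version: str       # wording of the consent form shown at the time
    recorded_by: str        # user who captured the decision


class ConsentLedger:
    """Append-only, time-ordered consent audit trail."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.recorded_at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        if self._events and event.recorded_at < self._events[-1].recorded_at:
            raise ValueError("events must be appended in chronological order")
        self._events.append(event)

    def status(self, subject: str, purpose: str,
               at: Optional[datetime] = None) -> bool:
        """Consent state for one purpose at a point in time (default: now).

        Replays the trail; the most recent decision at or before `at` wins,
        and the absence of any decision means no consent.
        """
        at = at or datetime.now(timezone.utc)
        state = False
        for e in self._events:
            if e.subject == subject and e.purpose == purpose and e.recorded_at <= at:
                state = e.granted
        return state

    def history(self, subject: str) -> List[ConsentEvent]:
        """Full audit trail for a subject, oldest first."""
        return [e for e in self._events if e.subject == subject]


def require_consent(ledger: ConsentLedger, subject: str, purpose: str) -> None:
    """Gate a processing step: raise if no valid consent is on record."""
    if not ledger.status(subject, purpose):
        raise PermissionError(f"no current consent from {subject} for {purpose}")


def build_sample_ledger() -> ConsentLedger:
    """Constructed scenario: two grants at enrolment, one later revocation."""
    ledger = ConsentLedger()
    t_enrol = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    t_revoke = datetime(2024, 6, 15, 14, 30, tzinfo=timezone.utc)
    ledger.record(ConsentEvent("subj-7f3a", "share_with_third_party", True,
                               t_enrol, "consent-form-v2", "nurse.a"))
    ledger.record(ConsentEvent("subj-7f3a", "contact_about_research", True,
                               t_enrol, "consent-form-v2", "nurse.a"))
    ledger.record(ConsentEvent("subj-7f3a", "contact_about_research", False,
                               t_revoke, "consent-form-v2", "subject.portal"))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for e in ledger.history("subj-7f3a"):
        print(e.recorded_at.isoformat(), e.purpose, "granted" if e.granted else "revoked")
    print("contact now:", ledger.status("subj-7f3a", "contact_about_research"))
```

Deriving state from the event history rather than overwriting a flag is what makes the trail answer the question GDPR actually asks: not only whether consent exists today, but what the subject had agreed to, under which form wording, at the time a given processing step took place.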

OpenApp takes on the Data Processor role and responsibilities. This means that OpenApp, as a company, processes data on behalf of a data controller (the client). We operate at the behest of the Data Controller, who has complete autonomy and control over the reasons and purposes behind data collection. The data controller also decides the means, method and choice of vendor for any data processing activities. For example, our solutions can anonymise personal data, ensuring that any data given to a researcher (a) is based on a client request and (b) does not contain any personally identifiable information, thus complying with GDPR.

Before we begin work on a system we complete a document called a "Data Processing Annex" outlining the data security measures that will be applied to personal data, including but not confined to organisational security, data hashing, data encryption, and disaster recovery and failover procedures. A copy of this document is signed and kept by both parties for transparency.


Conclusion

To conclude, OpenApp does not transfer any data captured within our solutions to any third party, unless the client specifically directs us to do so.

In other words, unlike other registry vendors, we do not retain any ownership or control over patient data. Our goal is to be as patient-centric as possible, advancing the vision and goals of the organisations with whom we work. Within OpenApp processes and procedures, data and data access are controlled by the Data Controller.

IQVIA (NYSE:IQV) is a leading global provider of advanced analytics, technology solutions and contract research services to the life sciences industry dedicated to delivering actionable insights. Learn more at www.iqvia.com.


Copyright © 2024

OpenApplications Consulting Ltd. Registered in Ireland No. 355595