Advances in technology have brought forth internet-enabled medical devices that can help with everything from patient monitoring to the collection and use of statistical data. This helps to improve medical care across the globe and advances the medical knowledge of health professionals. The use of these devices provides many financial and efficiency benefits for healthcare providers, as well as helping to improve patient safety. For these devices to be successful, it is necessary to collect and process the personal data of individuals.
The concern for businesses and organizations that process the personal health information of individuals in the European Union is that they need to ensure they comply with the requirements of the EU's General Data Protection Regulation (GDPR), which became enforceable on May 25, 2018. While most of the GDPR's impact falls on the back end (medical device data management, databases, and the transfer of medical data), the medical device itself now also needs to be configured to protect patient data.
GDPR applies to all types of health-related data. This includes:
- Information gathered when registering for any form of medical treatment.
- Unique identifiers assigned to individuals, such as hospital admission numbers.
- Any results of medical examinations and tests.
- Any information regarding an individual's health condition or treatment.
If practitioners use the device, they need a way to record that the patient understands and consents to the processing of the data the device generates about them. Essentially, whoever determines how the data is processed on behalf of the patient is the Controller; if the Controller subcontracts processing to another service provider, that provider is the Processor. Processing that takes place on medical devices is covered by GDPR whenever the data subject is in the EU, whether as a resident or as a visitor. This is especially important for personal data that directly relates to health, since GDPR treats it as a special category of data whose processing is considered high risk.
Rights granted to data subjects under GDPR include:
- The right to be informed about what processing of their data will take place
- The right to access and review the data being used to make decisions about them
- The right to erasure (the right to be forgotten) once the purpose of the processing has been fulfilled
- The right to data portability, where the service provider must provide the data subject with their data in a structured, commonly used, machine-readable electronic format