Regardless of whether or not your company is based in the European Union (EU): if you hold or process the personal data of individuals who are in the EU (whatever their citizenship), you must comply with the General Data Protection Regulation (GDPR).
The regulation has applied in the EU since 25 May 2018 (and, since Brexit, continues to apply in the United Kingdom in retained form as the "UK GDPR"). It is aimed at strengthening both data privacy and data security, and gives data subjects more rights over how their data can be used. GDPR also restricts the transfer of personal data outside the EU and the wider European Economic Area (EEA).
Accordingly, if your digital health app and/or medical device collects personal data from individuals in the EU, you need to ensure GDPR compliance.
HIPAA (the Health Insurance Portability and Accountability Act, passed in the US in 1996) considerably predates GDPR, but GDPR has a much broader scope and wider legal implications. A business whose operations comply with HIPAA cannot assume that it also complies with GDPR, and the reverse is equally true. Security is at the core of both regulations, but there are distinct differences between them.
For example, HIPAA applies only to 'covered entities' (health care providers, health plans and health care clearinghouses) and to their 'business associates', such as IT providers or transcription services that handle PHI on their behalf.
Furthermore, HIPAA concerns only PHI (Protected Health Information): individually identifiable health information that is created, received, used or disclosed in the course of providing or paying for health care.
GDPR, by comparison, is not limited to health information: it covers any information that can be used to directly or indirectly identify a natural person in the EU. Health data is one of its 'special categories' of personal data, alongside, for example, political opinions, religious or philosophical beliefs, trade union membership and genetic or biometric data.
In addition, GDPR applies to every organisation holding or processing personal data, regardless of sector.
Health data is a 'special category' of personal data under GDPR, and Article 9 prohibits processing it unless one of the conditions in Article 9(2) applies. For a digital health app the usual condition is the data subject's explicit consent. The other conditions, such as protecting the vital interests of a data subject (or of another natural person) who is physically incapable of giving consent, or treatment carried out by or under the responsibility of a professional bound by secrecy, are narrow; they are exceptions, not standard business practice.
In contrast, HIPAA is less restrictive: it permits the use and disclosure of PHI without patient authorisation for treatment, payment and health care operations.
GDPR requires you to identify ALL data processing activities, not just disclosures; storage and transfer of data within your own organisation count as processing. A lawful basis (Article 6, plus an Article 9(2) condition for health data) must be established and documented for each and every activity, and Article 30 requires you to keep records of them.
HIPAA, along with most data privacy and security regulations, gives patients the right to receive copies of their own PHI held by the organisation. GDPR grants the equivalent right of access (Article 15) and goes a step further with the right to erasure, the 'right to be forgotten' (Article 17).
The timeframes for these procedures are explicit (HIPAA allows 30 days to respond to an access request, with one 30-day extension; GDPR allows one month for a data subject request, extendable by a further two months for complex cases), so they need to be addressed specifically in the system design in order to ensure compliance. This is only one element: system compliance requirements also extend to theft or misuse, intended or unintended disclosure or breach (GDPR requires notification of the supervisory authority within 72 hours of becoming aware of a reportable breach), and the erasure and disposal of records.
You must have procedures and mechanisms in place to receive and reliably manage these tasks, so that in the event of an erasure request (i.e. a request for the deletion of personal information) you can verify the identity of the requester, locate every copy of the information, including backups and copies held by your processors, and confirm that it has indeed been deleted and is no longer held anywhere in the system.
You also need to be able to manage related processes, for example providing an individual with a copy of the personal data you hold about them (in a portable format where Article 20 applies) and correcting that data at their request (Article 16), while recording and validating every change.
Under GDPR it is not enough simply to have the systems in place to meet the regulatory requirements: under the accountability principle (Article 5(2)) you must be able to demonstrate that you fulfil them, for example through documented policies, records of processing and audit trails.
GDPR also defines the roles of data controller (the organisation that decides why and how personal data is processed) and data processor (one that processes it on the controller's behalf), requires the appointment of a data protection officer (DPO) in many cases, including where core activities involve large-scale processing of health data (Article 37), and expects staff who handle personal data to be trained.
In addition, Article 35 of GDPR requires a data protection impact assessment (DPIA) wherever processing is likely to result in a high risk to individuals, which large-scale processing of health data generally is. The DPIA must cover all aspects of the collection, storage, processing and management of the personal data, including an assessment of the risks to data subjects and the measures taken to mitigate them, and it must be reviewed whenever the processing changes in a way that affects that risk.
By contrast, if you use a cloud supplier that is ISO 13485:2016 certified, many of the quality-system tasks are already taken care of: procedures for documenting changes, responding to issues, notifying you of updates and so on are already in place.
Through that certification the supplier demonstrates, to you and to your certification body, that its platform and quality management system are suitable for supporting a medical device.
Further, with a certified quality management system and many of the technical MDR and GDPR requirements already in place, using a regulated cloud supplier can typically reduce time to market for a new app by 6-9 months. Bear in mind, though, that under GDPR the supplier is your processor and you remain the controller: its certification covers the infrastructure it operates and the measures it applies there, but the lawful basis for processing, the DPIA and the handling of data subject requests stay with you, and Article 28 requires a written data processing agreement between you and the supplier.
Pseudonymization is a key strategy for protecting personal data under both HIPAA (where the related concept is 'de-identification') and GDPR, which names it explicitly as an appropriate safeguard (Articles 25 and 32).
GDPR defines pseudonymisation in Article 4(5) as "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person".
Note, however, that under GDPR pseudonymized data is still personal data, because the link back to the individual continues to exist (Recital 26); only data that has been genuinely anonymized, so that the individual can no longer be identified by any means reasonably likely to be used, falls outside the regulation. Pseudonymization is therefore a safeguard to be applied alongside, not instead of, other data protection measures. Further processing of the data for scientific research or statistical purposes is not automatically barred (Article 5(1)(b) treats it as compatible with the original purpose), but it must be covered by the Article 89 safeguards, pseudonymizing the data and anonymizing it wherever the purpose can be met that way, and it remains subject to your documented lawful basis for the health data.
Also important for GDPR compliance: the additional information that re-links pseudonyms to individuals (the key or lookup table) must be stored separately from the pseudonymized data and be subject to technical and organisational measures ensuring that the data cannot be attributed to an identified or identifiable person by anyone who does not legitimately hold that information.
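As an added example (not code from this article or from Extra Horizon), the following Python shows what the Article 4(5) definition looks like in practice, and also covers the access and erasure workflows discussed earlier: direct identifiers are replaced by a keyed pseudonym, and the key together with the pseudonym-to-identity table lives in a separate "vault" that whoever holds the dataset does not need. The vault class, the field names and the sample patients are assumptions made for the illustration.

```python
"""Pseudonymisation in the sense of GDPR Article 4(5), with the "additional
information" held apart from the dataset.  Added illustration, not code from
the original article or from Extra Horizon; field names, the vault design and
the sample patients are constructed for this example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample data: rows a consumer health app might hold.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"email": "anna@example.org", "name": "Anna Example", "postcode": "3500",
     "heart_rate": 72, "diagnosis": "hypertension"},
    {"email": "bram@example.org", "name": "Bram Voorbeeld", "postcode": "3500",
     "heart_rate": 64, "diagnosis": "none"},
    {"email": "Anna@Example.org", "name": "Anna Example", "postcode": "3500",
     "heart_rate": 78, "diagnosis": "hypertension"},
]

DIRECT_IDENTIFIERS = ("email", "name")   # removed from the dataset
STABLE_IDENTIFIER = "email"              # input to the keyed pseudonym


class IdentityVault:
    """The separately kept 'additional information': HMAC key + lookup table.

    In production this belongs in a different store with its own access
    policy (a different database or account from the pseudonymised records).
    Anyone holding only the dataset cannot re-identify a subject, and cannot
    even test a guessed e-mail address, because the hash is keyed.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key or secrets.token_bytes(32)
        self.lookup: Dict[str, Dict[str, str]] = {}   # pseudonym -> identifiers

    def pseudonym_for(self, identifiers: Dict[str, str]) -> str:
        canonical = identifiers[STABLE_IDENTIFIER].strip().lower()
        tag = hmac.new(self.key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()
        self.lookup.setdefault(tag, dict(identifiers))
        return tag

    def resolve(self, pseudonym: str) -> Optional[Dict[str, str]]:
        """Re-identification: only possible with access to this vault."""
        return self.lookup.get(pseudonym)

    def pseudonyms_of(self, email: str) -> List[str]:
        """Locate a data subject for an access or erasure request."""
        wanted = email.strip().lower()
        return [p for p, ids in self.lookup.items()
                if ids[STABLE_IDENTIFIER].strip().lower() == wanted]


def pseudonymise(records, vault: IdentityVault) -> List[Dict[str, object]]:
    """Replace direct identifiers with a pseudonym; keep the payload."""
    out = []
    for rec in records:
        ids = {k: str(rec[k]) for k in DIRECT_IDENTIFIERS}
        payload = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"subject": vault.pseudonym_for(ids), **payload})
    return out


def erase_subject(email: str, dataset, vault: IdentityVault) -> Tuple[List[Dict[str, object]], int]:
    """Right to erasure (Art. 17): drop every record of the subject, then the
    mapping.  Deleting only the mapping is not erasure: while the key exists,
    any surviving record can still be linked back to the e-mail address."""
    tags = set(vault.pseudonyms_of(email))
    kept = [r for r in dataset if r["subject"] not in tags]
    for t in tags:
        del vault.lookup[t]
    return kept, len(dataset) - len(kept)


def run_demo() -> Dict[str, object]:
    vault = IdentityVault()
    data = pseudonymise(SAMPLE_RECORDS, vault)
    # Same person, differently cased e-mail -> same pseudonym.
    same_subject = data[0]["subject"] == data[2]["subject"]
    no_direct_ids = all(k not in r for r in data for k in DIRECT_IDENTIFIERS)
    # A second vault (different key) yields an unlinkable pseudonym for the
    # same input, which is why the key must never sit next to the dataset.
    other = IdentityVault()
    unlinkable = other.pseudonym_for({"email": "anna@example.org", "name": "Anna Example"}) != data[0]["subject"]
    # Access request (Art. 15): find every record via the vault, not the data.
    anna_tags = set(vault.pseudonyms_of("anna@example.org"))
    anna_records = [r for r in data if r["subject"] in anna_tags]
    data, removed = erase_subject("anna@example.org", data, vault)
    return {
        "same_subject": same_subject,
        "no_direct_ids": no_direct_ids,
        "unlinkable_across_keys": unlinkable,
        "access_request_hits": len(anna_records),
        "erased": removed,
        "remaining": len(data),
        "still_resolvable": vault.resolve(anna_records[0]["subject"]) is not None,
    }


if __name__ == "__main__":
    print(run_demo())
```

Two design points worth noting. The pseudonym is an HMAC rather than a plain SHA-256 of the e-mail address, because an unkeyed hash of a low-entropy identifier can be reversed simply by hashing guessed addresses. And the output is pseudonymised, not anonymised: postcode and diagnosis survive as quasi-identifiers, so the dataset remains personal data under GDPR and still needs the other protections the article describes.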
ISO 27001:2017 is the international standard for information security management systems (ISMS) and, as such, provides an ideal framework for implementing the technical and organisational measures that GDPR (Article 32) requires for data security.
However, GDPR and ISO 27001:2017 are in no way interchangeable, and holding ISO 27001:2017 certification does not mean you comply with GDPR. GDPR is wider, and covers data privacy (lawfulness, purpose limitation, data subject rights) as well as data security.
Compliance with GDPR involves a great deal of complexity, encompassing both the health app or medical device itself and the infrastructure that supports it. If you are starting from a blank slate, such as an unregulated cloud platform, it can add months to the development timeline, diverting valuable resources.
Unlike most cloud infrastructure providers, Extra Horizon provides a medical back-end as a service, certified to ISO 27001:2017 (information security management system) and ISO 27701:2019 (privacy information management system), amongst others.
Extra Horizon relieves your organisation of much of the compliance burden by taking responsibility for protecting the infrastructure and systems that support your app. Using our regulated platform allows you to focus your attention and resources on your application, confident that the infrastructure layer is, and remains, GDPR compliant.
For more information, and to discuss any aspect of GDPR and the Extra Horizon cloud platform, contact us anytime.
© 2023 Extra Horizon, All rights reserved
Kempische Steenweg 303, 3500, Hasselt, BE