Laws such as the Federal Data Protection Act and the Criminal Code make it unmistakably clear that data protection is particularly important in the case of medical data.
In this article, you can read why medical data requires special protection, what the special features of medical data protection are, and which data protection laws must be observed.

1. Data protection: Who is interested in your medical data
Collecting, processing, and storing sensitive medical data carries significant risks, above all the loss of control over who gets to see your data:
- Employers: Certain medical data in an employer's possession can abruptly end a recruitment process or a career.
- Insurance companies: If you withhold known medical information from your insurer, your coverage may be voided, or you may be refused coverage altogether. Fundamental life risks then remain uncovered, or can only be covered at a high price. This affects not only you but possibly also your children.
- Partner: That genetic data is relevant in paternity suits should be nothing new.
- Yourself: Most people who return from a trip to the Caribbean with an STD understandably prefer not to disclose it publicly. Their informational self-determination is at stake.
- Attackers have also recognized the sensitivity of medical data and extort health insurers or hospitals with the records they have exfiltrated.
Other examples of data privacy violations:
- Michael Schumacher’s medical records were stolen.
- Deutsche Bahn illegally kept medical records.
- Employees illegally read medical records in the Tugce case.
- The English NHS lost 8 million patient records.
2. Special features of medical data
2.1. It is not always possible to decide on your own
Unlike other sensitive data, for some medical data you cannot decide on your own whether to grant third parties access, or which third parties: if you disclose your genetic data, you also disclose information about your relatives, with or against their will, because you share much of your genetic makeup with them.
2.2. Some people do not want to know the data
Conversely, the data subject may prefer not to know the medical details themselves:
- Psychological burden: You would have to cope with the diagnoses, which are not necessarily good ones. Knowing, for example, that you have a high probability of developing Alzheimer's can be a heavy burden, and the enjoyment of life until the onset of the disease (which may never occur) can suffer dramatically.
- Medical consequences: Some diagnoses may lead to unnecessary, expensive, and dangerous examinations and, in the worst case, therapies. This is a further burden.
Of course, some risks do not affect the individual but society: what happens if people choose partners or adopt children based on genetic data sets? My own genetic data set, for example, supposedly allows conclusions to be drawn not only about eye color…
2.3. Data protection can jeopardize safety
In one hospital, nurses were denied access to patients' medication prescriptions on data protection grounds. The night-shift staff therefore could not detect a medication error when checking these prescriptions, and one patient died.
Security (in the sense of data protection and IT security) and safety (in the sense of patient safety) can thus be conflicting protection goals.
2.4. Data protection can slow down progress
Data protection should not deny us the opportunity to learn from medical data in order to make early diagnoses or to identify drugs and treatment procedures that must be chosen specifically for a genetic disposition. Anyone suffering from an incurable disease will understand how important this is.
This progress will only succeed if we have many data sets that are as complete as possible, and we will only achieve that if as many people as possible are willing to make their data available. We also need systems, processes, and standards to combine this data while ensuring the best possible protection. This is not a trivial matter, because genetic data is notoriously hard to anonymize: the data itself identifies the person and their relatives.
Read more about pseudonymization and anonymization of data.
3. Regulatory requirements for data protection
3.1. Overview of data protection laws
A large number of complementary but also partly contradictory (more precisely, overriding) data protection regulations must be observed:
- At EU level
- European Charter of Fundamental Rights
- The EU GDPR has been in force since May 2018. It replaced the Data Protection Directive 95/46/EC, which only took effect through transposition into national law. Generally, an EU regulation does not allow member states to weaken or tighten its requirements; the GDPR, however, contains opening clauses that do exactly that.
- At the federal level
- Federal Data Protection Act, the German Bundesdatenschutzgesetz (BDSG), which applies to private bodies (individuals and businesses) and to federal authorities. It supplements and concretizes the GDPR.
- Social Security Code – Sozialgesetzbuch (SGB)- in particular Book 10.
- IT Security Act (IT-Sicherheitsgesetz) and the associated ordinance (data protection, via confidentiality, is one of the protection goals addressed by IT security).
- Criminal Code § 203 StGB, which also addresses medical data.
- Digital Health Applications Ordinance – Digitale Gesundheitsanwendungen-Verordnung (DiGAV) – in particular § 4 and Annex 1.
- Guidelines of the German Federal Office for Information Security – Bundesamt für Sicherheit in der Informationstechnik (BSI) – presented in the article on data security and data protection for DiGA.
- Infection Protection Act
- Data protection laws of the church (interesting that this parallel world exists, isn’t it?)
- E.g., laws for institutions of the protestant and catholic church
- At the state level, the state data protection laws
- for public administration in the state and in municipalities
- State hospital laws
- State registration laws, state administrative laws, …
- Other “special laws” that take precedence over the General Laws
- German Telemedia Act (Telemediengesetz, TMG)
- Telecommunications Act (Telekommunikationsgesetz, TKG)
- Health Data Protection, Vaccination Act
- Higher Education Act
- Police Act, Passport Act, Identity Card Act, Residence Act
In contrast to the rest of the legal system, where "what is not prohibited is permitted", data protection follows the opposite rule: only what is explicitly permitted is permitted (a prohibition subject to permission).
Read more about the General Data Protection Regulation (GDPR) and its impact on medical devices. Manufacturers of digital health applications should read the article on data security and data protection for DIGA. There, further standards and guidelines are listed, which are not only mandatory for these manufacturers.
3.2. Content of data protection laws
In terms of content, these laws mainly deal with the following:
- Lawfulness of data processing (compliance with the legal basis, necessity of consent, etc.)
- The principle of purpose limitation and the guarantee of the rights of data subjects, e.g., the prohibition of profiling, the prohibition of collecting data "in stock" for unspecified future use, and the prohibition of automated individual decision-making
- The principle of necessity, i.e., data avoidance and data economy (data minimization)
- The principle of transparency
- The principle of clear responsibilities
- Principle of control
- Use of pseudonymized or anonymized data
- Obligation to protect the data
- Data portability and the right to receive one’s data (now also the subject of EU regulation)
- Right to erasure of data (now also subject to EU regulation).
The most important law in Germany is the Federal Data Protection Act – Bundesdatenschutzgesetz (BDSG). It follows the principle of data economy and data avoidance: personal data is to be anonymized or pseudonymized as far as this is possible given the purpose of use and does not require effort disproportionate to the intended protective purpose.
The BDSG in principle prohibits the collection, processing, and use of personal data. Exceptions are only permitted if either another legal provision allows or requires the processing or the data subject has consented.
Often, the only sensible and legally sound approach is to explicitly ask the data subjects (e.g., patients, customers) for consent.
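The pseudonymization requirement above, and the remark in section 2.4 that anonymizing medical data is hard, are easy to get wrong in practice. The following Python is an added example, not code from the original article or any of the bodies it cites. It shows why an unkeyed hash of a patient identifier is not a usable pseudonym (the identifier space is small enough to enumerate), and a keyed HMAC pseudonym that only the key holder can reverse, which is exactly why pseudonymized data is still personal data under Art. 4(5) GDPR. The identifier scheme "P" plus four digits and the sample records are constructed for illustration and do not correspond to any real numbering scheme.

```python
"""Added example: pseudonymizing patient identifiers.

Shows (1) why an unkeyed hash of a low-entropy identifier is NOT a usable
pseudonym, and (2) a keyed HMAC pseudonym whose mapping can only be rebuilt
by whoever holds the key. The identifier scheme "P" + 4 digits and the
records below are constructed for illustration, not a real scheme.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

ID_SPACE = 10_000  # constructed scheme: "P0000" .. "P9999"

# Constructed sample records (no real patients; ICD-like codes are arbitrary)
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"patient_id": "P0042", "diagnosis": "E11.9"},
    {"patient_id": "P1337", "diagnosis": "G30.9"},
    {"patient_id": "P9001", "diagnosis": "A54.0"},
]


def naive_pseudonym(patient_id: str) -> str:
    """Unkeyed SHA-256. Looks opaque, but anyone can recompute it."""
    return hashlib.sha256(patient_id.encode("utf-8")).hexdigest()


def reidentify_naive(pseudonym: str) -> Optional[str]:
    """Attacker WITHOUT any secret: enumerate the whole identifier space and
    compare hashes. For 10,000 candidates this is instantaneous; a real
    insurance-number scheme is larger but still only billions of hashes."""
    for n in range(ID_SPACE):
        candidate = f"P{n:04d}"
        if naive_pseudonym(candidate) == pseudonym:
            return candidate
    return None


def generate_pseudonymization_key() -> bytes:
    """256-bit secret held only by the trusted party (e.g. a trust centre)
    and stored separately from the pseudonymized data set."""
    return secrets.token_bytes(32)


def keyed_pseudonym(patient_id: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: without the key, enumeration does not work."""
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_records(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace the direct identifier by its keyed pseudonym and drop it;
    the medical payload is kept unchanged."""
    out = []
    for rec in records:
        pseudonymized = {k: v for k, v in rec.items() if k != "patient_id"}
        pseudonymized["pseudonym"] = keyed_pseudonym(rec["patient_id"], key)
        out.append(pseudonymized)
    return out


def reidentify_with_key(pseudonym: str, key: bytes) -> Optional[str]:
    """The key holder CAN reverse the mapping by recomputation. That is the
    defining property of pseudonymization (Art. 4(5) GDPR): the data remains
    personal data as long as the key exists. Anonymization would require that
    nobody, not even the key holder, can do this."""
    for n in range(ID_SPACE):
        candidate = f"P{n:04d}"
        if hmac.compare_digest(keyed_pseudonym(candidate, key), pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    key = generate_pseudonymization_key()
    naive = naive_pseudonym("P0042")
    print("unkeyed hash re-identified without any secret:", reidentify_naive(naive))
    keyed = keyed_pseudonym("P0042", key)
    print("keyed pseudonym re-identified without key:", reidentify_naive(keyed))
    print("keyed pseudonym re-identified by key holder:", reidentify_with_key(keyed, key))
    print(pseudonymize_records(SAMPLE_RECORDS, key))
```

The practical consequences for a health-data system follow directly from the two re-identification functions: the pseudonymization key must live with a separate, trusted party (not alongside the pseudonymized data set), and a data set that can be reversed this way must still be handled as personal data; only destroying the key, together with removing other identifying attributes, moves it towards anonymization.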
3.3. Further regulations and publications on data protection
For doctor’s offices:
- "Recommendations on Medical Confidentiality, Data Protection and Data Processing in Medical Practice" by the German Medical Association – Bundesärztekammer (BÄK) – of April 2014.
- New version of the Technical Annex from 2008, also from the BÄK.
For hospitals
- "Orientierungshilfe Krankenhausinformationssysteme," published by the Conference of Federal and State Data Protection Officers (first published in 2011, revised in 2014). This publication requires hospitals to bring their administrative IT up to the current threat situation and to implement data-protection-compliant access rules technically.
For the healthcare industry in general
- “Kommentierter Muster-ADV-Vertrag für die Gesundheitswirtschaft” [Annotated model contract for the healthcare industry] of January 28, 2015, published by a working group in which the “Gesellschaft für Datenschutz und Datensicherheit (GDD)” [Society for Data Protection and Security] and the “Berufsverband der Datenschutzbeauftragten Deutschlands (BvD)” [Professional Association of Data Protection Officers in Germany] were involved, among others. It is intended to help meet the requirements of Section 11 BDSG for the particular case of sensitive medical data.
Industry-independent specifications and best practices
- The ISO 27000 family of standards describes the requirements for information security management, including data protection as one of the protection goals.
- The same applies to the IT-Grundschutz catalogues of the German Federal Office for Information Security – Bundesamt für Sicherheit in der Informationstechnik (BSI).
For medical device manufacturers
In contrast to hospitals and doctors' practices, data protection laws affect medical device manufacturers only indirectly: manufacturers must develop systems that allow operators to work in a privacy-compliant manner. For some apps, however, manufacturers themselves become operators. The following regulatory requirements affect medical device manufacturers:
- The MDR requires data protection compliance for clinical investigations, among other things.
- ISO 13485:2016 requires manufacturers to ensure the confidentiality of health information and implement the necessary methods.
- ISO 13485:2016 also requires manufacturers to comply with all regulatory requirements (not only) for data protection.
The data protection commissioners of the federal states are considering demanding compliance with the GDPR not only from the organizations that process personal data, but also from the manufacturers that develop the systems used for it. Read about this in "Focus Topic 4" starting on page 15 of the field report of the independent data protection supervisory authorities of the federal and state governments [Erfahrungsbericht der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder].
4. News
Online articles
- GMDS on data security and data protection in healthcare information systems
- Drastic fines for data protection violations (also by hospitals)