I recently sat down with Peter Blenkinsop, a Partner at DrinkerBiddle, an expert on data privacy and one of the panelists at our upcoming GMTCC Conference (Amsterdam, May 3-4), to get his take on the biggest privacy law challenges currently facing Medtech companies.
Peter pointed to two trends that are changing the Medtech sector and provided insight on how privacy and data protection laws may impact those trends:
Trend #1: Rapid growth of consumer generated and controlled health and wellness data
Consumers now have an ever-increasing number of options for tracking their health and wellness between visits to the doctor. Mobile apps that enable consumers to monitor and manage their health are extremely popular. These apps allow consumers to track, share and utilize insights from data in a variety of ways and can be integrated with other systems including medical devices and electronic health records.
This has resulted in an explosion of consumer health data that could be put to many beneficial uses. For example, researchers could harness this data collection for a particular person and ‘go back in time’ after a patient experiences a serious medical event to better understand what signals were present that may have foreshadowed the event. They could then leverage those learnings to alert similar individuals in the future who exhibited the same signs, perhaps averting a medical emergency. The accessibility of such data to researchers in the first place hinges on one thing: trust. If consumers don’t trust app and device makers to use their data appropriately, then they won’t share it.
Trend #2: Increasing demand for health outcomes and cost-effectiveness information
Now, more than ever, payers want real-world evidence of the value of medical technologies they have agreed to cover. This requires the collection of data on comparative health outcomes of different treatment choices and analysis of the overall costs of each option. Public health care systems and private insurers have vast quantities of insurance claims data that can be used to conduct such analyses. Such ‘secondary use’ of health information triggers data privacy requirements and raises questions such as: When is patient consent necessary to re-use health information for a secondary purpose and, where consent is deemed necessary, how should such consent be obtained?
Peter commented that navigating privacy requirements in this evolving landscape can be particularly complex. For example, in the United States, the Health Insurance Portability and Accountability Act (HIPAA) covers the collection and use of health information by health care providers and health insurers. Therefore, health information collected by medical devices in a hospital setting, for example, is likely to be covered by HIPAA. In contrast, health information input by a consumer into a mobile app offered by a software company is unlikely to be covered by HIPAA, although other laws would apply. Whether HIPAA applies versus other laws has implications for who owns the data generated by a medical device and whether the consent of the patient is needed before using the data for research, quality improvement, and other secondary purposes.
In Europe, the situation is very different. Omnibus data protection laws treat all identifiable information as protected data, endow data subjects with a number of rights with respect to the data, and require companies collecting personal data to implement a variety of privacy enhancing measures. These types of laws are rapidly spreading around the world, with the European Union at the forefront. Under these laws, health data, in particular, is considered a sensitive category of data requiring more stringent controls.
Peter pointed to the new EU General Data Protection Regulation (GDPR), which will take effect in May 2018, as one of several new laws that is particularly occupying the attention of Medtech privacy professionals at the moment. On the issue of consent, for example, the GDPR says that if processing of personal data is made a condition of a service but is not actually necessary for that service, consent might not be “freely given” and valid in that context. So, if you offer a mobile app and want to use collected data for a secondary purpose (e.g., quality improvement), you might not be able to bundle the primary and secondary data uses into a single consent. This could make it harder for companies to use data for secondary purposes. This is one of many questions that Medtech privacy professionals are seeking answers to as they prepare for the GDPR implementation date.
Interested in learning more about data privacy and what it means for medtech?
- We’ve structured a special discussion at GMTCC (Amsterdam, May 4) among leading European and US industry and legal experts on these and other privacy issues. I hope you will join us there!
- Also, Peter has agreed further tee up these some of the above issues in blog posts in the next few weeks, in advance of the GMTCC Conference. Stay tuned for more!
This blog is part of the GMTCC 2017 blog series. You can follow the conversation under #GMTCC and find more details and at gmtcc.com.