European legislation has increasingly become a facilitator to innovation by supporting the dynamics of change while providing full protection and legal and ethical certainty. This is achieved in synergy with other enablers including standardisation clinical governance and through fostering security and quality cultures under an integrated framework of trust that is enforced and protected by law.
When an eHealth solution is the primary vehicle for delivery of care, then the legal and ethical issues are wide and will arise not only in terms of privacy and data protection, but also in terms of complying with competition rules and meeting safety and quality requirements to mention but a few.
ICT technical specifications are not developed by European or international standardisation organisations, or by national standardisation bodies. They do not fall under any of the categories of standards and approvals laid down in the EU’s public procurement legislation. To provide for the possibility that tenders for public procurement could refer to such ICT technical specifications, the Regulation lays down a procedure for the identification of selected ICT technical specifications eligible for referencing. These specifications are produced openly, meeting specific requirements on both the ICT specifications and the process of their development, set by the Regulation.
Public authorities can therefore make use of the full range of specifications when buying IT hardware, software and services. This, in turn, creates more competition in the field, reducing the risk of lock-in to proprietary systems. Through an Implementing Decision, the European Commission has identified 27 IHE profile as such suitable ICT interoperability specifications that healthcare providers can reference in public procurement, hence operationalising a major legal enabler for standards-based procurement by healthcare providers.
The GDPR requires that all processing of data has a legal basis and that appropriate safeguards are in place. The high financial and reputational cost of being in breach of the GDPR is a worry to hospitals. The use of health data (for example, in EHRs) for direct patient care and internal quality monitoring is less of a problem to most health care providers. Cross-border care transfers are sometimes seen as a cause for concern, but if the transfer is within Europe and the purpose is to support safe continuity to a hospital’s patient receiving care whilst abroad, the legal basis should be the same as for a hospital’s internal data use for direct care.
Beyond using data for the provision of care, European health care providers are concerned about how the GDPR will impact on population-based uses they make of their data, especially for research and for participating in regional or national quality improvement programmes. The lack of national or local guidance about the interpretation of how to comply with the GDPR for making data available for research adds to uncertainty in many countries today, which will hopefully lessen as countries update their national data protection laws.
As a starting point, every European hospital will have appointed a Data Protection Officer who should be able to develop a suitable GDPR compliance strategy. The incorporation of a Data Protection Officer is obligatory as of May 2018, for organizations that have, among their main activities, to process a large amount of sensitive data. The Data Protection Officer should have autonomy in carrying out their duties.
It is important to recognise that there are legal bases that are applicable to scientific research conducted on personal data. These also cover special categories of data, under which most health data falls. Safeguards such as pseudonymisation can be used, provided that one remembers that pseudonymised data are still personal and have to be kept securely and only used for legally acceptable purposes (such as research). Although it is not always easily to anonymise clinical data whilst retaining its research usefulness, this method can render the data non-personal and not within scope of the GDPR. Good anonymisation practices can be applied to data before it is used for research.
Hospitals should therefore not see the GDPR as an obstruction to making better use of their health data, for learning and for research. However, they should take legal advice to ensure that are adopting and complying with the right legal basis, and ICT security advice on how to safeguard the data being used for research.