Does the GDPR Apply to Medical Devices?

The EU General Data Protection Regulation (GDPR) has been in effect since May 25, 2018. All companies that provide healthcare services to EU nationals, and those that market services to EU nationals that involve the collection and processing of personal information, need to comply with the GDPR. GDPR also applies to medical devices as medical devices can gather a variety of personal data which is regarded as ‘high risk’ under GDPR.

The aspects of GDPR that apply to medical devices are:

Obtaining Consent

Before using medical devices, the data subject’s consent must be obtained. Explicit consent should be obtained, meaning the data subject should freely give specific, well-informed consent with a clear affirmative response. If using a consent form, information should be written using clear and plain language so that it can be easily understood. The data subject should know what data will be gathered, and how the data will be utilized, and the categories of person with whom the data will be shared. (See GDPR Article 7)

‘Special category’ personal data, including biometric data, health data and genetic data, are not to be obtained or processed if explicit consent has not been obtained. Special category data can only be processed in the circumstances detailed in GDPR Article 9.

Conducting a Data Protection Impact Assessment

Using new technologies for processing personal data demands conducting a Data Protection Impact Assessment (DPIA), which is likewise required when processing special category data.

The DPIA should include a description of the processing, the reason for processing, an analysis of the need to process data, and proportionality of the processing operations with regards to the purpose, an evaluation of the risks to the data subjects’ rights and freedoms, and the actions that deal with those risks, such as the security controls and safety mechanisms to guarantee the privacy of patients. (See GDPR Article 35)

Securing Personal Data

Any personal information collected or processed should be protected. Suitable technological and physical measures should be employed to provide a level of protection suitable to the risk level. Just like HIPAA, healthcare providers need to ensure the confidentiality, availability and integrity of personal information. In case of an emergency or technical problem, the healthcare company should be able to restore personal data.

Routine testing, assessment, and evaluation of the effectiveness of security controls are necessary. Any person who is given access to personal data should be trained on GDPR requirements and made aware that they are forbidden to process data unless instructed to do so by the data controller.

Encryption of personal information at rest and in transit is necessary, except if the data is protected by pseudonymization or the data is de-identified. GDPR Article 32 covers the safety of processing data.

Patients Requests for Copies of their Personal Data
Data subjects have the right to access their personal information (Article 15) and be provided with the reason for data processing, the types of information collected and processed, the entities with whom the data is shared, and for how long their personal data will be retained.

Data subjects possess the right to data portability, meaning that upon request, the data should be provided in a common digital format. (See GDPR Article 20)

Data subjects may also exercise their right to be forgotten (Article 17) meaning that all their personal data must be erased, or request all data processing is stopped. (Article 19)

Data Breach Notifications

In case of a breach, notifications must be issued to the supervisory authority within 72 hours of the discovery of the breach. The notice should include the nature of the breach, the types of information likely compromised, the contact details of the data protection officer, the probable outcomes of the breach, and the steps being taken to deal with the breach. (See GDPR Article 33) Article 34 details personal breach notification requirements. These need to be issued without undue delay, but only if the incident is likely to cause a high risk to victims’ rights and freedoms.

Does HIPAA Compliant Mean GDPR Compliant?

Luckily for U.S. healthcare companies, a lot of the requirements of GDPR will already be satisfied if when the organization is HIPAA compliant. But, being HIPAA compliant does not ensure compliance with the GDPR. HIPAA-covered entities should perform an thorough assessment of their policies and procedures to make sure they match GDPR requirements.