European healthcare systems are moving toward a value-based care model that requires healthcare providers to use a process-based approach to ensure accurate diagnosis and treatment. This transformation in care delivery is expected to enable providers to improve patient outcomes and reduce disparities in the treatment of diseases and conditions. It will also support healthcare providers by making it easier for them to deliver high-quality care while meeting financial goals, especially in an ecosystem that is going through reductions in reimbursement, budget shortfalls, and an overall restrictive regulatory environment.
To offer value-based healthcare, healthcare providers are actively involved in collecting, analysing, and integrating clinical information by working with patients, payers, vendors and healthcare authorities to manage healthcare information. Medical technology providers have a critical role to play in enabling value across the care continuum.
In Europe, the General Data Protection Regulation (GDPR) for data privacy and security is expected to have a major impact on the way health data is collected, accessed, analysed, stored, and shared across the healthcare ecosystem.
Collecting and Managing Healthcare Data in Compliance with EU GDPR
GDPR will replace the current European Data Protection Directive from 25 May 2018 onward and will apply to 28 Member States of the EU. Medical device and technology providers, biopharmaceutical companies, and healthcare service and infrastructure providers will have to comply with additional regulatory requirements, as health data is classified as sensitive personal information.
GDPR requires any health data collected and monitored, including biometric and genetic data, to be handled in line with strict regulatory guidelines, and this extends to the physical premises where healthcare information is stored and managed by healthcare organisations. All healthcare information that is collected and processed for the purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care or treatment, or management of health or social care systems and services will need active consent from the patient. The patient has full sovereignty to revoke that consent at any time by exercising the ‘Right to Be Forgotten’, and healthcare organisations will then have to delete the information from their data storage and also potentially stop the data being processed by the third parties associated with them.
The reform also mandates the appointment of a competent data protection officer by healthcare organisations involved in data processing activities that require regular and systematic monitoring of patients on a large scale. This has a direct impact on the stakeholders involved in population health management, chronic disease management initiatives, or even remote monitoring as part of follow-up care after discharge from a hospital, as it will become more difficult not only to access patient history on a continuous basis but also to perform data analytics for clinical decision making.
The Key Performance Indicators for Hospital CIOs to Meet the Challenges of GDPR
In the future, hospitals will need to implement data protection frameworks as part of their data processing systems and databases. Furthermore, it will be important to put data protection contracts in place with third parties that collect, control and process information, such as medical technology companies and healthcare infrastructure providers. In addition, all data processors and controllers will be required to maintain a log of their processing activities, and it will be critical to ingrain this into the organisational culture. All hospitals engaging in large-scale monitoring of patients are mandated to perform a prior assessment of the associated risks and file a Data Protection Impact Assessment (DPIA). A major area where hospitals will need to develop a strict framework is the use of data for secondary purposes and processing by third parties, as it is highly vulnerable to data breaches. Lastly, in the unlikely event of a data breach, hospitals will have to report it immediately, not only to the data protection authorities but also to the individuals who are likely to be directly affected.
To meet the aforementioned requirements of the regulation, hospitals will have to build GDPR mapping criteria into their compliance management dashboards. They will need to invest in managed security solutions for data encryption, assured privacy, threat detection, and response management. In addition, data management solutions, such as clinical coding, case management, document management and business process automation solutions, will also add value to the hospital’s effort to ensure GDPR compliance.
Conclusion: Data Management for Improved Outcomes
To conclude, the saying ‘prevention is better than cure’ applies to healthcare data management, as any deviation from the proposed protocol will make hospitals and healthcare providers liable to a maximum fine of €20 million or 4% of the global annual turnover of the business, whichever is greater.
However, GDPR compliance need not be seen as affecting only the financial goals of hospitals. Hospitals can take this opportunity to design and implement an effective data management strategy, move toward value-based care, and strike an effective balance between clinical outcomes and business objectives.
For further information on medical device and healthcare connectivity in compliance with the European Union Medical Device Regulation (MDR) and GDPR, please look at our latest research study.