Digital transformation is progressing in the health care sector, with electronic patient files, health apps, mobile health wearables, connected medical devices and even remote emergency doctors. Digital transformation generates large volumes of data, which offer a wide range of opportunities for research and innovation. When it comes to patient data, these opportunities may clash with the requirements under applicable data protection laws, particularly consent requirements. However, consent as legal basis is administratively burdensome, costly and unreliable, as it can be refused or subsequently revoked by the patient.
Are there any ways out of this dilemma? Legislators are working on legal approaches, while governments are supporting the development of technical approaches to address this unsatisfactory obstacle to innovation and research. Some examples from the EU and Germany are discussed below.
Remote emergency doctors in Bavaria
To provide emergency patient care, ambulances and paramedics are equipped with technology allowing remote emergency doctors to access medical devices in the field and communicate with the paramedics and patients via video and audio. Large volumes of emergency care data are available through the use of this technology. The Bavarian Emergency Medical Services Act provides the legal framework for telemedicine emergency care and enables public and nonpublic bodies, organizations and companies to access anonymized, emergency-related patient data and process it for further purposes, such as research and innovation.
The act requires, among other things, patient data relating to emergency cases collected during treatment in the field, ambulance on the way to the hospital and the hospital to be stored in an emergency register. The emergency register is operated by a third-party scientific service as a "data trustee." The parties involved in emergency care, particularly the remote emergency doctor services and the hospital, must pseudonymize the patient data before its transmission into the emergency register. The data trustee then takes further steps to anonymize it by removing potentially identifiable features and replacing the case ID with a newly generated, nontraceable ID.
The approach of the act is simple in theory: If patient data is anonymized within the meaning of the EU General Data Protection Regulation, the GDPR does not apply and the anonymized patient data can be used for research and innovation, and the heated discussion as to what qualifies as "scientific research" or "reasons of public interest in the area of public health" according to Article 9 (a)(i)(j) of the GDPR is irrelevant. However, it must be anticipated the Court of Justice of the European Union will at some point be required to assess whether this approach for achieving anonymized patient data complies with the GDPR and, in particular, if it in fact results in anonymized data in all cases. Using a data trustee as a middleman to strip off any identifiers from a data set will certainly not result in an anonymized data set by itself.
The planned European Health Data Space
Based on the European Commission's current proposal, the European Health Data Space will, among other things, enable EU patients to make their electronic health data accessible to health care professionals across borders within the EU. Having all such electronic patient data digitally accessible shall open the door to further usages, particularly for research and innovation like training and testing algorithms in medical devices, AI systems and digital health applications. Researchers and industry members, also from third countries, will have a right to request access to such patient data.
Access must be requested from a national authority in an EU Member State and is subject to strict conditions, in particular, the requirement to make the results of the further processing publicly available. If access is approved, the organization currently holding the requested patient data, such as a health care institution, research institution, or pharmaceutical or medical device company, is obliged to release the data to the national authority. The authority will then provide the patient data to the requesting organization, the so-called data user, in anonymized form unless the purpose requires pseudonymized data. If the purpose of further processing cannot be achieved with anonymized patient data, the national authority may approve access to the patient data in pseudonymized form. The authority will then act as a data trustee to ensure access to the information necessary to reverse the pseudonymization stays with the authority, thereby preventing the data user from reidentifying the patient.
Even though the draft regulation for the EHDS is supposed to be in line with the GDPR, it is currently unclear on what legal basis the organization currently holding requested patient data – the so-called data holder — may release the patient data to the national authority and the subsequent data user, and on what legal basis the data users may subsequently process any pseudonymized patient data for research and innovation.
The draft merely obliges data users to prove compliance with GDPR Article 6 but does not refer to Article 9. Thus, it is unclear on what legal basis research and innovation can be pursued with pseudonymized patient data within the framework of the EHDS. Medical and pharma companies are also concerned about the potential requirement to share data with third parties as part of the EHDS, as this may negatively impact innovation and investment in research. The current proposal for the EHDS will certainly be subject to significant changes as heated political discussions on EU level are expected.
The intended health data use law
Germany planned a Health Data Use Act to accelerate the expected paradigm shift through the EHDS for research and innovation, as the EHDS adoption will likely take until 2025. The intended Health Data Use Act is expected to regulate easy and uncomplicated research using the electronic patient file. To maintain the trust of patients, patient data for research purposes will be made available exclusively in a secure processing environment through a newly established research data center. Everyone will have the right to request access to electronic patient data for certain predefined purposes, such as medical innovation, product safety or health reporting. Similar to the EHDS, access to patient data under the intended Heath Data Use Act will be conditioned upon the requirement to publish the research results. A draft bill for the Health Data Act is expected in 2023.
Funding guidelines for research and development of procedures for anonymizing personal data
Turning personal data into anonymized data is still a mystery. Despite guidelines from the Article 29 Working Party, companies and organizations are struggling to anonymize personal data, and uncertainty remains.
The German Federal Ministry of Education and Research decided to fund research projects to develop technologies, procedures and methods for the anonymization of personal data. The German government states, as a result of the digital transformation, data is accumulating everywhere, and its potential should be used in the best possible way. However, given the tension between such potential and data protection compliance, especially in the health sector, organizations are uncertain whether and how they can process patient data for secondary research purposes in compliance with applicable data protection laws. If these research projects actually find a way to anonymize patient data so data protection authorities and courts also confirm the status of anonymization, the potential for research and innovation in the health care sector would drastically change.
Conclusion
Lawmakers have acknowledged steps to better exploit the potential of patient data for research and innovation must be taken. However, it is still unclear how the legislative initiatives are aligned with the overarching principles and requirements of the GDPR. What is the legal basis under Article 9 GDPR for processing pseudonymized patient data for research and innovation? What is required to qualify patient data as anonymized patient data? Is a data trustee solution combined with the removal of direct identifiers sufficient for anonymization? Ideas are emerging, but there is still a long way to go before organizations have certainty on how to do research and innovation without consent.