“Complex data privacy regulations lead companies to be either too careful, or break regulations”
Getting data privacy and security regulations right is essential for all digital health applications. Complex regulations, unexpected pitfalls, and extensive bureaucracy have forced many digital health products and initiatives to pause. But ultimately, high data privacy and security standards are essential to reach high acceptance not only by payers and regulators but most importantly also by patients.
You advise startups and corporates working on data privacy and security in healthcare for many years. What are the biggest pitfalls in compliance when building a digital health product?
There really are too many challenges to name them all. It depends on where and how you plan to operate your product or service. But they all have these three initial questions in common:
“What can I do with health data?”, “Am I compliant enough?” and “Can I use provider/solution XYZ for my app?”.
We see both large and small companies struggling with fragmented and fast-evolving regulations and seeking guidance. This insecurity is a big issue: Companies tend to be either too careful and not reach their full potential, or do the wrong things and break compliance regulations.
The fall of the EU-US Privacy Shield in July 2020 has led to strong uncertainty among digital health providers. What must organizations do to ensure they stay compliant?
The safest choice for all healthcare stakeholders is to avoid relying on providers outside the EU. The Adequacy Decisions, which determine if a non-EU country has an adequate level of data protection, or methods like Standard Contractual Clauses, are not reliable contractual bases for building businesses in healthcare.
In 2020 we all learned that simply storing data in the EU is not sufficient anymore. Regulators now take into account the fact that a parent company from abroad can still access the data (e.g. to comply with national laws such as the US CLOUD Act).
Does this mean technology handling this data cannot be from the US?
Unfortunately, the answer is “it depends”. Factors can be the reimbursement scheme a company is targeting, specific regulations that services and products need to comply with, and the type of customers a business is targeting. Currently, it’s definitely not recommended to use a non-EU provider, and we are not sure when this is going to be solved or improved.
In addition, since there is a lot of misinformation on the topic, many healthcare stakeholders are adopting the safest approach, requiring their technology providers to deal only with EU providers, and in extreme cases to keep the data in a specific country (even though this is slowly disappearing).
As large cloud providers are mostly US-based, this is a real problem for companies, especially fast-scaling startups. However, for specific needs, there are great EU-based tech solutions, such as ours for compliant data storage or Thryve, which provides a compliant solution for data from wearables.
Digital Therapeutics in Germany must comply with a special set of rules to be listed for universal reimbursement. In November BfArM issued new guidance regarding data privacy and security. Does this provide more clarity for DiGA’s working with health-related data?
Yes, it clarifies that developers can’t use a US cloud provider to process health data. Note that processing means any form of collection, transfer, or simple storage. More recently, the EDPB made it clear it also covers accessing the data (e.g. just looking at it on screen).
Developers either need to encrypt the data (at a single record level) before storing them on a cloud provider, or to store health data on an EU service (which must also provide sufficient levels of encryption and security for health data). For example, this is something that we enable with Chino.io.
Likewise, you can still distribute the apps via the official app stores.
The modular data platform of Chino.io allows building compliant and secure services in a matter of days, not months. How does your platform help to cope with the jungle of changing regulations and standards? What is your secret?
Since 2015 we have been helping digital health companies to solve the tech and legal challenges that existing cloud solutions don’t solve. Our platform offers simple services to encrypt health data, manage user identity, manage consent, ensure immutable audit logging, and more.
In addition, we also help companies to understand their compliance needs, choose their providers carefully, integrate them correctly, and demonstrate compliance to their customers. That’s the most important aspect of any digital health business.
One recent case study is an Austrian company assisting with cardiovascular health problems, which switched from a US PaaS service to EU providers. This company now uses both Chino.io and Thryve to ensure that all data collection from devices, transfers, and storage are done in compliance with the DiGAV law.