Secondary Use

Digital health solution providers, and users of digital health services, should take note of three recently launched EU public consultations in the digital health space, and may wish to make submissions to help shape the future of digital health initiatives in the EU.  The earliest deadline for submissions is 16 August 2017.

EU Commission

The UK Information Commissioner’s Office (“ICO”), which enforces data protection legislation in the UK, has ruled that the NHS Royal Free Foundation Trust (“Royal Free”), which manages a London hospital, failed to comply with the UK Data Protection Act 1998 in providing 1.6 million patient records to Google DeepMind (“DeepMind”), requiring the Royal Free to sign an undertaking committing to changes to ensure it is acting in line with the UK Data Protection Act.

On September 30,  2015, the Royal Free entered into an agreement with Google UK Limited (an affiliate of DeepMind) under which DeepMind would process approximately 1.6 million partial patient records, containing identifiable information on persons who had presented for treatment in the previous five years together with data from the Royal Free’s existing electronic records system.  On November 18, 2015, DeepMind began processing patient records for clinical safety testing of a newly-developed platform to monitor and detect acute kidney injury, formalized into a mobile app called ‘Streams’.
Continue Reading ICO Rules UK Hospital-DeepMind Trial Failed to Comply with UK Data Protection Law

On May 11, 2017, the European Cloud in Health Advisory Council (ECHAC) – a group of healthcare organizations, technology companies and patient representatives  –  launched its second whitepaper focused on use of data to improve health outcomes and delivery of care.

ECHAC launched the whitepaper at an eHealth Week 2017 session attended by ECHAC participants

The UK Government has opened a consultation, running until September 7, 2016, regarding how UK National Health Service (NHS) patient data should be safeguarded, and how it could be used for purposes other than direct care (e.g. scientific research).

The consultation comes after two parallel-track reviews of information governance and data security arrangements in the NHS found a number of shortcomings, described below.  The  Care Quality Commission (CQC) and the National Data Guardian (NDG, led by Dame Fiona Caldicott) made a range of recommendations, including new security standards, stronger inspection and enforcement around security lapses and re-identification of anonymized patient data, and an eight-point process around assuming and respecting patient consent decisions.

Following the public consultation, the new security standards could eventually be required and audited by government inspectors from the CQC, and imposed under revised standard NHS England contract terms.  CQC inspectors could potentially act on tip-offs from NHS Digital (formerly known as the NHS Health and Social Care Information Centre, ‘HSCIC’).  Those tip-offs could be based on low scores obtained by organizations in their annual NHS Information Governance Toolkit (IGT) self-assessments.  The IGT, which the reviewers said should be redesigned, applies both to NHS bodies and their commercial vendors.

The new consent model, meanwhile, could provide more streamlined, system-wide consents for use of patient data for purposes including quality assurance and research.

The CQC and the NDG’s findings and twenty-four recommendations were jointly presented in a covering letter to the UK government, available here, and fuller reports, available here and here (CQC and NDG, respectively).  This post provides a brief summary of their main findings and recommendations.  For the consultation questions themselves, see here.
Continue Reading UK Government Considering New Patient Data Security and Research Consent Standards, Sanctions