How Does GDPR Apply to Medical Devices?

The European Union’s General Data Protection Regulation came into force on May 25, 2018 and applies to healthcare providers who collect or process the personal data of data subjects residing in the EU, but how does GDPR apply to medical devices?

How Does GDPR Apply to Medical Devices?

Medical devices can collect a range of personal data – data that are considered ‘high risk’ with respect to the rights and freedoms of data subjects. As such, there are many aspects of GDPR that apply to medical devices.

Consent Must be Obtained

Before a medical device is used, consent to collect and process data must be obtained from the data subject. The consent must be explicit: the data subject must freely give specific, informed consent through a clear affirmative action. Any consent form must be written in clear and plain language that can be easily understood, and the data subject must be made aware of which data will be collected and how those data will be used. See Article 7 of the GDPR.

Consent is especially important for ‘special category’ personal data, such as health data, genetic data, and biometric data, which cannot be collected or processed without explicit consent. The processing of special category data is only permitted in certain circumstances, as detailed in Article 9 of the GDPR.

A Data Protection Impact Assessment Must be Conducted

The use of new technologies to process personal data calls for a Data Protection Impact Assessment (DPIA) to be conducted; a DPIA is also mandatory when special category data are processed.

The DPIA must include a systematic description of the processing operations and the purpose of that processing; an assessment of the necessity and proportionality of the processing operations in relation to those purposes; an assessment of the risks to the rights and freedoms of data subjects; and the measures that address those risks, including the security controls, safeguards, and mechanisms that ensure the privacy of patients is protected and that data subjects’ rights and freedoms have been taken into account. See Article 35 of the GDPR.

Personal Data Must be Secured

Any personal data collected or processed must be protected. Appropriate technical and organizational measures must be implemented to ensure a level of security appropriate to the level of risk. As with HIPAA, healthcare organizations must ensure the confidentiality, integrity, and availability of personal data. In the event of an emergency or technical issue, the healthcare provider must be able to restore the data.

Healthcare providers should routinely test, assess, and evaluate the effectiveness of their security controls. Any individual who has access to personal data must be trained and be made aware that they are prohibited from processing data except when instructed to do so by the data controller.

Healthcare providers must also encrypt personal data at rest and in transit, unless the data are otherwise protected through pseudonymization and individuals cannot be identified from their data. Article 32 of the GDPR covers the security of processing.

Personal Data May Need to be Provided to Patients

Data subjects have the right to access their personal data (Article 15), together with information such as the purpose of the processing, the types of data collected and processed, with whom the data have been shared, and the period of time for which the data will be stored.

Data subjects have the right to data portability and, upon request, must be provided with their data in a commonly used electronic format (see Article 20 of the GDPR). Data subjects can also exercise their right to be forgotten (Article 17) and have all personal data erased, or may request that all data processing stop (Article 19).

Notifications Must be Provided in the Event of a Data Breach

As with HIPAA-covered data, if a breach is experienced, notifications must be issued. In contrast to HIPAA, which allows up to 60 days to issue notifications, GDPR calls for the supervisory authority to be notified within 72 hours of the discovery of the breach. The breach notice must include the nature of the breach, the types of information likely to be involved, the contact information of the data protection officer, the likely consequences of the breach, and the measures being taken to address the breach (see Article 33 of the GDPR). Personal breach notifications, as detailed in Article 34, must be issued to breach victims when the incident is likely to result in a high risk to their rights and freedoms, and must be issued without undue delay.

Does HIPAA Compliance Mean Compliance with the GDPR?

Fortunately for U.S. healthcare providers, many of the requirements of GDPR will already have been satisfied if the organization is compliant with HIPAA. However, being compliant with HIPAA does not guarantee compliance with GDPR. HIPAA-covered entities must therefore conduct an in-depth assessment of their policies, procedures, and safeguards to ensure they meet the requirements of the GDPR.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.