Data protection plays a central role in the healthcare sector because health data is a special category of personal data that must be comprehensively protected. With the growth of eHealth, and in particular of mHealth (health-related services delivered through mobile devices), the processing of health data is gaining in importance. Developers of digital products and apps should take these data protection requirements into account at an early stage, so that products do not have to be reworked later at considerable cost and effort.
“Health Data” Definition
According to the GDPR (Art. 4 No. 15), "data concerning health" is personal data "related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status". This primarily covers personal data that allows direct conclusions to be drawn about a person's state of health (e.g. medical findings, diagnoses, laboratory results), regardless of its origin, i.e. whether it was collected by a doctor, a pharmacist or another healthcare professional, by a health insurer, or through the use of mHealth.
In addition, data that only indirectly, or only in combination with other data, allows conclusions to be drawn about an individual's state of health may also be considered health-related (e.g. information about weight, dietary habits, visits to healthcare or related facilities, use of medication).
Requirements for handling health data
Like the German Federal Data Protection Act (BDSG-neu), the GDPR prohibits the processing of special categories of personal data, including health data, unless one of the exceptions in Art. 9(2) GDPR applies; the most common of these is the explicit consent of the data subject (Art. 9(2)(a)). Particularly sensitive data may therefore only be processed under strict restrictions, and avoiding data protection incidents involving such data is correspondingly urgent.
More specifically, Art. 32 GDPR requires a level of security appropriate to the risk for the personal data being processed, and it names pseudonymisation and encryption explicitly as examples of suitable measures. If the personal data is health data, the bar for what counts as "appropriate" rises accordingly. In practice, cryptographic measures are therefore common when processing health data: identifiers are frequently not stored in plain text but replaced by a pseudonym. Note, however, that the "hashing" often used for this is not encryption, and an unkeyed hash of a low-entropy value (a date of birth, a patient number) is not effective pseudonymisation: an attacker holding the database can simply enumerate all plausible inputs and compare digests. A keyed hash (HMAC) whose key is stored separately from the data, or proper encryption, is what actually achieves the purpose of Art. 32 here, and health measurements themselves (which the app must still be able to read and compute on) need encryption, not hashing.
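The following Python script is an added example, not code from the original article or from any regulator's guidance. It illustrates the distinction just made: an unkeyed SHA-256 digest of a date of birth is recovered by brute-force enumeration in a fraction of a second, whereas an HMAC-SHA256 pseudonym with a separately held key survives the same attack and still lets the application link records belonging to the same person. The sample date of birth, the key value and all function names are hypothetical and constructed for the demonstration.

```python
import hashlib
import hmac
from datetime import date, timedelta
from typing import Iterator, Optional

# Constructed sample: a quasi-identifier (date of birth) from a hypothetical
# mHealth user profile. The input space is tiny (a few thousand plausible
# values), which is exactly what makes an unkeyed hash reversible.
SAMPLE_DOB = "1985-03-14"

# Hypothetical pseudonymisation key. Under Art. 4(5) GDPR this is the
# "additional information" that must be kept separately from the data;
# in a real deployment it belongs in a KMS/HSM or a separate secret store,
# never in the same database as the pseudonyms.
PSEUDONYM_KEY = bytes.fromhex(
    "6b0c7c1d6e4f0d2a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a"
)


def plain_hash(value: str) -> str:
    """What the article loosely calls 'hashed': an unkeyed SHA-256 digest."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. Deterministic for the same input and key, so the
    app can still join records on it, but not recoverable without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def _iso_dates(start: date, end: date) -> Iterator[str]:
    """Yield every calendar date in [start, end] as an ISO string."""
    d = start
    while d <= end:
        yield d.isoformat()
        d += timedelta(days=1)


def recover_dob(digest: str, start: date, end: date,
                key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack that anyone holding a copy of the database can run:
    enumerate every date of birth in a plausible window and compare digests.
    key=None attacks plain_hash(); passing a key attacks keyed_pseudonym(),
    which only succeeds if the attacker also obtained the key."""
    for candidate in _iso_dates(start, end):
        if key is None:
            h = plain_hash(candidate)
        else:
            h = keyed_pseudonym(candidate, key)
        if hmac.compare_digest(h, digest):
            return candidate
    return None


def demo() -> dict:
    """Run the attack against both storage schemes for a ten-year window."""
    window = (date(1980, 1, 1), date(1989, 12, 31))
    stored_plain = plain_hash(SAMPLE_DOB)
    stored_keyed = keyed_pseudonym(SAMPLE_DOB, PSEUDONYM_KEY)
    return {
        # unkeyed hash: recovered by enumeration
        "plain_recovered": recover_dob(stored_plain, *window),
        # keyed pseudonym, attacker without the key: nothing found
        "keyed_recovered_without_key": recover_dob(stored_keyed, *window),
        # keyed pseudonym, attacker who also stole the key: recovered,
        # which is why key separation is the whole point
        "keyed_recovered_with_key": recover_dob(stored_keyed, *window,
                                                key=PSEUDONYM_KEY),
        # linkability for the application is preserved
        "keyed_is_stable": stored_keyed == keyed_pseudonym(SAMPLE_DOB,
                                                           PSEUDONYM_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same reasoning applies to any identifier with a small or guessable value space (insurance numbers, postcodes, phone numbers). A keyed pseudonym only helps while the key is genuinely out of reach of whoever obtains the data, so the key's storage and access controls are part of the Art. 32 assessment, not an afterthought.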
What is mHealth?
Mobile health apps, or mHealth apps, can be defined as apps that collect personal data about an individual's physical or mental health, including the provision of health services that report on health status and give recommendations on diet and lifestyle. mHealth also covers technologies that measure vital parameters such as heart rate, blood glucose, blood pressure, body temperature and brain activity, as well as other physiological data, lifestyle data, daily activity and environmental data.
Guidance on health data protection
The data protection requirements placed on developers and providers of digital health products are a major challenge. The guidance on health data protection is therefore intended to give developers and providers of digital health products such as mobile apps an introduction and practical support. It sets out both the general data protection requirements and the requirements specific to particular actors, such as app developers.
In addition, the data protection authorities have issued guidance on the data protection requirements for app developers and app providers, aimed specifically at mobile apps that process sensitive data. Among other things, the authorities call for sandboxing and for encryption when patient and health data are processed.
Requirements for apps
Apps are an important and elementary part of mHealth. In principle, the same data protection requirements apply to health apps as to any other processing of health data. Beyond that, companies that want to develop or offer apps in the field of eHealth (or mHealth) should take a number of data protection particularities into account. The processing of data in health apps must meet the following requirements:
- It must always be based on an appropriate legal basis (Art. 6 and 9 GDPR);
- If consent is involved, it must be obtained before the respective data processing begins, in this context preferably before downloading the app;
- If a mobile device is shared by several users, the app should provide a technical means of obtaining each user's consent separately.
- The consent of the holder of parental responsibility is required for the processing of data relating to minors.
- Particular caution is required as soon as an app accesses location data (see the Orientation Guide of the Düsseldorfer Kreis for details);
- If user behaviour is to be measured or tracked in the app, the general GDPR requirements for lawful processing apply.
- Data protection by design and by default must be built in from the start of app development, not retrofitted.
- If it is a digital health application (DiGA), the special requirements of the DiGAV or the BfArM must be observed.
Ads on mHealth
In principle, advertising may also be used in an mHealth app, subject to the following conditions:
- The display of advertising must be clearly approved by the user before the app is installed.
- If the app uses contextual advertising, i.e. advertising shown to the user without personal data being shared with third parties (such as an advertising network) and without the user's health data being processed, the user must be given the opportunity to reject the contextual advertising before any data processing takes place.
- If the advertising is served by a third party, or if health data is processed to target the advertising, explicit and separate consent should be obtained before installation.
In addition, where applicable, national laws and EU regulations for online marketing should be taken into account in order to avoid breaches of data protection.
The field of mHealth apps is developing rapidly as their use grows, and significant legal changes in this sector are to be expected in the near future. It is therefore important to be prepared for compliance with the GDPR and the relevant national laws, and to follow the supporting guidelines and procedures. This helps avoid heavy penalties, such as the fines imposed for health data leaks.