Why healthcare data protection and privacy tools are enablers of trust and opportunities
Why healthcare data protection and privacy tools are enablers of trust and opportunities27 October 2021 | 12min
The collection, storage and sharing of data (especially across borders) is critical to using patient data to add value to healthcare organizations and patients, with trust at the very core
Changing roles require more collaboration between operations, technology and legal and compliance and a shift in mindset about compliance across the organization
Compliance is more than just a checkbox; it is an integral part of any function within the organization that must take into account global regulations in order to create the optimal solutions for the best patient outcomes
The more data we collect, store, and share, the more value we can add to healthcare organizations, and the more important healthcare data protection becomes. The value-added will rely on one key element: trust.
To establish and protect that trust, privacy policies and regulations have been put in place, but are often regarded as barriers to advance technology. What if instead of seeing these policies and regulations as barriers, we shift our perspective to see them as enablers of trust and growth opportunities for organizations?
That is exactly the innovative mindset that Pierre-Mikael Legris and Evelina Georgieva of Pryv champion and promote through their startup. Pryv offers a ready-to-use middleware for personal data and consent management, which organizations can use as the foundation to build their own digital solutions. In this interview, we discuss the challenges, solutions, and opportunities of data protection in healthcare.
The driving factor behind digital transformation as it relates to data
HT: What was your inspiration for starting Pryv, and what would you say was the driving force behind its development?
Pierre-Mikael Legris: The motivation was trust. I was diagnosed with leukemia 18 years ago and I spent about seven years between a home and a hospital. Most of my time was spent in the hospital, seeing a lot of different doctors, and always repeating the same story. I was sharing routine information, such as weight and blood pressure, that could have instead been sent by email or any other data transfer solution. You cannot imagine the number of times I was asked, “What medication do you take?” This is one of the first questions a doctor asks you, and for me, it was twice a week for 7 years. The driver was: “How can I spend more time at home without spending as much time in hospitals?”
When you’re in front of your doctor, you can tell them whatever problems or concerns you have, and whatever is important and deeply personal to you because you trust that in that place, with this person, you can say anything.
Being able to use any digital tool with the same level of trust as you would with a doctor’s office that collects data so we can communicate, store, and share personal and medical information easily is what I saw was lacking.
Evelina Georgieva: For me, the inspiration centered around the ability to transfer sensitive data from one country to another, a bit like how you move with your suitcase but with data instead.
Pierre explained that the software could guarantee compliance with existing and future regulations, speed up time to market and reduce the cost of innovation development, and enable organizations to manage personal data effectively. For me, it was the perfect solution to enable the transfer of sensitive data, being medical, or not, from one jurisdiction to another, where people can transfer data as freely as we travel.
We became a team and we started offering Pryv in 2014/2015, as a B2B solution to other organizations, mostly within the healthcare industry, so they could benefit from what we had already built.
Security and privacy challenges facing healthcare organizations
HT: What do you see as the biggest data security and privacy challenges facing healthcare organizations at this current moment?
Evelina Georgieva: When we started, the biggest problem was around interoperability and how you can bring different datasets together. This was the hot topic everyone was speaking about. Then, over time, this shifted towards trust and enabling secure sharing of data.
The biggest challenge that I still see today is this mistrust or misaligned distribution of responsibilities when it comes to the value creation of such digital health products and technologies. This impacts product efficiency and scalability.
The software engineer’s capabilities are another challenge. In the development of digital health tools or any tools concerning personal data collection, usually, it’s the software engineering team that is given the task to develop them.
There are heavy regulations and a lot of business requirements, in terms of how this data can be monetized, and how a business model can be created based on this data sharing, or data economy.
If you put yourself in the shoes of a software engineer, it’s a lot that they have to do. What we have seen in the last 10 years or so, are products failing because the software engineers are taking on the software development part, but missing the compliance part, or the bigger picture in terms of how data can unlock more business opportunities and create a stronger value proposition for the patients.
Solutions to healthcare data protection challenges
HT: What do you see as the main solution to these challenges? Is it just having the right people in place? And what would be your recommendation to overcome them?
Pierre-Mikael Legris: When you create a solution or platform, especially in the healthcare space, you must take into account privacy laws on an international basis, such as General Data Protection Regulations (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the California Act.
The complexity around data integration, interoperability, and anything that touches the data life cycle must be considered and assessed from a risk management perspective.
Focusing on what is important for the end patient, or the end community, such as the user interfaces, the business model, or how this solution is going to scale is paramount – as is considering who should be involved in the development.
Although addressing these factors may seem like an immense undertaking that will slow down the development process, in the end – if considered and done correctly – by providing a ready-to-use data management software that handles all this, it saves time, stress, and money.
When data crosses the border into other healthcare systems
HT: What are the implications of data crossing borders and how can these barriers be addressed by healthcare systems?
Pierre-Mikael Legris: Holding data locally helps to decentralize it within healthcare systems. This allows data to be stored and shared in accordance with:
1) legal regulations, and
2) the explicit consent obtained from the individual whose data is in question
Regulations are in place and constantly changing. For example, today if a company can prove that data has been fully anonymized, the data can be processed with very few restrictions in some countries. However, as the difficulties in guaranteeing anonymity become more and more apparent, this may influence and change future regulations.
Consent is much more powerful in the sense that “consent” does not change unless the individual changes their mind. If an individual grants the right to process or access their data, the consent will remain within the jurisdiction it was given. The only thing that would prevent a company from using data, even if consent was granted, would be due to a specific regulation that prevents it. For example, there is a law against insurance providers for processing xxx or yyy data. The regulation would prevent entities from “receiving data”, but in no way can they prevent an “individual” from sharing data.
Evelina Georgieva: Compliance in healthcare depends on multiple factors and regulations as Pierre mentioned. Managing healthcare data should be done according to the patient’s local privacy regulations in combination with the requirements of the ethical committees from the medical institution. If we are in the scope of a clinical trial or medical device, you can add the required standard protocol and the U.S. Food and Drug Association (FDA) or CE certification. For example, if you lived in Canada and then moved to Europe, your data could be transferable and treated under different jurisdictions, depending on your residency.
Anyone can clearly imagine the increasing complexity when multiple countries are to be considered, especially when you consider that each of them updates their own regulations regularly and at a different pace.
From Pryv’s perspective, we put a lot of emphasis on collecting explicit consent and being able to prove its usage. Explicit consent is extremely powerful and a common concern for most privacy regulations.
Being able to decentralize the data management and localize it in the desired countries or infrastructure to meet specific cross-border regulations helps to address the challenge of ever-changing regulations.
Keeping a contact link with the patients and requesting a consent update to match new requirements or handle secondary use of data is also beneficial when possible.
There are plenty of things that can be done, but the underlying question is, “What is the value of making this data fluid from one site to another, from a business perspective?”
It’s a business decision that requires a regulatory lens in the countries that they are operating.
Implications to data privacy in the adoption of digital healthcare services and the impact to healthcare
HT: As we see increased use in technology-enabled care moving forward, such as telehealth services and mobile health apps, what are the implications to data privacy in the adoption of telehealth services, and how will this impact existing healthcare systems?
Pierre-Mikael Legris: People should understand that when they develop a product, they should be accountable for the data they manage. Exactly like when you put your money in a bank, they shouldn’t lose it or spend it for you. They should tell you exactly what happened with your money, and it’s the same with data.
Therefore, transparency is key. organizations should be transparent about where the data is stored, how it is used, who has access, and prove that they have the right to use the data for their intended applications. It brings us back to the exact point I started with – you have trust in your doctor, you should have trust in their system.
Data is extremely valuable for organizations and the individual. It would make no sense to throw it away, which is why transparency, trust, and explicit consent must be an integral part of any digital solution. Ideally, for example, organizations would clearly ask as part of the consent agreement, “Can I keep your data for 10 years?” 80% would say yes and 20% would say no. If you don’t have some no’s, it means that you probably didn’t ask the right question. That’s good proof to say that you have explicit consent.
Evelina Georgieva: Usually, when filling out consent forms online for data use, people just click on that “yes” and they have no idea for example, where the data goes, or what is done with it, or how it’s given to third parties. It should be very simple, exactly like online banking
Top recommendations for using patient data to add value to organizations and patients
HT: What are your top five recommendations for healthcare organizations looking to use patient data to add value to their business and to their patients?
Pierre-Mikael Legris and Evelina Georgieva:
- Get on board with adding value to your organization through the use of digital tools and patient data. Providing digital tools to your patients today is imperative, otherwise patients might flow to other care systems, perhaps even abroad where you can have better or cheaper treatments.
- Provide compliant digital tools that your patients can trust. The introduction of digital tools should be done with the same proficiency as when a medication is put on the market. If it’s a medical app or a medical service, it should be with the same level of trust as what has been done up to now in the medical sector.
- Start to look at data privacy and compliance as an opportunity, not a difficulty. It goes back to transparency, which is the missing piece nowadays in most of the applications. So far, it is common for developers or solution owners to look at privacy and compliance as something bad, and difficult to manage. The reality is that those who look at it as an opportunity, benefit sooner than expected from investment into trust.
- Safeguard the rights of individuals. Organizations need to be able to answer or provide information about the following inquiries at any time about an individual’s personal data to demonstrate it is being rightfully used:
- Explain what data you have about the individual
- Send a copy of all their personal records
- Provide proof of consent to information collected
- Provide information about who has or had access to personal data, for how long and for what purposes
- Ability to modify who has access to personal data at any time.
- Ability to delete all or part of the personal data, including any backups. (not applicable to clinical trials)
- Look outside of the healthcare industry for best practices of digital solutions.. To go back to the analogy of banks, not too long ago they were fully paper-based. They then evolved to have a digital front-end, where almost anything could be done online. Healthcare should follow the same path. Out of the age of digitizing PDFs from paper and into the age of e-health and the offering of digital services. We foresee some similarities between banking and the healthcare industry already such as digital safes, or digital wallets, in which you can have a secure storage of health data for example. So, there are plenty of opportunities to get good practices, or even do some joint development.
The role of startups in digitally transforming the healthcare industry
HT: How do you see the role of startups in progressing the digitalization of healthcare and transforming the industry?
Evelina Georgieva: One main advantage with startups is that everything gets done much faster because they have less established policies and processes, and development happens at a faster pace.
Connecting startups and corporations is a great way to exchange new perspectives and innovate existing systems and processes with the right mindset. Collaboration is key to success in finding the right solution, the right technology, and the right marketing approach. It is much easier to leverage the marketing capacity and brand image of a corporation than to raise marketing budgets for startups and leverage only on the startup brand identity, especially in healthcare. Corporations have access to much more resources than startups do, which can help the feasibility to investigate innovative solutions for startups.
What we’re still missing to see is corporations willing to participate in programs such as the Creasphere, where startups are connected with industry-leading corporate partners. In these environments, various individuals come together to identify needs and create efficiencies to achieve transformation. Researchers, universities, and startups can come into the corporation’s systems and processes, however, some corporations may not have the mindset and skills to operate the project effectively. At the corporate level, there’s still some work to be done so that they not only talk to us but also exchange ideas to make this an efficient collaboration.
Pryv successfully participated in Startup Creasphere, a leading digital health accelerator that strives to transform healthcare together with startups.
Pierre-Mikael Legris, MEng is a Swiss-French computer engineer (EPFL), Entrepreneur since his graduation. Pierre-Mikael co-founded Pryv after a Leukemia diagnosis and 6 years fighting for recovery. Some of Pryv’s core concepts of providing a decentralized tracking solution for collecting and sharing personal data in a trusted environment are coming from his own need as a patient. Pierre-Mikael received the award of “Patient Leader” from HIMSS Future 50.
Evelina Georgieva, MPA is an Entrepreneurs & Data Privacy Expert with 10 years of experience in purpose-driven digital transformation and Digital Health. Evelina is a co-founder of Pryv SA, a Swiss-based company specializing in personal health data & privacy management. In 2017 she was selected among the top 10 Swiss Venture Leaders in Technology and Female Role Models in Tech in 2030.