The Digital Health Data Revolution: Are You Prepared?

Digital Health Data Revolution

The data revolution as it relates to digital health is already underway, but we’ve yet to scratch the surface of what’s possible. The opportunities for big data in a digital healthcare era are limitless. Pharma companies’ R&D departments, the public sector, insurance and pension providers, local authorities, private healthcare companies, emergency services and of course patients, will all benefit.

Great blocks of data can now be accurately gathered and analysed for the first time, with digital health data falling into two broad groups. The first relates to “wellness”, being the type of data that a health-conscious twenty-something would find useful.

The market for this type of data is already proven. Active individuals are keen on any technological application that allows them to make the most of their exercise time and track the results of their activity accurately. Fitness Apps are an obvious example, allowing users to monitor everything from weight loss to improved lung function.

The second group of data covers ‘true’ health applications, for example those relating to the monitoring of chronic long-term conditions. Applications here would include remote testing and the collation of test results gathered over long periods of time. This is a far less developed market, but at the same time it is where the big opportunities lie for both the private and public sector.

Wellness data is currently the more readily available type, but it is also of lower value. In terms of mass applications you can identify trends from such information, but little more. In contrast data sets relating to more concrete health conditions provide market changing analysis possibilities – ones with the power to influence a wide variety of different business propositions, particularly those involving insurance, pension provision and healthcare.

Data of this type allows for detailed analysis of insurance risk, increasingly accurate valuation of possible claims and the design of more tailored products. Over time, the effective use of big data in this way should flow through to greater efficiencies, mitigation of risk and therefore increased profitability.

From a population healthcare perspective, big data should allow groups of individuals at risk of developing a given illness to be targeted before their condition becomes chronic allowing a wider range of treatments to be deployed, reducing cost and leading to better patient outcomes.

The ultimate goal for healthcare providers such as the NHS should be to increase the level of monitoring and treatment that can be carried out within a patient’s home, allowing savings to be made by reducing some of the fixed infrastructure costs that are inherent in a system that is designed to provide healthcare face to face in a surgery or hospital environment.

Privacy Pitfalls

Privacy issues are an important legal area to address when it comes to digital health provision, but not all data relates to identifiable individuals. There is potentially significant value in anonymised data, for example in the type of trends actuaries rely on.

Anonymised data can have major impacts when it comes to designing drug trials and treatment testing, for example in relation to who you should attract to your trial or where to focus your research. But there are problems here. Data can be of variable quality, out of date or from a non-applicable region. A top tier of truly valuable data will increasingly become available, but only at a premium.

Tailored data also presents a wealth of exciting possibilities. Consumers might one day carry around a device that allows access to all of their medical records. In an emergency situation all your information would be instantly accessible.

Patients taking control of their own data, or allowing private healthcare organisations to hold it for them, is likely to develop into a valuable market. An automated call centre might dispense tailored advice on your lifestyle choices and tailored data will drive the development of other new products and services of this type.

Varying Protections Between Territories

Data protection is on the legislative agenda in Europe at the moment. There is currently a general data protection directive in Europe, which has been implemented into national legislation by each member state, supplemented by sector specific legislation.

As with the Information Commissioner in the UK, each member state has its own regulator to provide guidance to data controllers and enforce the law. A number of countries outside the EU have committed themselves to similar principles to those found in the European data protection directive. Europe is seen as an area of best practice in this regard.

But before you can transfer personal data to key territories, including America, India and China, European data protection rules require adequate protection to be put in place.

Anonymising data offers a degree of protection, but is not as straightforward as sometimes imagined. Anonymised data may not be useful in some contexts and therefore additional data points are necessary to make the processing activity in question operationally or commercially useful.

Secondly, few data points are necessary to enable the subject of the data to be re-identified from an anonymised data set. For example, if you’re dealing with a small data set from a specific geographic location small, seemingly innocuous details could render individuals in the cohort identifiable.

Removing names and addresses alone will generally not offer sufficient levels of protection. Get this wrong and potentially very significant legal consequences may follow, not just in relation to breaching the Data Protection Act, but potentially also the health and safety of data subjects involved, ethical guidelines in relation to research and so on, so caution is required.

What’s Next

The EU data privacy directive is no longer judged as being fit for purpose in light of technological advances over the past two decades and so the European Commission is now proposing a replacement. Once the new data protection Regulation has been agreed and comes into force, following negotiation amongst member states and the EU institutions, there will be a more harmonised framework for data protection within Europe. The new Regulation is still under negotiation in Europe, so its proposed entry into force in 2016 is by no means yet certain.

That said, existing European data protection laws already place considerable requirements on parties involved in handling personal data, as described above. Furthermore, the concept of “privacy by design”, which is likely to be mandatory under the Regulation but is currently not in most member states, constitutes a useful framework for the design of new products and services that use personal data.

In short, privacy by design requires a risk assessment in relation to personal data at the outset of design, rather than at a later stage, so that adequate protection for the data can be embedded into the design and not added as an afterthought later. This covers a wide range of considerations, from designing applications so that they do not collect more types of data than are actually necessary for the purpose intended, to disposal rules that ensure data is securely deleted once the purpose has been fulfilled.

Digital health technology and its potential applications are together evolving at an ever faster rate. Whilst relevant regulatory frameworks are also changing, we are facing the traditional hare versus tortoise contest. If a digital health business is to thrive in this new environment, it must be nimble in grasping the opportunities as they appear, but it must also be alert to any potential regulatory constraints so that the required level of compliance can be folded into its commercial strategy. The concept of compliance by design needs to be incorporated into the DNA of all aspiring digital health businesses.

Matthew Godfrey-Faussett

Matthew Godfrey-Faussett is a Partner at international law firm Pinsent Masons. Matthew advises on ICT related transactions for clients on both sides of the customer/service provider divide. Matthew has particular experience in large scale end to end system procurement projects and outsourcing or managed service arrangements. In addition, Matthew specialises in information security, data protection and e-commerce law.