Existing regulations and legislation regarding patient privacy and security , HIPAA vs GDPR. What do radiologists need to know?

1. Protection of Patient
Data in EU vs. US
ERIK RANSCHAERT MD, PHD
ETZ TILBURG, NETHERLANDS
erik.ranschaert@gmail.com
@eranrad

2. Learning Objectives
1. Knowledge of the patient privacy issues involved in using AI
applications
2. Knowledge of principles of the European privacy regulation
3. Knowledge of potential ethical and social issues that can be
encountered by using AI applications

3. Regulations and framework
A.I. is 1 of the few things we
should regulated proactively
in stead of reactively
If we regulate A.I.
reactively then it’s too
late

4. Relevance of protecting Health Data
• “FastMRI” partnership between NYU (CAI2R) and FacebookA.I. Research to make MRI
scans 10x faster
• Combination of domain-specific expertise from different fields and industries
• Train artificial neural nets to recognize underlying structures and construct MR-images
with less data
• NYU provides FAIR with 3 million MR-images (knee, brain, liver)
https://www.healthimaging.com/topics/artificial-intelligence/facebook-nyu-collaborate-make-mri-faster-ai

5. Security measures
• The MR images used for this project have to be scrubbed of any
potential distinguishing features.
• Approved by NYU Langone’s Institutional Review Board,
following policies and procedures for human subjects research
protection
• No Facebook data of any kind will be used in the project.
• Fully HIPAA compliant (Health Insuranc Portability and
AccountabilityAct)

6. How are patient data protected in the EU vs US?

7. General Data Protection Regulation
• EU law that came into effect on
May 25, 2018.
• Main purpose: to define and
update the basic rights of data
subjects regarding control of and
access to personal data

8. EU Regulation
• As opposed to a directive, a regulation
is directly applicable in all EU Member
States.
• National authorities can define
exceptions and derogations from
certain obligations by means of
national law.

9. What are Personal Data?
• Any information related to an
identified or identifiable natural
person (data subject)
• Also Health Data!
1. Data concerning physical/mental
health
2. Genetic data
3. Biometric data
NEW

10. The Goals of the GDPR
Protect
• EU citizen’s
personal data
Control
• To data subjects
over their
processed data
Unify
• The duties and
responsabilities
of controllers
and processors
Simplify
• The means of
data collection
and processing

11. Economical purpose
Any organization that processes EU citizens’ data,
even if the company isn’t located in the EU,
has to ensure GDPR compliance.

12. Handling of personal data: 3 players
Data subject Data controller Data processor
1. Collection
2. Encryption & storage
3. Forwarding
4. Processing

13. GDPR in Healthcare
• Facilitates free flow of patient data within EU.
• Personal data can only be collected under strict conditions and for
legitimate purposes.
• Data controller (hospital, HCP) has to respect rights of data subject
• Data processor must protect information it handles, processes and
stores on behalf of data controller

14. Opportunities for HC created by GDPR
1. Improving the sharing and interoperability of health
data
2. Helps HC organisations to build consumer trust
• Mitigate negative sentiments generated from recent data
breaches (Cambridge Analytica/FB saga)
3. Spur adoption of alternative modes of data
management (e.g. blockchain)
• Single source of trusted information, reducing redundancy and
administrative costs
Sharing
Trust
Costs

15. • GDPR concerns EVERY piece of information
that can identify a person, not limited to HC
• HIPAA only governs protected health
information (PHI)
Governance
HIPAA vs. GDPR

16. Position of ESR
• The GDPR is welcomed by the ESR

17. Meaning for Radiology
Received: 20 March 2017 / Accepted: 21 March 2017 / Published online: 24 April 2017

18. GDPR
Key
Elements
Clear Consent
Erasure
(right to be
forgotten)
Rectification
Portability
Notification of
data breach
Demonstration
of Compliance
Data
Protection
Officer (DPO)
Derogations
and exceptions
2
3
4
1
5
6
7

19. 1. Clear Consent
• Explicit consent of data subject
prior to data processing
• Explicit consent prior to
communication of imaging data
1

20. • HIPAA only governs protected health information
(PHI)
• GDPR concerns EVERY piece of information that can
identify a person, not limited to HC
Governance
• HIPAA does not require consent from patient to
release health data for third parties (e.g. for insurance
company)
• GDPR needs explicit consent for any interaction with
PHI other than direct patient care
Consent
HIPAA vs. GDPR

21. 2. Erasure and Rectification
• Destruction of data if storage is
no longer necessary for the initial
purpose
• Withdrawal of consent possible,
“the right to be forgotten”
• The right to obtain rectification of
his/her data
2

22. 3. Portability of health data
• Data subject has the right to
transfer personal data to another
service provider
• Hospitals and other HCPs have to
provide electronic data in an
appropriate format to a patient
upon request – free of charge
https://www.himss.eu/himss-blog/data-portability-and-sharing-personal-health-data-across-national-borders
3

23. • HIPAA only governs protected health information (PHI)
• GDPR concerns EVERY piece of information that can
identify a person, not limited to HC
Governance
• HIPAA does not require consent from patient to release
health data for third parties (e.g. For insurance company)
• GDPR needs explicit consent for any interaction with PHI
other than direct patient care
Consent
• HIPAA grants right to a copy of PHI, not for free
• GDPR grants right to copy of health data for free, and
even to rectify and erase data
Privacy
HIPAA vs. GDPR

24. 4. Data Breach
• Breach or hacking of Personal Data
• Notification within 72 hrs to
Supervisory Authority
• Communication to data subject
• Larger institutions: DPO needed
4

25. • HIPAA only governs protected health information (PHI)
• GDPR concerns EVERY piece of information that can identify a
person, not limited to HC
Governance
• HIPAA does not require consent from patient to release health
data for third parties (e.g. For insurance company)
• GDPR needs explicit consent for any interaction with PHI other
than direct patient care
Consent
• HIPAA grants right to copy of PHI, not for free
• GDPR grants right to copy of health data for free, and even to
rectify and erase data
Privacy
• Both require absolute secure measures to ensure confidentiality
• HIPAA breach notification is 60d vs 72h for GDPR (including
communication to data subject)
Security

26. 5. Demonstration of Compliance
• All organisations processing personal data must be able to
prove that they comply with the rules
• Hospitals and HCPs need to define their lawful basis for
processing health data and demonstrate their compliance
with GDPR
• e.g. for access to databases such as EPR and PACS
5

27. Stringent Penalties
• Failure to comply with the new data protection rules can result in
different types of sanctions from controllers, ranging from
• a warning,
• a reprimand,
• to a temporary or definitive ban on processing data,
• and a fine of up to €20 million or 4% of the business’s total annual worldwide
turnover

28. • HIPAA only governs protected health information (PHI)
• GDPR concerns EVERY piece of information that can identify a person, not limited
to HC
Governance
• HIPAA does not require consent from patient to release health data for third
parties (e.g. For insurance company)
• GDPR needs explicit consent for any interaction with PHI other than direct patient
care
Consent
• HIPAA grants right to copy of PHI, not for free
• GDPR grants right to copy of health data for free, and even to rectify and erase
data
Privacy
• Both require absolute secure measures to ensure confidentiality
• HIPAA breach notification 60d vs 72h, including data subjectSecurity
• Any organisation violating regulations is liable to be prosecuted
• HIPAA: prosecution is related to “significant harm” caused by violation
• HIPAA penalties go up to 1.5 million USD, GDPR is much higher
Penalties

29. 6. DPO
• Data Protection Officer is mandatory for
those companies and organisations that
systematically monitor data subjects on
large scale of sensitive data
• According to Art. 29Working Party (WP29)
processing of patient data by hospital is “large
scale”
• The DPO is in contact with the national data
protection authorities (Security Authority)
6

30. Derogations and exceptions
• Often conflicting objectives:
• Ensure privacy rights for personal
data vs.
• Providing adequate access to such
data for research & healthcare
purposes, e.g. for developing or
training A.I.
• Therefore the GDPR provides
several derogations regarding
health data
7

31. What is Scientific Research?
• Only broad definition in the GDPR
• Not clear how far the research
exemption extends, especially as
regards research activities with a
commercial goal
• For clinical trials: processing of data
should also comply with other relevant
legislation, policies, ethical standards

32. ESR opinion on Data for Research
• GDPR proposes technical and organisational measures such as
1. Anonymisation
2. Pseudo-anonymisation
3. Encryption

33. • Remove personally identifiable information
where it is not needed
• e.g. Name of patient, institution, date of exam
on images, DICOM metadata
Anonymisation
• Replace personally identifiable material with
artificial identifiers
• Data can no longer be attributed to individual
without additional information
Pseudonymisation
• Encoding of messages that can only be read
by authorised persons.
• Can only be done with anonymised or
pseudonymised data
Encryption

34. Image-based information
• Absolute confidentiality cannot be
guaranteed in case of image-
based information
• Matching by digital robotic
algorithms of organs and
pathologies could possibly allow
re-identification

35. What to do with Research Data?
• Key question: what is the purpose of using the data?
• Procedures to be followed:
• Adhere to ethical standards
• Use the right safeguards such as anonymisation, pseudonymisation,
encryption
• Pseudonymisation is generally recommended
• Exemptions are provided under certain conditions
• These should not result in PD being processed for other
purposes by third parties, e.g. employers, insurance or banking
companies, commercial enterprises

36. Exemptions for Scientifc research
• The purposes may override 3 basic rights in the following
conditions:
1. The right to information: if the provision of information involves a
“disproportionate effort”
2. The right to the processing: if it’s likely to render impossible or
seriously impact the achievement of the objectives of the processing
3. The right to be forgotten: if the processing is necessary for the
performance of a task carried out for reasons of public interest

37. GDPR and Ethical question
• Some AI algorithms are “impenetrable”, certainly those
constructed by unsupervised learning, creating a so-called
“black box”.
• If the subject has the legal right to information following the
GDPR, how can decisions concerning a person made by anAI
expert system that is not transparant be fulfilled?
Peter Rinck:Why radiology must take care when it comes to AI
https://www.auntminnieeurope.com/index.aspx?sec=sup&sub=aic&pag=dis&ItemID=616410

38. Take Home Messages
• Many ethical, legal and issues are involved with the development
and implementation of A.I.
• The GDPR regulates all personal data, including health data
• Use of health data for A.I. development is strictly regulated for all EU
inhabitants
• The GDPR is relevant to the development and usage of A.I. apps.
• Certain derogations are applicable to data for scientific research.
• Several A.I.-related ethical questions still need to be answered.

39. Erik Ranschaert, MD, PhD
erik.ranschaert@gmail.com
@eranrad
Thank you!