ITV #2 - Patrice Bideau
Confidentiality of health data: what are the obligations and what are the opportunities for insurance and other companies in the health sector?
What is the entry point, the questions that companies and insurance companies must ask themselves in terms of confidentiality of health data?
Above all, it is important to reexamine the definition and the distinction that can be made between personal data and health data.
Personal data is information relating to a natural person likely to be identified directly or indirectly such as a name, a photo, a fingerprint, a postal address, an email address, a telephone number, etc.
The perimeter of personal health data relates to the physical or mental health—past, present or future—of a natural person (including the provision of health care services) which reveals information about the health condition of that person. They cover health data such as medical history, illnesses, care services provided, examination results, treatments, disability, etc.; but also those which, by virtue of their crossing with other data, become health data in that they allow a conclusion to be drawn about the state of health or the risk to the health of a person. As you can see, the field is wide open!
To get back to your original question, for a company or an insurance company, and this is what we did within C3Medical, it is important to carry out an internal analysis aimed at providing the best protection of personal and health data that may be provided by third parties. For this study to be effective, we must begin by asking ourselves a number of questions. Does the company have good visibility regarding the personal data that it handles? Is the data in its possession vulnerable? Are there data management rules within the company? Are appropriate security and management rules implemented? And if these rules exist, is the company able to respond to requests from users or other third parties (authorities, customers, partners, etc.)?
Another crucial issue is whether the company is in compliance with the regulations by which it is governed. With regard to France, these are the National Commission of Computing and Freedom (NCCF) and the General Data Protection Regulation (GDPR), which regulate the processing of personal data and ensure that everyone's rights are respected.
Lastly, regardless of the size and type of the business, it is important in the long run to remain compliant with the laws in force and to regularly monitor their changes and development.
What tools does C3Medical have to guarantee the confidentiality and security of health data?
At C3Medical we have a strict policy in this area, which begins by communicating to the patient the importance of the data that concerns him, and by obtaining his consent so that we can access and use this data to respond to his request for service.
We limit ourselves to receiving only the data that we need, and we never keep the elements which are sent to us if they are not necessary for the analysis of a file. We have implemented a data protection policy that has been adopted and validated at the general management level and which is steered by a referent person, our “Mr. GDPR” of sorts. The policy defines the way in which, and the duration for which, data is conserved according to its type.
With regard to the storage of health data, we have selected health data hosting providers (HDHP), which are approved as such and have developed the necessary processes and know-how to guarantee the protection of sensitive data.
We developed BestCARE, an integrated platform for the consolidation and management of our patients’ medical items and care paths that is 100% secure. BestCARE allows us to virtually free ourselves from the use of email with the various actors with whom we work, and to limit access to medical elements (via the definition of suitable profiles) only to authorized and qualified people. For paper files that we continue to receive, we organize and maintain secure storage facilities.
The company's IT security policy, as well as the information systems incident management process, focus on safety and endeavour to ensure that we give this topic the appropriate priority status. These policies include of course our executive management and our teams, as well as our IT staff and our subcontractors. They aim to take into account and resolve those problems with a significant impact on data security with the greatest level of vigilance.
Lastly, each employee pledges not to disclose confidential data—including health data—to outside parties, through the signature of the company's Code of Conduct and Ethics upon hiring.
Regarding our relations with our business partners, all contracts signed include clauses, more and more consequential, for the protection of confidential data and health data. It is not unusual for us to spend long moments in discussion with their legal services in order to ensure, together, the coherence and the effectiveness of our “consolidated” respective policies.
What international laws regulate the confidentiality of health data? In Africa?
There is international legislation which is not always as strict as that imposed within the European Union and the NCCF follows with interest the work of the African Network of Personal Data Protection authorities (ANPDP).
Generally speaking, most African countries focus on the confidentiality and security of electronic data communication. Countries such as Benin, Burkina Faso, Côte d'Ivoire, Gabon, Mali, Morocco, Senegal and Tunisia are much more advanced. These countries almost all have their own authority which allows them to control the confidentiality of data in their respective countries. Moreover, with the generalization of mobile phone equipment, the development of social networks and the increase in living standards, people's demands in terms of data protection are increasing. This obliges countries to be much more rigorous with regard to the type of information collected and the treatment thereof.
For our patients, who mostly come from these countries, we apply French laws and standards.
Data privacy obviously protects patients, but for businesses and insurance companies, what does this confidentiality guarantee?
For companies and insurance companies that handle healthcare data, the management of confidentiality and of data security is a vital subject.
It’s the assurance that these players comply with the law, and that they allow their partners or their clients themselves to also obey the law. It therefore limits the risks with regard to image and financial or legal issues that may arise from improper or ill-mastered communication or use of sensitive data of a confidential nature.
Respecting this confidentiality requires mapping and reviewing one’s processes and means of communication and operation with one’s stakeholders. From this perspective, the regulations encourage innovation, in order to reduce—as much as possible—the cumbersome procedures to be implemented, and to rationalize for more efficiency, security and the improvement of practices. The establishment of secure data exchange platforms and online signatures are examples of innovations in this field.
Respecting this confidentiality also makes it possible to reassure potential clients or their families, and to position oneself for calls for tenders from companies or institutions which, as part of their security policy, require working only with suppliers who have themselves put in place coherent policies in this area. It is therefore the opportunity to stand out against other players who will not have been able to invest in or take a sufficiently serious look at this subject, and to win markets.