Health data is important for pharma companies. Here, we look at the data protection implications and discuss how pharma companies can collect and use health data compliantly.

Health data is among the most sensitive data that any company collects. Companies that process such data must follow strict laws and guidelines. However, for pharma companies, this data can be a goldmine of useful information. They need to store results from clinical trials, monitor patient outcomes and collect usage data for marketing. In this blog, we will look at how you can store and use this data without falling foul of the law.

What is health data?

Health data is defined in many ways. Of course, there are formal legal definitions of health data. But the simplest definition of it is:

Health data is any data concerning the health and medical history of a living individual.

The important thing to understand is that it relates to specific identifiable individuals.

Why is it so sensitive?

Health data deals with some of the most personal aspects of our lives. There have been cases recently when hospitals have inadvertently revealed the HIV status of patients by CCing them in newsletters. And hackers now actively target health data because it has become so valuable on the Dark Web. So, you need to collect and store the data correctly.

What does the law say?

The two most significant laws for health data are the EU GDPR and US HIPAA. Of course, there are other laws globally, but many of them closely follow the principles laid down in GDPR.

GDPR classes health data as a special category of personal data. This means that it receives additional protections and has to be protected by more advanced technical measures. HIPAA relates to the collection, sharing and storage of PHI (protected health information). The HIPAA Security Rule mandates exactly how this data must be stored and accessed.

How must I store the data?

Both GDPR and HIPAA recommend the use of strong encryption and pseudonymization for storing health data. Specifically, you should be storing the data using application-level encryption (sometimes called record-level encryption). Where you need to share the data with trusted parties (e.g. doctors, pharmacists), you should use pseudonymization.

How can I process the data?

Both GDPR and HIPAA give rules for how you can use this data. Under GDPR, there are several legal bases that can be used to justify collecting and storing the data. The basis for most cases is informed consent. That is, the person chooses to let you use their data in a way that you clearly explain to them. Most of the other bases relate to cases where there is a statutory need to store the data, for instance for public health reasons. This is referred to as primary use of data.

Primary vs secondary use of health data |

How can I share the data?

Under GDPR personal data cannot be shared without explicit consent, and this consent can be withdrawn at any time. If you want to use the data for marketing, analytics, business intelligence, etc. you need to anonymise it. This involves removing all personal identifiers and then treating the data such that you can no longer re-identify any individual. This is called secondary use of data. Note that there are some cases where this secondary use of data is not permitted.

How does Chino help?

Our speciality is solving data security for digital health and pharma companies. We offer a complete package including a secure storage platform, technical consultancy and legal expertise. We are the only company certified for storing health data in compliance with MDR and related regulations. If you want to know more about GDPR, HIPAA and health data, download our eBook or contact us.