The Coronavirus pandemic is causing major disruption to our lives. It's also creating unprecedented demand for digital health solutions, especially telemedicine. Here, we explain how to develop such an app rapidly without sacrificing privacy and data protection.

Coronavirus has caused unprecedented disruption to our lives. More and more restrictions are being imposed and we are all being encouraged to avoid contact with other people. Of course, people are still getting ill and needing to see a doctor. But these are often just the people who shouldn’t be going out and being exposed to the virus. Here, we show you how quick and easy it is to develop a fully-compliant telemedicine app that enables doctors to give remote consultations.

Telemedicine covers a whole host of use cases, ranging from apps to store and share clinical notes, to real time monitoring and analysis of ECGs. Many of these applications can take months to develop and require medical device certification. However, some of the easiest to develop will be particularly valuable in the fight against Coronavirus. Nonetheless, they should still be compliant with data protection regulations like GDPR.

The importance of compliance

Compliance with GDPR and other regulations might not seem a priority right now. But this pandemic won’t last forever, certainly less long than the data needs to be retained for medical governance purposes. Therefore, it’s essential any app is compliant with data protection regulations. For healthcare apps there are two types of data you need to protect.

  • Personal data (or PII) is data that identifies a particular person. Obvious things like their name and insurance number as well as less direct identifiers like their postal address or device IP.
  • Health data (or PHI) is data “which reveal information relating to the past, current or future physical or mental health status of the data subject.” (GDPR Article 4.15). Importantly, most personal data becomes health data if it can be related to a health application.
  • Anonymous data is anything that cannot be associated with a specific individual. However, successfully anonymising health data is hard.

There are many different types of data in a telemedicine app. can help you understand the implications.

All personal data has to be protected, but health data is a special category that requires extra protection. Getting this wrong is expensive (fines can run to millions of euros), damaging (even huge companies are damaged by bad headlines), and  can even lead to criminal charges.

Medical notes app

Probably the simplest app possible is one for taking and sharing notes. Now obviously, there are plenty of such apps out there. But in a healthcare setting you are dealing with particularly health data, which is particularly sensitive. As a result, you have to think a bit more carefully.

How this helps with Coronavirus

The obvious use case for a medical notes app is to store and share records about calls between a doctor and patient. The most vulnerable group of patients for Coronavirus are the elderly, many of whom have no Internet access. As a result, their only access to telemedicine is over a ‘POTS’ landline.

How to create a compliant app

A medical notes app is simply a way to store and share text-based notes, such as those made during a doctor’s consultation. It needs the ability to create and manage users, to make and store notes, and to allow those notes to be shared with other authorised users.

A medical notes app is simply a way to store and share text-based notes, such as those made during a doctor’s consultation. It needs the ability to create and manage users, to make and store notes, and to allow those notes to be shared with other authorised users.

GDPR poses strict requirements on collecting and storing health data like medical notes. You’ll need to consider quite a few things if you are going to get it right from a compliance standpoint.

Create a compliant medical notes app with

  • User profiles. A user profile contains personal data, and as noted above, should be treated as if it is health data when associated with a telemedicine app. Profile data must be encrypted and stored separately from the other data. You also need to collect and store “informed consent” from the users. Fortunately, both these things are really easy using the API.
  • Notes. The actual notes must be encrypted and pseudonymised. This means ensuring that they can only be linked to a user profile via a pseudonym. The strongest encryption is record-level—that means you encrypt each user’s notes with a different key. This is offered by default with the API.
  • Permissions. Note sharing requires you to implement secure login and permissions management. This means that your app can control who has access to the notes. For instance, all the doctors in a shared practice are allowed to read a patient’s notes. But their receptionists aren’t. Permissions management and audit logs are both features of the API.
  • Logs. You need to store a log for every time someone logs in, accesses or changes a note. These logs provide a legal audit trail and are required both for GDPR and clinical governance. Our API stores a record of every interaction in an immutable log.

Is it hard to do?

Creating a GDPR-compliant app has the potential to be very hard. You need to implement record-level encryption, key management, permissions management, consent tracking, etc. However, with our API it can be done in just a few hundred lines of code (probably 100x less code than doing it from scratch). To show you how easy it is, take a look at our demo Notacy app.

Virtual consultation app

A chat app allows a doctor or therapist to chat with their patient in real time or asynchronously. There are plenty of well-known chat apps like WhatsApp. However, WhatsApp is really not suitable for healthcare chats. However, it is actually quite easy to create such an app from scratch using the API and a suitable SDK.

How this helps with Coronavirus

Chat apps allow doctors to offer better remote diagnosis, even offering the ability to send photos or to start a video chat. Such an app is particularly useful when a doctor is overwhelmed, since they allow a patient to have a consultation asynchronously.

How to create a compliant app

An app like this can be built on top of the medical notes app above. You will need to add the ability to send and receive chat messages. This can be done using an SDK. The main differences between this and the notes app are the need to transfer messages between end devices and the server, and a need to send notifications that are compliant with GDPR.

Create a compliant medical chat app with

  • User Profile: As mentioned above, this personal data counts as health data when associated with a telemedicine app. You need to ensure you encrypt and store all profile data in a separate location to the actual health data. You will also have to collect and store explicit consent from the end users (patients). Our API solves all these things with its encryption, pseudonymisation and consent management.
  • Messages: Any messages are particularly sensitive, since they involve discussions about a patient’s medical condition. They must be encrypted at record-level and linked to the user profile using a pseudonym. Fortunately, both encryption and pseudonymisation are easy to do with our API.
  • Search: You usually need to store the history of the chat. You might also want to offer search functionality, which is hard to do with encrypted data. With our search API, this is really simple.
  • Notifications: Your app probably needs to send notifications, especially if it is being used for asynchronous consultations. However, you must ensure these don’t accidentally reveal any sensitive data, and you must inform your users of the implications. Our experts can give you advice here.
  • Media. If your app can send pictures or store recordings of video chats, these have to be encrypted. Unlike the messages, this counts as unstructured data. Our API offers the ability to store this data in BLOBs.
  • Logs. It’s vital to include logging of all data access and changes. This audit log can be used if there’s any future legal issues. Our API logs every interaction in an immutable fashion.

Is it hard to do?

You should be able to create an app such as this quite quickly. You need to implement all the same technical aspects as the medical notes app above, but once you have that base app, it isn’t too hard to add chat and video. However, you will need some legal advice relating to things like notifications. The specific rules vary between countries, so you will need to speak to our consultants about this. During this pandemic, we are offering startups and nonprofits 2 hours of free consultation time specifically to address issues like this.

How helps solves data security for digital health apps all over the world. We offer legal assistance, technical consulting and a compliant platform for data storage and more.

Book a call