Digital solutions in healthcare? Just a few years ago, “No way, data protection!” was the deadly argument. Now it’s clear that you can’t have one without the other. But data protection doesn’t have to be a brake on technology or digitization, as our Chief Legal Officer Dr. Silke Scholz explains. Let’s talk tech on a completely different level.
Silke, you are the head of our legal department and now sit here with me for the Let’s talk Tech format. Perhaps we should first explain to readers how the two fit together?
When I started at m.Doc four years ago now, data protection was always the death knell argument. A patient portal, a digital solution in the hospital was not possible, was not even conceivable, data protection did not allow for that. I am a passionate data protectionist and have said from the very beginning that this is just a pseudo-argument. Data protection doesn’t have to be an obstacle; on the contrary, it can become an important support – for example, when a patient’s data that was collected in one hospital can also be used later in another facility (e.g., the subsequent rehab). The challenge is simply to make it technically feasible for patients to know, consent and track. Data protection and technology are therefore two sides of the same coin in healthcare. Digital solutions are not possible without well thought-out data protection. At the same time, the technology available to us today improves data protection immensely.
Why do you think the protection of healthcare data in Germany is still such a difficult issue?
I think because we take the protection of our health data very seriously in this country, but also in other European countries. And I personally think that’s a very good thing. While in our private lives we have become accustomed to everyone knowing our e-mail address, for example, people are more sensitive when it comes to their health data – perhaps also because they are not used to encountering digital solutions in healthcare. Paper was and still is predominantly the medium of choice here. So it takes time to build up a certain level of trust. Patients must first experience for themselves that they will not receive any obscure e-mails in the aftermath of a hospital stay for which they use a patient portal, i.e., that their data will not be used elsewhere or even resold.
Has the Corona pandemic already broken down some of these barriers, because digital solutions – be it video consultation hours or even the digital vaccination certificate – were used very naturally in a short time?
I am convinced of that. If there is one positive thing to take away from the pandemic, it is that it has made digital solutions a matter of course in even more areas of our everyday lives. What’s more, in the healthcare sector it has impressively underscored the added value of technology. And a rethink has also taken place in clinics and institutions. The best example is certainly the cloud, which is now used as a matter of course in many clinics. A few years ago, it would have been unthinkable to know data outside the clinic premises.
If we go back to the technical level, at what point in the process – let’s say in the development of a new module on our platform – do you get involved as a data protection officer?
At the very beginning. As soon as anyone in the company has an idea – say, for a new module that enables secure digital signatures – it goes across my desk. Fortunately, I’m not only a data protection officer, but also a lawyer, so the contracts with external providers – essential for the secure certificate – also end up with me. What’s more, my colleagues in product management now know that they have to ask me first when they are planning something new, especially when it involves personal data.
We are currently working on the next generation of platforms, Generation 7. Do you have an example of the role you and data protection play here – after all, a large part of the code is being renewed for the next generation?
Patient onboarding is a good way to explain my role and thus that of data protection. After all, the central question is: What personal data do we really need? First name, last name, e-mail were still relatively clear. The next question was more difficult to answer, namely whether the date of birth is also absolutely necessary. As a data protectionist, I first say no – a bit heretical, I admit. What matters to me at that moment is whether good arguments come forward that justify data processing. And of course, onboarding needs the date of birth, because otherwise patients with common names – mine is one of them here, by the way – can’t be clearly identified. This also ensures that they can only see their own data. Next question: Do I need the gender? German first names are usually unique for us. An Italian first name such as Nicola, Simone or Andrea makes assignment difficult again. And so we work our way through step by step – for maximum data protection and long before our developers write a single line of code. Once the code is ready and we are in the test phase, I am asked again. The goal is to work with as little personal data as possible, and to achieve this it is essential to ask ourselves at an early stage what I need and what I don’t need. This is also called privacy by design.
In terms of logic, data protection and coding obviously have a lot in common…
Exactly, both fields move in if-then worlds. Law and data protection can be very logical (laughs).
What about the data security of the solutions, for example if a patient loses his or her smartphone?
And again: privacy by design. We don’t load any data onto any end devices. Only information is displayed there. This, by the way, is where you see the great advantage of digital solutions, because if someone comes to a clinic with a briefcase full of doctor’s letters and it is stolen, the data is not only in the wrong hands, it is also gone for the time being. If only the smartphone was in the briefcase, the thieves have no access to the data, but the patients can retrieve it from the cloud.
That is the current status quo. In the long term, however, shouldn’t the journey be toward using personal data – anonymized, of course – to improve the quality of care?
That is definitely the long-term goal, as quality of care would benefit. If you are a patient in a clinic for a hip surgery, it is not unlikely that the second hip will also need surgery in the foreseeable future. From the knowledge gained from the first surgery and, anonymously, many other hip surgeries, the second surgery may already be optimized so that you as a patient benefit directly.
But we’re not there yet, are we?
Technically, it wouldn’t be a problem. But no, we’re not there yet. But the direction is already right when I look at the growing importance of PROMs, Patient Reported Outcome Measures. In principle, these are quality questionnaires that patients fill out digitally via the patient portal after treatment, thus voluntarily providing feedback that the respective clinic can then work with and optimize. I think this will also have a positive effect on trust in digital solutions.