
Sorting the wheat from the chaff. Choosing a digital health app.

Why use a digital health app?

With more than 90,000 digital health apps being added in 2020 alone, physicians are bombarded with download options as much in their professional life as in their private life.1 However, not all apps are equal, with the top 110 apps accounting for almost 50% of all downloads.1

So why use a digital health app? It might seem like an obvious question, but like anything related to screens, it is important to think about apps in a meaningful way, especially in a professional context. The answers to the question include convenience, safety, and extended knowledge. Or do they?

The days of the trainee carrying around a well-thumbed Oxford handbook are over. Now the entire Harrison fits into your phone and then some. However, I’m sure that I’m not the only one who has excitedly downloaded a textbook to never look at it again. The format of the information needs to be easily accessible in a clinical context. Sometimes you need to know the pathology exists to look for it. In a book, you can thumb a few pages forwards and backwards and, serendipitously, come across the diagnosis.

You also need to be able to personalise your reference tool, adding to it as you go along. Whether it is a dedicated notebook or lines in the margin, many clinicians add local protocols, bleep numbers (yes, they still exist), or extra tips learnt along the way. Often this takes the digital form of a notes document on your phone.

There is also the credibility aspect of checking a written text in front of a patient. Somehow looking up a dose on a phone is not the same as checking a paper format. Having said that, no one will argue with the fact that a doctor cannot memorise all the medical conditions and drug dosages. Having a digital memory aid, especially when tired, can be a question of safety.

Another argument favouring digital health apps is that they can easily extend your knowledge to any area for which you can download a protocol or handbook. For non-dermatologists, there is a wealth of image banks with or without artificial intelligence to aid diagnostics. Of particular note is Malone Mukwende’s Mind the Gap project with St George’s hospital in London to reduce the health disparities in diagnosing skin pathologies in people of colour. Of course, providing an online platform of images that can be updated is not the traditional definition of a digital health app. Still, it is arguably one of the platforms which will have the most impact. And the app will surely follow.

However, no doctor is an island, and conversations between different specialities, whether family medicine and oncologists, further everyone’s knowledge. An app can never replace an interactive discussion about the best treatment for a specific patient, taking into account the available local resources, patient preference and social context, and preferred outcome. Indeed, these conversations often lead to recommendations of more specialised resources. In this day and age, these recommendations often include health apps. Anaesthetists have been at the forefront of apps and are particularly good at knowing which apps are best for drug dosage or retrieval. Family and community medicine physicians can often point you to aids to avoid pharmacological interactions or diagnoses that span various organ systems. Physicians use a lot more health apps than you might think. And the ones they use will be the ones that work. If you have any that you would like to recommend, please send them via Twitter @alice_bbyram or email. This brings us to the question of validating apps and knowing which ones are safe to use in your daily practice.

What do clinicians need to consider when choosing a digital health app?

When you do decide to use a health app, there are several aspects you need to think about before you start using it. First of all is the device you will be using it on. Whether it is a personal or professional phone or computer, the memory needed for the app may affect the speed your device runs at. All portable devices should have a remote wipe and automatic delete after several unsuccessful login attempts.2 Of course, if the hospital computer is constantly updating Windows XP or the websites are blocked by generic hospital controls, there is a natural selection as to which digital resources you have access to anyway. Similarly, suppose the app is a hybrid version that needs online access to give you all the information you need. In that case, you may find yourself limited by the Wi-Fi available at your hospital or health centre.

The individual using the apps or digital resources needs to recognise their own limitations. Few physicians receive formal digital health training, which is particularly important for prescription-only FDA-regulated digital resources.2 There is no shame in recognising that we have been washed along with the tide of innovation and haven’t had any time to stop and steer our own course. This self-knowledge is fundamental when you consider how much health care professional input is required by the app. Some diabetes apps require quite extensive physician input.1

Much has been made of the advantages of digital resources in aiding both physicians and their patients, with evidence available supporting the inclusion of digital health tools into health pathways. However, independent organisations caution about the need for more in-depth and long-term research to get a true picture.1 Physicians have a history of being cautious when sold new products by pharmaceutical representatives, for example. Digital health solutions are no different, especially when free. If the product is free, you’re the product, as was so aptly demonstrated in ‘The Social Dilemma’.3 It is a valid question to think about who has the resources to set up and maintain a digital health resource.

Compliance and regulatory controls are mandatory for certain types of digital health apps rather than wellness apps. Still, you have to be aware that being American HIPAA compliant may not mean that an app is also compliant with the European GDPR. The focus is different, as the GDPR is person-centred, whilst the HIPAA regulations are arguably more focused on the businesses that deal with health data. You need to make sure that the regulations align with your personal requirements and beliefs around health data.

National societies provide their own guidance. The Royal College of Physicians, for example, clearly states that you should not use web apps that don’t have a CE mark.4 And it is also up to the individual physician to make sure that it is up to date. Indeed, the college cautions against being lulled into a false sense of security if you see a CE mark and has produced a fact sheet to help you decide whether you can feel confident about using a certain app.4 Even then, it is up to the individual physician to exercise professional judgement when using the app. If you do see any calculation errors, you are under an obligation to report them to the MHRA.

Digital formularies provide a library of available apps which could be held to a higher standard than an app store. The NHS has such a library of apps that have been passed according to the DTAC or Digital Technology Assessment Criteria for health and social care. This is a good starting point when you want to find an app covering a specific condition. However, users should be mindful of a possible increased cost due to exclusivity deals or newer and potentially better apps being excluded.2

Finally, physicians are the end-user testers and are in a unique position to identify issues that come up. There is a professional obligation to flag up any prescribing or other issues that may impact patient care, but there is also the possibility of making a real change.5 Just as Dr Mukwende did with his dermatological diagnoses for people of colour, if you identify a need you can approach the innovation department of your hospital. Barcelona is a hotbed of digital health innovation, and places like the Barcelona Health Hub are spaces where digital health solutions are found by linking clinicians and tech companies.

What do patients need?

As physicians, we all know the need for medications to be easy and practical to take, and if not, the patient will understandably find it difficult to feel engaged. Digital health resources are no different. If an app takes up a lot of phone memory or is not easy to navigate, it will be quickly deleted. Conversely, integration with wearables such as smartwatches may lead to greater compliance. Word of mouth is also important amongst patients, and once one person sees the advantages of an app, others may well follow.

Yet digital health technology can lead to exclusion. In fact, you may not even be aware of the exclusion your patients are facing. Sitting in a doctor’s waiting room recently, I saw a granddaughter teaching her grandmother how to read text messages to make sure she didn’t miss health care appointments. Now that, in some countries, appointment letters are no longer routinely sent out, you may not be aware of the level of patient exclusion. Specifically, newer methods for accessing appointments were found to be the place where most patients gave up.6

Healthwatch UK found that exclusion can be linked to a lack of digital skills, affordability and trust concerns.6 However, it also found that statements about reluctance to use telehealth should not be taken at face value, as once barriers are overcome, patients may be happy with telehealth options.6

Developers listen up!

When it comes to developing a new app, you may have been commissioned by a physician who has seen a gap in the market or by a team who come from a more business background. The end-user is still the same: patients and physicians, along with their team, their family, carers, nurses and other health care assistants or HCAs.

Diabetes, mental health and lifestyle change apps are all well established, but have you thought of patients with AIDS, chronic pain and infectious diseases? Also be reactive to what is going on around you. During the COVID pandemic there have been spikes of related apps peaking with each wave.1

The first step as an app developer is to consider what is needed, rather than what you can offer. Your expertise may lead to many functions, but if they are not useful in day-to-day medical and home usage, the app will be quickly uninstalled. Consider also the accessibility and ease of use. Stay up all night or set an alarm every 3 hours to reach a sufficient level of tiredness and you can start to get into the skin of a physician or carer on call. If you use glasses, hide them somewhere in your house that you can’t find just when you need them most. If you don’t use glasses, borrow some to get that sufficiently fuzzy vision that many people have to deal with. Then reconsider if your app design still works.

Overcoming the reluctance of end users is a team effort, right from the start, and not just relevant to the sales team. As a developer you have to make sure that your app is secure by design and complies not only with country-wide compliance laws such as HIPAA or GDPR, but also institutional ones such as in the NHS. Go straight to the end requirements that the physicians and patients will be requesting. The NHS Digital Technology Assessment Criteria for health and social care has an entire section on the requirements which should direct your development. These include clinical safety, data protection, technical security and interoperability criteria. To make your life easier as a developer, there is a tick-box exercise for you to work through to make sure you are complying with good practice by design. Apps need to be accessible to all and follow ethics guidelines. From a technical point of view, you need to be up to the IEC 62304 international standard. Your app must undergo verification, validation and load testing as part of the development process. Bias testing is another aspect for which you may need to seek outside expert help. Humans are notoriously bad at recognising their own biases.

In the UK the Caldicott guardian principles are the benchmark for physician decisions when it comes to data protection. This is more likely to be used by physicians than the GDPR, which post-Brexit will be incorporated as UK-GDPR.

Physicians are under an obligation to report any problems with an app which may lead to error to the MHRA, depending on where they are practising. You need to provide an easy feedback form to make sure you are also informed and react proactively rather than defensively.

You should be aiming for the CE mark whether the app will be free or not,5 and make sure that you have thought ahead about how your health technology may evolve but also how the requirements may evolve. If you are thinking of expanding to different markets, knowing in advance where the security emphasis is placed is invaluable.

Similarly, looking at the digital formulary of apps you may wish to be included in can help you overcome potential problems of being sidelined for not being updated or outpriced, a couple of the potential disadvantages of digital formularies.7

Finally, we’re all patients or carers/family of patients. So take off your designer hat and ask around you what works in an app. If you are working with a specific condition, speaking to the patient associations for people with that condition will not only help your design but also open doors whilst you are doing it.

In a nutshell

  • Compliance may come in many different forms – always use professional judgement on any decision taken.
  • Knowing who is behind the app can help you make decisions and even offer feedback.
  • Practicality has to come first, be that automatic updates, storage use, interoperability or hybrid options.
  • Think of possible patient exclusions from the digital health option you are offering.
  • If you develop an app that is intended for use in any medical context in Europe, it will need a CE mark, whether it is free to download or not.
  • Knowing the criteria used for regulatory compliance can help you as a clinician decide if it is an app you feel safe using.
  • If you see a need, be reactive and either develop the digital health resource yourself or go to the people who can help you or take it over.

In short, digital health resources are valuable, not necessarily an intrusion. When used mindfully, they can be a help, not a hindrance in your practice.

References

1. Kern, J. et al. Digital Health Trends 2021. (2021).

2. Gordon, W. J., Landman, A., Zhang, H. & Bates, D. W. Beyond validation: getting health apps into clinical practice. npj Digital Medicine 3, 1–6 (2020).

3. Orlowski, J. The Social Dilemma. (Exposure Labs, Argent Pictures, The Space Program, 2020).

4. Royal College of Physicians. Using apps in clinical practice. (2015).

5. RCP issues new guidance on using medical apps | RCP London. https://www.rcplondon.ac.uk/news/rcp-issues-new-guidance-using-medical-apps.

6. Healthwatch England. Locked out: Digitally excluded people’s experiences of remote GP appointments. (2021).

7. Gordon, W. J., Landman, A., Zhang, H. & Bates, D. W. Beyond validation: getting health apps into clinical practice. npj Digital Medicine 3, 1–6 (2020).

Straight from the horse’s mouth – or where to go for verified information about #coronavirus or any other medical topics.

If you work in #digitalhealth it is important that you deal only in facts and validated information to retain credibility.

Over the past years, months and days, we’ve all been exposed to #fakenews in one form or another. Some of it is obvious and maybe even funny. Other fake news may be less obvious, especially if it comes through a friend or colleague. #coronavirus has led to many fast-circulating examples of misinformation, so here is a quick guide to how to make sure you have up-to-date validated information and a list of specific #COVID19 resources.

We often don’t know where to go in the middle of so much available information. Newspapers often get their information second hand and report, as is their function, on ever-changing situations early on. Blog posts can look surprisingly well referenced, but if you look into the references they may be citing animal studies or non-peer-reviewed articles. Did you know that many journals now ask authors to pay for their article to be published, knowing they have a willing market in researchers needing to publish a certain number of articles a year?

Other sources of potentially biased information, due to vested interests, are patient information webpages which appear at the top of Google. Often pharmaceutical companies or pressure groups have invested a lot of money in making sure that their page appears first when you type in their name. It may take a while to find out who is behind the page – a red flag in itself.

So where should you look?

The best sources are official, have an obligation to be updated regularly and have been reviewed by someone other than the author. Looking at the site where the information is hosted is one of the first steps.

  1. .ac.uk – university sites in the UK
  2. .gov – official government sites
  3. .nhs.uk – the National Health Service in the United Kingdom
    1. NHS Patient Info
    2. NHS Specialist Info
  4. .org – if combined with it being the national college of a medical speciality, it should be a reliable, if not always very easy to use, source of specific medical information
  5. .edu – an educational institution, which may be a university hospital with information for healthcare professionals and patients.

Clinical guidelines and updates are often published by national societies but there are also a few other places to look:

FDA: The U.S. Food and Drug Administration website has a lot of regulatory information but also updates on current events such as donating plasma if you have recovered from COVID-19. Use the search option to find information about your topic of interest.

NICE: The National Institute for Health and Clinical Excellence is a UK-based organisation on whose guidance clinical protocols are based. If you want to check what the latest guidance is on a specific health issue, including coronavirus, then this is a good place to start. Don’t be put off by the sometimes dense text; there is always a summary option available.

For research papers you can look at PubMed where almost all research papers are collated, with links out to the originals and links to other articles citing the information provided in your chosen article. You can specify how recent you want the article to be and whether you are interested in just humans or also animals. Using the “review” filter means that you will get an article looking at all the research on a particular topic. This can be very useful for the general public or non-specialists. You can also set up alerts so that you receive an email every time someone publishes something in your field of interest.

If you do receive a WhatsApp or Facebook message purporting to come from Stanford University, for example, copy and paste the first line into Google and you will quickly find out if it is a scam or not. Even videos with an MD explaining something may not be validated information. Always fact-check anything you receive.

Specific COVID-19 or #coronavirus resources.

In view of the fast-changing events, it really is best to go straight to the horse’s mouth, or the specific #COVID-19 pages of the organisations informing the experts and the general public:

  1. World Health Organisation
  2. British Medical Journal – Best Practice
  3. Johns Hopkins Coronavirus Dashboard.
  4. KnowledgeShare compilation of articles and guidelines coming out.

If you want to hear it from those on the ground.

Front-line health workers, whether doctors, nurses or paramedics, have taken to podcasts as the way of reflecting on their experiences and how they fit in with the evidence. They are ahead of the official guidelines, especially in fast-changing situations such as the current coronavirus pandemic.

EMCrit – USA based emergency physician and guests.

The Good GP – Australian Family Medicine Doctors talk about their experiences and latest updates.

Emergency Medicine College explains how to deal with COVID19 for non-EM doctors.

Pondermed – talks about the reality for radiographers amongst other COVID-19 topics.

Paramedic podcasts – prehospital health workers are the first people on the scene and have a unique view on what actually works and is really going on.

Why your #healthtech pizza can’t have too many toppings.

Have you ever been so exhausted with making decisions at work that you decide you just want pizza for dinner (any pizza, as long as someone else decides the toppings)? This decision fatigue (1) is a very real experience for all types of doctors and health professionals who spend their day taking important decisions with life or death consequences immediately or in the future. There has even been a scale developed to assess how health professionals are affected by this (2).

So when you present your amazing healthtech product with its many options to clinicians, don’t feel offended that their eyes glaze over, or even droop. It’s not a case of reducing your offer of special functions available exclusively to your digital health product. Instead, tailor your product to the needs of the health professional in front of you.

What you really need to do is to know which functions will change their practice, decrease their levels of frustration with IT, and set it up for them. Of course, they can do it themselves (this and a few more complicated procedures such as saving lives), but if you do it for them, you get a foot in the door. Leave it to them, and it will be pushed to the bottom of the non-urgent pile, and that is how digital health products end up not being implemented.

You can rail against health professionals pushing back against tech, but the reality is that if it doesn’t work for them, you are going to be the one left on the outside.

1. Linder JA, Doctor JN, Friedberg MW, et al. Time of Day and the Decision to Prescribe Antibiotics. JAMA Intern Med. 2014;174(12):2029–2031. doi:10.1001/jamainternmed.2014.5225 

2. Hickman RL, Pignatiello GA, Tahir S. Evaluation of the Decisional Fatigue Scale Among Surrogate Decision Makers of the Critically Ill. West J Nurs Res. 2018;


Lost USB? Hacked? What to do in the case of a data protection breach?

Despite all the best will in the world and processes in place, data breaches can happen. It can be as simple as a lost USB stick with patient information or a more sustained hacking attempt which affects only your clinic, or you as part of a wider organisation which has been maliciously attacked.

Informing the supervisory body.

The most important point is that you have 72 hours to inform the supervisory body from the moment you become aware of the breach, as per Article 33 of the GDPR. If you don’t do this within 72 hours, you must give reasons as to why this wasn’t done. The information you will need to provide is:

  • Nature of the breach:
    • Categories of data subjects.
    • Numbers of data subjects.
    • Numbers and categories of data records affected.
  • Data protection officer contact details, as well as those of other people who may be able to give relevant information.
  • An explanation of the potential consequences of this breach.
  • An explanation of what you have done so far and what you plan to do to mitigate the effects of the breach.

Informing the patient.

Once you have informed the supervisory authority, you need to notify the person whose data has been breached (data subject) in clear and plain language. As per Article 34, you do not need to inform the patient if:

  1. The data was encrypted, or protected by other methods that ensure it is unintelligible to persons not authorised to access it.
  2. The data controller has taken extra measures to ensure the risks of the data breach are not likely to materialise.
  3. It would involve a disproportionate effort. Public communication would be the alternative in this case.

If the supervisory authority feels that this is a high-risk situation and you have not informed your patient/data subject, they may take on the task of informing patients about the data breach and its potential consequences.

Why you need to clinically validate your #healthtech.

Quoted failure rates of #healthtech start-ups are almost as hysterical as the millions said start-ups are said to be receiving. Numbers vary vastly, from 44% to 70%. The actual numbers don’t really matter (unless you are one of the investors or workers losing out); the real issue is how to avoid this happening in the first place in #digitalhealth. #Healthtech projects which have clinicians behind them do well in both the private and public sector; they have inbuilt clinical validation from the start. This is why you too should think about doing it.

So that the #healthtech actually works.

It may seem an obvious point, but many digital health “solutions” fail because they are not in fact a solution. They are a product which is developed by non-healthcare professionals to answer a perceived need. Innovative technology is showcased brilliantly at industry events but then is either rejected or fails when it comes to the medical profession.

Bias in medicine is a dangerous thing, and as clinicians, we are continually being put in our places by patients who don’t conform to expectations. There has been much talk about Babylon’s diagnosing a woman as having anxiety instead of a heart attack, pointed out incidentally on #medtwitter. However, this is just one of many examples of bias which can mean that your non-clinically validated #healthtech not only doesn’t work but also becomes a liability. And as with Babylon, word spreads fast in the medical community. How many #healthtech developers are employing data scientists to look at potentially dangerous biases in their algorithms?

So that doctors support your #healthtech.

Lack of clinical take-up leads to a lot of “doctors will just have to get used to changing their practice whether they like it or not” comments, implying that they are stuck in their ways. This overlooks the fact that doctors, by definition, are lifelong learners, adapting their clinical practice on a daily basis. Every patient you see is a risk-balance assessment of what works best for that patient based on current evidence but also your own professional opinion. Healthcare professionals are your toughest critics because they are the ones who see the #clinicalreality and the aspects which you don’t. No man is an island and no patient is just one disease.

When you diagnose a patient, you do so not just by looking at a set of tests and variables such as heart rate, but by speaking to and looking at the patient. The questions often seem random to a layperson, but sometimes the examination is even superfluous. I know I’m not the only person who has gone back into a cubicle to put a stethoscope on for the patient’s benefit, as I’d already understood what was going on by the time we’d finished talking. Just how many #digitalhealth people realise that by the time you are ordering the tests, you are often just confirming the diagnosis? When you “treat” a patient, you do so not just by following a protocol but based on many other factors.

However, there are many frustrations which we know technology could help with: having access to all the correct patient information, reducing the decision burden by incorporating protocols. So speak to your target clinicians. Now. Often. In their clinical setting. What they will tell you is that they will enthusiastically take on validated and evidence-based #healthtech which answers their needs. In fact, they will probably be able to tell you what you need to do to make your #digitalhealth technology work. Sometimes they have already done it themselves, and you can work with them.

So that patients go to their doctors asking for your #digitalhealth solutions.

And if you speak to the doctors, and nurses, and healthcare assistants, and receptionists, and porters, don’t stop there. Patients, especially chronic patients, have a very clear idea as to what works, what doesn’t work and which of their #digitalhealth needs aren’t being met. There is a whole #wearenotwaiting movement where type 1 diabetes patients have been going faster than the industry at developing OpenAPS, or open artificial pancreas systems, and glucose monitoring. After many years of being treated as dangerous mavericks, they are now being incorporated into paediatric diabetes care in major NHS hospitals. Even the fact that they are not FDA approved has not put off parents and doctors from using them. That is what “disruptive” in #healthtech really means. Meanwhile, Medtronic and others who provide the “official” solutions have recognised the fact that it makes more sense to employ the #wearenotwaiting developers directly rather than play catch-up.

Even patients who are not digitally savvy will be quick to tell you why they will or won’t use an app or technology. And often these are for very different reasons to the doctors’. Maybe it is because they are more affected by the short-term side effects of a medication whose dose needs to be changed than by targets, and they have to be able to access that information quickly. It may be that your amazing frailty support system doesn’t recognise the fact that being part of the #silvereconomy doesn’t mean being bedbound, and that they too want to go places in the world with no internet connection. Patients are whole persons whose disease lives with them once they leave the consulting room, and any treatment, digital or traditional, needs to take that into account.

So that you can expand into the community.

It is fair to say that in an era of influencers, traditional advertising is being rethought to reflect the age-old concept that you are more likely to follow the recommendation of someone you trust than the manufacturer. Doctors, suspicious as they are (!), prefer to hear about new medications and developments in medicine from other doctors. Pharmaceutical companies have long recognised this fact, and this is another advantage of clinically validating your product. You speak the language of your target users, and once clinicians are prepared to listen, it can be a useful two-way conversation and is the way you get your #digitalhealth product into a clinical setting.

Patients too ask friends and family for advice. The reason for the instruction to only take medication which has been prescribed for you is precisely that people still take their family members’ medications for something which may or may not be a similar disease. Once you have patients with a vested interest, then others will follow. The way to do that is to listen, speak to and answer their needs.

It’s an exciting time to be in medicine, both as a professional and as a patient or carer. It is in everyone’s interest to make sure that the progress in #healthtech works first time round... and keeps on working and being relevant.

Health data – How long can / should I keep it?

Whether you are a data controller deciding which data should be used or a data processor in charge of keeping the health data in the cloud, for example, how long you should keep data for is something you should be proactively thinking about. The general principle is that you only keep it as long as is necessary, which of course can be open to debate and also to regional variations.

The purpose for which the data has been collected will help you decide how long to store data, so that you are not exposing yourself to a data breach for longer than needed. If you are developing an app, then that time should be specified clearly in the terms and conditions. When looking at health data for individual patient treatment and diagnostics, the concept of “as long as is needed” could be thought, from a clinician’s point of view, to be for the duration of the individual’s life. For research, it can be and is argued that the data should be kept beyond an individual’s life. These decisions are often taken by the organisation’s data protection officer or DPO.

With health data, as long as you still have some responsibility for that patient, and the patient has recognised it, then you can and should keep their health data. As ever, it is up to you to make sure that it is accurate and up to date. This includes making sure that contact details are current. Once you have decided which data you are collecting, the amount of time you decide to keep it is the easy bit.

When can you (temporarily) skip the medical data protection?

Health data is by definition and function sensitive data, but as anyone seeing patients knows, it is not always practical to get consent when treating a sick patient.

It is not necessary to encrypt or anonymise patient data if:

  1. The patient has given express consent.
  2. It is in the vital interest of the patient, and the patient is unable to give consent, e.g. an unconscious patient arrives in the ER, or the patient is a minor.
  3. The professional processing the data to provide health care is already under a professional obligation to treat patients according to a code of confidentiality. This is the Hippocratic oath and all the other versions which have followed.

When you do find out more information about, for example, an unconscious patient, you are under the obligation to update the records immediately. Again, this was standard practice for medical professionals before the GDPR was brought in.

It’s a short article because it’s a short message.

Don’t let the fear of data protection legislation stop you saving lives!

Sharing & transferring health data.

When you share patient data as a doctor, for example by referring your patient to a cardiologist colleague, you are ‘disclosing personal data’. You don’t have to disclose the transfer of the information to the patient or data subject if you are still respecting professional confidentiality. The receiver or recipient of this data then becomes the data controller, with the inherent obligations.

Patients too have the right to take their data with them wherever they go; this is the right to data portability.

Apps are not covered by professional confidentiality. So any changes in who has access to or is processing the data have to be communicated in full to the app user, including the identity of the new app data controller, the categories of data which will be used and the recipients of the data, among others. It is a long list, but how many people just click on the “updated terms and conditions” without reading them? Most of us…

Being based outside the EU does not exempt an app from complying with the GDPR if the data subject or app downloader is based in the EU. So unless you are 100% certain that you are complying with the GDPR, you should limit your app store access to countries not covered by the GDPR.

If the data is being shared outside the EU (of particular interest in the context of Brexit), then similar levels of protection should be requested. Chapter V covers the transfer of data outside of the EU and clearly states that once the EU has decided whether the minimum requirements are met, this has to be reviewed every 4 years. It is the European Commission who decides if the standards are being met.

Data protection for app developers & large organisations.

You may think that ensuring compliance with data protection in a large organisation is even harder than in a smaller clinic. However, it can be the complete opposite as you may find yourself having to appoint a Data Protection Officer (DPO) who takes over this role. Whether you need to do this or not will depend on the conclusions of a Data Protection Impact Assessment (DPIA) as per Article 35.

The use of new technologies such as EHRs or health apps, combined with large quantities of sensitive data as in the case of a hospital, means it is necessary to carry out a DPIA following the advice of a DPO. It is the data controller (the doctor or other person in charge of the data) who has to instigate this.

Data processors too have to think about a DPIA and if you are developing a health app this means you also have a responsibility:

When appointing a DPO, whether in the context of a larger clinical setting or app development, you can use the same DPO as other establishments as long as you have easy access to that person. They can be part of your staff (and potentially fulfil other functions). You must communicate who your DPO is to the supervisory authority.

Even if a DPO is appointed, the data controller is still required to record all the processing activities.