What does 5G and the IoT mean for health tech?

What is 5G?

Like many acronyms, it is demystified once you know what it stands for. 5G simply means the fifth generation of wireless technology. In simple terms, it means faster data due to bigger channels, more responsive technology due to lower latency (less lag), and the ability to connect a lot more devices at once. Within 5G, these qualities can differ depending on the channels used. For example, the speed itself may be slower if the frequency being used is lower and similar to that used by previous technology, such as old TV frequencies or current 4G. That may be all that is available if the physical infrastructure for the new frequencies is not in place.

Where can I find it being used in health?

Decreased latency leads to less “lag” and, therefore, a more real-time experience. Whilst a delay during a video call is annoying, it is generally not life-threatening. Transfer that to an operating theatre: the ability to operate remotely depends on real-time transfer of what is happening in both directions, so that the surgeon can react to and stop unexpected bleeding, or efforts between various surgeons can be coordinated.

Similarly, the ability to connect more devices at once is of great importance in ever more connected health care settings. Physicians are forever being asked to adopt the latest wireless monitoring and sensors to create a more seamless experience for the patient. However, if you are still in a system that uses fax or in a department where the internet connection is flaky, the real game-changer for day-to-day use will be the ability to connect all the devices at once with confidence. In telemedicine, this translates into the ability not only to see and communicate with the patient but also to monitor and receive real-time data about their physical status. Many experts in the digital health space see these qualities as the gateway to 4P medicine, which is a digital version of what clinicians have been doing for years. 4P stands for predictive, preventative, personalised and participatory.

Another bugbear of out-of-hours care, or just seeing a patient who does not usually attend your hospital or surgery, is the inability to see their previous images. Imaging studies are notoriously complicated to transfer between systems, and there is rarely a way for either the patient themselves or another health professional to quickly send over MRI or CT scans in a compatible format. It may surprise you to know that as a clinician in the NHS, I could not access the recent CT head scan of a patient done at a hospital only 25km away. Or maybe it’s no surprise, and you just shake your head at an inevitable reality. But we need to demand from our clinical workspace the same fast internet and communication we get from our Netflix subscription!

What is the IoT?

IoT simply stands for the Internet of Things. In other words, “objects with computing devices in them that can connect to each other and exchange data using the internet”. In healthcare, this translates into sensors and technology linked to the patient rather than the clinical setting, giving a real picture of what is going on in a person’s life and health. From distance monitoring which is set to alert the clinician when certain parameters are reached, to active ongoing monitoring that transforms the patient’s home into a virtual hospital, the IoT with 5G gives clinicians more confidence to extend already existing hospital-at-home projects. Well established in older and more frail patients, hospital at home with CGA (Comprehensive Geriatric Assessment) has already been shown to decrease hospital admissions with similar long-term outcomes and greater patient satisfaction.1 Distance monitoring will open this option up further because the carers and patients themselves will feel more supported and empowered. In France, where cancer patients wishing to stay at home are limited by clinicians not having that confidence, a better solution may be found with real-time monitoring.2

Of course, no one person is just a patient or a disease, but rather a combination of roles, identities and functions. Where the IoT comes into its own is in bringing all of this to the clinician: information from all sources, including non-medical aspects such as travel, air contamination and favourite activities, brings clinicians closer to the original definition of being a doctor, when you would have known your patients, their families and everything else going on in their lives. The lack of that continuity and depth brings many clinicians to burnout, and 5G and the IoT should be seen as facilitating a return to a holistic vision of the person or patient who comes to see them. Only then can the clinician fully use their knowledge base and experience to personalise the treatments and solutions they offer. Digital health augments a clinician’s practice. Those who argue that doctors will become irrelevant have clearly not sat in on patient clinics and surgeries, going through the options available based on local resources, the latest advances and patient preference. In medicine there is never one right treatment, and the art remains in the ability to pull it all together, making use of all the information and resources available.

1. Shepperd, S. et al. Is Comprehensive Geriatric Assessment Admission Avoidance Hospital at Home an Alternative to Hospital Admission for Older Persons? A Randomized Trial. Annals of Internal Medicine 174, 889–898 (2021).

2. Margier, J., Gafni, A. & Moumjid, N. Cancer care at home or in local health centres versus in hospital: Public policy goals and patients’ preferences in the Rhône-Alps region in France. Health Policy 125, 213–220 (2021).

AR in medicine. The future?

What is augmented reality in medicine?

Augmented reality, or AR, is a relatively new technology in which a computer-generated image is superimposed on the user’s view of the world.1 To create this augmented reality, hardware such as headsets, smart glasses or mobile devices is used. The difference from virtual reality is that the user keeps a link to the surrounding physical world.1

Augmented reality has many uses in medicine. These include medical training, especially anatomy but also simulation training. Surgeons can use AR to plan surgery, and all physicians can use AR to explain complex situations to patients and their relatives.2


In diagnostics, AR has been used to improve adenoma detection rate. A combination of computer vision algorithms and a large database of colonoscopy polyp images means the endoscopist gets real-time visual assistance. Images are overlaid on the primary monitor they are using or on an adjacent monitor.3


Therapeutics is another area where AR has been extensively used, especially in rehabilitation. The interactive aspect means that patients are encouraged to improve their motor actions.4 For people with severe mobility issues, including the elderly and the paralysed, AR becomes an integrated part of their daily life as part of a home appliance control system. AR interacts with brain-computer interfaces to give patients back a degree of autonomy.5

When ultrasound was brought in, a new 2D perception of a 3D space was needed. Anyone who has ever used an ultrasound knows that this involves retraining your way of looking at spaces, in a way that I initially felt was counterintuitive. Ultrasound-guided biopsy is a minimally invasive procedure for tumour staging. Still, it requires long training, not only on a manual technique level but also taking into account the change in perception of space. AR is used to plan the trajectory of the needle and then execute the process. A robot arm with pressure sensors is used, feeding back high-quality information to the operator. The person undertaking this ultrasound-guided biopsy is then able to overcome any needle deflection or target motion.6


Anyone who has taken a basic or advanced life support course will remember meeting Resusci Annie, the rubber mannequin used to simulate emergency situations. Although a great resource for many years, there was never any doubt that you were dealing with a floppy doll. High-fidelity simulation training uses complex mannequins that can breathe, have a variable heartbeat and affect ECG readings, which takes training to another level. The ultimate challenge is simulation training with a real person, but there you are limited to one, hopefully stable, pathology, and obviously you can’t administer medications or electric shocks. When it comes to training in anatomy, there are financial, ethical and supervisory constraints on the use of cadavers.7

You also can’t see inside the body, and this is where AR takes medical training to a whole new level. One setting is airway training, where learning to intubate often means switching between the student and instructor who attempts to explain what they are seeing and how best to proceed with the tube. In surgery, AR laparoscopic training too has been shown to increase trainee skills, especially when combined with physical models.3 This freedom of sight is also a safety aspect.8 In addition, AR means the training can take place in a professional work environment, undertaking real tasks. Depending on the program used, this training can be independent without the need for an instructor to be constantly there.7 Emergency medicine training has already been done remotely using AR as distances can be a real issue in more remote clinical settings.9

There can be some disadvantages. Sometimes trainees find that AR can lead to dizziness or blurred vision, although less than with VR or virtual reality.7 Cost is another consideration, although this may be less important to students and institutions who see the skill gain as non-negotiable.

How soon will AR come into my practice, and how should I prepare?

Google Glass was the forerunner of easy-access VR, and some considered it low-level AR. Some of you may have tried out these glasses in a non-clinical setting. Google Glass is a good entry-level AR device due to the familiarity of the concept: many of us already use normal eyeglasses. The first version is now obsolete, but the 2020 revised version has been launched with increased facilities for developers to build their own software.10 Now more than ever, as a practising clinician, if you think of a solution for an everyday frustration, you can approach developers to build it for you. The hands-free aspect in a sterile or semi-sterile environment is an attractive proposition for situations where you need access to information but don’t have the staff, such as in primary care. Being able to easily scan patient records without the need to be looking at a computer all the time would in itself make a lot of patients and doctors happy.10 In the same way as AR has helped with polyp identification in real time, external dermal or other lesions too will be superimposed with AR and the corresponding algorithms and knowledge databank.

However, machines, like humans, are not infallible, and knowing where they may fall down leads to using them more safely. Although some authors claim that AR will be trained to see with fidelity and without bias, bias in algorithms is only now starting to rear its ugly head.3 There have been several high-profile cases of algorithms misidentifying people of colour in facial recognition programs.11 The algorithm will only ever be as good as the input data, even if the data is extensive in quantity. Humans choose the data which will be used, and we all have our own unrecognised biases. Hidden or unidentified health inequalities are often a direct result of these biases, whether of race, age or other.

Physicians may be concerned with privacy issues. In cultures where scribes writing down the notes are usual practice, the idea of someone doing the same thing remotely as you use Google Glass or another similar device may not be a problem.10 For other clinicians, this may take a bit more getting used to. The developers need to think like a doctor, like all doctors, to overcome resistance. Perhaps some clinicians prefer to have limited options, not all of them. At least at the beginning.

What do patients think about it?

It’s very hard to know what patients think of their doctors using AR. There is a lot of information available projecting on to patients what they should be thinking and how they should see improvements. Yet this may not be the reality. We need to ask them and listen. Specific AR therapies have good outcomes as defined by the study researchers, but you don’t know what you don’t know. Perhaps dizziness may be too much of an issue, or perhaps there are other side effects or worries which have yet to be voiced. As with telemedicine, these reticences can often be overcome once the real underlying worries are identified.12

So what now?

AR is one more technology that will come to the patient interaction. It’s only a matter of time. Like POCUS, point of care ultrasound, there will be fans and detractors. Individual knowledge and training are the keys, as is listening to patients. Even if you don’t like it, your patient may have heard about great outcomes for their specific condition. Or you may be encouraged by the increased safe prescribing options of AR but find that you lose patient engagement, and much as the course of antibiotics is not finished, the AR stays in the box after the first couple of days.

If you’ve had any feedback or have any thoughts on VR or AR from your patients or yourself, I’d love to hear from you. @alice_bbyram on Twitter or email me abyram@ab-health-solutions.com.

1. Tang, S. L., Kwoh, C. K., Teo, M. Y., Sing, N. W. & Ling, K. V. Augmented reality systems for medical applications: Improving surgical procedures by enhancing the surgeon’s “view” of the patient. IEEE Engineering in Medicine and Biology Magazine 17, 49–58 (1998).

2. Eckert, M., Volmerg, J. S. & Friedrich, C. M. Augmented Reality in Medicine: Systematic and Bibliographic Review. JMIR mHealth and uHealth 7 (2019).

3. Mahmud, N., Cohen, J., Tsourides, K. & Berzin, T. M. Computer vision and augmented reality in gastrointestinal endoscopy. Gastroenterology Report 3, 179–184 (2015).

4. Yeo, S. M. et al. Effectiveness of interactive augmented reality-based telerehabilitation in patients with adhesive capsulitis: protocol for a multi-center randomized controlled trial. BMC Musculoskeletal Disorders 22, 1–9 (2021).

5. Park, S., Cha, H. S., Kwon, J., Kim, H. & Im, C. H. Development of an Online Home Appliance Control System Using Augmented Reality and an SSVEP-Based Brain-Computer Interface. 8th International Winter Conference on Brain-Computer Interface, BCI 2020 (2020). doi:10.1109/BCI48061.2020.9061633.

6. Freschi, C. et al. Ultrasound guided robotic biopsy using augmented reality and human-robot cooperative control. Proceedings of the 31st Annual International Conference of the IEEE Engineering in Medicine and Biology Society: Engineering the Future of Biomedicine, EMBC 2009, 5110–5113 (2009). doi:10.1109/IEMBS.2009.5332720.

7. Moro, C., Štromberga, Z., Raikos, A. & Stirling, A. The effectiveness of virtual and augmented reality in health sciences and medical anatomy. Anatomical Sciences Education 10, 549–559 (2017).

8. Parsons, D. & MacCallum, K. Current Perspectives on Augmented Reality in Medical Education: Applications, Affordances and Limitations. Advances in Medical Education and Practice 12, 77–91 (2021).

9. Munzer, B. W., Khan, M. M., Shipman, B. & Mahajan, P. Augmented Reality in Emergency Medicine: A Scoping Review. Journal of Medical Internet Research 21 (2019).

10. TriHealth invests in Augmedix Inc.’s Google Glass health care venture – Cincinnati Business Courier. https://www.bizjournals.com/cincinnati/news/2016/04/25/trihealth-invests-in-groundbreaking-google-glass.html.

11. Raji, I. D. et al. Saving Face: Investigating the ethical concerns of facial recognition auditing. AIES 2020 – Proceedings of the AAAI/ACM Conference on AI, Ethics, and Society 7, 145–151 (2020).

12. Healthwatch England. Locked out: Digitally excluded people’s experiences of remote GP appointments. (2021).

13. Liu, Y., Stiles, N. R. B. & Meister, M. Augmented reality powers a cognitive assistant for the blind. eLife 7 (2018).

14. Kulkov, I., Berggren, B., Hellström, M. & Wikström, K. Navigating uncharted waters: Designing business models for virtual and augmented reality companies in the medical industry. Journal of Engineering and Technology Management 59, 101614 (2021).

Sorting the wheat from the chaff. Choosing a digital health app.

Why use a digital health app?

With more than 90,000 digital health apps being added in 2020 alone, physicians are bombarded with download options as much in their professional life as in their private life.1 However, not all apps are equal, with the top 110 apps accounting for almost 50% of all downloads.1

So why use a digital health app? It might seem like an obvious question, but like anything related to screens, it is important to think about apps in a meaningful way. Especially in a professional context. The answers to the question include convenience, safety, and extended knowledge. Or do they?

The days of the trainee carrying around a well-thumbed Oxford handbook are over. Now the entire Harrison fits into your phone and then some. However, I’m sure that I’m not the only one who has excitedly downloaded a textbook to never look at it again. The format of the information needs to be easily accessible in a clinical context. Sometimes you need to know the pathology exists to look for it. In a book, you can thumb a few pages forwards and backwards and, serendipitously, come across the diagnosis.

You also need to be able to personalise your reference tool, adding to it as you go along. Whether it is a dedicated notebook or lines in the margin, many clinicians add local protocols, bleep numbers (yes, they still exist), or extra tips learnt along the way. Often this takes the digital form of a notes document on your phone.

There is also the credibility aspect of checking a written text in front of a patient. Somehow looking up a dose on a phone is not the same as checking a paper format. Having said that, no one will argue with the fact that a doctor cannot memorise all the medical conditions and drug dosages. Having a digital memory aid, especially when tired, can be a question of safety.

Another argument favouring digital health apps is that they can easily extend your knowledge to any area for which you can download a protocol or handbook. For non-dermatologists, there is a wealth of image banks with or without artificial intelligence to aid diagnostics. Of particular note is Malone Mukwende’s Mind the Gap project with St George’s hospital in London to reduce the health disparities in diagnosing skin pathologies in people of colour. Of course, providing an online platform of images that can be updated is not the traditional definition of a digital health app. Still, it is arguably one of the platforms which will have the most impact. And the app will surely follow.

However, no doctor is an island, and conversations between different specialities, whether family medicine and oncology or others, further everyone’s knowledge. An app can never replace an interactive discussion about the best treatment for a specific patient, taking into account the available local resources, patient preference and social context, and preferred outcome. Indeed, these conversations often lead to recommendations of more specialised resources. In this day and age, these recommendations often include health apps. Anaesthetists have been at the forefront of apps and are particularly good at knowing which apps are best for drug dosage or retrieval. Family and community medicine physicians can often point you to aids to avoid pharmacological interactions or to diagnoses that span various organ systems. Physicians use a lot more health apps than you might think. And the ones they use will be the ones that work. If you have any that you would like to recommend, please send them to me via Twitter @alice_bbyram or email. This brings us to the question of validating apps and knowing which ones are safe to use in your daily practice.

What do clinicians need to consider when choosing a digital health app?

When you do decide to use a health app, there are several aspects you need to think about before you start using it. First of all is the device you will be using it on. Whether it is a personal or professional phone or computer, the memory needed for the app may affect the speed your device runs at. All portable devices should have remote wipe and automatic deletion after several unsuccessful login attempts.2 Of course, if the hospital computer is constantly updating Windows XP or the websites are blocked by generic hospital controls, there is a natural selection as to which digital resources you have access to anyway. Similarly, suppose the app is a hybrid version that needs online access to give you all the information you need. In that case, you may find yourself limited by the Wi-Fi available at your hospital or health centre.

The individual using the apps or digital resources needs to recognise their own limitations. Few physicians receive formal digital health training, which is particularly important for prescription-only FDA-regulated digital resources.2 There is no shame in recognising that we have been washed along with the tide of innovation and haven’t had any time to stop and steer our own course. This self-knowledge is fundamental when you consider how much health care professional input is required by the app. Some diabetes apps require quite extensive physician input.1

Much has been made of the advantages of digital resources in aiding both physicians and their patients, with evidence available supporting the inclusion of digital health tools into health pathways. However, independent organisations caution about the need for more in-depth and long-term research to get a true picture.1 Physicians have a history of being cautious when sold new products by pharmaceutical representatives, for example. Digital health solutions are no different, especially when free. If the product is free, you’re the product, as was so aptly demonstrated in ‘The Social Dilemma’.3 It is a valid question to think about who has the resources to set up and maintain a digital health resource.

Compliance and regulatory controls are mandatory for certain types of digital health app, as opposed to wellness apps. Still, you have to be aware that being compliant with the American HIPAA may not mean that an app is also compliant with the European GDPR. The focus is different, as the GDPR is person-centred, whilst the HIPAA regulations are arguably more focused on the businesses that deal with health data. You need to make sure that the regulations align with your personal requirements and beliefs around health data.

National societies provide their own guidance. The Royal College of Physicians, for example, clearly states that you should not use web apps that don’t have a CE mark.4 And it is also up to the individual physician to make sure that it is up to date. Indeed, the college cautions against being lulled into a false sense of security if you see a CE mark and has produced a fact sheet to help you decide whether you can feel confident about using a certain app.4 Even then, it is up to the individual physician to exercise professional judgement when using the app. If you do see any calculation errors, you are under an obligation to report them to the MHRA.

Digital formularies provide a library of available apps which could be held to a higher standard than an app store. The NHS has such a library of apps that have been passed according to the DTAC, or Digital Technology Assessment Criteria for health and social care. This is a good starting point when you want to find an app covering a specific condition. However, users should be mindful of a possible increased cost due to exclusivity deals, or of newer and potentially better apps being excluded.2

Finally, physicians are the end-user testers and are in a unique position to identify issues that come up. There is a professional obligation to flag up any prescribing or other issues that may impact patient care, but there is also the possibility of making a real change.5 Just as Dr Mukwende did with his dermatological diagnoses for people of colour, if you identify a need you can approach the innovation department of your hospital. Barcelona is a hotbed of digital health innovation, and places like the Barcelona Health Hub are spaces where digital health solutions are found by linking clinicians and tech companies.

What do patients need?

As physicians, we all know the need for medications to be easy and practical to take, and if not, the patient will understandably find it difficult to feel engaged. Digital health resources are no different. If an app takes up a lot of phone memory or is not easy to navigate, it will be quickly deleted. Conversely, integration with wearables such as smartwatches may lead to greater compliance. Word of mouth is also important amongst patients, and once one person sees the advantages of an app, others may well follow.

Yet digital health technology can lead to exclusion. In fact, you may not even be aware of the exclusion your patients are facing. Sitting in a doctor’s waiting room recently, I saw a granddaughter teaching her grandmother how to read text messages to make sure she didn’t miss health care appointments. Now that, in some countries, appointment letters are no longer routinely sent out, you may not be aware of the level of patient exclusion. Specifically, newer methods for accessing appointments were found to be the place where most patients gave up.6

Healthwatch UK found that exclusion can be linked to a lack of digital skills, affordability and trust concerns.6 However, it also found that statements about reluctance to use telehealth should not be taken at face value, as once barriers are overcome, patients may be happy with telehealth options.6

Developers listen up!

When it comes to developing a new app, you may have been commissioned by a physician who has seen a gap in the market or by a team who come from a more business background. The end user is still the same: patients and physicians, along with their team, their family, carers, nurses and other health care assistants or HCAs.

Diabetes, mental health and lifestyle change apps are all well established, but have you thought of patients with AIDS, chronic pain and infectious diseases? Also be reactive to what is going on around you. During the COVID pandemic there have been spikes of related apps, peaking with each wave.1

The first step as an app developer is to consider what is needed, rather than what you can offer. Your expertise may lead to many functions, but if they are not useful in day-to-day medical and home usage, the app will be quickly uninstalled. Consider also the accessibility and ease of use. Stay up all night, or set an alarm every 3 hours to reach a sufficient level of tiredness, and you can start to get into the skin of a physician or carer on call. If you use glasses, hide them somewhere in your house that you can’t find just when you need them most. If you don’t use glasses, borrow some to get that sufficiently fuzzy vision that many people have to deal with. Then reconsider whether your app design still works.

Overcoming the reluctance of end users is a team effort, right from the start, not just a matter for the sales team. As a developer you have to make sure that your app is secure by design and complies not only with country-wide compliance laws such as HIPAA or GDPR, but also institutional ones such as those of the NHS. Go straight to the end requirements that the physicians and patients will be requesting. The NHS Digital Technology Assessment Criteria for health and social care has an entire section on the requirements which should direct your development. These include clinical safety, data protection, technical security and interoperability criteria. To make your life easier as a developer, there is a tick-box exercise for you to work through to make sure you are complying with good practice by design. Apps need to be accessible to all and follow ethics guidelines. From a technical point of view, you need to be up to the IEC 62304 international standard. Your app must undergo verification, validation and load testing as part of the development process. Bias testing is another aspect for which you may need to seek outside expert help. Humans are notoriously bad at recognising their own biases.

In the UK, the Caldicott guardian principles are the benchmark for physician decisions when it comes to data protection. These are more likely to be used by physicians than the GDPR, which post-Brexit will be incorporated as UK-GDPR.

Physicians are under an obligation to report any problems with an app which may lead to error to the MHRA, or the equivalent body where they are practising. You need to provide an easy feedback form to make sure you are also informed and can react proactively rather than defensively.

You should be aiming for the CE mark whether the app will be free or not.5 Make sure that you have thought ahead about how your health technology may evolve, but also how the requirements may evolve. If you are thinking of expanding to different markets, knowing in advance where the security emphasis is placed is invaluable.

Similarly, looking at the digital formulary of apps you may wish to be included in can help you overcome potential problems of being sidelined for not being updated or outpriced, a couple of the potential disadvantages of digital formularies.7

Finally, we’re all patients or carers/family of patients. So take off your designer hat and ask around you what works in an app. If you are working with a specific condition, speaking to the patient associations for people with that condition will not only help your design but also open doors whilst you are doing it.

In a nutshell.

  • Compliance may come in many different forms – always use professional judgement on any decision taken.
  • Knowing who is behind the app can help you make decisions and even offer feedback.
  • Practicality has to come first, be that automatic updates, storage use, interoperability or hybrid options.
  • Think of possible patient exclusions from the digital health option you are offering.
  • If you develop an app that is intended for use in any medical context in Europe, it will need a CE mark, whether it is free to download or not.
  • Knowing the criteria used for regulatory compliance can help you as a clinician decide if it is an app you feel safe using.
  • If you see a need, be reactive and either develop the digital health resource yourself or go to the people who can help you or take it over.

In short, digital health resources are valuable, not necessarily an intrusion. When used mindfully, they can be a help, not a hindrance in your practice.


1. Kern, J. et al. Digital Health Trends 2021. Digital Health Trends (2021).

2. Gordon, W. J., Landman, A., Zhang, H. & Bates, D. W. Beyond validation: getting health apps into clinical practice. npj Digital Medicine 3, 1–6 (2020).

3. Orlowski, J. The Social Dilemma. (Exposure Labs, Argent Pictures, The Space Program, 2020).

4. Royal College of Physicians. Using apps in clinical practice. (2015).

5. RCP issues new guidance on using medical apps | RCP London. https://www.rcplondon.ac.uk/news/rcp-issues-new-guidance-using-medical-apps.

6. Healthwatch England. Locked out: Digitally excluded people’s experiences of remote GP appointments. (2021).

7. Gordon, W. J., Landman, A., Zhang, H. & Bates, D. W. Beyond validation: getting health apps into clinical practice. npj Digital Medicine 3, 1–6 (2020).

Lost USB? Hacked? What to do in the case of a data protection breach?

Despite all the best will in the world and processes in place, data breaches can happen. It can be as simple as a lost USB stick with patient information on it, or a more sustained hacking attempt that affects only your clinic, or you as part of a wider organisation that has been maliciously attacked.

Informing the supervisory body.

The key deadline comes from Article 33: you must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the people concerned. If you miss the 72 hours, the notification must give the reasons for the delay. Whether or not you notify, document the breach, its effects and what you did about it; the supervisory authority is entitled to see that record. The information you will need to provide is:

  • Nature of the breach:
    • Categories of data subjects
    • Approximate number of data subjects
    • Categories and approximate number of data records affected
  • Contact details of the data protection officer, or of another contact point who can give relevant information.
  • The likely consequences of the breach.
  • What you have done so far, and what you plan to do, to address the breach and mitigate its effects.

Informing the patient.

Where the breach is likely to result in a high risk to the patient’s rights and freedoms, you must also tell the person whose data has been breached (the data subject) without undue delay, in clear and plain language. As per Article 34, you do not need to inform the patient if:

  1. The affected data was protected by appropriate technical and organisational measures, in particular encryption, that render it unintelligible to anyone not authorised to access it. In practice this is the difference between a lost USB stick that was encrypted and one that was not.
  2. You have since taken measures that mean the high risk is no longer likely to materialise.
  3. Informing each patient individually would involve disproportionate effort. In that case a public communication, or a similar measure that informs them equally effectively, is the alternative.

If the supervisory authority considers the breach to be high-risk and you have not informed your patients, it may require you to do so, or it may decide that one of the exemptions above applies.

Health data – How long can / should I keep it?

Whether you are a data controller deciding which data should be used, or a data processor in charge of keeping the health data in the cloud, for example, how long you should keep data for is something you should be proactively thinking about. The general principle is that you only keep it as long as is necessary, which of course can be open to debate and also to regional variations.

The purpose for which the data has been collected will help you decide how long to store it, so that you are not exposing yourself to a data breach for longer than needed. If you are developing an app, then that period should be specified clearly in the terms and conditions. When looking at health data for individual patient treatment and diagnostics, the concept of “as long as is needed” could be thought, from a clinician’s point of view, to be the duration of the individual’s life. For research, it can be and is argued that the data should be kept beyond an individual’s life. These decisions are often taken by the organisation’s data protection officer or DPO.

With health data, as long as you still have some responsibility for that patient, and the patient has recognised it, then you can and should keep their health data. As ever, it is up to you to make sure that it is accurate and up to date. This includes making sure that contact details are current. Once you have decided which data you are collecting, the amount of time you decide to keep it is the easy bit.

When can you (temporarily) skip asking for consent?

Health data is by definition and function sensitive data (Article 9 treats it as a special category), but as anyone seeing patients knows, it is not always practical to get consent when treating a sick patient.

Article 9(2) sets out the cases in which you may process health data without needing to rely on a separate consent. For a clinician the relevant ones are:

  1. The patient has given explicit consent.
  2. Processing is necessary to protect the vital interests of the patient, and the patient is physically or legally incapable of giving consent. E.g., an unconscious patient arrives in the ER, or the patient is a minor.
  3. Processing is necessary for the provision of health care by, or under the responsibility of, a professional who is already bound by an obligation of professional secrecy. This is the Hippocratic oath and all the versions which have followed it.

None of these removes the duty to keep the data secure: encryption, access control and the other technical and organisational measures still apply exactly as they would if consent had been obtained.

When you do find out more information about, for example, an unconscious patient, you are under an obligation to update the records immediately. Again, this was standard practice for medical professionals before the GDPR was brought in.

It’s a short article because it’s a short message.

Don’t let the fear of data protection legislation stop you saving lives!

Sharing & transferring health data.

When you share patient data as a doctor, for example by referring your patient to a cardiologist colleague, you are ‘disclosing personal data’. You do not have to notify the patient of each such transfer as long as it stays within the bounds of professional confidentiality. The recipient of this data then becomes a data controller for their own processing of it, with the obligations that go with that role.

Patients too have the right to take their data with them wherever they go, this is the right to data portability.

Apps are not covered by professional confidentiality. So any change in who has access to, or is processing, the data must be communicated in full to the app user, including the identity of the new data controller, the categories of data which will be used and the recipients of the data, among other things. It is a long list, but how many people just click on the “updated terms and conditions” without reading them? Most of us…

Being based outside the EU does not exempt an app from complying with the GDPR if the user is in the EU: Article 3(2) covers anyone offering services to, or monitoring the behaviour of, people in the EU. So unless you are certain that you are complying with the GDPR, you should limit your app store availability to countries not covered by it.

If the data is being shared outside the EU (of particular interest in the context of Brexit), an equivalent level of protection must be ensured. Chapter V covers such transfers. The simplest route is an adequacy decision, by which the European Commission decides that a third country meets the required standard; Article 45 requires that decision to be reviewed at least every four years. Where there is no adequacy decision, the transfer needs appropriate safeguards such as the Commission’s standard contractual clauses (Article 46).

GDPR and fitness apps.

Do you own a fitness tracker? Or even just activate the steps counter on your phone?

Most of us have used some sort of health or fitness app, whether to go running or to record more intimate details. Most of us have also ticked all the terms and conditions automatically. To comply with the GDPR, the information should be clear, and the data collection limited to what is needed by the app. Is geolocation and access to your contacts always necessary? How do you feel about your age and gender combined with your fitness level being shared with undisclosed third parties? While medical data for clinical trials usually has to be anonymised, this is not necessarily the case for your data, which is then shared with your insurer or your mortgage broker…without you even knowing it. This is when the targeted ads for new running shoes pale into insignificance. Higher health insurance premiums or rejected mortgage applications have a real impact on our lives.

Once you take a patient’s fitness data into your records, you become the controller of that data and the patient is the data subject. In the context of fitness trackers, you need to be sure that you comply with Article 5, being especially mindful that the data you collect is limited to the specific healthcare purpose. As apps can often collect a lot more data than you would imagine, as a doctor and controller you need to be sure that you don’t end up collecting everything indiscriminately. This same data can make it unexpectedly easy to identify patients even if you remove the obvious identifiers such as name, age and gender.

Personal data is any data that can identify you as an individual and more specifically, health data is anything that refers to your specific health status. Furthermore, this is classed as sensitive data as the consequences of this data becoming more widely known can have more serious implications as previously mentioned.

If you are integrating the information from an app as part of an EHR program you have contracted, this is one of the questions to ask the EHR vendor: how do you ensure that only the relevant information is brought across? This is something they may not even have thought about.
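One way to answer that question concretely is to put an allow-list between the app export and the record: each documented clinical purpose names the fields it actually needs, and everything else the app bundled in (location track, contacts, device identifiers) is dropped and counted, so the controller can see what the app was collecting. The following is an added example written for this page, not code from the original article or from any EHR product; the purposes, field names and the tracker export are constructed for illustration.

```python
"""Purpose-limited import of fitness-tracker data into a patient record.

Added example (not from the original article). A constructed tracker export
is filtered against an explicit allow-list per clinical purpose so that only
the fields that purpose needs reach the EHR (Article 5(1)(b) and (c)).
Purposes, field names and the sample payload are assumptions.
"""
from __future__ import annotations

import json
from typing import Any

# Hypothetical documented purposes and the fields each one actually needs.
ALLOWED_FIELDS: dict[str, set[str]] = {
    "cardiac_rehab": {"date", "resting_heart_rate", "steps", "active_minutes"},
    "weight_management": {"date", "steps", "active_minutes", "weight_kg"},
}

# Fields that must never be copied from a consumer app into a clinical record,
# whatever the purpose: they add identifiability without clinical value.
# Checked separately so that a later edit to ALLOWED_FIELDS cannot let them in.
NEVER_IMPORT = {"gps_track", "contacts", "email", "device_id", "advertising_id"}


def minimise(record: dict[str, Any], purpose: str) -> tuple[dict[str, Any], list[str]]:
    """Filter one daily record; return (kept_fields, names_of_dropped_fields).

    An undocumented purpose raises rather than silently importing everything.
    """
    if purpose not in ALLOWED_FIELDS:
        raise ValueError(f"no documented purpose {purpose!r}; refusing to import")
    allowed = ALLOWED_FIELDS[purpose] - NEVER_IMPORT
    kept = {k: v for k, v in record.items() if k in allowed}
    dropped = sorted(k for k in record if k not in kept)
    return kept, dropped


def import_export(export_json: str, purpose: str) -> tuple[list[dict[str, Any]], dict[str, int]]:
    """Filter every daily record in a tracker export.

    Only the per-day records are read; the top-level account block (e-mail,
    advertising id) is never touched. Dropped field names are counted so the
    controller can see what the app was collecting beyond the clinical need.
    """
    data = json.loads(export_json)
    imported: list[dict[str, Any]] = []
    drop_counts: dict[str, int] = {}
    for rec in data["days"]:
        kept, dropped = minimise(rec, purpose)
        imported.append(kept)
        for name in dropped:
            drop_counts[name] = drop_counts.get(name, 0) + 1
    return imported, drop_counts


# Constructed sample export: the mix a consumer app typically bundles together.
SAMPLE_EXPORT = json.dumps({
    "user": {"email": "patient@example.invalid", "advertising_id": "ad-1234"},
    "days": [
        {"date": "2021-03-01", "steps": 6120, "resting_heart_rate": 58,
         "active_minutes": 35, "gps_track": [[51.50, -0.12], [51.51, -0.13]],
         "contacts": ["alice", "bob"], "device_id": "dev-42", "sleep_hours": 6.5},
        {"date": "2021-03-02", "steps": 8010, "resting_heart_rate": 57,
         "active_minutes": 50, "gps_track": [[51.50, -0.12]], "device_id": "dev-42"},
    ],
})

if __name__ == "__main__":
    kept_days, dropped_counts = import_export(SAMPLE_EXPORT, "cardiac_rehab")
    print(json.dumps(kept_days, indent=1))
    print("dropped per field:", dropped_counts)
```

The useful output for the data controller is the second line: a field that is dropped on every import is one the app should not have been given permission to collect in the first place, and that is a conversation to have with the patient as well as with the vendor.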

If you are incorporating the information in a report format generated by the app that the patient has sent you by email for example, then just make sure you have a copy of preferably written consent. It should cover the data being incorporated into their EHR and therefore, everyone else who also has access to the EHR.

Although fitness trackers can be a good way of getting people, or your patients, to a better state of health, you may want to have a chat about “free” trackers. Some health insurance companies are offering almost free fitness trackers. However, they then access your data, and premiums may be affected by how the insurer evaluates your fitness and therefore your risk of future illness. They might not turn out to be so cheap after all. There are many less expensive, if less prestigious, fitness trackers on the market. In reality, most people only need an activity monitor and a heart rate monitor. The ECG monitoring option has been controversial and may not be relevant to your patient. It is a fast-changing industry, and clinical need rather than opportunity should decide whether you incorporate a fitness tracker or other wearable into your practice. It is important to think about whether the information provided is useful or will potentially lead to more testing, as happened with the incidentalomas (incidental imaging findings) which appeared when full-body CTs became available. Just because you can, doesn’t mean you should!

GDPR and health data – the questions you need to ask as a doctor.

As a doctor, I have always been very aware of the importance of patient confidentiality. Not only for ethical or legal reasons but also for purely practical purposes. If you don’t have all the information you can’t make the right decisions, and you will only get all the embarrassing information if patients are confident it won’t go any further.

However, from a legal perspective, it is not always that clear, especially when we are talking about health data which now comes from sources other than just the patient. Fitness trackers, for example, give useful information, but how should I store that data?

And if you are looking to buy into some new digital technology, what are the questions you need to ask?

If you are still using paper records, or are outside the EU, this still affects you: Article 2 brings structured paper filing systems within the scope of the GDPR, and Article 3 extends it to organisations outside the EU that offer services to, or monitor, people in the EU.

Privacy has been recognised as a concern for decades. The European Convention on Human Rights (1950) protects private life in Article 8, and data protection specifically was addressed in 1981 by Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data. Today the right to data protection is a fundamental right in its own right (Article 8 of the EU Charter of Fundamental Rights). Now, most people will have heard of the General Data Protection Regulation or GDPR, which came into effect in May 2018, if only because of the pop-ups requesting permissions or, in the case of certain non-EU websites, refusing access altogether.

For doctors, the essential concepts to understand about data processing or actions on information that can identify their patient are:

  1. Data controller: The person or organisation who decides what data is collected, how it is collected and for which purpose. As a doctor, you or your institution can be a data controller.
  2. Data processor: The person or service who processes the data under the instructions of the controller. As a doctor using digital technology, this can be the company whose software stores your data; the relationship must be formalised in a contract (Article 28).
  3. Data subject: The patient or other identifiable person.

Article 5 of the GDPR covers data processing, and as a doctor/data controller, you need to be aware that the data you collect should be:

  1. Lawful, fair and transparent.
  2. Limited to purpose – you need to be recording data with a specific, limited and explicit purpose.
  3. Minimised – irrelevant data should not be recorded.
  4. Accurate – doctors are used to recording treatment changes, for example, and we are all aware of the legal consequences of not keeping legible notes.
  5. Storage limitation – this refers to not keeping the data for longer than required. Health is probably one of the few areas where you can argue that the data should be stored for the entire life of a person in order to give the best care.
  6. Integrity and confidentiality. This refers to the fact that the data must be protected appropriately through technical and organisational means. You need to consider not only loss and damage (accidental or other) but also that it is not accessed inappropriately by different members of staff. This is a core question when being presented with a new medical application or technology for your practice. Larger institutions such as hospitals will have an information security officer, but if you practise in a smaller setting, this responsibility will be yours.

Finally, to process any data, you need to be sure that there are legal grounds for processing the data you have collected. For doctors, the concepts are familiar:

  1. Consent has been given.
  2. It is necessary for a contract to be carried out and specifically, in the health care setting, this includes an agreement to medical treatment either implicitly or explicitly.
  3. You are complying with a legal obligation.
  4. You are protecting the vital interests of a patient.
  5. You are carrying out a task in the public interest or in your capacity as an official authority.
  6. There exists a legitimate interest for processing.

Sensitive data, as health data is, gets more privacy protection, and Article 9 covers this specifically. Safeguards used include:

  1. Pseudonymisation: This is removing identifying fields such as name, date of birth and address, but in health it needs to go even further. A diagnosis of a specific disease plus the treating hospital plus gender may be enough to identify the patient. With big data and large numbers of patients it becomes harder to identify individuals, but even there it is important to think about unusual characteristics which may make a patient stand out. Some doctors have fallen foul of this on Twitter when making what they thought were generic comments about a type of patient they had seen during a specific shift. At the same time, you still have to have the correct data to treat your patient. This means that you need additional information, kept separately, in order to link the pseudonymised record back to your specific patient.
  2. Anonymisation: This means that you strip away all the identifying aspects of the data and can no longer identify the patient, even with the additional information. This is a valid technique for research. As mentioned previously, it is very hard to anonymise medical data, and there is a chilling report, for all those with any level of data protection responsibility, about how supposedly anonymised health data sets were not so anonymous once compared to local newspaper reports: 43% of the individuals were identified.
  3. Encryption: This encoding of the data is very much a technical matter. Most doctors would find it hard to know what questions to ask and then to interpret the answers. However, thinking through specific clinical contexts may make the technical team consider uses and deviations which they had not come across.
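The distinction between items 1 and 2 is easier to see on data than in prose. The block below is an added example written for this page (not code from the article): it pseudonymises a small constructed set of patient rows by replacing the direct identifiers with an HMAC of the patient number under a secret key, so that only whoever holds the key (the “additional information”, which must be kept apart from the data) can link a row back to a patient; it then counts how many rows share each combination of the remaining quasi-identifiers (diagnosis, hospital, gender, age band) to show that the pseudonymised set still singles out patients, which is exactly why it is not anonymised. Patient rows, field names and the key are all constructed for the example.

```python
"""Pseudonymisation and a re-identification check for a small clinical data set.

Added example (not from the original article). Shows:
  1. pseudonymisation in the Article 4(5) sense: direct identifiers are replaced
     by a keyed HMAC of the patient id, so linking back needs the key, which is
     held separately from the data;
  2. that this is not anonymisation: the remaining quasi-identifiers can still
     single out one patient, which a k-anonymity count makes visible.
All rows, field names and the key below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from collections import Counter

DIRECT_IDENTIFIERS = ("patient_id", "name", "date_of_birth", "address")
QUASI_IDENTIFIERS = ("diagnosis", "hospital", "gender", "age_band")


def pseudonymise(rows, key):
    """Replace the direct identifiers in each row with a keyed pseudonym.

    HMAC rather than a plain hash: without the key, nobody can confirm a guess
    ("is this row patient P001?") by hashing candidate identifiers themselves.
    The same key always yields the same pseudonym, so the key holder can still
    link a patient's rows across data sets.
    """
    out = []
    for row in rows:
        tag = hmac.new(key, row["patient_id"].encode(), hashlib.sha256).hexdigest()[:16]
        rest = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"pseudonym": tag, **rest})
    return out


def reidentify(pseudonym, candidate_ids, key):
    """The key holder links a pseudonym back to a patient id; without the right
    key every candidate fails. Returns the matching id or None."""
    for pid in candidate_ids:
        tag = hmac.new(key, pid.encode(), hashlib.sha256).hexdigest()[:16]
        if hmac.compare_digest(tag, pseudonym):
            return pid
    return None


def k_anonymity(rows, quasi=QUASI_IDENTIFIERS):
    """Return (k, singled_out): k is the smallest number of rows sharing one
    combination of quasi-identifier values; singled_out lists the combinations
    that occur exactly once and therefore point at a single patient."""
    groups = Counter(tuple(row[q] for q in quasi) for row in rows)
    singled_out = [combo for combo, n in groups.items() if n == 1]
    return min(groups.values()), singled_out


# Constructed rows. Two patients share every quasi-identifier; one differs only
# by gender; one has a rare diagnosis that no generalisation short of dropping
# the diagnosis itself will hide.
PATIENTS = [
    {"patient_id": "P001", "name": "A. Example", "date_of_birth": "1958-04-02", "address": "1 High St",
     "diagnosis": "type 2 diabetes", "hospital": "St Elsewhere", "gender": "F", "age_band": "60-69"},
    {"patient_id": "P002", "name": "B. Example", "date_of_birth": "1955-11-20", "address": "2 High St",
     "diagnosis": "type 2 diabetes", "hospital": "St Elsewhere", "gender": "F", "age_band": "60-69"},
    {"patient_id": "P003", "name": "C. Example", "date_of_birth": "1957-07-09", "address": "3 High St",
     "diagnosis": "type 2 diabetes", "hospital": "St Elsewhere", "gender": "M", "age_band": "60-69"},
    {"patient_id": "P004", "name": "D. Example", "date_of_birth": "1979-01-30", "address": "4 High St",
     "diagnosis": "rare inherited metabolic disorder", "hospital": "St Elsewhere", "gender": "M", "age_band": "40-49"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)          # kept by the controller, not with the data
    released = pseudonymise(PATIENTS, key)
    print(released[0])                     # no name, no date of birth, no address
    print("linked back:", reidentify(released[0]["pseudonym"], ["P003", "P001"], key))
    print("with wrong key:", reidentify(released[0]["pseudonym"], ["P003", "P001"], b"guess"))
    k, singled = k_anonymity(released)
    print(f"k = {k}; singled out: {singled}")
    k, singled = k_anonymity(released, ("diagnosis", "hospital", "age_band"))
    print(f"after dropping gender: k = {k}; singled out: {singled}")
```

Two things to take from running it. The key is what makes this pseudonymisation rather than anonymisation: give the key to the research team and the data is identifiable for them, lose the key and you can no longer find your own patient. And k stays at 1 after dropping gender, because the rare diagnosis alone points at one person; that is the “unusual characteristic” problem from the paragraph above, and it is not solved by removing names.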

In general, observing good medical practice will set you on the right road, but the questions come when you want to contract a new software.

  1. What / who is the data processor you use? Are they compliant with GDPR and what sort of guarantees do they offer?
  2. As this is sensitive data, how is it:
    1. Pseudonymised?
    2. Encrypted?
  3. How are you complying with data protection by design and default?

Most clinicians without any programming or technical knowledge would find it hard to ask specific questions and then understand the answers. However, technicians don’t have the situation-specific understanding of how this data will be used, and going through a typical consultation together, step by step, can help uncover the moments when there may be data compliance issues. This is data protection by default: only the sensitive data needed for the specific process can be processed. For example:

  • How do you lock the screen temporarily while examining a patient when family members may be present?
  • How do you deal with multiple doctors using the same computer?
  • How are blood results transferred between the laboratory and your EHR?
  • Are emails encrypted if you have to do a referral to a colleague?

The company selling you any software should be able to give you clear answers and explanations as to how they are helping you comply with your obligations as a data controller in the clinical setting. Your obligations when contracting a data processor are set out in Article 28, and even if you don’t know the article in detail (!), the people selling you the EHR should.