Patient consent and digital health data in GDPR and HIPAA context



Medical service provision is not only about the contact between the patient and the doctor. It’s equally important to document the visit and the medical procedures performed properly. The information in the records is essential for the patient and for the provision of further services – by other specialists or other facilities. Who can aggregate patient data, and on what basis? Do you need patients’ consent to use digital health data? Read on to find out.

Medical records – what do they contain?

A medical record is a set of data that includes information that allows patient identification, a description of their health condition, and details of the health services provided. The data contained in medical records are protected. Key ones include:

  • surname and forename;

  • date of birth;

  • gender;

  • address of residence;

  • type and number of an identity document;

  • in case of a patient who’s a minor, totally incapacitated or incapable of conscious consent: surname and first name(s) of the legal representative and the address of their place of residence;

  • designation of the body providing healthcare services, indicating the organisational unit where healthcare services have been provided;

  • a description of the patient’s state of health and/or the health services provided;

  • preparation dates.

EU regulations – medical data and the General Data Protection Regulation

As of 2018, the European Union has unified legal conditions for the processing of medical data. It happened due to the entry into force of the provisions of the Regulation of the European Parliament and the Council on the protection of individuals concerning the processing of personal data and on the free movement of such data.

Under the General Data Protection Regulation (GDPR), health data is treated as a special category of personal data. Therefore, it requires stricter safeguards than other, “ordinary” types of personal data. Article 4(15) of the GDPR defines personal health data as “personal data related to a person’s physical or mental health, including the provision of healthcare services, which reveal information on their health status”.

The GDPR points to the following principles for processing digital health data:

  • lawfulness;

  • fairness and transparency of processing;

  • purpose limitation;

  • data minimization;

  • accuracy;

  • storage limitation;

  • integrity and confidentiality.

This means that digital data (including medical data) should be collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes. Data should also be kept in a form that permits identification of the data subject for no longer than is necessary for the purposes for which the data are processed and in a manner that ensures adequate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by means of appropriate technical or organisational measures.

In particular, respect for the principles of confidentiality and integrity is essential when transferring data to external servers. Therefore, on top of the other challenges they’re facing, medical facilities that collect digital health data must ensure its security and prevent unauthorised use.

The key difference between GDPR and HIPAA is the focus


Among the key differences between HIPAA and GDPR are:

HIPAA, to some extent, allows for the disclosure of digital health data without patient consent. Under the Act, healthcare providers may send protected health information (PHI) to another provider for treatment purposes. The term “treatment” has a fairly broad meaning ‒ it means providing, coordinating, or managing healthcare and related services by one or more providers. In addition, medical data can be shared to conduct healthcare business and, if specific criteria are met, a healthcare provider can even share medical data with other healthcare providers without requiring the patient’s consent.

With GDPR, it’s different. Explicit consent must be obtained from medical data subjects for any interactions that aren’t related to direct patient care. This rule also applies to marketing or communication activities, whether via phone, email, direct mail, or other methods.

Right to be forgotten

GDPR provides EU citizens with the “right to be forgotten,” which in practice boils down to the fact that they can request their digital health data be deleted. To fulfill this right, a medical facility must have knowledge and control over where patient data is stored by the service provider, affiliates, and related entities. The same applies to all medical software that stores the patients’ data.

Data breaches

Data breaches are a serious concern for healthcare providers. The HIPAA Privacy Rule directs covered entities and their business associates to protect protected health information (PHI) and limit its disclosure. The Privacy Rule gives patients the right to review their health information and digital medical records and request corrections. In addition, under the HIPAA Breach Notification Rule, covered entities are required to notify individuals whose medical information has been breached.

The situation is different in the case of the GDPR. Under Article 33 of the GDPR, a breach must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it.

Obligations of medical institutions regarding patients’ digital data

One of the biggest challenges for the healthcare system is the increasing amount of digital data being collected and the burden of selecting and accurately interpreting that data. Data can be a source of savings for the system, but since it’s sensitive, its use must be lawful. Thus, medical facilities providing healthcare services are obliged to:

  • keep and store patients' records in a proper way;

  • make the data available to authorised entities;

  • protect the patient data with the use of appropriate security measures (this applies to both paper and electronic documentation).

Particular attention should be paid here to the issue of sharing digital medical data. It can be made available by the health facility to the patient upon consent. This entitlement derives from the patient’s right to be informed about their state of health.

If the patient is a minor or incapacitated, their legal representative has the right to access the digital health data and may exercise this right independently of the patient. However, it’s important to remember that the representative’s request excludes the patient’s right and vice versa.

The digital data can also be made available to a person authorised by the patient. It’s worth noting that the authorised person doesn’t necessarily have to be a relative. The consent can also be granted to several people simultaneously, and each of them can exercise the authorisation independently. There’s no prescribed form for approval – the patient can do it in writing, orally, or electronically. This should be noted in the records.

The patient should indicate to what extent they’re authorising a particular person, i.e., whether they’re authorising them to inspect the whole digital health record or just a specific part of it. Notably, the consent is valid not only against the facility where it was given, but also against any healthcare provider at that facility. In addition, the authorisation is perpetual unless otherwise specified in the approval, and the right to access the medical records doesn’t expire upon the patient’s death.
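The access rules described in this section (the patient, a legal representative acting independently, and separately authorised persons whose consent carries a scope, an optional end date, and is bound to the facility where it was given) amount to an authorisation policy that a records system has to enforce and log. The following is an added illustration, not code from the original article or from any real facility or library: the data model, identifiers such as `P1`, `F1`, `A1`, the section names and dates are all constructed for the example, and the policy is one reading of the rules in the text.

```python
"""Consent-based access check for a patient's digital health record.

Illustrative example only: the data model and rule set are assumptions built
from the rules described in the text, not any facility's or library's code.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Authorisation:
    """Consent given by the patient to one person, as noted in the record."""
    grantee_id: str
    facility_id: str                           # valid against the facility where it was given
    sections: Optional[FrozenSet[str]] = None  # None = the whole record
    form: str = "written"                      # "written", "oral" or "electronic"
    valid_until: Optional[date] = None         # None = perpetual


@dataclass
class PatientRecord:
    patient_id: str
    facility_id: str
    sections: Dict[str, str]                   # section name -> content
    legal_representative_id: Optional[str] = None
    deceased: bool = False
    authorisations: List[Authorisation] = field(default_factory=list)
    audit_log: List[Tuple[str, str, bool, str]] = field(default_factory=list)


@dataclass(frozen=True)
class Requester:
    subject_id: str
    facility_id: str   # facility (any of its providers) handling the request


def _as_date(value) -> date:
    """Accept either a date or an ISO-8601 string such as '2024-01-01'."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def grant_authorisation(record, grantee_id, form="written", sections=None, valid_until=None):
    """Note a consent in the record. Each grantee is independent of the others,
    so several authorisations may coexist; the facility is the one holding the record."""
    if form not in ("written", "oral", "electronic"):
        raise ValueError("form must be written, oral or electronic")
    auth = Authorisation(grantee_id, record.facility_id,
                         frozenset(sections) if sections else None, form,
                         _as_date(valid_until) if valid_until else None)
    record.authorisations.append(auth)
    return auth


def check_access(record, requester, section, today):
    """Return (allowed, reason) for the requester reading one section, and log it."""
    today = _as_date(today)
    if section not in record.sections:
        decision = (False, "unknown section")
    elif requester.subject_id == record.patient_id:
        decision = (True, "patient's own right to be informed")
    elif requester.subject_id == record.legal_representative_id:
        decision = (True, "legal representative (independent of the patient)")
    else:
        decision = (False, "no valid authorisation")
        for auth in record.authorisations:
            if auth.grantee_id != requester.subject_id:
                continue
            if auth.facility_id != requester.facility_id:
                continue  # consent is valid only against the facility where it was given
            if auth.sections is not None and section not in auth.sections:
                continue  # outside the scope the patient indicated
            if auth.valid_until is not None and today > auth.valid_until:
                continue  # expired; it is perpetual only when no end date was set
            # The patient's death does not end an authorised person's access.
            decision = (True, f"authorised person ({auth.form} consent)")
            break
    record.audit_log.append((requester.subject_id, section, decision[0], decision[1]))
    return decision


def disclose(record, requester, section, today):
    """Data minimisation: hand out only the single section that was asked for."""
    allowed, reason = check_access(record, requester, section, today)
    if not allowed:
        raise PermissionError(reason)
    return record.sections[section]


def make_sample_record():
    """Constructed sample data: patient P1 at facility F1 with representative R1."""
    rec = PatientRecord("P1", "F1", {"diagnosis": "...", "billing": "..."},
                        legal_representative_id="R1")
    grant_authorisation(rec, "A1")                                   # whole record, perpetual
    grant_authorisation(rec, "A2", form="oral", sections={"diagnosis"},
                        valid_until="2023-12-31")                    # limited scope and time
    return rec


if __name__ == "__main__":
    rec = make_sample_record()
    for who, fac, sec, day in [("A1", "F1", "billing", "2024-01-01"),
                               ("A1", "F2", "billing", "2024-01-01"),
                               ("A2", "F1", "diagnosis", "2024-01-01")]:
        print(who, fac, sec, day, check_access(rec, Requester(who, fac), sec, day))
```

Every decision, including denials, goes to `audit_log`, which is what a reviewer would want when checking who actually read a record; `disclose` returns one section at a time so that a narrowly scoped consent cannot be widened by a convenient "give me everything" call.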

Consent for digital patient data – why is it so important?

Patient consent is now crucial for collecting and storing digital health data. Regulations that have been put in place give people more control over the data they share, but they can also place restrictions on who accesses it. Complications can arise in this process due to interactions at multiple points of contact – the same patient can have different profiles across various systems (clinics, hospitals, pharmacies). In addition, the number of places where data is stored can lead to difficulties establishing patient identity. The problem is compounded when consent is delegated to a caregiver or other individuals. Therefore, it’s essential to ensure that patient consents include all of this data and that it’s easily identifiable, up-to-date, and compliant with all necessary regulations.

Proper selection of digital health data is also necessary to perform management and clinical tasks. For this, medical entities need to become digitised, so that access to data is possible in real time, because only then does it have the greatest value. Similar solutions should also function at the central level to facilitate the right decisions on financing services, investments, and reimbursement of medicines. Such data is also a valuable source of knowledge that can be used in scientific research to determine trends and look for growth or decline in certain variables.

Technology has changed and is changing medicine, not only making life more comfortable but becoming increasingly effective in protecting it. Once, the significant breakthroughs were the invention of the stethoscope, X-ray tubes for medical purposes, and the introduction of antisepsis principles in hospitals. Currently, we’re dealing with the digitisation and integration of medical data, advanced processing of large data sets, and the use of virtual environments. As the history of medicine shows, those who innovated could save lives more effectively and reduce costs. We’re now entering the era of digital healthcare and digital health data, a huge innovation that affects pretty much all lives. Making sure those lives are protected, also from the regulatory perspective, is something we always need to keep in mind.

You can read more about other technical and legislative challenges of the healthcare sector here.



You may also like