GDPR. Telemedicine, sensitive data and privacy protection

A patient is using Kari Konnect by Euleria Health for her remotely monitored exercise-therapy path.
What happens to sensitive patient and practitioner data when the service is delivered online?


What happens to sensitive patient and practitioner data when a telemedicine service is delivered online? Is it possible to fully protect users’ privacy, in compliance with the GDPR, during a televisit and, even before that, at the moment of data collection? Today we talk with Chino.io about some best practices for managing users’ personal data before, during, and after a rehabilitation journey.

Digital healthcare: what is meant by “sensitive data” in telemedicine

Considered by the Italian Data Protection Authority (GPDP) to be a subset of personal data, sensitive data are the pieces of information that reveal an individual’s racial or ethnic origin, religious, political or philosophical beliefs, opinions and health status. Regulation (EU) 2016/679 (the GDPR), which calls them “special categories of personal data”, lists genetic data, biometric data and data concerning health among them, in other words precisely the data most often shared in telemedicine.

In general, “personal data” means any information that allows an individual to be identified, directly or indirectly: from biographical data to data on physical appearance, gender, kinship, social relationships and economic status, to codes contained in documents, geolocation data and data on digital provenance.

What are the sensitive data to be protected in telemedicine

The post-Covid health care scenario has seen many public and private specialist services, previously provided only on an outpatient basis, transformed into televisits or digital diagnoses thanks to the possibilities offered by telemedicine, defined as “an innovative approach that reorganizes the health care network by facilitating remote service delivery through digital devices, the Internet and the new systems of long-distance communication” in the official guidance on the remote delivery of outpatient specialist services, approved as early as July 2020 by the Italian regions and the autonomous provinces of Trento and Bolzano.

In the era of the “next normal”, in which we are all grappling with a general reorganization of clinical practice (rather than a mere restoration of previous modes of delivery), digital medicine appears to be a decisive modality that can optimize time and costs even in the areas closest to emergency care. The confidentiality of the information provided and recorded by the patient and the professional (but also by caregivers and by the health care personnel who support physicians and specialists) therefore becomes a pressing issue. What, then, are the sensitive data to be protected in telemedicine?

Let us start with the patient, who shares sensitive data as soon as he or she logs on to the booking platform for one or more televisits. In addition to agreeing to share their image, voice and private surroundings with the professional, the patient (and/or their caregiver) needs to transmit securely, depending on the service requested, all or part of the following data:

  • biographical details (first name, last name, date and place of birth)
  • elements that frame the pathology and the patient’s local health authority (ASL)
  • email address and phone number
  • tax code (codice fiscale)
  • preferred date and time for the televisit.

At the televisit stage, or in the moments immediately before and after it, the practitioner may need other personal and/or sensitive information from the patient, such as:

  • previous diagnostic reports
  • monitoring details of the prescribed therapy
  • answers to questions of a clinical and/or personal nature

If he or she then purchases services, the patient must also share:

  • billing information
  • payment details and payment method
  • where needed, a postal address for mailing a paper invoice or other material useful at the start of a remotely monitored treatment pathway.

In the course of a digital clinical relationship, then, it is inevitably also the practitioner who releases personal and/or sensitive documents and data, starting with his or her own contact details and ending with the treatment plan and operational instructions for the specific patient.

It follows that both sensitive data and the entire body of personal data need to be shared securely in a way that protects the individual’s privacy to the fullest extent possible.

Protection of sensitive data in telemedicine: what does the law say?

Although the legislature has intervened on the topic with some frequency, especially recently, to date there is still no dedicated regulatory reference covering the processing of sensitive data specifically in a telemedicine context.

The Italian Personal Data Protection Code (Legislative Decree 196/2003) provides that sensitive data are processed by public and private entities always in close relation to a legal basis, and the law reminds us that the most common legal bases include consent, legal obligations and the vital interests of the data subject, which include his or her right to health.

Moreover, Article 9(2)(h) of Regulation (EU) 2016/679 expressly allows the processing of sensitive data where it is necessary for “the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional”, provided, under Article 9(3), that the data are processed by or under the responsibility of a professional bound by an obligation of professional secrecy.

What does the processing of sensitive data consist of

In general, the processing of sensitive data must assure each user that the data he or she provides are used only for purposes related to the provision of specific services, and that these purposes are clearly stated.

The provider, in addition to obtaining the user’s explicit consent to the processing of such data, must state which third parties the data will be shared with, the retention period (if any) after which they are deleted, and the means available to the user to request their deletion.

How do we protect sensitive patient data at Euleria? We discuss it with Chino.io, consultants on compliance services in digital health

Riablo and Kari, the medical devices manufactured and distributed by Euleria, are both dedicated to rehabilitation: Riablo is mainly used in physiotherapy clinics, while Kari is designed for remote digital rehabilitation. The secure cloud-based system for collecting personal and sensitive data that accompanies Kari turns the user into a rehabilitation patient in every respect, including through:

  • KariKonnect, a companion app that also channels the data from the chat with the movement professional into the secure system;
  • the built-in video calling feature, a secure alternative to third-party services, which allows video recording of the patient and annotation of clinical details, all kept within Euleria’s secure system at all times.

Kari: Euleria’s secure personal and sensitive data collection system

To ensure the security of sensitive data in telemedicine, Euleria works with Chino.io, a reference in the digital health industry for GDPR and HIPAA compliance.

We asked the CEO, Jovan Stevovic, to explain to us exactly what sensitive data are shared by the patient and the practitioner during a televisit:

“In a televisit,” explains Jovan, “you typically deal with two types of data: streaming video, which is implemented using third-party protocols or tools to establish a secure exchange, and the set of reports, details and chats that make up the patient’s medical history.”

When a practitioner assigns rehabilitation exercises to a patient within Kari and remotely monitors his or her results, he or she does so through a web-based management system accessed with personal credentials. Access to the data is then regulated as follows: Euleria only has access to aggregate Kari usage data (e.g., the number, type and results of the exercises performed) but not to sensitive patient data; the professional, on the other hand, holds a virtual key that gives access to sensitive data, but only those of his or her own patients.

“Jovan, how is sensitive data of Kari and KariKonnect users handled in the cloud managed by Chino.io?”

“Since this is a device specifically for telemedicine, Chino.io carried out a specific risk analysis for Kari and then came up with the consequent security measures, relating especially to:

– the encryption of individual records’ data;
– the tracking of data operations;
– application-level data sharing.

Before that, we worked on an identity and access management system for users that goes through ad hoc pseudonymization and tokenization procedures. Alongside this, the acquisition of consents was also handled according to the dictates of the GDPR, so as to make explicit to users the purpose of processing sensitive data.”
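To make the access model described above concrete, here is an added example (our own illustration, not Euleria’s or Chino.io’s code) of the three mechanisms the interview touches on: keyed pseudonymization of the patient identifier (a tokenized stand-in for the tax code, with the re-identification table kept apart from the clinical records), a practitioner “key” scoped to that practitioner’s own patients, an aggregate-only view for the manufacturer that exposes neither tokens nor clinical notes, and an audit trail of every data operation, granted or denied. The record layout, role names, HMAC-based token scheme, in-memory store and sample patients are all assumptions; record-level encryption is not shown.

```python
"""Added illustration of a Kari-style data-access model. Everything here
(record layout, role names, HMAC tokenization, in-memory store, sample data)
is an assumption for the example, not the product's implementation."""
import hashlib
import hmac
from collections import Counter, defaultdict
from dataclasses import dataclass, field


class PseudonymVault:
    """Keyed pseudonymization (tokenization) of patient identifiers.

    A tax code has little entropy, so a plain hash could be reversed by brute
    force; an HMAC under a secret key cannot be. The key and the reverse table
    live only in this vault, separate from the clinical records."""

    def __init__(self, key: bytes):
        self._key = key
        self._reverse = {}

    def tokenize(self, identifier: str) -> str:
        token = hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        self._reverse[token] = identifier   # same identifier -> same token
        return token

    def reidentify(self, token: str) -> str:
        # Only the controller's identity service should be able to call this.
        return self._reverse[token]


@dataclass
class SessionRecord:
    patient_token: str       # pseudonym, never the tax code itself
    practitioner_id: str
    exercise: str
    result: str              # e.g. "completed", "partial", "aborted"
    clinical_note: str = ""  # sensitive: visible only to the treating practitioner


@dataclass
class RecordStore:
    records: list = field(default_factory=list)
    # practitioner -> set of patient tokens that practitioner may access
    assignments: dict = field(default_factory=lambda: defaultdict(set))
    # tracking of data operations: every read attempt is logged, granted or denied
    audit_log: list = field(default_factory=list)

    def _audit(self, actor, action, target, outcome):
        self.audit_log.append(
            {"actor": actor, "action": action, "target": target, "outcome": outcome})

    def assign(self, practitioner_id, patient_token):
        self.assignments[practitioner_id].add(patient_token)

    def add_record(self, record: SessionRecord):
        self.records.append(record)

    def practitioner_view(self, practitioner_id, patient_token):
        """The practitioner's 'virtual key' opens only his or her own patients' records."""
        if patient_token not in self.assignments[practitioner_id]:
            self._audit(practitioner_id, "read_patient", patient_token, "denied")
            raise PermissionError(f"{practitioner_id} is not assigned to {patient_token}")
        self._audit(practitioner_id, "read_patient", patient_token, "granted")
        return [r for r in self.records if r.patient_token == patient_token]

    def manufacturer_aggregate(self):
        """The manufacturer sees usage statistics only: no tokens, no notes."""
        self._audit("manufacturer", "read_aggregate", "*", "granted")
        by_exercise_result = Counter((r.exercise, r.result) for r in self.records)
        return {"sessions": len(self.records),
                "by_exercise_result": dict(by_exercise_result)}


def build_demo():
    """Constructed sample data (fictitious patients) exercising the access paths."""
    vault = PseudonymVault(key=b"demo-only-key-replace-with-a-managed-secret")
    store = RecordStore()
    alice = vault.tokenize("RSSMRA80A01H501U")   # constructed, tax-code-shaped identifier
    bob = vault.tokenize("VRDLGI75C15F205Z")     # constructed
    store.assign("physio-1", alice)
    store.assign("physio-2", bob)
    store.add_record(SessionRecord(alice, "physio-1", "squat", "completed", "knee ROM improving"))
    store.add_record(SessionRecord(alice, "physio-1", "squat", "partial", "pain at 60 degrees"))
    store.add_record(SessionRecord(bob, "physio-2", "lunge", "completed"))
    return vault, store, alice, bob


if __name__ == "__main__":
    vault, store, alice, bob = build_demo()
    print(store.practitioner_view("physio-1", alice))   # own patient: two records
    print(store.manufacturer_aggregate())               # counts only, no identifiers
    try:
        store.practitioner_view("physio-1", bob)        # someone else's patient
    except PermissionError as err:
        print("denied:", err)
    print(store.audit_log)
```

The point worth noticing is where each secret sits: the record store never holds the tax code, the vault never holds clinical data, and the aggregate view is computed from fields that identify nobody. In a real deployment the vault key would come from a managed secret store, the audit log would be append-only and off-box, and each record would additionally be encrypted as the interview describes.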

Are you a physical therapist or a physical education specialist? With Kari, you can continue to follow your patients’ rehabilitation journey remotely, digitally and securely.
