Privacy and GDPR in Healthcare

In healthcare, privacy and data protection do not just mean an annoying cookie pop-up on a website. 

The rules on handling people’s personal information in Europe are built on widely adopted general data protection laws. When it comes to health information, they are further complemented by national laws on healthcare services and the rights of patients. 

This article examines the EU GDPR and UK GDPR in the context of self-measurement kiosks and stations used in healthcare, and draws practical examples from the healthcare services field.

GDPR in Healthcare: Beyond Marketing Consent

When most people hear "GDPR" (General Data Protection Regulation), they think about "Accept Cookies" buttons or unsubscribe links in marketing emails. 

This is not exactly wrong, as the "General" part of the name does indeed mean that online advertising is covered under this law.

However, it covers every other matter involving personal data as well.

For everyone working in or with healthcare, it also means that it covers how all health-related information is processed and stored at every stage.

1. GDPR in the EU and UK

The GDPR is a massive shared legal framework implemented across the whole EU, aimed at ensuring the lawful and fair processing of the personal data of individuals within the EU.

Post-Brexit the UK has its own GDPR, the UK GDPR, which is nearly identical to the EU GDPR it was split from.

In short, the GDPR governs

  • whether and how organizations can collect personal data

  • how long they can keep it, and, most importantly,

  • what rights the person whose data is concerned has.

2. General vs. Stricter Standards

When we look at industry-specific laws for healthcare, the rules do not get more relaxed; they get significantly stricter. When talking about healthcare, there is no customer. There is a patient.

In general, the minimum threshold of what is legal or feasible regarding health data is raised a lot. Health data is in a higher classification of personal information, shared with other sensitive types of data such as political opinions, genetic information and trade union membership.

European legislation usually comes with an additional safeguard: Because health data is so sensitive, individual people should not even be allowed to "agree" to have it handled with less protection than defined as standard in law. Therefore you cannot simply "consent" your way into a lower privacy standard in a hospital or clinic.

3. The "Mandatory Service" Paradox of Consent

In publicly funded healthcare services, like the services provided by Finnish wellbeing counties (in Finnish: hyvinvointialue, HVA), the British NHS, or the German social insurance system, healthcare is considered statutory. This means the service has to be provided to the people who need it; in other words, everyone has a legal right to it.

In these cases, where the service provider is mandated by law to provide the service, consent cannot actually be the basis for processing your data. That is because you cannot really "opt out" of data processing without giving up your right to the services you are entitled to.

Basically you cannot give the service provider consent to use your data, because they are already required by law to do it. This logic might sound more intuitive in the context of government registries: Nobody is asked for permission before they are documented as being born.

As a practical example, if someone is in a serious accident, the paramedics are not going to wait for an unconscious person to sign a GDPR consent form, and the person cannot forbid the paramedics from processing their personal data, because the state provides the service to the person for their own good.

Because the patient cannot opt out, the statutory healthcare service provider has a heightened, almost extreme responsibility to make sure that data is handled correctly. If they mess it up, the consequence is not just a lost customer; it is a human rights violation, and massive fines can be issued by supervisory bodies, such as the Data Protection Ombudsman in Finland or the respective local authority.

Defining Health Information in the GDPR

Health data is a specific sub-type of personal data.

While standard personal information is private, health data is considered to be Special Category Data. It means the information is generally secret and private by its very nature.

According to Art. 4 of the EU GDPR, data concerning health is defined as follows:

“‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;”

Two Tiers of Personal Data in Healthcare

In the regulatory world, we essentially look at a hierarchy of sensitivity:

  • Standard Personal Data: This includes things like one's name, address, or phone number.

  • Special Category Data: This is where health data lives. It sits alongside other deeply sensitive information, such as a person’s race, ethnic origin, or political views. These require significantly tighter regulation than an individual’s contact information.

Examples of Special Category Data in Healthcare

  1. Medical records

  2. Sickness records

  3. Disabilities

  4. Pregnancy

  5. Mental health conditions

  6. Health measurement results

  7. Fitness tracker data, or 

  8. Appointment details with a medical professional

Processing Special Category Data in Healthcare

As stated in Art. 9 of the EU GDPR, processing special category data is generally prohibited:

“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”

However, there are exceptions to the rule, including:

Art. 9(2)(h): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

Art. 9(2)(i): processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

In summary, one or more of the following conditions need to be fulfilled for an institution to have the right to process health data:

  1. Explicit Consent: The individual has explicitly agreed to it.

  2. Employment/Social Security Law: It is necessary to meet legal obligations.

  3. Vital Interests: It is necessary to protect someone's life when they cannot consent.

  4. Substantial Public Interest: It is defined as mandatory for the pursuit of common good in Union or Member State law. 

Summarizing Health Data Privacy

European privacy laws do not make a distinction between types of health data.

Whether it is the positive result of an HIV test or a measurement of one’s weight or blood pressure, it all falls under the exact same paragraph of the law when used in the context of health care.

To emphasize, there is no light version of health privacy for seemingly less sensitive forms of data. It would be considered universally unacceptable and irresponsible for an organization to livestream a patient's latest lab test results on the internet or have them show up on a screen in their lobby - but the legal case is exactly the same for all other health data as well.

It is not legal to show anyone's blood pressure data or BMI to outsiders either. 

All health data is sensitive data, and requires the exact same level of protection - including protection from "over-the-shoulder" prying eyes.

GDPR Articles 24 and 25 and their effect on Privacy in Healthcare

There are two specific articles both in the EU and UK GDPR that are of particular importance when looking at the provision of healthcare services and the choice of technologies used. The same rules of course apply to other fields of business and public services as well, but that is outside the scope of this article. 

  • Article 24 (Responsibility of the Controller): The organization providing care (a Finnish Wellbeing Services County or an NHS Trust, for example) must implement technical and organizational measures to ensure and demonstrate that the processing of personal data is performed in accordance with the regulation.

  • Article 25 (Privacy by Design and by Default): The organization providing care has to minimize the collection and processing of personal data to the level that is mandatory for their operations. Alongside this requirement, the amount of people who can access personal information must be kept to a minimum by default. Personal data must never be made accessible to an indefinite number of persons without the individual's own intervention.

GDPR Article 24, Responsibility of the Controller: The Requirement to "Ensure and Demonstrate"

The GDPR Article 24 poses a strict requirement for the "data controller" (the healthcare provider organization) to not only follow the rules, but to also prove they are following them.

Complexity of Risk

The law requires organizations to evaluate their data processing very specifically, taking into account the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity posed to the rights and freedoms of natural persons.

Active Proof of Compliance

Compliance is about verifiable technical safeguards. 

As Article 24 states: “…the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”

If someone’s health information is publicly available, for example shown on a screen in a public lobby or available in a database online, the organization has not implemented these measures. They therefore by definition cannot demonstrate that they are protecting patients’ rights when anyone curious can see the health data of a real person. 

Article 25: Privacy by Design and by Default

If Article 24 is about the responsibility to follow and prove you’re following the rules, Article 25 sets the ground rule for how to actually start building the system to begin with, making it as limited as possible: “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.” 

In healthcare, privacy leads to physical, technical and contractual limitations that must be baked into the architecture of all processes, including the self-measurement of health parameters in our example case.

Architecture of Minimization 

The GDPR requires that healthcare providers implement measures to effectively protect the data on their patients in all foreseeable scenarios. Now let’s explore our example case.

When looking to adopt self-service health kiosks or stations, the healthcare organization in question must consider, and be able to demonstrate that it has considered, at least the following:

  • Data minimization: Processing should be restricted to the absolute bare essentials required for clinical utility, which limits the data footprint handled by both the technology provider and the healthcare organization.

  • Structural protection: The physical space where the health kiosk or station is placed needs to function as an essential technical safeguard, ensuring that sensitive clinical data is shielded from unauthorized view at the moment it is being used.

  • Physical output: If the kiosk or station provides printed results, it must be taken into account that such printouts are likely to sooner or later be misplaced, forgotten or lost through the mishaps of individual users. The impact of this can be mitigated by designing the printouts to be intentionally anonymous, excluding names, birthdates, and all personal contact details if they are not genuinely needed.

  • User authentication: Data entered into electronic patient information systems becomes part of a legally mandated permanent record. These systems are even required to keep a record of corrections made, so if wrong information, or the information of another user, makes it in by accident, it can never be fully removed. The user must therefore be reliably authenticated before any result is written to their record.

  • Data Protection Impact Assessment (DPIA): Whenever new processes or technologies are introduced bearing a new risk to the rights of individuals, data controllers are required to perform and document a data protection impact assessment. Neglecting to make this assessment is in itself a violation of the GDPR even if nothing “bad” happens.

The "Default" Accessibility Test

The most critical part of Article 25 in this context is that personal data must not, by default, be made accessible to an "indefinite number of persons" without the individual's intervention.

Think about having a blood pressure monitor in the lobby of a hospital. By default, placing such a device there is creating the risk that health data becomes visible to anyone walking by when the device is used. If the screen is small and unlit, it is unlikely that anyone will see the numbers on the screen, but this still has to be taken into account. 

If you put the same information on a big, brightly lit screen facing the waiting area, you suddenly have a direct violation of the "not accessible by default" requirement.

If a person chooses to share their health measurement results with everyone in the lobby of a hospital, that is their own choice and their “own intervention”, and they are allowed to do that. But the healthcare provider cannot be the one exposing that data to the public by default under any circumstances.
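As an added example, not code from the eHealth Station or any real kiosk, the following Python sketch models the data minimization, anonymous printout and user authentication points from the list above together with the "own intervention" rule just described: identifying fields leave the kiosk only for a purpose that actually needs them, and only after the user has explicitly chosen to share and their identity has been verified. The field names, the sample record and the processing-log format are hypothetical.

```python
# Added example, not code from the eHealth Station or any real kiosk. It models
# Article 25 "privacy by default" for one self-measurement session: each output
# purpose has an allowlist (default deny), the printout carries no identifiers,
# and a transfer to the patient record needs the user's own, authenticated,
# intervention. Field names, the sample record and the log format are hypothetical.
MEASUREMENTS = {"systolic_mmhg", "diastolic_mmhg", "spo2_pct", "weight_kg"}

# Purpose-based allowlists: a field absent from a purpose's set never leaves the
# kiosk for that purpose, whatever the session record contains.
ALLOWLIST = {
    "printout": MEASUREMENTS | {"measured_at"},                    # anonymous by design
    "ehr_transfer": MEASUREMENTS | {"measured_at", "patient_id"},  # record needs an identifier
}

def minimize(record: dict, purpose: str) -> dict:
    """Return only the fields necessary for the given purpose (Art. 25)."""
    if purpose not in ALLOWLIST:
        raise ValueError(f"no defined processing purpose: {purpose!r}")
    return {k: v for k, v in record.items() if k in ALLOWLIST[purpose]}

class KioskSession:
    """One measurement session; the user keeps the only copy unless they share."""

    def __init__(self, record: dict):
        self._record = dict(record)
        self.log = []  # what left the kiosk and why, so compliance can be shown (Art. 24)

    def _release(self, purpose: str) -> dict:
        out = minimize(self._record, purpose)
        self.log.append({"purpose": purpose, "fields": sorted(out)})
        return out

    def printout(self) -> dict:
        return self._release("printout")

    def transfer_to_ehr(self, user_confirmed: bool, authenticated: bool) -> dict:
        # Both gates must hold: identity verified (so the result cannot land in
        # another patient's permanent record) and the user chose to share.
        if not authenticated:
            raise PermissionError("patient identity not verified")
        if not user_confirmed:
            raise PermissionError("user did not choose to share the results")
        return self._release("ehr_transfer")

# Constructed sample session; no real patient data.
SAMPLE = {
    "name": "Example Person", "date_of_birth": "1970-01-01", "phone": "+000 000 0000",
    "patient_id": "PLACEHOLDER-PATIENT-ID", "measured_at": "2024-01-01T10:00:00+00:00",
    "systolic_mmhg": 121, "diastolic_mmhg": 79, "spo2_pct": 98, "weight_kg": 72.4,
}

if __name__ == "__main__":
    session = KioskSession(SAMPLE)
    print("printout:", session.printout())
```

The same allowlist pattern applies to the on-screen display: if a screen can be seen by others, its purpose should carry an even smaller set of fields than the printout.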

Summarizing Articles 24 and 25

When you take the responsibilities set out in Articles 24 and 25 together, you get a binary outcome. 

A healthcare provider either has taken care of the necessary technical and procedural measures that demonstrably protect patient rights by default, or they have not.

If it is not done, or if it is done but not documented, it is not done.

A few practical examples of GDPR / privacy violations in healthcare

  • Example A: A person visits a clinical laboratory to have their blood drawn and blood tests made. Due to a system error, their results are sent to another person by mail.

  • Example B: A curious healthcare employee does not follow the rules of their workplace or the law and reads through the patient file of a person they know outside of work.

  • Example C: A healthcare service provider sets up an unprotected health kiosk in their lobby with the screen facing the waiting room. Passers-by can see all of the user's health parameters without having to break any rules.

In all of these cases, each through a different mechanism, the healthcare provider has failed in their legal duty to protect the person’s health data from being made accessible to the wrong person(s) without the individual's intervention. Human errors and technical problems can never be fully eliminated, but all reasonable actions must be taken to minimize the risk.

When a healthcare provider places an open-air health kiosk in a hallway, they are not following the law on "Privacy by Default". 

They are relying on their patients to be ill-informed about their rights, and to accept that their data being exposed to others is the norm rather than the exception.

Complying with the GDPR in regards to health kiosks and stations: Space Design

Privacy needs to be seen as a physical constraint.

All solutions, as adopted into use, need to comply with the principle of the Art. 25 GDPR: Data protection by design and by default, to ensure users’ personal data is protected.

If a healthcare provider decides to improve their patient experience, patient autonomy and offer the chance to take preventive actions like never before, they might want to add health kiosks or stations offering the self-measurement of health parameters to their facilities.

When making decisions on the adoption of new technologies they need to ensure that they do not create new problems, or violate the basic rights of the individuals they serve.

We wanted to make sure we fully commit to the privacy and safety of our users. At the same time we decided to make compliance as easy as possible for the organizations using our solutions. 

This is one of the main reasons why the eHealth Station™ was designed to incorporate a lockable soundproof booth that anyone can use without risking their health data being exposed to onlookers.

The eHealth Station™ offers a private space where users can measure their:

  • Blood pressure

  • ECG (Electrocardiogram)

  • AGE (Advanced Glycation End-products)

  • Oxygen saturation

  • Respiratory rate

  • Body temperature

  • Body fat percentage

  • Weight

Once all the measurements are completed, the user can decide where their data stays. It is possible for the user to keep the only copy of their health data - or to securely transfer it to the digital systems of their healthcare provider for review.

To sum it up, having physical protection from prying eyes is a prerequisite for making self-measurements in a healthcare setting GDPR-compliant - which has the added benefit of making the users more comfortable.