Mobile health or m-health is that branch of electronic health or e-health that encompasses information and communication technologies (ICTs), wearable devices and other tools for the prevention, promotion, treatment and maintenance of health.
More generally, mobile health can be defined as the informed use of smart devices and medical sensors to improve people’s quality of life.
Table of contents
Mobile health applications
Emerging technologies in m-health are:
- mobile learning or m-learning, which makes unprecedented ways of learning in public possible;
- mobile CME (continuing medical education) platforms;
- healthcare performance analysis and reporting services;
- disease surveillance and control systems;
- automated emergency calls or messages, which alert designated contacts in the event of accidents and/or other dangers.
Health mobile devices collect clinical data and monitor vital signs to provide personalised digital assistance. To do this, however, they must comply with GDPR guidelines.
Mobile health and GDPR
EU Regulation 2016/679, known as the General Data Protection Regulation (GDPR), defines the requirements that apps and mobile devices must meet in order to process personal data while remaining compliant with the regulation.
User consent
Articles 7 and 9.2(a) stipulate that device manufacturers and m-health app developers – as data controllers – must obtain the free, specific, informed, unambiguous and explicit consent of the data subject in order to process his or her personal data.
This must be done before the app is installed for acknowledgement (and understanding). The data controller must also be able to prove that the data subject (user or patient) has given consent to the processing of personal data.
According to Article 7.3 of the GDPR then:
- the data subject has the right to revoke his or her consent at any time;
- revocation of consent does not affect the lawfulness of the processing based on the consent before revocation;
- before giving consent, the data subject is informed thereof;
- consent is revoked with the same ease with which it is given.
Purpose limitation, data minimisation and secondary purposes
Article 5.1 b states that personal data may be collected for certain, explicit and legitimate purposes. Furthermore, the processing must not last longer than necessary and only process data that is strictly necessary for the functioning of the app or mobile device.
The purposes also include research of a scientific or historical nature, which is considered compatible with the original purposes provided that all national and European provisions are complied with.
Default privacy
According to Article 25.1 of the GDPR, the device manufacturer and the app developer must choose by default the least invasive solution for the privacy of the user or patient.
The text reads: «the data controller shall implement appropriate technical and organisational measures […] aimed at effectively implementing the data protection principles» from the planning (design) to the implementation of the device or app.
The obligation applies to the amount of personal data collected, the scope of the processing, the retention period and accessibility. These measures ensure, by “default”, that personal data are not made accessible to an indefinite number of natural people without the intervention of the data owner.
Simple and accessible information
Another important point of the GDPR is Article 12, which stipulates that processing information must be provided:
- in simple and clear language, in a concise and intelligible form, understandable by the majority of users and/or patients;
- respecting the principles of transparency, i.e. what is present must be corresponding to reality and be easily verifiable;
- guaranteeing accessibility to users and/or patients.
Furthermore, according to Article 13 of the GDPR, information on the processing of personal data must obligatorily contain:
- the identity and contact information of the data controller;
- the purposes of the processing (e.g. purposes of medical history, diagnosis, health therapy, prevention and rehabilitation, scientific research, etc.);
- the legal basis of the processing (Art. 6 of the GDPR);
- the recipients of the processing, i.e. the natural or legal person, public authority or body receiving communication of the personal data (Art. 4 no. 9 of the GDPR);
- the international transfer of data to third countries or international organisations non-EU (European Union) or EEA (European Economic Area);
- the data retention period or the criteria used to determine the period;
- the patient’s rights over his or her personal data.
Preservation and security
Personal data may not be kept longer than necessary, unless otherwise stipulated by law. Indeed, the European Commission’s “Privacy Code of Conduct on Mobile Health APPs” recommends that data controllers define the criteria for deletion of personal data and communicate them to users in a timely and appropriate manner. This should be communicated before the app is installed or the device is used and, in any case, before personal data are collected.
Advertisement
The fact that advertisements appear in the app must be communicated to the user in advance; however, if the advertisements are shown without requiring the processing of personal data, the data controller only has to provide the user and/or patient the possibility of removing the advertisements.
Differently, if the displayed advertisements require the processing of personal data, the consent of the data subject must be requested before installation through the “opt-in” clause specifically and separately.
Transferring data abroad
Users and/or patients must be informed about the transfer of their personal data abroad to countries outside the EU/EEA. In the event of transfer, data must be protected by appropriate measures (e.g. standard contractual clauses and Binding Corporate Rules).
Breach
Pursuant to Article 33.1 of the GDPR, in the event of a personal data breach, the data controller shall notify the breach to the competent supervisory authority (e.g. the Garante della Privacy) within 72 hours of becoming aware of it.
If the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by the reasons for the delay. In addition, Article 34.1 states: «when the personal data breach is likely to present a high risk for the rights and freedoms of natural persons, the controller shall notify the data subject of the breach».
Minors
Mobile health apps and devices intended for minors must, according to Article 2-quinquies of the Privacy Code, ensure that the minor has already reached the age of 14 in order to be able to give consent to the processing of personal data.
Otherwise, consent is lawful if given by the person exercising parental responsibility. In any case, a more restrictive approach must be taken with regard to minors.
The goals of the WHO
One of the goals of the World Health Organisation (WHO) is to spread mobile health procedures, apps and devices as widely as possible to achieve universal health coverage.
Mobility, not only digital transformation and dematerialisation, is in fact the answer to the needs of a more dynamic citizenship, typical of smart cities.
If mobile health, in compliance with the GDPR and the law in general, can really help citizens to book a doctor’s appointment, quickly receive the results of blood and urine tests and, with slightly more sophisticated tools such as portable ECGs, monitor their own state of health, so be it.
Mobile health changes medical research, expands the concept of medicine and improves people’s lives. According to data from the European Commission, there are now more than 100.000 mobile health apps.
If you too are interested in mobile health and its untapped potential, contact us. IPPOCRATE AS is a company specialised in the acquisition of European funds for medical research since 2004, we work both with Italy and abroad.
For more information call us or write to us by filling in the contact form below. We will be happy to help you find the right mobile health solution for your needs.