Compliance with the GDPR regulations

  • Writer: Milan Walraevens
  • Mar 16, 2023
  • 4 min read

The need for data privacy and security


As cloud computing becomes more and more integrated in medical decision making, the privacy and security of a patient’s protected health information (PHI) becomes ever more important. In particular, since healthcare data is increasingly shared between healthcare providers (HCPs) and companies offering cloud-based solutions (like our own icobrain portfolio and icompanion mobile application), there is a need for a centralized set of principles to adhere to with regard to PHI. Several such standards have been established, with the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) being the leading data protection regulations in Europe and the USA respectively.


GDPR 


In 1995 the EU passed the European Data Protection Directive, establishing a first framework for data privacy and security standards at a time when the internet was still in its infancy. As the internet matured and became more widely available, the need for a modern and comprehensive approach to the protection of personal data became apparent. In 2011 the EU therefore started updating the 1995 directive; the result became known as the GDPR. The GDPR legislation passed the European Parliament in 2016, and by 2018 all organizations operating within the EU were required to be GDPR compliant.


The GDPR applies to everyone who processes the personal data of EU citizens or residents, or offers goods or services to such people. The GDPR outlines seven principles on protection and accountability for data processing:


  • Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.

  • Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.

  • Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.

  • Accuracy — You must keep personal data accurate and up to date.

  • Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.

  • Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).

  • Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.


HIPAA, like the GDPR, is a data protection law: it was established in 1996 as a United States federal law to protect the privacy of individuals and their medical records, and to set the standards for the privacy and security of sensitive patient data. Unlike the GDPR, which applies to all organizations handling the PHI of EU residents, including those outside the EU, HIPAA is focused on organizations within the United States. See our previous blog post for more details on HIPAA.


icometrix’s compliance with the GDPR


icometrix processes personal data of data subjects in the EU. Therefore, icometrix is required to comply with the GDPR. Here is an overview of how icometrix fulfils the seven GDPR principles described above.


In the context of the clinical use of icobrain, the hospital or imaging center is the controller and icometrix is the processor. icometrix’s processing activities are governed by a binding contract agreed with the controller, in line with the GDPR (lawfulness, fairness and transparency principle). Appropriate technical and organizational measures are implemented to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction or damage, as described in our quality manual. These include pseudonymisation and encryption of personal data (integrity and confidentiality principle).


icometrix advises the customer to inform the patient about the use of our services (purpose limitation principle). When a patient exercises their right of access, right to rectification, right to erasure, right to restriction of processing or right to data portability, icometrix can be contacted directly via the contact details published on our website. The required information will be provided and the required actions will be taken within a reasonable period (accountability principle).


The type of personal data processed is health and medical information. More specifically, we process pseudonymised brain scans (MRI or CT) together with the following non-anonymised personal data: age (expressed in years) and gender. All DICOM fields not needed for processing are removed. The same approach is applied to the personal data in the icompanion applications. icometrix does not engage other processors without authorisation of the data controller, and patient data is only processed on the instructions of the customer, i.e. when the customer uploads patient data via our website or DICOM router (data minimization and storage limitation principles).
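To make the data minimization step concrete, here is an added illustration (not icometrix’s code, and not its actual tag list) of the pseudonymisation described above: a DICOM-style dataset is reduced to an allow-list of tags, the patient identifier is replaced by a keyed pseudonym, and the age in years is derived from the birth date before that birth date is discarded. The dataset is represented as a plain dictionary keyed by (group, element) tag so the example runs without pydicom; the allow-list, the HMAC key and the sample dataset are assumptions constructed for this example.

```python
import hmac
import hashlib
from datetime import date

# DICOM tags are (group, element) pairs. This allow-list is an assumption for the
# example: it keeps only what the text says is retained (modality, sex, the pixel
# data itself); age is handled separately so it can be normalised to years.
KEEP_TAGS = {
    (0x0008, 0x0060),  # Modality (MR / CT)
    (0x0010, 0x0040),  # PatientSex
    (0x7FE0, 0x0010),  # PixelData
}
STUDY_DATE = (0x0008, 0x0020)
PATIENT_ID = (0x0010, 0x0020)
PATIENT_BIRTH_DATE = (0x0010, 0x0030)
PATIENT_AGE = (0x0010, 0x1010)


def _parse_da(value: str) -> date:
    """Parse a DICOM DA value (YYYYMMDD)."""
    return date(int(value[0:4]), int(value[4:6]), int(value[6:8]))


def age_in_years(birth_date: str, study_date: str) -> str:
    """Return a DICOM AS value such as '045Y' for the age at the time of the study.

    Age in whole years is far less identifying than a full birth date, which is
    why the birth date itself is dropped afterwards.
    """
    b, s = _parse_da(birth_date), _parse_da(study_date)
    years = s.year - b.year - ((s.month, s.day) < (b.month, b.day))
    return f"{years:03d}Y"


def pseudonym(patient_id: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: the same patient always maps to the same
    token, but the mapping cannot be reversed without the key (kept by the controller)."""
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(ds: dict, key: bytes) -> dict:
    """Reduce a dataset to the allow-listed tags plus a pseudonymised patient ID."""
    out = {tag: value for tag, value in ds.items() if tag in KEEP_TAGS}
    age = ds.get(PATIENT_AGE)
    # Normalise to years; derive from the birth date if needed, then drop the birth date.
    if (age is None or not age.endswith("Y")) and PATIENT_BIRTH_DATE in ds and STUDY_DATE in ds:
        age = age_in_years(ds[PATIENT_BIRTH_DATE], ds[STUDY_DATE])
    if age is not None:
        out[PATIENT_AGE] = age
    if PATIENT_ID in ds:
        out[PATIENT_ID] = pseudonym(ds[PATIENT_ID], key)
    return out


def removed_tags(ds: dict, key: bytes) -> list:
    """Tags stripped by pseudonymise(); useful for the record of processing activities."""
    kept = pseudonymise(ds, key)
    return sorted(tag for tag in ds if tag not in kept)


# Constructed sample dataset (no real patient data); pixel data is a stub.
SAMPLE = {
    (0x0008, 0x0020): "20230316",      # StudyDate
    (0x0008, 0x0060): "MR",            # Modality
    (0x0008, 0x0090): "EXAMPLE^DOC",   # ReferringPhysicianName
    (0x0010, 0x0010): "DOE^JANE",      # PatientName
    (0x0010, 0x0020): "HOSP-000123",   # PatientID
    (0x0010, 0x0030): "19780315",      # PatientBirthDate
    (0x0010, 0x0040): "F",             # PatientSex
    (0x7FE0, 0x0010): b"\x00\x01\x02", # PixelData (constructed stub)
}

if __name__ == "__main__":
    key = b"example-controller-key"  # constructed; a real key would be managed by the controller
    for tag, value in sorted(pseudonymise(SAMPLE, key).items()):
        print(f"({tag[0]:04X},{tag[1]:04X}) -> {value!r}")
    print("removed:", [f"({g:04X},{e:04X})" for g, e in removed_tags(SAMPLE, key)])
```

Running the block prints only the modality, sex, derived age (045Y), pseudonymised ID and pixel data; name, birth date and referring physician are listed as removed, which is the kind of list a processor can show a controller to demonstrate the data minimization principle.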


icometrix keeps a record of the processing activities under its responsibility. An overview as required by the GDPR is kept in its quality management system. For each medical device product, icometrix maintains detailed traceability records, as described in Product identification, preservation and traceability (accuracy principle).


At icometrix, all personnel receive regular training on the relevant aspects of the GDPR. Together, we strive to maintain the privacy and security of our EU patient data.