Complying with multiple patient privacy laws
Assistance and aeromedical providers must comply with strict data privacy laws when transferring patients across borders. Cathy Hudson investigates
Assisting patients around the world inevitably involves the exchange of sensitive information, from personal details such as their name, age and gender to intricate details of their medical condition. Assistance and aeromedical providers wouldn’t be able to do their jobs properly without being in full possession of the facts.
Data privacy laws protect this information so it’s used fairly, safely and with the patient’s knowledge. But the international nature of assistance means that providers may have to comply with multiple – and potentially conflicting – laws, which can be challenging. Handling the information in a compliant way can also cause delays in situations where acting quickly may be crucial to the wellbeing of the patient.
The law governing data privacy and security in the European Union (EU) is the General Data Protection Regulation (GDPR), which has applied since May 2018 and is one of the strictest data privacy laws in the world. It applies to any organisation collecting or handling the data of people in the EU, whether the organisation is based in the EU or not. The UK has retained it since leaving the EU as the ‘UK GDPR’, supplemented by the Data Protection Act 2018. There are severe penalties for not complying – up to the higher of €20 million or four per cent of the organisation’s worldwide annual turnover.
Its general principles include that data must be processed lawfully, fairly and transparently, so the individual concerned knows what is being done with it (consent is one lawful basis for processing, but not the only one); it must only be used for the purposes originally specified by the organisation; and only as much data as is necessary for the purpose should be collected and handled. It must also be kept appropriately secure and confidential, for example by encrypting it in storage and in transit, so that only those who really need the information have access to it.
There are stricter rules for special categories of more sensitive information, which include health data. Handling this data is prohibited unless one of a list of exceptions applies, such as explicit consent having been given for the specific purpose, the processing being necessary for providing medical treatment, or the processing being necessary to protect the vital interests of a person who is physically incapable of giving consent.
Outside Europe
In the US, it’s the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that applies. This specifically covers health information that can identify individuals – known as protected health information or PHI – and stops it from being disclosed without the patient’s knowledge or authorisation, while still allowing it to be used and shared for treatment, payment and healthcare operations.
As with GDPR, it has requirements for keeping the information secure when it’s stored and transmitted – its Security Rule specifically covers PHI held or sent electronically – to keep it confidential and prevent it from being used in ways that are not allowed. It also has stiff penalties for non-compliance. However, there’s no requirement to get an individual’s consent before collecting the data or sharing it with another provider for treatment.
There are a range of different privacy laws in other countries that may have to be complied with too, such as the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada and the Privacy Act 1988 in Australia.
Although there are many similarities between the various regulations, there are also differences, especially when it comes to medical information, which GDPR in particular applies a wide range of safeguards to.
These differences can cause complexities when data connected to two or more countries is involved and providers have to comply with multiple laws simultaneously. For example, HIPAA covers organisations in the US that deal with health information, but they would also have to comply with GDPR if they were handling data relating to people in the EU or UK – it is where the person is, not their citizenship, that brings the data into scope.
This is an issue faced by aeromedical transport company AirMed International. Its President, Denise Treadwell, said: “Although we are a US-based organisation, we have to ensure that we remain aware of the more stringent requirements for GDPR and the UK Data Protection Act, not only for patient pickups and drop-offs in EU and UK locations, but also if we have tech stops, such as for refuelling, or potential to have to divert within countries governed by the regulations.
“We have to limit the amount of patient information we can obtain prior to obtaining signed consent, unlike with HIPAA, where we can exchange PHI with other healthcare providers more freely.”
Compliance challenges
One of the big challenges is that data often has to be transferred multiple times between multiple providers for a single patient. Medical information may have to be collected, sent or received by the assistance company, medical transport provider, clinical teams at the original and receiving hospitals, and insurance company. If the patient is able to be transported on a commercial flight, the airline and medical escort will need information.
Data is both created and required when evaluating the patient and determining whether they’re fit to fly. It may also be collected during a flight when the patient is assessed. Once the patient is back in their home country, information has to be given to the team on the ground, which means transferring it across borders. Then the assistance company needs a final medical report, as does the insurance company in some cases.
Claudia Schmiedhuber, Managing Director of the European Aero-Medical Institute (EURAMI), which accredits aeromedical transport providers, said: “You can have five or six different providers forming parts of the chain that need the information, so it’s important that they have accurate systems in place so they can safely store and provide the information.”
Where providers store the information can also be an issue: if it’s stored in the country they’re based in but they’re operating in another, the data has to be transferred between the two countries, and that transfer itself is regulated.
Protecting confidentiality
Who should be allowed access to the data can also cause issues, especially since the Covid-19 pandemic, when more agencies expect to receive medical information than before because of the measures to limit infection that were put in place. It’s heavily regulated, especially under GDPR.
Steve Williams, Senior Director of Global Air Medical Operations at air ambulance company REVA, has seen many instances of data requests from organisations that may not really need it, despite the regulations that apply. “For example, when we bring a foreign national into the US, the US Customs and Border Protection wants a medical letter with detailed medical information in it,” he said. “The immigration officers clearly do not have the medical training or background to interpret the medical information they are sent, so why do they need it? Ultimately, it’s down to us in the industry to push back against requests we think are inappropriate.”
Consent requirements for transferring medical data are another area that can cause problems. “This can be complicated as we need to navigate different consent forms and languages and there are different rules on the scope and form of consent,” commented Brad Bonser, UK Branch Manager at Australian travel insurer World Nomads. “Conflicts between different countries’ laws can cause delays, but someone might be very unwell and need to be moved quickly.”
Treadwell agreed: “HIPAA makes the consent ‘optional’ but GDPR makes it a ‘requirement’ to have it in hand before information exchange, which can delay setting up the patient transport.”
Navigating privacy laws
Providers have developed a range of policies, procedures and systems to make sure they can comply with privacy laws while still being able to do their job effectively. CONNEX Assistance, which has offices in Cairo and Dubai, has gone to the lengths of obtaining ISO/IEC 27001 certification since the advent of GDPR to support its compliance. This is a standard for information security management systems; certification shows that the company runs a managed, audited security programme, although it is not in itself a finding of GDPR compliance.
According to its Managing Director, Lara Helmi, CONNEX Assistance is one of the few businesses of its kind to have this. “It takes a lot of preparation but the industry would benefit from more companies being certified,” she said. “We have a system in place to secure and minimise any data breaches that occur and reduce the risk greatly.” Helmi said the company also asks all the providers it deals with for their data protection protocols to make sure none of the information is at risk.
Staff training is essential to make sure everyone involved is aware of the rules that must be complied with and stays up-to-date with any changes. “We conduct training for staff in our onboarding process, which includes HIPAA and GDPR compliance courses, and we also do annual GDPR and HIPAA training,” said Stephanie Kluver, Medical Operations Manager at critical event management company FocusPoint International. “Staff are required to do it and there’s a test at the end.”
Being prepared for all eventualities when it comes to handling data is also important, for example by carrying out data protection impact assessments – which GDPR requires for high-risk processing such as handling health data at scale – to identify and mitigate risks, and by having clear policies on areas such as consent and data security. But it’s a balancing act, as procedures that are too stringent could get in the way of doing the job that’s required.
Bonser said: “You can’t really shortcut complying with the privacy laws but you can ensure you’ve got the processes baked in. You need to be prepared and have a full understanding of what’s required at the outset to make it as efficient as you possibly can, but it’s a challenge as you have a duty of care to patients who have emergency medical needs.”
Information often needs to be obtained verbally over the phone as there may be no time to go through lengthy procedures and it can be the best way to get the most up-to-date information. Williams said: “The most important thing for us in mission planning and risk assessment is to know exactly what’s going on with the patient. It’s better to get that directly from the hospital as the information from the assistance company or insurer could be out of date.”
Having partners or offices in different countries is also helpful, as those on the ground will be more familiar with local procedures and medical staff may be more comfortable giving out information to people in the same country.
Industry-wide standards
There are many examples of standard forms that are used to make exchanging medical information easier in assistance cases, such as ‘Fit to Fly’ forms, used by physicians to provide information about the patient, and medical information forms, known as ‘MEDIFs’, required by commercial airlines to be completed when passengers have medical needs.
However, creating a standard document for aeromedical and assistance providers to use to make sure all the necessary information is given at the right time is very difficult. EURAMI looked at data security when working on its new standards for accredited providers, which it launched last year, and was unable to come up with a general standard other than that companies must comply with the laws in the areas they provide services in.
“There are no guidelines you can apply across the board as all countries are different – even within Europe,” said Schmiedhuber. “I don’t think it would be possible to create a standard document as it would have to be thousands of pages long to address everything from every country, and sometimes the rules contradict each other.”
Williams has also seen first-hand how challenging this kind of exercise can be. “In 2006 we tried a similar thing when the WHO [World Health Organization] implemented the International Health Regulations (2005),” he said. “I was on a WHO/IATA [International Air Transport Association] working group about how you could provide information across national boundaries. Although it was set up under the auspices of IATA and WHO, it was still very difficult.”
Despite the complications aeromedical and assistance providers sometimes face as a result of having to comply with data privacy laws around the world and the limited opportunities for putting industry-wide solutions in place, it’s clear that providers have developed their own sophisticated systems for making sure they comply while also acting in the best interests of patients.