mHealth and Data Protection

14. May 2020

By Manuel Lobato. Patents Lawyer.

mHealth or “telemedicine”

One of the remarkable changes that technology has brought in recent times is mHealth. This technology gives the possibility -among others in the field of health- of being able to be assisted by a doctor without the need to physically attend any hospital, directly from the comfort of home, having only an electronic device with the possibility of internet connection. This is what is commonly known as “telemedicine”, which is developed through applications.

However, it must be taken into account that between these mobile apps and the user there is an interesting flow of personal data, and more precisely of sensitive data, as represented by access to the patient’s medical history. That is why it is necessary that these tools are accompanied by specific regulation of the State, in order to avoid the violation of user data, e.g.: encryption of information.

The implementation of these applications also involves several actors, mainly: companies that provide health services, the Ministry of Health, the agencies that regulate health issues, and those that are in charge of protecting personal data.

For example, in the United States, the FDA is the body in charge of supervising the implementation and operation of mobile applications intended to offer health services, as long as they comply with a series of pre-established requirements and standards and depending on the function that they develop -diagnosis, treatment, access to clinical information, etc-.

Data protection 

Lastly, it is essential to point out that, in addition to the control that the corresponding institutions must carry out regarding the data that is processed through mHealth Devices, these apps must not only comply with approval standards as such but also with regulations and standards that protect private data in general and sensitive data in particular, highlighting the following measures:

1) Risk assessment analysis;

2) Pseudonymization and encryption of personal data.

3) The ability to guarantee the permanent confidentiality, integrity, availability, and resilience of the treatment systems and services.

4) The ability to restore availability and access to personal data quickly in the event of a data breach;

5) A process of regular verification, evaluation, and assessment of the effectiveness of technical and organizational measures to guarantee the safety of the treatment.