The law of unforeseen consequences is ever-present. Especially when two great ideas clash.
Take for instance Population Health Management (a great idea that relies on profiling, marketing new services and great communication with patients) and privacy and data legislation (a great idea that prevents automated profiling and electronic marketing without explicit consent).
Doctors trying to implement population health management are already butting up against the problem.
The question they are asking themselves is: “If I profile people to determine who might be at risk, is that legal under data laws and if it is, how do I communicate that information efficiently and effectively without breaking electronic privacy laws?”
Data and Privacy Legislation and Health (GDPR)
While GDPR governs the data you use for email marketing, the required permission to send email marketing is defined by PECR (sometimes known as the European e-privacy directive).
Before embarking on Population Health Management, you need to understand what GDPR says about Profiling and Legitimate Interest and how PECR views email and text marketing without explicit consent.
Profiling in Healthcare
GDPR gives people the right not to be subject to “solely” automated decisions, including profiling, which have a legal or similarly significant effect on them. These provisions restrict when you can carry out this type of processing and give individuals specific rights.
Solely means a decision-making process that is totally automated and excludes any human influence on the outcome. A process isn’t considered solely automated if someone weighs up and interprets the result of an automated decision before applying it to the individual.
However, human involvement has to be active and not just a token gesture. The question is whether a human reviews the decision before it is applied and has the discretion to alter it, or whether they are simply applying the decision taken by the automated system.
If Vision’s Outcomes Manager software provides your practice with a list of people at risk of cardiovascular disease, you might be in breach of GDPR if you contacted them immediately without reviewing or assessing them. This process of reviewing and assessing would also have to be documented to prove that it wasn’t a token gesture. So good practice would be to look at the information generated case by case.
GDPR has a “legitimate interest” clause which should allow practices to send out letters (we explain why only letters below) to patients calling them in for checks or telling them about new services, like a diabetes clinic, they may want to use.
But a healthcare organisation can’t just assume that you have a legitimate interest to use someone’s data to profile them and send them information about a new service that might benefit them.
To be certain, the Information Commissioners Office (ICO) recommends healthcare organisations document the process and ask more than 30 questions to examine:
- the precise purpose,
- the clear necessity,
- whether you’ve balanced the individual’s rights,
- whether the patient would reasonably expect the data to be used and the likely impact on the patient.
Ultimately, your organisation has to be satisfied that there are no ethical issues that might prevent you from using your patient’s information.
For instance, a GP practice would need to satisfy itself that it can achieve the same purpose by processing less data, or by processing the data in another more obvious or less intrusive way.
The practice needs to satisfy itself it is not having an impact on individuals’ interests and rights and freedoms and assess whether this overrides the practice’s legitimate interests.
The practice needs to assure itself that the patient would reasonably expect their data to be used for the purpose proposed.
At the end of these questions, the practice should be satisfied that there is no reason why an individual would not expect their information to be used for the purpose proposed.
Finally, the practice has to examine the likely impact on the person and mitigate any risk by offering the individual an opt-out.
Your organisation also needs to keep a record of this process and explain how you concluded that you had a legitimate interest to use your patient’s data in the way you propose. Essentially the practice needs to be accountable and transparent.
The ICO’s guidance says: “Under the new accountability principle, you need to be able to show that you have a lawful basis for each processing operation. If you are relying on legitimate interests, you need to document your assessment of how it applies to the particular processing, and ensure that you can justify your decision if necessary.”
However, just because you have a legitimate interest doesn’t mean the manner in which you carry out the marketing isn’t contrary to the Privacy and Electronic Communications Regulations (PECR).
PECR requires marketers to ask for consent in certain circumstances (see the ICO PECR guide). And the ICO has been very clear that granular consent is required when using patient data to market a new service.
Organisations that send text and email communications must be able to differentiate between:
- Direct care purposes (such as appointment reminders)
- Secondary purposes (e.g. the establishment of a new clinical service)
- Non-healthcare purposes
Where an activity is not part of the direct care of a patient, organisations must inform patients that they can choose to opt in to receiving text messages and emails about a new service.
Any patient who has exercised their national data opt-out right should not expect to receive a text message from a health or care organisation for a non-direct care purpose
The ICO provided this example:
“If a GP surgery starts a new asthma clinic the surgery is not allowed to automatically send text or email messages to all the people on their list who have asthma that the new clinic exists because a) there may be people in that cohort who do not want to use the service and therefore do not want to be informed under PECR and b) because it could be construed as automated profiling under GDPR.”
Your health organisation may have a legitimate interest in processing the patient’s data, but PECR does not recognise legitimate interest. Whether the people on the list would benefit is not considered to be a factor for consideration.
Under PECR, if you feel emailing or texting is more efficient than posting a letter, you have to gain “granular” consent. Which means getting written consent in the surgery, sending the patient a letter asking them to return a consent form or asking them to give specific consent through a patient portal.
One way around issue (a) is to send your information by post. PECR only regulates electronic communication.
So, if you are happy that you haven’t “solely” used automatic means to profile your patients and you have a documented legitimate interest you should be safe to send a letter, without gaining the patient’s granular consent.
That may increase your costs but may be more effective than emailing. The direct marketing association estimates 79% of consumers act on direct mail immediately compared to 45% who act on email. Although this survey wasn’t carried out looking at NHS branded communications, the effect of the NHS brand would probably be to increase both figures.
The worst thing a GP practice or CCG could do is profile patients and then hand the information over to a third party to carry out the marketing.
Even before the introduction of GDPR, the ICO took action against Bournemouth and Poole PCT. The PCT hired a company to call thousands of people they felt were at risk of coronary heart disease in 2012.
Local resident, Chris Kone-Roberts, objected and told the BBC he felt "awful" when he was called by a woman purporting to be from his local surgery.
He added: "She knew enough to say that I'd been identified as being in an at-risk group and she started speaking to me about coronary heart disease."
When the PCT was questioned by the ICO it replied that it was not practical to obtain prior consent from all patients by writing to them and asking permission to contact them.
The office concluded that the PCT's processing of personal data was not fair.
The ICO wrote: "Individuals should have been informed by the trust that they would be receiving a call inviting them to attend a risk assessment, and that this letter should ideally give them some method for asking not to be contacted.
"The reason for this is that even if their health data is not being processed, people would generally not expect to hear from an unknown company regarding health checks, and given the context (and lack of information provided in that phone call), people could be concerned as to who has had access to their medical records."
The fact that the intervention by Bournemouth and Poole PCT was highly effective had no bearing on the ruling. The initiative contacted 13,000 patients by phone and 4,000 submitted to check-ups. Of these, 1,000 were determined to be at risk and underwent further medical treatment.
Ironically, Bournemouth and Poole PCT would have been in the clear if they had made the calls internally and not transferred the data to a third party.
Cold calling by phone is legal under PECR – unless the person is on the Telephone Preference Service (TPS) or has told the organisation not to call.
As long as you screen the numbers you are calling against the TPS lists (which you can rent or buy from the TPS itself).
PECR Soft Opt-in and Health
There is a potential loophole in PECR for surgeries wanting to use emails and texts to inform patients of new services but it has not been tested in healthcare.
Under PECR if an email address is: provided “during the sale or negotiation process”; an opt-out is provided at the time and where subsequent marketing is limited to goods and services relating to the purchase made by the customer - electronic marketing is allowed, as long as the customer is offered the option to opt-out of every message.
The question that hasn’t been tested is could the “sale of negotiation process” referred to in the PECR regulation be the patient registration process or re-registration?
Could the option to opt-out be given at this point? And if the practice only informed the patient about health-related services and only the practice communicated and an opt-out was offered in every communication, might this count as a “soft opt-in” to electronic messaging under PECR?
Recording Granular Consent from Patients
If you go down the route of gaining explicit granular consent for every electronic communication think about these points:
- Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data.
- Consent should be obvious and require a positive action to opt-in.
- Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
- Consent request should include:
- the name of your organisation;
- the name of any third party data controllers who will rely on the consent;
- why you want the data;
- what you will do with it; and
- that individuals can withdraw consent at any time.
You must ask people to actively opt-in. Don’t use pre-ticked boxes, opt-out boxes or other default settings. Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing.
Keep records to evidence consent – who consented, when, how, and what they were told.
Make it easy for people to withdraw consent at any time they choose. Consider using preference-management tools.
Keep consents under review and refresh them if anything changes. Build regular consent reviews into your business processes.
Emergency Contact with Patients
You will be comforted to know that none of this regulation applies where there is an emergency.
The duty of NHS staff to communicate with patients who are at clinical risk overrides the duty of confidence. The GDPR allows communications like this where it is in the patient’s ‘vital’ interests.
If you need to contact a patient urgently for a vital medical reason, you should do so by whatever means will be most effective.
There have been cases where clinical staff have not left voicemail messages for patients, for fear of breaching confidentiality, and patients have suffered harm as a result.
The balance between confidentiality and protecting the patient’s health will be based on:
- The nature and urgency of the contact
- The medium used to contact the patient (e.g. a voicemail message left on a mobile phone is more likely to be picked up by the intended recipient than a message left on a landline answerphone).
This is a potential minefield but, with a bit of common sense, practices and other healthcare organisations should safely be able to operate within the law. The key things to remember are:
- Profiling – always instigate a documented case-by-case review of profiled data to ensure you can’t be accused of using “solely” automated data.
- Legitimate Interest – don’t assume every patient will think your intervention is a benefit to them. Work through the ICO’s questions.
- Electronic Communication – think ahead and start collecting granular consent for sending specific communications for secondary care and non-healthcare purposes.
- Letters – they are still effective if a little more expensive and they are unlikely to contravene GDPR or PECR if you have satisfied points one and two above.