Deep Thoughts On GDPR and MedPayRx

This article from our newsletter has been updated in light of the precedent-setting GDPR fine just levied against Google.


GDPR is now approximately 8 months old across Europe. And while this affects the entire medical, pharma, insurance, distributor and medical device space, we are also aware of how few people really understand it. And how much the system today will come to be seen as out of compliance on a fundamental level in the future. This regulation also affects banking and payments, of course, and since we are absolutely in a space where all of these industries connect, we have, since the get go, looked at ways to engineer a system that addresses all of the same.

We believe we do get it (although see this great link for another good explanation from Planio). Why? Our team has deep if not decades of experience in understanding and interpreting privacy law and constructing IT solutions that are in compliance, built to spec to regulatory requirement, and further, best in class. We are following the release of new regs by the German Ministry of Health as they are released (for example) and so far, we are absolutely right if not a bit ahead of the game. However, since there is a lot of confusion about what this means for the digital health and insurtech space in general, if not what we are doing, we thought we would take a little time to explain the particulars this week.

GDPR in general, and even more specifically Article 9 in a medical claims and prescription space means that patients (nobody else) must have control over their data and the right to know who has it, who stores it and for what purposes it is “processed.”

What does this mean? While people cannot “own” their own data in the way regular property can be owned, they must have a say in where it sits, and how it is used. And of course, “to be forgotten.” Or ask that it is removed. Or at least not “processed.”

How will this work in our space? Despite the recent pronouncements of a powerful CEO in the cannabis space from Canada, we believe there will be no “Google” of the pharma (much less cannabis) space… Why? Because Google (and Facebook, etc.) all believe that they own your data – or if not exactly “own” can do many different things with it, covered by ambiguous, overly broad blanket privacy statements that are confusing to users. Plus, as the French regulator just concurred, make it very hard to do. While the Google case specifically is just an early decision, look for more case law on this point. Bottom line, users of any system should not face high burdens when they “wish to be forgotten.” Even more particularly for reasons of protecting their medical privacy.

We believe that the current underlying engineering of most social media represents a major threat to property and privacy rights which was allowed to flourish in the U.S. thanks to the undermining of The Privacy Act and HIPAA that has occurred in a one-way path since 2001. And has gone international with the advent of Google and most social media as a result. This was true, even before GDPR. Exhibit A? Google has run into issues all the way along the line in Europe every time it introduces a new banking and/or healthcare application and that will only increase. See not only the DeepMind disaster at the NHS, but previous banking projects that have hit the skids when they come into mainland Europe.

Everyone else is now facing the new standards. And so far, we have not seen a single solution except our planned one which even addresses the same in a comprehensive manner, much less offers an answer. “Fixes,” in other words, might be a temporary solution for those with established (pre-GDPR) systems but in the long term are not sufficient, and run the danger of being found, at some point, non-compliant. And will certainly be challenged in the near future, underlined by newly conceived systems built under the rules of privacy by design.

Who “owns” data (in the context of an IT universe, specifically, who owns and has access to the systems it is stored on) and who has access to it long term has been an issue of debate in the privacy and property space for a long time. Technically, legally, there is a valid argument to be made that while data technically cannot be “owned,” the unauthorized use of it, or even storage of it in a way that a user cannot get back or undo (even with a signed release in place) represents a dramatic violation of the concept of “personhood.” And that is where privacy law starts to seep into property law in some very slippery places now on the table in Europe.

In a healthcare setting, it is our argument that systems must be built so that patients control their identifiable data easily and upon request, while preserving the mandated and required record of transactions, and are even able to pull them back, for service and of course around the dispensation of care, drugs and applicable medical equipment. This presents a conundrum in the entire medical records and prescription space, and for everyone involved. Why? There are two reasons. The first is because the current infrastructure which has developed over time is very much not compliant from an infrastructure perspective. It is based on centralized databases which cannot “talk” to one another, compounded by the necessity of data storage requirements that contain far too much information (in our opinion) for the other (mandated) function they must perform – namely to preserve records of transaction and dispensation.

One example of this? Prescription drug tracking. Firms have to know where their drugs have gone. So does the government as it has a lawful purpose. Thus creating the necessity – in the world pre-blockchain and pre-GDPR – of storing identifiable data at multiple points on the supply chain. This construct by definition, beyond the releases that allowed the same to sit there, creates a situation where patients cannot “get it back.”

MedPayRx solves this problem by literally splitting the compliance tracking record from identifiable patient data. That way, a record of the transaction to be paid for (whether it is a doctor visit, MRI scan, or prescription-issued drug or medical device), exists permanently, as required by compliance regs. However, this transaction is also split from the actual identifiable record. The transaction piece required for compliance, in other words, is anonymized beyond point of care, approval and dispensation, and preserved in a trusted, anonymous ledger (the blockchain). The identifiable record, of course, is not. From a policy perspective, we believe that tackling this larger problem is why GDPR was passed.

However burdensome for existing operations, we are now in what the Guardian has just dubbed “The Decade of GDPR.” Segments and pieces of data scattered over an ecosystem for compliance purposes, even if they are there with a signed waiver, are now very much on the table. “Data processing” implies more than just storage of course, but to process data, it has to be stored in such a manner. Further, data that can be combined and used for other purposes, in aggregate, very much violates basic privacy law just about everywhere (far beyond medical privacy law in particular). That is also the issue that faces all centralized systems now operating in this space beyond pharma, insurance, and the like. Google and Apple health solutions, for example, fall into that territory. We believe that these two cases, plus Facebook, present issues that are not solvable long term without the introduction of new engineering of infrastructure and processing operations because they are incompatible with their business models.

What will the impact be on a compliant insurance-backed health system? Large. And expensive if companies get it wrong. Violations can be fined at 4% of global company revenue per patient record. That can add up fast. In Google’s case, the fine was eye-watering, finally, although far from the maximum. There will be, we predict, more of them.

Here is one example. Insurance companies currently have patient records forwarded by doctors and patients for the purposes of approvals. Pharmacies have records of patient prescriptions over time, which are identifiable and also constitute a “medical record” that the patient does not control, much less can get back (for obvious reasons). So do pharmaceutical companies, and in some cases, distributors. In the coming age of GDPR, that is new territory. Especially when there are alternatives.

This is also very much the mindset of the entire Canadian cannabis industry now coming here because in the model that has developed there, manufacturers and distributors can in fact send orders directly to patients. That will never fly here going forward unless there are changes to how particularly German pharmacies fit into the mix.

In the old paradigm, this was the only way to track sales. However, the parties that currently have pieces of such information now certainly do not need to have this information, and further, in our opinion, should not over the long term, however much they need this data briefly at point of prescription, approval and sale. What they do need is the trusted record of the transaction, that it was authorized by the right and appropriate parties, and given to the right person.

This presents the first problem that we aim to solve easily and cleanly. Namely, the aggregation of data over time that is also collected at all of these points is most certainly a “patient record” as well as one that is non-retrievable.

In the pharma industry, and the cannabis space is no exception to this, including the big companies now coming to Germany and Europe from Canada, this is already on the table.

As a manufacturer or distributor, you should not have lists of patient names connected to the drugs they take beyond the explicit point and time of prescription, approval, payment and dispensation. Even if they are forwarded by a doctor with a patient waiver. Particularly in the cannabis space, and for obvious reasons (including the fact that this is still a highly stigmatized drug). No matter how good your cyber security.

We believe, as a result, that the vast majority of doctors are also out of compliance with the law at present, even if they get releases from patients to forward prescriptions or other identifiable medical records to anyone. Why? Because the patient does not know where they are going and further, cannot easily get them back. The Google case, in other words, creates a precedent we saw coming some time ago. And will, in turn, begin to create case law precedent that will guide the construction of future systems.

While this seems like a paradox, if not a strange thing to say, anyone who has had to deal with the implications of a misdiagnosis on a formal medical record understands this, viscerally. So do patients who, particularly in the cannabis space right now, face insurance refusals because they might have had a problem with prescription opioids. That is absolutely in our gun sights right now (particularly because we know that cannabinoids represent one of the best paths off of opioids.)

Further, in the case of prescriptions directly, this also puts the kibosh (at the dawn of widespread adoption of a “digital prescription” in several countries in Europe) on the current practice of scanning in paper prescriptions and forwarding them, somewhere. Insurance companies are also on the front lines of this one and we know they have so far at least, not figured this out.

It is not enough, in other words, to require patients to sign releases so that their data is kept in systems for any longer than necessary. And at all points on the chain, even with releases, patients must be able to know where their data sits, and be allowed to expect systems that can separate anonymous but accurate compliant tracking required by regulation from the identifiable data beyond it.

However again, this is why our system separates an identifiable “prescription” from any patient data we allow doctors to forward for approvals to appropriate parties, and why, once the prescription order is filled, an immutable, provable record of the transaction exists, but is anonymized for all stakeholders along the chain. This means they meet the compliance regs of tracking drugs, particularly narcotics, without having identifiable patient records over the long term.
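The split between a permanent transaction record and an erasable identifiable record, described here and in the earlier paragraph on the anonymous ledger, can be sketched as follows. This is an added example, not MedPayRx code: the class, field names and the HMAC-based per-transaction pseudonym are assumptions, and an in-memory hash-chained list stands in for the blockchain.

```python
import hashlib, hmac, json, secrets

class SplitRecordStore:
    """Constructed sketch: identity in an erasable vault, transactions on a hash chain."""
    def __init__(self):
        self.vault = {}   # patient_id -> {"key", "profile"}; identifiable, erasable
        self.ledger = []  # append-only; never holds a name or patient_id

    def enroll(self, patient_id, profile):
        self.vault[patient_id] = {"key": secrets.token_bytes(32), "profile": profile}

    def _pseudonym(self, patient_id, tx_id):
        # Per-patient secret key, per-transaction input: entries for one patient
        # cannot be linked to each other or to the patient without the vault key.
        key = self.vault[patient_id]["key"]
        return hmac.new(key, tx_id.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _digest(entry):
        fields = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

    def record(self, patient_id, tx_id, item, approved_by):
        entry = {"tx_id": tx_id, "item": item, "approved_by": approved_by,
                 "subject": self._pseudonym(patient_id, tx_id),
                 "prev": self.ledger[-1]["hash"] if self.ledger else "0" * 64}
        entry["hash"] = self._digest(entry)
        self.ledger.append(entry)
        return entry

    def verify_chain(self):
        prev = "0" * 64
        for e in self.ledger:
            if e["prev"] != prev or e["hash"] != self._digest(e):
                return False
            prev = e["hash"]
        return True

    def belongs_to(self, patient_id, entry):
        # Only the vault holder can re-link, and only while the key still exists.
        if patient_id not in self.vault:
            return False
        return hmac.compare_digest(entry["subject"],
                                   self._pseudonym(patient_id, entry["tx_id"]))

    def forget(self, patient_id):
        # Erasure: drop key and profile; ledger entries stay verifiable but unlinkable.
        self.vault.pop(patient_id, None)
```

Free-text or rare values in `item` can still identify a person in a small population, so what goes into a ledger entry needs the same scrutiny as the pseudonym.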

We will never know what drugs our clients take, or know about their health conditions, and from the back end, we will be as blind as any of the users of our data. That said, if patients want to share their anonymized data, for the purposes of research and policy making, we give them that option, permanently. As well as the permanent right to unshare. No questions asked. No approvals necessary. Just the flick of the share/unshare button on the patient side of things.

Our goal is to protect patient data while creating the first truly anonymous record of transactions and drug interactions required for compliant approvals and tracking, plus research and policy formation, which we can do, because of the steps we have taken and will continue to take.

Why are we of course a necessary tool for industry beyond a focus on patient rights? We will save massive costs throughout the entire process. For all industry/corporate participants.