Health insurance and chronic diseases: what are the ethical and governance issues?
For many years, the rise of smartphones and other mobile tools such as tablets and connected watches has been a determining factor in the development of m-health #1, thanks to the development of mobile applications dedicated, in particular, to monitoring chronic diseases.
The health platforms behind these applications allow health insurance organisations and mutual insurance companies to broaden their range of services: consultation and monitoring space for contracts taken out, assistance, connected health, prevention, information, etc.
The insurance business consists of assessing the risks to which policyholders are exposed before covering them. Offering them a support or prevention service makes it possible to limit the occurrence of risks. These services, personalised to the insured, create tensions between the insurance world and the protectors of privacy.
In the case of policyholders suffering from chronic diseases, it is appropriate to question the legality of the processing of personal data (GDPR) set up by their insurers, which is a sine qua non condition for the modernisation of the health system and for innovation.
No support without consent
In the face of rising healthcare costs, the support offered by insurance companies helps patients take responsibility for their health. This support aims to reduce incidents, optimise care paths and control expenditure.
Supporting people with chronic diseases is not the insurer’s job: most often, policyholders are therefore followed up by third parties in conjunction with their insurer. The first step for the insurer is to become aware of the policyholder’s illness, and then to transmit this information to the third party designated to assist in the management of the illness.
The transmission of personal data of insured persons concerning their health is strictly regulated by law, especially when it is intended to be transmitted to third parties. The consent of insured persons, as data subjects of data processing concerning their health, is mandatory.
A single legal basis: consent
Personal information collected in the course of monitoring chronic diseases falls under the “special categories of personal data”, the conditions for which are set out in Article 9 of the GDPR. As a matter of principle, the processing of such information is prohibited, with a few exceptions:
- either “the data subject has given his explicit consent to the processing of his personal data” #2;
- or “processing is necessary for the purposes of preventive medicine […], medical diagnosis, health or social care, or the management of health or social care systems and services” #3;
- or “the processing is necessary to protect the vital interests of the data subject” #4.
It should be noted, first of all, that the performance of a contract is not among the exceptions that allow for the processing of special categories of data, including health data.
The last exception, the safeguarding of vital interests, is not privileged in the case of support for the monitoring of chronic diseases by social protection bodies.
The second exception could be validly invoked, on the additional condition that the data are processed by a health professional subject to an obligation of professional secrecy #5.
The first exception, consent, remains the most certain legal basis and a sine qua non condition for the implementation of such processing.
Managing consents in 3 steps
Organisations that offer their policyholders support in monitoring their chronic illnesses are subject to legal requirements (GDPR) that govern the collection and management of consents. These requirements are stricter when it comes to health data, as this is so-called sensitive data.
The European legislator has adopted a deliberately broad definition of health data. Health data is any information relating to the past, present or future physical or mental health of a natural person.
This definition includes all forms of information:
“a specific number, symbol or element assigned to a natural person to uniquely identify him or her for health purposes; information obtained from the testing or examination of a body part or substance, including from genetic data and biological samples; and any information concerning, for example, a disease, disability, risk of disease, medical history, clinical treatment or physiological or biomedical condition of the person concerned, irrespective of its source” #6.
Organisations offering such services #7 must obtain the consent of the persons concerned under the following conditions:
1 – Be able to prove that the persons concerned have given consent #8, especially in the event of an audit.
Consent management solutions make it possible to store consents, manage them in real time (giving and withdrawing consent #9) and thus personalise the exercise of individuals’ rights.
2 – Distinguish consent to the processing of health data from consent to the processing of other data #10. This implies providing for the collection of at least two different consents when personal health data are processed.
To be valid, the consents must be given in a “free and informed” manner. “Informed’ because they are preceded by essential information #11. It is displayed in an understandable way, in clear and simple terms #12 and is easily accessible.
This implies that requests for consent must be “concise [without] unnecessarily disrupting the use of the service for which it is given”. Consents should be the result of a clear positive act #13 such as a checkbox, written or oral statement. A pre-checked box, to be unchecked, silence, inaction, are not allowed by the regulation.
It is in the interest of health insurers and mutuals to banish “dark patterns #14” and invest in the UX of privacy (with icons, diagrams or even videos for example) when developing these new offers, in response to which policyholders may be suspicious.
3 – Provide for the possibility for data subjects to withdraw their consent to the processing of their health data
This right to withdraw consent is one of the rights that individuals have regarding their data. It is accompanied by the rights of access, rectification but also erasure and objection #15 and should be seen in parallel with the condition of freedom of consent #16.
These paragraphs explain respectively:
“consent should not be regarded as freely given if the data subject does not have a genuine freedom of choice or is not in a position to refuse or withdraw consent without suffering prejudice.”
“Consent shall be presumed not to have been freely given if separate consent cannot be given to different personal data processing operations although this is appropriate in the particular case, or if the performance of a contract, including the provision of a service, is conditional on consent despite the fact that consent is not necessary for such performance.”
The management of consents to the processing of sensitive personal data such as health data is an interesting process to automate because it is complex.
Support for the monitoring of chronic diseases can only be an option in the health insurance contract. On the one hand, because not all health policyholders are carriers of chronic diseases. On the other hand, because those who do may not want to benefit from the proposed support. Also, because they may change their mind and give up after having benefited from it. Finally, because it does not seem desirable for the insurer to have to terminate the health insurance contract following the absence of a desire to be monitored for a chronic disease.
For the “insured experience”, the ability to opt out of a service and to withdraw consent to the processing of the data concerned is fundamental. By remaining in control of their data, policyholders do not feel that they are being monitored and the relationship of trust is preserved.
Transfer of data to third parties and information sharing
Once consent has been obtained and managed, the relevant personal data #17 of the insured persons can be transferred to third parties in charge of monitoring their chronic diseases.
As regards the legal regime governing the sharing of information, there are two possible options: the third parties in charge of monitoring are either subcontractors of the health insurance organisations and mutual insurance companies, or they are jointly responsible for the processing carried out.
In fact, third parties are intended to be subcontractors rather than joint controllers. As such, both parties are subject to the requirements of Article 28 of the GDPR. Among other things, third parties #18 must provide sufficient guarantees in terms of compliance and particular attention must be paid to the distribution of roles and responsibilities of each party in the framework of the contract between them.
Access by the insurer to all data related to the monitoring of the insured’s chronic diseases should be prohibited. Such a practice is in breach of the obligation to minimise and ensure the relevance of data. It would run the risk of damaging the image of the insurer, for whom transparency and fairness are essential.
Interoperability of health data, essential for data circulation
The GDPR has brought with it this “new” right, additional to those mentioned above: the right to portability #19. This right is a vector of innovations favourable to the digitalisation of health monitoring.
The text of the above-mentioned regulation states:
“data controllers should be encouraged to develop interoperable formats allowing data portability”.
This right should apply where the data subject has provided the personal data on the basis of his/her consent or where the processing is necessary for the performance of a contract. #20 In the present case, both cases are met.
This incentive to favour, or failing that, to put in place interoperable data formats in the context of the exercise of the right to portability, is also intended to apply to data transfers between third parties.
Here, no or few transfers are to be expected. Data related to the monitoring of chronic diseases should be collected directly from the persons concerned by the third parties in charge of their monitoring. There would be no need for the insurer to collect the data and transfer it to the third party in charge of monitoring. The same applies to the transfer of monitoring data from policyholders to their insurers.
The most legitimate transfer of personal data is the one that summarises the situation most simply: a policyholder has a certain chronic disease for which you are a specialist in monitoring, and we put you in touch with them so that you can accompany them.
Insofar as the circulation of personal health data in accordance with the spirit of the regulation is envisaged, the insurer only transmits to the organisations the information relevant to the support and registration of the insured. It would seem legitimate to transmit their surnames, first names, email address and possibly or optionally their “user ID” (or policyholder number) as well as the chronic disease from which they suffer.
The circulation of data, essential to the modernisation of the health system
Important ethical issues are raised by the case in point: what are the risks incurred by policyholders who are known to be living with a chronic disease but who refuse or renounce the support offered by their insurer? Will they be identified as “bad risks”? Do they risk exclusions from coverage, lower reimbursements, higher premiums? What about policyholders who are already receiving external support for their chronic disease and do not wish to change? Will they have to prove this to their insurer? Will they be encouraged to change?
Insurers could become players in the health of their policyholders and fund preventive medicine, which is less costly and reduces risk. They would be given a new role: helping their policyholders to become actors in their own health, with “co-active” social protection. The imbalance between policyholders and their insurers raises the question of policyholders’ awareness of the risk of losing control of their data.
It is up to health insurance organisations and mutuals to capitalise on the means deployed for the compliance and ethics of this support for chronic diseases. Third-party organisations and the health insurance and mutual organisations that offer it must consider the technical issues raised by such practices in order to optimise them.
It is necessary to agree, in a multidisciplinary manner and with the help of a consortium, on the standards used to ensure the protection and compliance of health data transfers and to optimise their circulation and reuse.
The synergies between the three players in case #21 would benefit from being extended to other health players (hospitals or the Assurance Maladie, for example), so that insured persons/patients benefit from better care and relevant treatment.
Beyond the requirements of regulatory compliance, transparent and patient-centred health data governance seems essential to accelerate the modernisation of the health system, as supported in particular by the ENS and the Health Data Hub.
Preserving the free will of insured persons/patients in the choice of how their data circulates presents an opportunity for them to participate in the progress and acceleration of innovation projects that deal with subjects that are dear to them and in line with their own values. Isn’t this what data altruism is all about, as introduced by the new European Data Governance Act?