With the implementation of the European General Data Protection Regulation (GDPR) in May 2018 and the Medical Device Regulation (MDR) in May 2017, gone are the days when you could simply collect results from patient records, analyze the information, and use it for scientific presentations or publications. Under both regulations, the legal collection and use of any patient data requires appropriate approvals and documented patient consent. This article explains what is meant by patient data and describes how to report clinical results while respecting the requirements of the GDPR and MDR.
WHAT CONSTITUTES PRIVATE PATIENT DATA?
Under the GDPR, the term patient data refers to any information related to a natural person or data subject that can be used to identify the person directly or indirectly (see Protected Patient Data). Health care data, in general, fall under the category of medical information and are treated as private patient data. All health care data, therefore, require the security and privacy protection that applies to all private data. This is true of all of the data that are collected on a patient—a point raised frequently since the enactment of the GDPR.
PROTECTED PATIENT DATA
- Email address
- Phone number
- Banking details
- Posts on social networking sites
- Medical/health care information
- Computer IP addresses
The typical response from health care practitioners is, “This applies only to patients’ names and birthdates, right?”
Wrong. When it comes to health care data under the GDPR, every single data point is considered to be personal information. It is therefore insufficient to assign patient ID numbers and remove names and birthdates. Instead, you must obtain patients’ consent to use their data (Figure). However, this is not as simple as you may think.
Courtesy of Foiman.com
THERE’S THE RUB
You want to collect patient data to report on the results with a new IOL that you are starting to use. Thinking proactively, you add a paragraph to your patient informed consent form that explains that you will be collecting patients’ results to analyze and potentially use in scientific presentations or publications. Patients sign the form, and you start logging the results into a database or spreadsheet. Your intention is correct, but your execution is not.
This is where the MDR comes into play. Collecting and analyzing patients’ clinical results is outside the normal standard of care and constitutes a clinical investigation. To legally include a section on collecting and analyzing patient results in your informed consent form, the permission of an ethics committee is required. (In article 2.45, the MDR defines a clinical investigation as “any systematic investigation involving one or more human subjects, undertaken to assess the safety or performance of a device.”) The MDR applies whether you intend to collect the data prospectively or conduct a retrospective analysis involving a series of patients.
The MDR also states, in article 62.3, that “clinical investigations shall be subject to scientific and ethical review. The ethical review shall be performed by an ethics committee in accordance with national law.” This section on the conduct of clinical investigations in Europe also states that “clinical investigations shall be designed and conducted in such a way that the rights, safety, dignity and well-being of the subjects participating in a clinical investigation are protected and prevail over all other interests and the clinical data generated are scientifically valid, reliable, and robust.”
At this point, you are probably starting to question whether you will ever be able to present your clinical results at a meeting or share them with colleagues. It is true that the GDPR and MDR raise the ethical bar, but this is not necessarily a bad thing. These laws make clear what needs to be done, and they remove ambiguity over what is and isn’t a clinical investigation and what does and doesn’t require ethics committee approval.
THE RIGHT WAY FORWARD
Clinical investigations can be divided into two broad categories: prospective and retrospective. Cohort studies fall under the heading of prospective studies, whereas case-control studies, generally, fall under the heading of retrospective studies.1
Whether you plan to collect data prospectively or retrospectively, ethics committee approval is required, including the committee’s review and approval of the informed consent to be used. This may seem like more trouble than it’s worth, particularly if you do not have someone on your team with clinical study experience, but several options can make it possible.
Retrospective data collection. This is the most straightforward and simplest way to approach authorization, but if your aim is to publish material in a peer-reviewed journal, bear in mind that retrospective data are not viewed as positively as prospective data.
With a retrospective study, you can seek ethics committee approval to recall treated patients and get their permission to use the data. Alternatively, in some cases, you may request an exemption for patient consent based on the type of data that you are collecting.
Prospective data collection and investigations. For these, you must develop a study protocol and informed consent and provide documentation that supports your ability to conduct a clinical study (known as a Good Clinical Practice certificate). Three possible approaches to data collection in this setting are the investigator-initiated trial, registry study, and sponsor-supported study. (These approaches are outlined in Approaches to Prospective Data Collection.)
APPROACHES TO PROSPECTIVE DATA COLLECTION
You act as the sponsor and are responsible for all aspects of how the clinical study is conducted. In some cases, a company may provide a grant to help cover the costs, but the investigator oversees the study.
You can seek approval for ongoing data collection for a specific procedure or technology over a specified period. The limiting factor is that you typically may not perform diagnostic evaluations outside of the usual follow-up tests.
Medical device companies provide the administrative and financial support to help you execute the study.
For investigator-initiated trials and sponsor-supported studies, all major ophthalmology companies have processes for submitting study ideas and obtaining funding support. Smaller companies may also be able to help if approached with study ideas. Another requirement of the MDR is that all medical device companies collect prospective and retrospective clinical data on an ongoing basis in order to maintain their CE Marks. This motivates companies to work with you on clinical projects.
THE NEW REALITY
GDPR and MDR requirements add a level of complexity to working with patient data, but these laws provide the framework that European ophthalmologists and manufacturers must work under. The intention behind both laws is what all involved parties want—to ensure that patients receive the best possible care.
LIKE WHAT YOU’RE READING?
With this article, we are excited to announce a new column in CRST Europe devoted to practice management. Strategic Practice Management will debut in the January 2021 issue and will be led by Kristine A. Morrill, BS, who has been instrumental in the ESCRS Practice Development and Management program since 2008.
Strategic Practice Management will focus on all aspects of managing a clinical practice, from operational issues to staff management and marketing. For this section, we will seek out the best experts in the field to provide timely, practical, and strategic advice.
1. Prospective vs. retrospective studies. StatsDirect. Accessed October 1, 2020. https://www.statsdirect.com/help/basics/prospective.htm