MVision not only provides unique AI-powered solutions for Radiotherapy treatment planning but also follows the highest standards of data protection for clinics and their patients. This is of utmost importance to us so we are very excited to celebrate Data Privacy Week and explain how we protect your data and respect patient privacy!
From the very outset, MVision has followed the GDPR and HIPAA requirements for data security and privacy. What are these requirements and how does MVision fulfill them? Let us explain.
What is HIPAA?
The HIPAA – Health Insurance Portability and Accountability – Act is a federal law issued in 1996 in the USA. In the earliest form, it had dual goals: to make healthcare delivery more efficient and increase the number of Americans with health insurance coverage.
After computers became an integral part of life and patient data migrated from hospital archives to online storage, the issue of data safety and protection became acute.
The HIPAA Privacy and Security rules
On April 14, 2003, the Privacy Rule came into effect. Since then the HIPAA establishes national standards to protect individuals’ medical records and other individually identifiable health information (collectively defined as “protected health information” or PHI) and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically.
What is GDPR?
The GDPR – General Data Protection Regulation – came into effect on 25th May 2018. It provides a legal framework to keep everyone’s personal data safe by requiring every company to have robust processes in place for handling and storing personal information.
The key principles of GDPR
Lawfulness, fairness and transparency.
Whenever you are processing personal data, you should have a good reason for doing so. The concept of fairness means you shouldn’t purposely withhold information about what or why you’re collecting data. By following transparency, you act fairly towards your data subjects.
It sets boundaries around using data only for specific activities. Your purposes for processing data must be clearly established and you must follow them closely, limiting the processing of data to only the purposes you’ve stated.
Integrity and security
A company must protect data from unauthorized or unlawful processing and accidental loss, destruction, or damage from both internal and external threats.
A company must have appropriate measures and records in place as proof of its compliance with the data processing principles. Supervisory authorities can ask for this evidence at any time. Documentation is the main key.
So how does MVIsion AI protect your information and safeguard patient privacy?
Before a patient CT or MRI scan is sent to our Cloud AI for processing, it is first handled by the MVision Daemon server. This daemon is installed within the clinic’s network and has the task of de-identifying and encrypting the scans before they are sent to our service. Only the clinic has control over this tool! MVision has no access except when it is temporarily granted by the user for technical support or software updates. Personal data is always retained locally and temporarily in “working memory” (RAM) by the daemon and is never saved or stored anywhere e.g. on the hard drive, thus it is not accessible to anyone, including MVision.
As illustrated in the figure above, only anonymised data is sent to the MVision cloud service where it is automatically processed (segmented) by our deep learning (DL) algorithm to create a 3D model of the anatomical structures. After the segmentation process is complete, the resulting structure set is sent back to the local MVision Daemon which restores the patient details so that the final results can be imported into the treatment planning system (TPS). In this fully GDPR and HIPAA compliant workflow, no personal data (PHI) ever leaves the hospital’s IT systems and the clinic remains in full control of their data with MVision’s role being purely that of data processor.
After the segmentation service is completed, scans are deleted from the cloud within 24 hours – even less if desired by the user. In the unlikely case of inadvertent/accidental submission of a patient’s personal data with the uploaded scans, the MVision Cloud will automatically reject and delete this data. Safeguards such as these and the workflow described above are in keeping with our philosophy of Safety by Design.
MVision is proud to be in the forefront of providing high-quality and ground-breaking AI solutions for advancing clinical care while ensuring patient privacy and data are fully protected.
The HIPAA Journal. “HIPAA History”, https://www.hipaajournal.com/hipaa-history/
Total HIPAA. “GDPR and HIPAA Compliance – Do They Overlap?”, https://www.totalhipaa.com/gdpr-and-hipaa/
Council of the European Union. “The general data protection regulation”, https://www.consilium.europa.eu/en/policies/data-protection/data-protection-regulation/