Levvel Health’s Remote Patient Monitoring solution (levvel.connect) can comply with the GDPR, as explained here: https://gdpr.eu/
Consent and legal basis for processing
Levvel Health assures that all patients can give their consent to data processing upon initial contact.
Such consent will be stored in the record permanently, or until the patient requests full deletion of data. In addition to consent from the patient, it is the responsibility of Levvel Health’s clients to provide a legal basis for processing – in accordance with the intended use of the provided Levvel Health solution.
To preserve subjects’ privacy, Levvel Health must:
Only process data for authorized purposes
Ensure data accuracy and integrity
Minimize the exposure of subject identities, and
Implement data security measures.
Levvel Health has a fully encrypted database, and encryption keys are stored away from the actual database, resulting in full pseudonymisation compliance.
The solution is developed and released as a fully certified ISO 13485:2016 system, which ensures full data control. Every component of the Levvel Health solution is extensively analysed with regard to patient risk, and the conclusion is documented.
Data security goes hand-in-hand with data control. GDPR puts security at the service of privacy. To preserve subjects’ privacy, organizations must implement:
Safeguards to keep data for additional processing
Data protection measures, by default
Security as a contractual requirement, based on risk assessment, and encryption
Subject data cannot be kept indefinitely. GDPR requires organizations to completely erase data from all repositories when:
Data subjects revoke their consent
A partner organization requests data deletion, or
A service or agreement comes to an end
It is worth noting, however, that if there are legal reasons (specified in the regulation), an organization can retain and process a subject’s data. Exceptions are few, however. Levvel Health supports the ability to allow any patient or user full access to all data stored in the system. All data can be exported to ensure full portability as well. Furthermore, Levvel Health supports the ability to erase a patient’s data if so requested and if the request is legal according to data processing location, institution and country.
Risk mitigation and due diligence
Organizations must assess the risks to privacy and security, and demonstrate that they’re mitigating them. This requires they:
Conduct a full risk assessment
Implement measures to ensure and demonstrate compliance
Proactively help third-party customers and partners to comply, and
Prove full data control
The Levvel Health platform is developed under EN ISO 13485:2016, which implements absolute and fully documentable risk analysis, compliance and data control. The same EN ISO 13485:2016 certification regulates all changes and provides assistance to proactively support partners who are in compliance too.
Levvel Health has full control and tracking of data in an unbroken chain from user to clinician.
Because of the EN ISO 13485:2016 QMS in use, Levvel Health can document all changes throughout the system, and roll back to previous versions on demand as a part of a recall or breach procedure.
Data protection is designed into the system as a default, which is documented by the EN ISO 13485:2016 implementation and can be audited by third parties. Default security is the highest level. Any changes to data processing are likewise fully documented at any time.
When a security breach threatens the rights and privacy of a data subject or subjects, organizations must:
Notify authorities within 72 hours
Describe the consequences of the breach, and
Communicate the breach directly to all affected subjects
Levvel Health’s EN ISO 13485:2016 QMS implements a full set of procedures for recall and for handling data breaches, including whom to notify within the relevant time limits.
Records of Activity
As an integral part of the solution, Levvel Health has implemented full audit logs for all activities in the system, including ID of operator and patient. Audit logs can be reviewed at will.
Levvel Health hereby submits full GDPR compliance.
Jesper Lodahl, CEO Levvel Health ApS
Deborah Cooley, Data Protection Officer & Customer Advocate Levvel Health ApS