HIPAA, GDPR and connected health – Interview with Jovan Stevovic, CEO of Chino.io

The number of health and fitness apps has skyrocketed in recent years. By now there are between 400,000 and 500,000 health and fitness apps available.

Digital health has attracted companies not only from the health industry but from many other industries, especially IT, app development and young startups that have not been active in healthcare before.

New technologies like development tools and SDKs are enabling a much easier and quicker time-to-market. App analytics, crash reports, data storage, social media, data security and electronic health record integration can all be added to apps as third-party tools.

For a couple of years now, even more complex services have been popping up that specialize in the needs of the digital health industry. Some of these software-as-a-service companies are solving big headaches for digital health app publishers.

One of those platform-as-a-service providers is Chino.io. Chino.io ensures compliance for healthcare apps. The company solves GDPR and HIPAA requirements for digital health with a set of APIs – tackling issues like data encryption, pseudonymization, consent management, authentication and audit logs.

In this article we are talking to Chino.io’s CEO, Jovan, about connectivity, the changing landscape in digital health, its political framework and the future of technical enablers in digital healthcare. Before founding Chino.io, Jovan worked on cloud-based Electronic Health Record systems at Hewlett-Packard Laboratories. He is an expert in processing and storing medical data, a field that mixes technical expertise with laws, regulations and compliance.

Research2Guidance: Hi Jovan, thanks for taking the time to talk to us. Can you explain quickly which problem you are solving with Chino.io?
Jovan: From 2011 onwards I became passionate about innovation in healthcare. I immediately noticed that privacy and data security are topics that worry all stakeholders involved in innovation. For years I constantly observed in different projects how privacy and security represent a costly and time-consuming challenge. In 2014, Stefano Tranquillini and I founded Chino.io to help companies that are innovating to solve privacy and security challenges. That’s our mission.

From our mHealth Economics report we see that connectivity in digital health is slowly rising. How have you experienced the professionalization of health apps? Do you see a rising professional level?
I remember that your reports from 2014 and other sources highlighted how something like 80% of apps were of low quality. I don’t think that percentage has changed much, but definitely, we have 3-4 times more apps on the market since 2014, and therefore there must be a rising number of high quality applications. In addition, some pilot ideas and apps from great entrepreneurs that started in 2014 are consolidating and starting to deliver high quality. In Berlin alone, there are ~5-10 such health tech startups that are reaching a high level of maturity.

The internet of medical things has been a big buzzword in 2018. How do you see the field of connectivity changing in the next years?
I remember that when we were developing projects in 2011 we worried about the presence (or rather absence) of a WiFi connection in hospitals to run our smart apps and tablets.
Currently, this is changing with IoT, e-SIM cards and cost-effective data plans on one side, and the greater availability of APIs and interoperable healthcare applications on the other. In fact, one of the biggest challenges in healthcare is isolated silos and 20-30 year old applications that medical staff are using every day. Those applications sitting behind hospitals’ firewalls are gradually being “opened” by providing APIs. Connected devices are useless without those APIs, since the silos hold all the data.

Our surveys show that 27% of digital health app publishers offer an API to access their data. How are you observing the changing landscape in data sharing & connecting apps to 3rd party data via API?
Data security and privacy are among the main barriers to data sharing in healthcare. However, I consider that the biggest reason for the lack of interoperability and open APIs is related to the business interests of different stakeholders who are trying to hold the data as much as they can, since data is money and power. For example, interoperability was solved in banking years ago, where data are equally sensitive.
One nice AI-related example is the IBM Watson project, where many millions have been spent, but still the main issue in the healthcare domain is the data.
The main and probably the only driver that can make an impact for API availability and interoperability is the public administration. We need to create better projects and policies for interoperability. Much better than previous projects like epSOS.
Do you see any major trends here?
A good example where APIs and interoperability are not an issue is wearables and other consumer-targeting hardware projects. They are interested in opening the API so more services can be created on top of their hardware. But wearables face different challenges.


You have mentioned already that “data is the new gold”. A lot of business models in digital healthcare revolve around having access to exclusive data. But health data rely on the consent of the patient or user. How do you see the awareness of users or patients of their rights?
I think users are more and more aware of privacy as a human right. However, when they see value in what is provided, they easily sacrifice their privacy. We have seen that over the years with Facebook and Google services, where typically the answer is “I don’t care, I need that service”. As discussed in 2018 after the Cambridge Analytica scandal, we need good regulations that consider new technologies and business models – a huge challenge.

There seems to be a trend of startups creating platforms enabling patients/users to monetize their own data. Business models are being flipped around from companies charging money to process data to companies paying money to have access to these data.
Examples would be Nebula Genomics or Luna DNA, which are enabling users to have their DNA analyzed and earn money with their data set instead of paying for the DNA analysis. Do you see that development as well?
This is one of the trends. There are other companies creating data platforms based on “My Data” concepts, where you own/control the data and the platform allows you to monetize it. I think those projects are really interesting, and I think that they help to instruct people/patients how precious their data are. So hopefully, they will bring more control, transparency, and regulations.

Complying with GDPR has been compulsory in the EU since May 2018. Just before the May deadline a lot of companies – especially SMEs – became nervous because they did not know if they had done everything by the book. What were the effects after GDPR implementation?
The interesting thing is that GDPR had been in place since May 2016, but businesses did not care before the deadline. From May onwards, most companies have implemented GDPR on the surface, but we are observing that only now are they implementing GDPR inside their applications from the very beginning. Definitely a positive trend.

Do you have any insights into what percentage of all digital health solutions would fall under HIPAA and/or GDPR compliance?
First of all, GDPR and HIPAA are fundamentally different regarding their targets, while very similar in the technical and administrative measures that developers must consider. Namely, GDPR targets anyone collecting personal data (not only health-sensitive data) of EU citizens or people residing in the EU, while HIPAA targets only B2B service providers to US hospitals or other “covered entities”. So, HIPAA has a much smaller target group.
HIPAA is considered a must in the US. Violating HIPAA is a huge risk because there are very strict penalties and constant audits of companies. On the other side, we still need to see the impact of the GDPR on SMEs and startups. So far only a few large companies (Uber, Facebook, Google, just to name a few) were audited, and most importantly only these stories have made it to the newspapers.

From our studies we know that nearly 50% of all digital health solution publishers connect their apps to Electronic Health Records or to EHR functionalities. How do you think the field of connectivity to EHRs will develop?
Electronic Health Record (EHR) systems are by definition connecting different Electronic Medical Record (EMR) systems, which typically refers to systems used by single departments in hospitals. The main question is whether they are willing to open via API to 3rd parties. As mentioned before, it is a slowly changing trend.
A good example of the evolution of EHRs is the creation of Personal Health Record (PHR) systems, which also consider user-generated data. Nowadays we see more and more cases of apps that include wearable measurements, or simple notes created by the end users and used by the doctors for better diagnosis. That was a “taboo topic” in past years because of the data quality and legal validity of such data. Finally this is changing.

You are talking to a lot of health innovators. What do you see as the biggest drivers for increased connectivity?
These are the evolution of technology (IoT connectivity and smart devices that require a very low quantity of energy), the widespread adoption of standards for API definition and usage, better building blocks that can be used “as a service”, and most importantly the awareness of all stakeholders, and especially public authorities, that silos must be opened in order to sustain healthcare costs in the next years.

And what are the biggest barriers to more connectivity?

I see that we can still improve the “ease of use” of connectivity solutions. All APIs should be simple “plug and play” solutions. One of the things that we observed in the last 4 years from working with startups is that they frequently lack technical skills. It’s hard to find good developers to join an early-stage startup. Nowadays developers are a precious resource.