
eHealth and the AI-regulation

With the aging population growing worldwide and a fundamental lack of suitable medical personnel, eHealth supported by AI technology can be a considerable help in compensating for the flaws in care and medical support. eHealth is considered to be the next step in the medical industry and medical communication on every level, from lifestyle advice to surgery and communication of medical data between professionals as well as between patients or governmental health authorities.

In this next step of the health industry, the use of AI will speed up the pace of all those applications. Massive amounts of data can be analyzed for diagnosis of diseases and ways to cure them, but AI can also be used to profile certain groups within the population to qualify them for cheaper or more expensive health insurance or, on the negative side, could even result in excluding people from necessary care. It could also be possible that choices and decisions for treatment between patients will be based on the outcome of AI analysis where the necessary human factor will not be present, resulting in doubtful ethical results. The combination of AI and robotics for medical assistance and treatment, although considered useful, can also create doubts about de-humanization and the required attention for meaningful human control. AI will certainly increase the efficiency of healthcare, but is that the most important aspect of healthcare? Will the proposed AI Regulation be a stimulus or an obstacle to using AI for medical applications?

The medical profession is bound by the Hippocratic oath to follow the ethical as well as practical rules to do no harm. This oath gives specific rules to practice this ‘art’ meticulously. It even gives rules to protect the privacy of patients:

“Whatever I see or hear in the lives of my patients, whether in connection with my professional practice or not, which ought not to be spoken of outside, I will keep secret, as considering all such things to be private.”

These basic values should also be part of practicing medical professions in a wide sense using new technologies like artificial intelligence (AI) and robotics. AI is everywhere; Pandora’s Box is opened to an unlimited and intrusive number of applications concerning eHealth. AI will be available on different levels, for professionals and for supporting patients who need care, by telemetry and telemedicine, and connected to caretakers and virtual or human doctors and specialists. It can be used to follow elderly people to mitigate risks or to analyze movements of people in case of contagious diseases, as it became a useful instrument in the COVID-19 pandemic. AI-generated apps can recognize tumors, nano-robots can remove them. AI will propose medical care actions already.

As eHealth covers a wide spectrum of smart applications, the EU invests heavily to create the underlying policy. The EU recognizes that Artificial Intelligence will have an immense influence on eHealth in all its aspects: social care, medical services, and the MedTech industry. The EU is stimulating eHealth on several levels. According to the EU, eHealth or digital health comprises the following: Digital health and care refers to tools and services that use information and communication technologies (ICTs) to improve prevention, diagnosis, treatment, monitoring, and management of health and lifestyle. Digital health and care have the potential to innovate and improve access to care, quality of care, and increase the overall efficiency of the health sector.

The EU is not just focused on the data protection aspect but logically looks at the application of eHealth from a digital single market perspective. In the Commission’s Communication on the Transformation of Digital Health and Care (on enabling the digital transformation of health and care in the Digital Single Market), the Commission presents a positive perspective: AI is presented as empowering citizens and building a healthier society.

AI will indeed have a massive influence on the use and exchange of medical and very personal data. This development will certainly have positive effects: direct actions and control for the people who need them, but they will also be connected to exchange platforms, to smart meters and mobile devices, personal computers, and maybe even smart vehicles. These devices are fed with sensitive personal information. This information is shared with third parties who provide services and return the specified information that is required from smart assistants, and is analysed by specialists, caretakers, and specified third parties such as medical insurers. They will be informed about everything concerning health and care. But are those the natural and legal persons that should be informed? These data are specified in the General Data Protection Regulation (GDPR) as sensitive data, and data subjects need to give severe and explicit permission for those data to be processed. So what about the privacy of those people who are subject to these processes? How is this sensitive information protected? How can the requirement of transparency, explainability, and informed consent be made of real value to the data subject? Are the security measures and technology sufficient? What regulatory measures are taken? Is the GDPR a valuable instrument to protect personal data and privacy and is the process ‘hack-free’? It is always difficult to make predictions, certainly when it concerns the future, but we can be sure that the use of AI will increasingly run through all veins of society.

In a public consultation on the EU white paper on AI, these worries were also voiced by several parties, be it on the present AI developments, requiring an independent supervisory system and liability rules for developing and using AI. Concerning eHealth, AI will be of great help in discovering diseases as well as in further research on diagnoses and treatment. In research on the acceptance and use of AI, this is recognized, although there is a difference in acceptance between male and female researchers and practitioners. On the darker side, there will also be risks and dangers concerning misuse and vulnerability of personal data and possible bias and discrimination.

That is one of the great fears concerning the use of eHealth data derived from the activities concerning the introduction of the ‘green-covid-19 certificate’ (European Covid passport).

It will be very hard to supervise all use of eHealth data in conformity with the requirements of the GDPR and the proposed European AI-regulation. This regulation will make it very difficult to exchange AI-generated data by governmental agencies and commercial as well as non-commercial actors in the medical sector, in particular insurance, as risk-based impact use of AI is forbidden in article 5 of the AI Regulation where:

“The use of AI systems by public authorities or on their behalf for the evaluation or classification of the trustworthiness of natural persons based on their social behaviour or characteristics where the social score generated leads to the detrimental or unfavourable treatment of certain groups of persons”, and

Article 5 (d) AI systems used for general-purpose social scoring of natural persons, including online. General purpose social scoring consists of the large-scale evaluation or classification of the trustworthiness of natural persons [over a certain period of time] based on their social behaviour in multiple contexts and/or known or predicted personality characteristics.

It will be a problem to create different treatments for different groups based on the AI decision-making supporting systems. Wouldn’t it be sufficient to agree with the requirements of the GDPR considering that

“The processing of personal data must be lawful, fair and transparent, relevant, limited to its purpose, accurate and secure”.

Art. 9: eHealth data are considered to be sensitive or special data; as with data for the purpose of uniquely identifying a natural person, data concerning health are not to be processed except for:

G. necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

I. processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health

This last-mentioned sub-paragraph opens the possibility to use AI for the processing of eHealth data in relation to the Covid-19 certificate. This Certificate Regulation purports to open up the borders of the Schengen area but in fact will close the borders again by making controls possible, even mandatory. Still, that would go against the spirit of protecting fundamental rights in the Charter…

If everything gets back to normal, I still think there will be an enlarged possibility to have practices and regulations to share more eHealth data with the use of AI. With a then historical knowledge about the threat of pandemics, it will be hard to contain the further processing and sharing of eHealth data, limiting the information sovereignty of the sensitive data subject. This also would be in line with another draft Regulation on data sharing (Data Governance Act), in which it is stated, among other things, that to stimulate data sharing a low-intensity regulatory intervention would require individual public sector bodies allowing re-use of data to be technically equipped to ensure that data protection, privacy, and confidentiality are fully preserved. Let us see how that will work out…

Rob van den Hoven van Genderen


Amsterdam Law & Technology Institute
VU Faculty of Law
De Boelelaan 1077 Amsterdam