Everything you need to know on data hosting location as a healthcare practitioner

Since the start of your career, keeping patient data confidential has come naturally. You and your patients are responsible for it. These concepts are relatively simple when they concern your daily work. However, they can become more complex and nuanced when it comes to digital health.

In a series of 2 blog posts following our most recent Fireside Chat segment from the Community (French only), we demystify some concepts on privacy and security in digital health. This article looks at data hosting, and more precisely data hosting location, as a critical selection criterion for Digital Health Tools. Why should we be aware of this criterion when making decisions on using Digital Health Tools with patients?

First, what is data hosting?

Most websites and mobile applications collect data, often sent or measured by patients. It allows for personalized and concrete experiences. This data includes:

  1. Personal data, which includes, but is not limited to, name, address, email, gender, date of birth, age, identification number (e.g. RAMQ), ethnicity, and credit records;
  2. Health information, which includes, but is not limited to, health metrics reported by the patient or measured by a connected object such as blood sugar, stress level, medications, etc.

This data can be backed up “locally” on a patient’s phone, just like backing up a file to a computer. Far more often, though, this data is routed to servers over the Internet. Cloud computing often refers to the following concept:

[Figure: illustration of data transfer from devices to servers]

Which regulations govern access to data on servers depends on the jurisdiction in which the servers are located. In Canada, federal (Personal Information Protection and Electronic Documents Act) and provincial (Act respecting the protection of personal information in the private sector) laws govern data retention on servers and server operation by Digital Health Tools manufacturers.

Why is this notion of interest?

Data transfer from a device or software to servers located in a foreign country might expose the user to additional risk. In the absence of common legislation between different jurisdictions, information security and protection may be lower in some countries than in Canada.

For example, following the events of September 11, 2001, in New York, the Patriot Act was passed in the United States. It allows several American public entities to access data hosted on servers located on U.S. territory without the authorization of the user (or of the owner of the data). Many Canadians use American services or Canadian services whose servers are in the United States. Thus, they expose themselves to some form of surveillance by the American authorities without being aware of it, even if they aren’t citizens of the United States.

Data hosting takes on greater importance given the large proportion of Digital Health Tools that collect personal or health information. Based on the 1,371 Digital Health Tools analyzed to date through our process, TherAppX Review, we found that:
- 55% of tools collecting health information may also identify the user;
- 40% of tools do not collect health information or do not do so in a way that identifies the user;
- 5% of tools do not collect any personal or health information.

What should healthcare professionals using Digital Health Tools do?

"Being informed is essential."

When personal data or health information is collected, the transfer of such data across Canadian borders must be known and accepted by healthcare practitioners and their patients. Determining with patients whether they prefer the data hosted in Canada aligns with the well-known motto: "Primum non nocere" or "first, do no harm". This responsibility is part of the ethical obligations of professionals and contributes positively to the patient experience.

Therefore, an excellent habit to adopt is to inform patients where Digital Health Tools manufacturers host data when they use such tools. You may suggest an alternative if patients don’t consent to exposing their data to foreign laws and regulations. Moreover, when looking for Digital Health Tools for their patients, healthcare practitioners should consider this criterion to obtain informed consent.

TherAppX is here to support you

During the TherAppX Review process, our Digital Health Tool analysts scrutinize the privacy policies for you. In particular, they identify where companies host data when the developer of the tool specifies it in their documents. To support you in your search for Digital Health Tools for your patients, TherAppX has added an advanced filter related to data hosting.

This filter allows you to quickly find where a tool hosts data when it collects personal data from patients. It represents a valuable insight when discussing a given tool’s privacy with patients or when the time comes to share a Digital Health Tool with a patient.

As of today, 104 tools in TherAppX Core mention that they host data in Canada.

To find out which ones, subscribe to TherAppX Core!