A comparison of healthtech regulatory issues in North Asia: Japan

Healthcare technology is attracting significant attention in Japan, and the market size of the Japanese healthcare industry is expected to continue to grow. According to a report by the Ministry of Economy, Trade and Industry, the healthcare industry’s value is projected to reach JPY33 trillion (USD230 billion) by 2025. In addition, patent applications for healthcare technologies are growing steadily; they doubled worldwide between 2013 and 2019, according to the Japan Patent Office. The Japanese government has been promoting health tech and medical digital transformation (DX). It established what it calls a Medical DX Promotion Headquarters in the Cabinet Office in 2022 for sharing and verifying progress in DX. It appears their mission is to facilitate use of a personal health record (PHR) and they expect a national ID card will become a portal of PHR. Whichever direction it takes, personal information protection is an important legal issue in health tech, including medical DX.

INFO-SHARE ISSUES

Medical DX must simultaneously solve the conflicting issues of improving the availability of large volumes of medical information and appropriately protecting personal information.

Medical information is, as a matter of course, categorised as “personal information” and protected under Japan’s Act on the Protection of Personal Information (APPI). In addition, medical information is subject to stronger protection as “sensitive personal information”.

In principle, the APPI requires data subjects to consent to their sensitive personal information being provided to a third party. However, individual opt-in consent presents practical difficulties for medical institutions wanting to collect and analyse large amounts of medical information – say, for research.

The APPI provides an alternative: sensitive personal information, including medical information, may be provided to third parties without the data subject’s consent if it is anonymised so individuals cannot be identified. However, when using the alternative avenue, each medical institution bears the burden of making the data anonymous. Another drawback is that research institutions that receive anonymised medical data cannot perform cross-institutional analyses because anonymised medical data lacks cross-reference information.

NEXT-GEN LAW

The Next-Generation Medical Infrastructure Law (NGMIL, formally known as the Act on Anonymised Medical Data That Are Meant to Contribute to Research and Development in the Medical Field) was enacted on 11 May 2018, to solve such issues.

It is designed to promote the use of anonymised personal medical information, such as medical checkup results and medical records, for research and development in the medical field. It also establishes a certification system where the government examines whether an applicant producer meets certain technical criteria (for example, whether the applicant producer can ensure high information security and has sufficient anonymisation technology), and whether the applicant producer can appropriately and reliably perform anonymisation for management and utilisation of medical information.

Medical institutions may provide medical information to a certified producer until a data subject refuses (opts out of) the provision. Certified producers may anonymise information and provide the anonymised medical data to research institutions for medical research and development.

In short, the NGMIL aimed to develop a mechanism to facilitate use of medical information by allowing medical information to be provided only to certified producers, unless the data subject refuses the provision, while protecting individual rights and interests.

NGMIL REVISED

However, some issues remained unsolved Certified producers can only provide research institutions with data in the form of anonymised medical data. This means:

(1) Even if research institutions want data containing a small number of medical cases and unique data, such data is virtually unusable because of the possibility of identifying specific individuals when combining it with other data.

(2) Under the pre-amended NGMIL it is almost impossible to keep providing individual patients’ medical data for tracking chronological changes in
their condition.

(3) Even if, after research institutions analyse anonymised medical data, they discover further research should be done, it is almost impossible for them to be provided with other medical information from a data subject’s medical records in the form of anonymised medical data.

(4) It is impossible to verify the reliability of particular anonymised medical data by referring back to the original medical information such as the medical record, even when that would be desirable.

To address such issues, the NGMIL was amended in May 2023 to includes a new data category, later named “pseudonymised medical data”. The amended law is to take effect within one year from its promulgation – that is, May 2024.

Pseudonymised medical data is data that has been processed so an individual cannot be identified unless it is matched with other information. To be categorised in this new data category, it is not necessary to delete unique data from personal medical information. However, it is still necessary to delete names and other identifying information.

The revised law establishes mechanisms to:

Certify a producer to create and provide pseudonymised medical data; and allow the certified producer to provide pseudonymised medical data only to users certified by the government on criteria such as safety management.

The first mechanism – whereby the government certifies a producer who may create and provide pseudonymised medical data – has a common structure with that of anonymised medical data. On the other hand, the second mechanism is unique to pseudonymised medical data.

Pseudonymised medical data is at greater risk of being personally identifiable than anonymised medical data, so users are also restricted through certification by the government. In addition, for the purpose of applying for pharmaceutical market approval, certified users may provide pseudonymised medical data to the Pharmaceuticals and Medical Devices Agency (PMDA) and other regulatory authorities including those in foreign countries under the mechanism of pseudonymised medical data, and a certified producer may submit original data to the authorities.

EUROPEAN PARALLELS

The revised NGMIL appears to have something in common with the European Commission’s proposed European Health Data Space (EHDS), which is intended to regulate the primary and secondary use of medical data. Note:

Primary use refers to use by the data subject, and is intended to allow the patient to retain medical records, prescriptions and test results as electronic data compatible across EU member states. Secondary use refers to utilisation in research and development, policy making and the like.

In the proposed EHDS, member states must designate one or more health data access bodies (HDABs) that are responsible for granting access to electronic health data for secondary use. Data users may apply to the HDAB for data access and, when granted, can use the health data.

In the proposed framework, data users can use only anonymised or pseudonymised health data processed by the HDAB. It may be said that the revised NGMIL has something in common with the secondary use mechanism of the EHDS proposal in that it aims to achieve broader utilisation of medical information by having specific, government-designated bodies serve as data provider and data processer, and having anonymised or pseudonymised medical information available.

Japan’s personal information protection system relies heavily on the consent of data subjects. However, the fact that the design of systems that allow the use of personal information without the consent of the data subject, such as the revised NGMIL and the proposed EHDS, are being considered one after another seems to suggest the consent-centric approach to personal information protection itself should be reviewed in Japan.

OUTLOOK

NGMIL and its amendments are intended to promote the use of medical information and have undoubtedly solved some practical issues. Nevertheless, due to in part a lack of awareness of the systems themselves, they have not been greatly utilised.

This does not necessarily mean they will not be used much in the future. The authors believe the momentum for medical DX will not wane. By thetime databases and other platforms are developed, and the use of medical information becomes even more active, there will be a greater demand for personal information protection law professionals who are also familiar with the medical field.