An Implementation Framework for Trust: National Contact Points

An Implementation Framework for Trust: National Contact Points Legal and regulatory issues. Wilson P. eHealth week 2010 (Barcelona: CCIB Convention Centre; 2010)

Transcript of An Implementation Framework for Trust: National Contact Points

Page 1: An Implementation Framework for Trust: National Contact Points

An Implementation Framework for Trust

SALAR, SENA, ATNA, Elga, IZIP, DENA, Gematik, DKNA, ESNA, CATA, ANDA, GIPDMP, FRNA, LOMBARDY NLNA, NHIC, NHS, PHARMAXIS, Industry

Page 2: An Implementation Framework for Trust: National Contact Points

National Contact Points

Legal and regulatory issues

Zoi Kolitsi

epSOS L&R WP Leader

Page 3: An Implementation Framework for Trust: National Contact Points

Basic Assumption to be tested

In epSOS we shall establish conditions so that if a Member State (MS) already provides these eHealth services to its residents, then it may also offer these services to them when they travel abroad to other epSOS Member States.

Page 4: An Implementation Framework for Trust: National Contact Points

epSOS as Pilot

epSOS is a Large Scale Pilot

must be of limited scope but comprehensive, robust and universally accepted across MS, professions and cultures.

long-term operation is out of scope of epSOS

But will deliver practical guidance and recommendations on how to make the transition from the pilots to normal operation.

Page 5: An Implementation Framework for Trust: National Contact Points

L&R Challenges

Main Issues: Legal Certainty

Data Protection and Confidentiality: sufficient, Pilot and beyond

Health Systems: sufficient, pilot

Professional aspects and social context: sufficient, pilot

Liability: sufficient, pilot

Access to standards-IPR issues: sufficient, Pilot; insufficient, beyond

Page 6: An Implementation Framework for Trust: National Contact Points

Trust in epSOS - legal approach

Trust is built by

• elaboration of common epSOS “code of practice” around important issues such as privacy and confidentiality,
– Privacy and safety by design
– application of common epSOS safeguards by all actors involved in the pilots

• systematic audit
– MS level (NCP)
– epSOS Level (PSB)

Page 7: An Implementation Framework for Trust: National Contact Points

epSOS Trusted Domain

EU level - federating countries

National level - federating organisations

Page 8: An Implementation Framework for Trust: National Contact Points

epSOS Trusted Domain

epSOS Practice Standards

National level - federating organisations

Page 9: An Implementation Framework for Trust: National Contact Points

epSOS Trusted Domain

epSOS Practice Standards

National level Agreements

- To establish the NCP

- To establish NCP-pilot partners relationships

Page 10: An Implementation Framework for Trust: National Contact Points

National Agreements

epSOS blue print

Security Policy

Pilot Strategy

Pilot sites - duties & responsibilities

National Pilot Set-up and Deployment Guide

FW AGREEMENT

Annexes:

Patient Consent

Information to Patients and HCPs

A Framework Agreement for the establishment of an epSOS NCP

Page 11: An Implementation Framework for Trust: National Contact Points

What is the epSOS NCP?

Page 12: An Implementation Framework for Trust: National Contact Points

JANUS

Janus is the Roman god of gates and doors (ianua), beginnings and endings, and hence represented with a double-faced head, each looking in opposite directions.

Janus was represented with two faces, originally one face was bearded while the other was not. Later both faces were bearded.

Page 13: An Implementation Framework for Trust: National Contact Points

JANUS and the epSOS NCP

Page 14: An Implementation Framework for Trust: National Contact Points

A National Contact Point is…

• an organization delegated by each participating country to act as a bidirectional technical, organisational and legal interface between the existing different national functions and infrastructures.

• legally competent to contract with other organisations in order to provide the necessary services which are needed to fulfil the business use cases and support services and processes.

• identifiable in both the epSOS domain and in its national domain as a communication gateway and establishes a Circle of Trust amongst national Trusted Domains.

• a mediator as far as the legal and regulatory aspects are concerned.

• an active part of the epSOS environment if, and only if, it is compliant with normative epSOS interfaces in terms of structure, behaviour and security policies.

Page 15: An Implementation Framework for Trust: National Contact Points

An epSOS NCP shall…

• General - Terms to be embodied in national contracts

• Duties and responsibilities to other NCPs

• Duties for Patient Consent

• Duties under the epSOS Security Policy

• Relationships between NCP and other pilot partners

Page 16: An Implementation Framework for Trust: National Contact Points

Legal Relationships

Page 17: An Implementation Framework for Trust: National Contact Points

Part 2

Patient Consent for eHealth services across EU borders

Page 18: An Implementation Framework for Trust: National Contact Points

Patient Consent in the epSOS trial

Petra Wilson, Continua Health Alliance

on behalf of the Legal and Regulation Workpackage

Page 19: An Implementation Framework for Trust: National Contact Points

Patient Consent: Policy (I)

Patient consent to the processing of health related data is a legal requirement in every EU country.

It is defined as:

A freely given specific and informed indication of the patient’s wishes by which s/he signifies his agreement to personal data relating to him being processed. (Art 2(h) of the Data Protection Directive 1995/46/EC)

This means:

Patient must be able to withhold consent without fear of getting less good healthcare.

Patient must be able to withdraw consent previously given.

Patient must know who (or what category) of person will process the data and why.

Patient must know which data will be processed and for what purpose.

Page 20: An Implementation Framework for Trust: National Contact Points

Patient Consent: Policy (II)

In addition national transpositions of the EU Directive have clauses which:

Limit access to patient data to accredited healthcare professionals and their support staff.

Require that access to data is only in the context of a care relationship.

Specify that only relevant information may be collected and stored.

Page 21: An Implementation Framework for Trust: National Contact Points

Patient Consent: Policy (III)

There will also be clauses which

provide some exceptions to allow certain data to be processed for running an efficient and effective health service

and

provide some exceptions to allow treating patients when it is impossible to obtain consent (incompetence or incapacity).

Some countries may require additionally that consent is explicit and given in writing for all or certain categories of data.

Page 22: An Implementation Framework for Trust: National Contact Points

Patient Consent: epSOS (I)

epSOS does not create new uniform patient consent practices BUT epSOS must ensure that all European Data Protection duties are observed.

epSOS patients must be aware of the level of data protection assured in epSOS and must give informed consent for data access in that context.

Two modes of epSOS consent for data access are envisaged:

General epSOS consent for data access in any Country B, given in the country of origin and confirmed in a specific Country B at the time of an encounter.

or

Specific epSOS consent given and documented in Country B at the time of the encounter.

Page 23: An Implementation Framework for Trust: National Contact Points

Patient Consent: epSOS (II)

NOTE: No special epSOS consent is needed for epSOS data collection in Country A if the epSOS data are part of data already collected. If a new summary record is created specifically for epSOS, normal Country A rules will apply for obtaining consent for the creation of such a record.

No special epSOS consent is needed for data collection in Country B: data collection for the purpose of treatment in Country B is outside the scope of epSOS, and normal Country B rules will apply.

Page 24: An Implementation Framework for Trust: National Contact Points

Patient Consent: epSOS (III)

General epSOS consent with local confirmation:

The consent confirmation given at the PoC is valid for the given treatment episode.

If a further access to the PS or eP is necessary, the HCP will need to confirm consent again, by asking the patient again if data may be accessed and again ticking the box.

Page 25: An Implementation Framework for Trust: National Contact Points

Patient Consent: epSOS (IV)

Specific epSOS consent at PoC:

Once the patient has been given epSOS information at the first time of registering at a PoC, the patient is in the same position as the patient who has given a general consent in his/her home country.

Therefore if a further access to PS or eP is necessary, only the confirmation box will need to be completed.

Note that this is valid only for the HCO which has documented the epSOS information and general consent (an HCO may comprise several PoC).

If access to PS or eP is needed in another HCO in the same Country B or in another Country B, the information will have to be given again.

Page 26: An Implementation Framework for Trust: National Contact Points

Patient Consent: process

General + Confirmation

HCP granted access to patient data

Patient obtains epSOS background information in Country A and provides a generalized prior consent. Country A stores record of general prior consent.

Patient is identified at PoC in Country B as epSOS eligible. ID shows prior general consent exists.

HCP at PoC confirms that patient is still happy for Country A record to be accessed. Ticks box in epSOS process to confirm. Patient is given opportunity to revoke prior consent.

OR

Patient not able to confirm consent, HCP ticks override box.

HCP sends request to local NCP

Some Country A NCPs may not require further confirmation of consent. In this case the confirmation box may be pre-populated and a note attached stating that further confirmation is not required.

Page 27: An Implementation Framework for Trust: National Contact Points

Patient Consent: process

consent provided at PoC

HCP granted access to patient data

Country B stores record of consent. This consent is valid only to the given HCO.

Patient is identified at PoC in Country B as epSOS eligible. ID shows no prior general consent exists.

HCP at PoC ticks box in epSOS process to confirm consent has been provided. Opportunity to revoke any prior consent.

OR

Patient not able to confirm consent, HCP ticks override box.

HCP sends request to local NCP

HCP at PoC accesses relevant language and format information for patient, prints copy and asks patient to sign if s/he consents.

Some Country A NCPs may not require written proof of consent; in this case a further check box could indicate that the patient has been shown the information necessary for informed consent.

Page 28: An Implementation Framework for Trust: National Contact Points

Thank you!