8/8/2019 SSRN-id1528461. Electronic copy available at: http://ssrn.com/abstract=1528461

ELECTRONIC HEALTH RECORDS: PRIVACY AND SECURITY ISSUES IN A COMPARATIVE PERSPECTIVE*

Paolo Guarda ([email protected])

* Version 1.0, December 2009. © 2009 by Paolo Guarda, Creative Commons Attribution-Noncommercial-No derivative works 2.5 Italy. More information at: [URL omitted].

1. Introduction

Before the digital age, health data processing was not such a problematic issue. It was based on a strictly fiduciary relationship between the patient (rectius: data subject) and the physician, who in most cases was the so-called General Practitioner (GP). Everything was then set on paper, if not simply spoken.

The advent and widespread diffusion of computers has led to an upsurge of new problems and demand for protection. Digital technology has provided the extraordinary ability to access large amounts of aggregated data very quickly, but on the other hand it has also made possible the creation of big databases to which more and more people - even if limited in number and specifically identified - may have access. This has greatly increased the risks associated with the treatment of these data, their unlawful circulation and dissemination, and the capability to affect the dignity and the fundamental freedoms and rights of the individual data subject [1].

[1] With respect to telemedicine issues, see U. IZZO, Medicina e diritto nell'era digitale: i problemi giuridici della cibermedicina, in Danno e responsabilità, 2000, 807; G. CANGELOSI, I servizi pubblici sanitari: prospettive e problematiche della telemedicina, in Dir. famiglia, 2007, 431; A. SINHA, An Overview of Telemedicine: The Virtual Gaze of Health Care in the Next Century, in Medical Anthropology Quarterly, New Series, vol. 14, n. 3 (Sep., 2000), 291-309, available at: [URL omitted].

For these reasons, the European legislator - with the famed Directives 95/46/EC (protection of individuals with regard to the processing of personal data and on the free movement of such data) and 2002/58/EC (the processing of personal data and the protection of privacy in the electronic communications sector) - intervened, devoting to the problem of health data processing an ad hoc regulation, thus highlighting the specificity and the dangers that the operations relating to this particular category of data may show [2].

[2] As regarding data protection regulation in general, see L.A. BYGRAVE, Data Protection Law. Approaching Its Rationale, Logic and Limits, The Hague - London - New York, 2002; P. GUARDA, Data Protection, Information Privacy, and Security Measures: an Essay on the European and the Italian Legal Frameworks, in Ciberspazio e dir., 2008, 65-92 (available at: [URL omitted]).

At the national level, the Italian legislator (at art. 4, co. 1, lett. d) of Legislative Decree 30 June 2003, n. 196 (Code for protection of personal data, hereinafter: Privacy Code)) defines so-called sensitive data as follows: "personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life". In order to process such kind of information a stricter and more protective discipline has been provided, since their collection, communication and dissemination may present the data subject to which they pertain with several serious risks of discrimination [3].

[3] With respect to health data processing in the Italian legal system, see G. BUTTARELLI, Banche dati e tutela della riservatezza. La privacy nella Società dell'Informazione, Milano, 1997; F. CAGGIA, Il trattamento dei dati sulla salute, con particolare riferimento all'ambito sanitario, in V. CUFFARO, R. D'ORAZIO, V. RICCIUTO (eds.), Il codice del trattamento dei dati personali, Torino, 2007, 405; G. FINOCCHIARO, Il trattamento dei dati sanitari: alcune riflessioni critiche a dieci anni dall'entrata in vigore del Codice in materia di protezione dei dati personali, in G.F. FERRARI (ed.), La legge sulla privacy dieci anni dopo, Milano, 2008, 207-220; E. PALMERINI, Commento all'art. 84, in C.M. BIANCA, F.D. BUSNELLI (eds.), La protezione dei dati personali. Commentario al D. Lgs. 30 giugno 2003, n. 196 (Codice Privacy), II, Padova, 2007, 1303; S. VICIANI, Brevi osservazioni sul trattamento dei dati inerenti la salute e la vita sessuale in ambito sanitario, in Riv. crit. dir. priv., 2007, 315. An old, but very interesting, essay on health data and privacy from an economic analysis perspective is P.M. SCHWARTZ, Privacy and the Economics of Health Care Information, 76 Tex. L. Rev. 1 (1997).

The so-called Electronic Health Record (hereinafter, EHR) represents a pivotal moment in the digitalization of health data processing. The definition of this new legal concept, which has encountered many difficulties, consists of two basic elements: the moment of storage, by means of digital technologies, of all the data and information that until now had been collected and managed on paper; and the moment of sharing of the data collected by all the actors of the system entitled to their communication and processing [4].

[4] See in general A.M. FROOMKIN, Forced Sharing of Patient-Controlled Health Records, Working Paper, 2008, available at: [URL omitted]; N.P. TERRY, L.P. FRANCIS, Ensuring the Privacy and Confidentiality of Electronic Health Records, 2007 U. Ill. L. Rev. 681 (2007); M.A. HALL, Property, Privacy and the Pursuit of Integrated Electronic Medical Records, Legal Studies Paper No. 1334963, 2009, available at: [URL omitted]; A.M. FROOMKIN, The New Health Information Architecture: Coping with the Privacy Implications of the Personal Health Records Revolution, UM ELSI Group for Project HealthDesign (2008), available at: [URL omitted]; S. HOFFMAN, A. PODGURSKI, In Sickness, Health, and Cyberspace: Protecting the Security of Electronic Private Health Information, Working Paper 06-15, September 2006, available at: [URL omitted]; P.D. JACOBSON, Medical Records and HIPAA: Is It Too Late to Protect Privacy?, 86 Minn. L. Rev. 1497 (2002); N.P. TERRY, Personal Health Records: Directing More Costs and Risks to Consumers, Working Paper, August 2008, available at: [URL omitted]. For a further analysis with respect to the incorporation of privacy legal principles into digital architecture see P. GUARDA, N. ZANNONE, Towards the Development of Privacy-Aware Systems, in Information and Software Technology, vol. 51, 2009, 337-350.

Unlike the traditional electronic platforms of health data management, which privilege the role of health-service providers and give the patient a very marginal and limited role, the new approach underlying the concept of EHR is characterized by the patient becoming the crucial point of the information management system. From this point of view, any interaction between the patient and the new system involves the creation of new data. The first e-health data revolution - the introduction of information technology and Electronic Health Records (EHRs) - concerned the digitizing and rationalization of the flow of data. The second step is represented by the so-called Personal Health Record (PHR): patients will increasingly create health data (or links to other data) without the intermediation of any qualified person [5].

[5] See R. CUSHMAN, PHRs and the Next HIPAA, 2008, available at: [URL omitted]; ID., Primer: Authentication of identity (with application to PHRs/PHAs), available at: [URL omitted].

At the international level we find several documents that are pushing the implementation of EHR. Above all, we must cite the Working Document on the processing of personal data relating to health in electronic health records (EHR), adopted on 15 February 2007 by the Working Party on the Protection of Individuals with regard to the Processing of Personal Data (hereinafter: Working Document). This document aims to provide guidance on the interpretation of the applicable legal framework of data protection for EHR systems and to establish some general principles. It also aims at setting out the data protection preconditions for establishing a nation-wide EHR system, as well as the applicable safeguards. A definition of this new instrument has been proposed by the already mentioned Working Party: "A comprehensive medical record or similar documentation of the past and present physical and mental state of health of an individual in electronic form and providing for ready availability of these data for medical treatment and other closely related purposes".

Also the Italian Garante per la protezione dei dati personali (hereinafter: Privacy Authority) enacted, by a General Provision, some guidelines on the implementation of an EHR system (Provvedimento a carattere generale 16 luglio 2009 del Garante per la protezione dei dati personali - Linee guida in tema di Fascicolo sanitario elettronico (Fse) e di dossier sanitario) (hereinafter: LG). This document follows a public consultation on a previous provision.

I will focus on the main problematic issues of the implementation of EHR systems, as they arise through reading the Italian Privacy Authority's LG. Then, many issues will be taken into consideration: scope of an EHR system, responsibilities and expectations with respect to data entered, self-determination principle, consent, access to the EHR, data controllers and data processors, data communication to the data subject (art. 84 Privacy Code), and security measures. In the final part, a comparative analysis will be provided with the English and the French e-health systems.

2. Scope of an EHR system

Until recently, the Italian legal system lacked a national definition of EHR. The definition that was conventionally used is provided by the Working Document, where it describes the EHR as "A comprehensive medical record or similar documentation of the past and present physical and mental state of health of an individual in electronic form and providing for ready availability of these data for medical treatment and other closely related purposes".

Starting at this point, the Italian Privacy Authority provides in the LG the following definition of EHR (Fascicolo sanitario elettronico): "health data originated from several data controllers working more frequently, but not exclusively, in the same geographical area". The LG also establishes a sub-categorization of the possible tools used to manage the health data of a patient. Then, we find the so-called Dossier, defined as "an instrument consisting of a medical body as the sole data controller (hospital or private hospital) in which most professionals work".

In the LG the EHR is designed solely as a tool for sharing computer data and documents between healthcare organizations and health professionals. In the first document submitted to consultation, the patient was not taken into account at all, neither as a possible recipient of the data generated and stored relating to him, nor as a generator of direct health information that always refers to his person. The final version presented this option.

Actually, this concept, assuming the data stream that feeds the EHR can be generated directly by the patient, does reflect an element of the health policy pursued in our country by local and state institutions responsible for the delivery of health services. Indeed, it is not a secret that the National Health Plan 2006-2008 indicates as a key objective "to promote the various forms of citizen participation, particularly through the involvement of patients and family associations". The citizen is, therefore, recognized as an active player in managing his health and care processes.

These kinds of considerations find their origin in the new challenges that developed countries are facing: problems due to the aging of the population, consequent increases in chronic diseases, increasing costs of health services, increasing demand for high quality health services, etc. It is therefore necessary that we rethink our models of health care, focusing on the citizen.

The incoming flow of data [patient -> EHR] needs to be better analyzed. The patient should be allowed to supply information pertaining to his own health conditions; this set of data could be beneficial to professionals who interact with the patient's health history in order to ensure the best possible care.

All of the information that the patient will provide to the system could be conceptually defined as a dossier; the system has to clearly indicate that these data have been generated directly, and on a fully voluntary basis, by the citizen-patient. It is therefore necessary to prefigure the possibility that the EHR could also contain this island, composed of supplied dynamic data, that we can call a "citizen dossier".

The scenario can be described as follows: the patient enters data relating to him in the dossier, which should be placed in the EHR. Who is the data controller of this new treatment? A possible solution can be represented by a situation of co-data controllers among health organizations (hereinafter: HO) and the GP.

On the one hand, the HO provides the digital infrastructure and the service which benefits the public. The mere fact that the data is stored on an infrastructure managed by the HO, even without being accessed by any persons in charge of the treatment, gives the HO the qualification of data controller.

On the other hand, the GP, as authorized and invested with a purpose of nursing and care-taking, should be put in a position to access the data that his patient has loaded into the EHR.

It is therefore imperative that the accepted definition of EHR be designed in such a way as to consider the possibility that the system could be composed of an island of data generated by the citizen (in the future it could include data from some smart items, set to detect a health parameter and then automatically upload it into the citizen dossier).

3. Responsibilities and expectations with respect to data entered into the EHR system

The need for a uniform mechanism to reconstruct the situations of accountability with respect to the generation of each single datum made available on the EHR must be emphasized (I am referring to a tracking system by means of log files and digital documents validated through electronic signatures).

It should be noted that an audit system, able to track user activity and to determine ex post any responsibility, represents a key point of any future EHR system. Although the probative value of the log file is the subject of debate, it is tempting to say that in this case the technology offers a possibility to interpret the requirements of protection with a level of effectiveness unattainable in the pre-digital era. A system capable of generating a warning message (for example, via e-mail) that alerts the patient to the fact that his data has been accessed, and by whom, is far from chimerical (on the contrary, it is rather easy to achieve from a technological point of view).

This will represent a formidable tool of control for the patient, ensuring that data pertaining to him are always treated in accordance with the conditions of legitimacy provided by law (rectius, Privacy regulation [6]). The approach behind such a control would be more practical and realistic with respect to the attempt to define ex ante, once and for all, the several access levels. Information regarding access will allow the patient to check, when he wishes, the reason for the display of his data and, where appropriate, to ask for an explanation in this regard (finally enforcing what is established by art. 7 Italian Privacy Code, as regarding, for instance, the Italian legal system).

[6] In the Italian legal system this is provided by the Italian Privacy Code cited before.

There is a problematic point in the implementation of the EHR which would implement the logic of the data directly produced by the citizen-patient: will the professional actors of the system, particularly GPs, but also the stakeholders responsible for HOs, really trust these data?

This claim is known and understood: physicians are instinctively suspicious of data generated by a patient. They might be led to make mistakes by trusting inaccurate or untrue information; or they could be accused of wrongdoing if they decide not to take into account truthful data posted in the EHR (and therefore added to the availability of medical knowledge) directly by the patient.

The digital scenario is not different and cannot be dissociated from the dynamics of trust which are expressed in the real world. If a physician met a patient for the first time and was assailed with a mountain of documents showing a range of information on the past medical history of the patient (analyses, personal annotations, prescriptions for medicines taken, etc.), it is plausible to think that the physician would not be led to place a particular degree of confidence in this information provided by a person whom - at this early stage - he does not know. Very different is the level of trust when we have the interaction between a GP and (for instance) a chronic patient, who goes twice a week to the medical clinic, carries out daily self-measurements, and forwards them to his trusted physician. This type of interaction builds up a trusted relationship that can be easily translated into an interaction guaranteed by the digital infrastructure: this would surely lead to a more efficient and effective path of healing.

4. Self-determination Principle

The rationale which should characterize the operability of the informative structure of the EHR is the self-determination principle [7]. In this respect, the data subject should be able to choose, in full freedom, whether or not to constitute an EHR, without this choice in any way affecting access to the national health service, or having negative consequences for the possibility of medical benefits. It should also be ensured that health data can remain available only to the professional/medical body that drafted them, without necessarily being included in the EHR, thereby preventing their communication to other players in the system.

[7] See art. 75 and ff. Italian Privacy Code.

Therefore, the self-determination principle should imply that the person would also be given the freedom not to bring into the EHR some health information relating to individual clinical events, especially in the case of supersensitive data. The informative infrastructure should provide a system fit to obscure the clinical event, an obscuring which could be withdrawn over time. The modularization of the inclusion of health information within the EHR system and the choice of levels of data sharing create very difficult problems. The choice to obscure or withhold data contrasts with the policies that characterize some EHR-like systems which are already operating at the regional and provincial level.

A practical solution could be to provide two categories of obscured data: data completely obscured, that is, information for which the patient explicitly asks non-inclusion in the system; and a second category of data which could be collected in a reserved section, to which access is regulated directly by the patient (perhaps by giving his smart card to the professional to whom he wants to grant access).

Another important point is to limit access by the qualified actors to only essential information. This means that, at least in theory, access to data should be driven by real and tangible requirements of a patient's visualization and treatment: access should be granted only to information related to the disease being treated [8].

[8] A possible criticism of this point could be that proper diagnosis of a particular symptom/disease requires consideration of the entire person, not just the locally affected area of the body.

5. Consent

The consent to this additional health data processing plays a pivotal role [9]. It must necessarily be characterized by the following elements. Although it can be collected together with the consent provided for the data processing for care purposes, it must be autonomous, collected ad hoc, and specific to the EHR treatment. This is a general consent to the EHR at the entrance of data, which does not exclude, but rather coexists with, a number of specific consents that legitimize the consultation of the EHR by individual data controllers (this feature must be duly incorporated within the platform).

[9] See for instance art. 81 Italian Privacy Code.

The problem linked to the opportunity to specify what is established by art. 82 Italian Privacy Code remains to be evaluated. In cases of absolute necessity, dictated by the urgency of saving a person from an immediate threat to life, access must be granted to a designated person (identified by the system, and belonging to a class of persons in charge to which a person who has not yet expressed a willingness to permit access to his personal data) to "break the glass" and allow access to the necessary data. The system must be set to record all relevant data to ensure that the data subject will be able to know that the access occurred, and to verify ex post the legitimacy of the treatment.
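The safeguards that sections 3, 4 and 5 describe in legal terms (an audit trail the patient can rely on, patient notification of each access, access limited to the episode being treated, a reserved section the patient unlocks himself, data the patient asks to keep out of the system entirely, and an emergency "break the glass" path that is always recorded) can be enforced together in one access layer. The following Python model is an added example and is not code from the paper or from any EHR product; every name, role, record, and the log key are constructed, and the keyed-hash chain stands in for the electronic signatures the paper mentions as a way of making the log tamper-evident.

```python
"""Added example, not part of the paper: an EHR access layer modelling the
safeguards of sections 3 to 5. All names, records, roles and keys are constructed."""
import hashlib
import hmac
from dataclasses import dataclass

# Visibility classes from section 4 (constructed labels, not the LG's own terms).
NORMAL = "normal"        # ordinary EHR data, shared with the care team
RESERVED = "reserved"    # reserved section: the patient unlocks it per professional
OBSCURED = "obscured"    # patient asked for non-inclusion: never enters the EHR


@dataclass
class Record:
    record_id: str
    patient: str
    episode: str      # the disease / care episode the record belongs to
    visibility: str
    content: str


@dataclass
class AuditEntry:
    actor: str
    patient: str
    record_id: str
    outcome: str      # "granted", "granted:break-glass:<reason>" or "denied:<reason>"
    prev_mac: str     # MAC of the previous entry, chaining the log
    mac: str


class EhrAccessLayer:
    def __init__(self, log_key: bytes):
        self._key = log_key
        self.records: dict[str, Record] = {}
        self.episode_team: set[tuple[str, str, str]] = set()   # (actor, patient, episode)
        self.reserved_grants: set[tuple[str, str]] = set()     # (patient, actor)
        self.audit: list[AuditEntry] = []
        self.notifications: list[str] = []

    def _mac(self, actor, patient, record_id, outcome, prev_mac) -> str:
        msg = "|".join([actor, patient, record_id, outcome, prev_mac]).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _log(self, actor: str, patient: str, record_id: str, outcome: str) -> None:
        prev = self.audit[-1].mac if self.audit else "genesis"
        mac = self._mac(actor, patient, record_id, outcome, prev)
        self.audit.append(AuditEntry(actor, patient, record_id, outcome, prev, mac))
        if outcome.startswith("granted"):
            # Section 3: tell the patient who accessed what, and on which basis.
            self.notifications.append(f"{patient}: {actor} accessed {record_id} [{outcome}]")

    def add_record(self, rec: Record) -> bool:
        """Section 4: completely obscured data is simply not included."""
        if rec.visibility == OBSCURED:
            return False
        self.records[rec.record_id] = rec
        return True

    def read(self, actor: str, record_id: str):
        rec = self.records.get(record_id)
        if rec is None:
            self._log(actor, "?", record_id, "denied:not-in-ehr")
            return None
        # Section 4: only data related to the episode the actor is treating.
        if (actor, rec.patient, rec.episode) not in self.episode_team:
            self._log(actor, rec.patient, record_id, "denied:not-on-care-team")
            return None
        # Reserved section: the patient must have granted this professional access.
        if rec.visibility == RESERVED and (rec.patient, actor) not in self.reserved_grants:
            self._log(actor, rec.patient, record_id, "denied:reserved-section")
            return None
        self._log(actor, rec.patient, record_id, "granted")
        return rec.content

    def break_glass(self, actor: str, record_id: str, justification: str):
        """Section 5: emergency access skips the team and reserved checks but is
        always recorded so the patient can verify its legitimacy ex post."""
        rec = self.records.get(record_id)
        if rec is None:
            self._log(actor, "?", record_id, "denied:not-in-ehr")
            return None
        self._log(actor, rec.patient, record_id, f"granted:break-glass:{justification}")
        return rec.content

    def verify_audit(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "genesis"
        for e in self.audit:
            if e.prev_mac != prev or e.mac != self._mac(e.actor, e.patient, e.record_id, e.outcome, prev):
                return False
            prev = e.mac
        return True


def build_demo() -> EhrAccessLayer:
    """Constructed scenario: one patient, a GP on the diabetes episode,
    a cardiologist who is not, and an emergency physician."""
    ehr = EhrAccessLayer(log_key=b"constructed-demo-key")
    ehr.add_record(Record("r1", "patient-A", "diabetes", NORMAL, "HbA1c 7.1%"))
    ehr.add_record(Record("r2", "patient-A", "diabetes", RESERVED, "self-measured glucose log"))
    ehr.add_record(Record("r3", "patient-A", "psychiatry", OBSCURED, "(never stored)"))
    ehr.episode_team.add(("dr-gp", "patient-A", "diabetes"))
    ehr.read("dr-gp", "r1")                           # granted
    ehr.read("dr-gp", "r2")                           # denied: reserved, no grant yet
    ehr.reserved_grants.add(("patient-A", "dr-gp"))   # patient hands over the smart card
    ehr.read("dr-gp", "r2")                           # granted
    ehr.read("dr-cardio", "r1")                       # denied: not on the diabetes team
    ehr.read("dr-gp", "r3")                           # denied: never entered the EHR
    ehr.break_glass("dr-er", "r1", "unconscious patient in ER")  # granted and logged
    return ehr


if __name__ == "__main__":
    demo = build_demo()
    for entry in demo.audit:
        print(entry.actor, entry.record_id, entry.outcome)
    print("audit chain intact:", demo.verify_audit())
```

The point a practitioner should take from the model is that the emergency path is not an exception to logging but the case that depends on it most: `break_glass` relaxes the access checks and tightens nothing else, so the only thing standing between it and abuse is the chained, notified record of who used it and why. In a real deployment the chain key would be held by a party other than the system operators (or replaced by signatures, as the paper suggests), otherwise the log proves nothing against the operator.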

    6. Access to EHR system, Data Controllers and Data Processors

    The data controller of this new health data processing is the HO or the GP where

    data has been generated, as suggested by the Italian Privacy Authority.

    The data controller is responsible for organizing the entire aspect of processing: for

    this reason it appears to be the main recipient of responsibility and the penalties prescribed

    by law on the processing of personal data. The person who fills the role of the data

    controller must be the one who faces choices about the material treatment of the data andthe type of data to be collected and recorded, the amount of data to be acquired, the time

    of conservation of themselves in relation to the purpose, the sources from which to draw,

    updates, etc. Article 28 of the Italian Privacy Code has clarified that: Whenever processing

    operations are carried out by a legal person, a public administrative agency or any other body, association or

    organisation, the data controller shall be either the entity as a whole or the department or peripheral unit

    having fully autonomous decision-making powers in respect of purposes and mechanisms of said processing

    operations as also related to security matters. Thus, the main characteristic is represented by the

    autonomous power of decision-making in relation to the purposes of treatment, theoperating choices, tools to use, etc10.

    We have the particular case of co-data controllers on the same treatment (co-

    titolarit), when the choices on purpose, method, tools and security measures for the

    treatment are related to multiple subjects. The Italian Privacy Code recognizes this

    possibility despite the European Directive indicating the choice of a sole data controller.

    This issue may represent a crucial point in building up digital infrastructure fit to manage

    health data.

    The concept of co-data controllership in the EHR should be considered in parallel with the concept of data processor (responsabile del trattamento), which identifies an

    optional figure in the data processing, which is detected by the data controller in the light

    of organizational considerations among entities that can appropriately ensure, on account of their

    experience, capabilities and reliability, thorough compliance with the provisions in force applying to

    processing as also related to security matters (art. 29, co. 2, Italian Privacy Code). Its tasks are

    10 See F. GARRI,I soggetti che effettuano il trattamento: il titolare, il responsabile e lincaricato , in G. SANTANIELLO

    (ed.),La protezione dei dati personali, in G.SANTANIELLO (a cura di), Trattato di diritto amministrativo, vol. XXXVI,Padova, 2005, 131 166; C. DI COCCO, Soggetti che effettuano il trattamento (Parte I Titolo IV) , in J.MONDUCCI,

    G.SARTOR(eds.), Il codice in materia di protezione dei dati personali, Padova, 2004, 119 156.

  • 8/8/2019 SSRN-id1528461

    9/20

    9

    specified in detail by the data controller (art. 29, co. 4, Italian Privacy Code).

    The relationship between data controller and data processor has two phases. The

    first of these, the deployment phase, concerns the selection of the entity to be designated

    as responsible. This decision falls within the discretion of the data controller. If, however,the delegation includes the performance of some functions, it is certainly tied to other

    criteria such as experience, capability and reliability which the nominating person must

    have (see art. 29 Privacy Code). The second phase concerns the fact that the data controller

    is also obliged to supervise the data processor. Remember that the obligations of

    supervision and control are also functional to the identification of potential liability with

    respect to the processing.

    The legal structure should reflect the technical and organizational system which

    characterizes the EHR. According to the Working Document, there are different methodsof conservation and management of data:

    a. c.d. Decentralized storage: medical files are kept by health professionals, whoare obliged to record information about the care of patients; within this

    complex structure it could be necessary to identify a central body responsible

    for managing and controlling the whole system and for ensuring its

    compatibility with data protection regulation;

    b. c.d. Centralized storage: medical staff transfers records to a central system ofEHR; this system ensures a greater level of safety and availability: there is only

    one person responsible for the whole system.

    c. storage under the control of the data subject: allows the patient to manage his medicalrecords, providing the ability to store his health data as part of a special on-line

    service directly under his control (see the system developed in France); it

    represents a better solution in terms of self-determination, but presents some

    problems with respect to the accuracy and completeness of the documentation,

    if there is no corrective action of the medical staff.

    The traditional approach to patient EHR management is not generally characterized

    by the deployment of a common database: each entity remains data controller of the

    treatment that performs (in the collection), while communicating a large part of these data

    to other controllers within the network. Each of them is an autonomous institution of the

    treatment.

    Otherwise, the hypothesis to identify a single data processor appointed to manage

    the EHR by the various data controllers involved is a solution that, while being an easy side

    access to data and the system by the patient, presents significant weaknesses in terms of

    effectiveness of the fiduciary relationship between the individual and all the responsible

    controllers of the EHR. The latter should arrange for a standardized appointment, thus

  • 8/8/2019 SSRN-id1528461

    10/20

    10

    depleting the regulation contained in Privacy regulation.

    7. Data Communication to data subject: art. 84 Italian Privacy Code

    The idea of an EHR considering the evidence regarding the patient to whom he can

    have access via computer reflects a feature already present at the level of implementation in

    many regional experiences. With the emergence of the Internet, several HOs have begun

    providing this new service to its citizens.

    From the point of view of the data subject, access to the EHR should be allowed

    under the cautions established by art. 84 Italian Privacy Code, which includes the provision

    of a filter in the communication of health data between the patient and the data itself

    represented by a physician or an health care professional. The issue deserves a further

    study.On this matter we find some interesting suggestions at Community level. The

    Recommendation of 2 July 2008 on cross-border interoperability of electronic health

    record systems in Whereas n. 3 states: Electronic health record systems have the potential to

    achieve greater quality and security in health information than the traditional forms of health records.

    Interoperability of electronic health record systems should make access easier, and enhance the quality and

    safety of patient care throughout the Community by providing patients and health professionals with relevant

    and up-to-date information while ensuring the highest standards of protection of personal data and

    confidentiality. Below there is another statement at point 14, lett. h): [this legal framework isdesigned in particular to:] ensure that patients are fully informed on the nature of the data and the

    structure of the electronic health record containing them. Patients should have alternative (conventional)

    means to access personal data concerning health related to him or her. In this context it is important to

    ensure that information provided to data subjects uses language and a layout that is easy to understand and

    is given in an appropriate manner to persons with special needs (e.g. children or elderly persons).

The pivotal point of the system must be respect for self-determination: the decision of a patient on how and when to use data concerning him should play a key role as an important guarantee.

Let us start the analysis with the positive law of the Italian legal system. Art. 84 of the Privacy Code, entitled "Communication of data to the data subject", states: "1. Personal data disclosing health may be communicated by health care professionals and health care bodies either to the data subject or to the entities referred to in Section 82(2), letter a), only by the agency of a physician who must have been designated either by the data subject or by the data controller. This paragraph shall not apply to the personal data that had been provided previously by said data subject. 2. The data controller or processor may authorise, in writing, health care professionals other than physicians who, to fulfil their respective duties, have direct contacts with patients and are in charge of processing personal data disclosing health, to communicate said data either to data subjects or to the entities referred to in Section 82(2), letter a). The instrument by which said task is conferred shall set out adequate arrangements and precautions having regard to the context within which the data are to be processed".

There must, therefore, be an intermediary between the data and the data subject, in order to satisfy, on the one hand, the need to help the patient understand clinical data and, on the other, to filter the information so that it is communicated in a form compliant with the principles governing the therapeutic relationship between physician and patient.

Art. 84, read in close connection with articles 1 and 2(1) of the Privacy Code (which attest to the existence of a new subjective legal position in relation to the processing of personal data), gives a particular qualification to the information arising from the relationship of care, recognizing for the physician a sort of "therapeutic privilege": under this principle the physician would have the right not to reveal certain aspects of the diagnosis or prognosis capable of undermining the purpose of treatment.

From the perspective of building an architecture focused on the patient's access to his own health data, this kind of regulation raises several implementation problems, including the introduction of an additional obstacle in designing a platform that would bring the citizen closer to the health service.

The physician cannot serve as a mere vehicle for the mechanical transmission of data: the rationale of the provision is that the patient is given an explanation, albeit concise, tailored to his psycho-physical condition. The principle is satisfied only if the person is able to understand the meaning of the data easily.

This requirement does not appear to be an insuperable implementation obstacle. First of all, the communication between physician and data subject need not be direct: it is already possible to delegate to a friend or a relative the power to confer with the physician or to read the notices. This observation allows us to discard the hypothesis that the rule necessarily requires, for example, a computer tool that could attest that the physician is on-line at the same time as the patient accesses the data.

We could then think of a platform that makes health data accessible to the patient only once the record has been accompanied by the communication in which the physician-filter gives his interpretation of the health data. Indeed, we can expect to require the prior viewing of this text before access to the medical information is granted.

As an alternative to the solution proposed, and in response to possible resistance from medical staff (especially GPs, who could refuse to be burdened with additional tasks), we can envisage an information structure that, as soon as the patient tries to access the contents of the first communication, creates an automatic alert (a pop-up of sorts) making the patient aware of the need to go to his GP in order to receive additional information on the raw data (the same happens today when a paper envelope bearing the word "doctor" and containing the results of laboratory tests a patient has undergone is delivered to the data subject). This warning display, which could be followed by an acceptance screen in which the patient declares that he has understood the warning about the need to obtain from his doctor an interpretation of the data relating to him, has a dual maieutic purpose: first, the patient would be informed that he is not able to analyze and understand the meaning of (raw) health data relating to him; second, it would promote the activity of explaining clinical events, which in practice is unfortunately not always so accurate.

Within the EHR, we could circumscribe the data which really needs this filter, separating it from the data the user can access directly, either because it is already known to him (the rationale of the provision applies only to the patient's first cognitive access to data concerning him) or because he directly provided it (i.e. information collected from the patient and reported by the professional in the EHR)11.

9. Security Measures

The sensitivity of the personal data processed by an EHR requires the adoption of specific technical measures to ensure appropriate levels of security (art. 31 Italian Privacy Code), in addition to the minimum measures that each data controller must take under the Code (articles 33 ff. Privacy Code). Given the quality of the data that an EHR system processes, it is clear that security aspects are crucial, especially in order to create the right level of confidence among the operators and users of the platform.

By reading the regulatory framework and the Guidelines (LG) of the Italian Privacy Authority, the EHR should ensure: a) a suitable authentication and authorization system for the persons in charge of processing, depending on their roles and on the requirements for access and processing; b) procedures for the periodic review of the quality and consistency of the authentication credentials and authorization profiles assigned to the persons in charge; c) criteria for the encryption or separation of the data suited to reveal the state of health and sex life from other personal data; d) traceability of access and of the operations carried out; e) audit log systems to monitor access to the database and detect any anomalies.
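Point c), the separation of health data from other personal data, is the measure most often left vague in specifications, so here is an added Python example of one way to implement it. This is not code from the paper or from any Italian EHR platform: the two-store layout, the link service with a keyed HMAC pseudonym, the field names and the sample identity and clinical entries are all assumptions for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data for the demonstration (not taken from the paper):
# one patient identity with a tax-code-like identifier.
PATIENT_ID = "RSSMRA70A01H501U"
IDENTITY = {"name": "Mario Rossi", "born": "1970-01-01", "tax_code": PATIENT_ID}

# Field names that must never reach the clinical store (assumed list).
IDENTIFYING_FIELDS = {"name", "born", "tax_code", "patient_id"}


class LinkService:
    """Sole holder of the link key. Only this component can turn an
    identifier into the pseudonym under which health data is filed, so
    identity data and health data never sit side by side in one store."""

    def __init__(self, link_key: bytes) -> None:
        if len(link_key) < 32:
            raise ValueError("link key must be at least 256 bits")
        self._key = link_key

    def pseudonym(self, patient_id: str) -> str:
        # A keyed HMAC rather than a bare SHA-256: tax codes and national
        # identifiers have little entropy, so an unkeyed hash could be
        # inverted by enumerating candidates. Without the key the mapping
        # is opaque to whoever holds only the clinical store.
        return hmac.new(self._key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()


class IdentityStore:
    """Administrative and identifying data only."""

    def __init__(self) -> None:
        self._people: dict = {}

    def put(self, patient_id: str, identity: dict) -> None:
        self._people[patient_id] = dict(identity)

    def get(self, patient_id: str) -> dict:
        return dict(self._people[patient_id])


class ClinicalStore:
    """Health data only, indexed by pseudonym; it never sees an identifier."""

    def __init__(self) -> None:
        self._records: dict = {}

    def append(self, pseudonym: str, entry: dict) -> None:
        self._records.setdefault(pseudonym, []).append(dict(entry))

    def read(self, pseudonym: str) -> list:
        return [dict(e) for e in self._records.get(pseudonym, [])]

    def dump(self) -> str:
        """Everything an attacker obtains by exfiltrating this store alone."""
        return json.dumps(self._records, sort_keys=True)


def entry_allowed(entry: dict) -> bool:
    """Reject clinical entries that smuggle identifying fields along."""
    return not (IDENTIFYING_FIELDS & set(entry))


def store_entry(link: LinkService, clinical: ClinicalStore, patient_id: str, entry: dict) -> None:
    if not entry_allowed(entry):
        raise ValueError("identifying fields are not allowed in the clinical store")
    clinical.append(link.pseudonym(patient_id), entry)


def read_entries(link: LinkService, clinical: ClinicalStore, patient_id: str) -> list:
    return clinical.read(link.pseudonym(patient_id))


def dump_reveals_identity(clinical: ClinicalStore, identity: dict) -> bool:
    """Does a raw dump of the clinical store contain any identity value?"""
    dump = clinical.dump()
    return any(str(value) in dump for value in identity.values())


def demo() -> dict:
    link = LinkService(secrets.token_bytes(32))
    identities, clinical = IdentityStore(), ClinicalStore()
    identities.put(PATIENT_ID, IDENTITY)
    # Constructed clinical entries for the sample patient.
    store_entry(link, clinical, PATIENT_ID, {"date": "2009-11-02", "type": "lab", "hba1c": "7.1%"})
    store_entry(link, clinical, PATIENT_ID, {"date": "2009-11-20", "type": "diagnosis", "icd10": "E11"})
    wrong_key = LinkService(secrets.token_bytes(32))
    return {
        "entries_via_link": len(read_entries(link, clinical, PATIENT_ID)),
        "entries_wrong_key": len(read_entries(wrong_key, clinical, PATIENT_ID)),
        "dump_identifies_patient": dump_reveals_identity(clinical, IDENTITY),
        "patient_name_via_identity_store": identities.get(PATIENT_ID)["name"],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the layout is what `demo()` returns: the clinical store, dumped on its own, yields no name, date of birth or tax code, and a party holding the clinical store without the link key cannot even locate the sample patient's entries. In a real deployment the link key would live in an HSM or a separately administered key service, and encryption at rest of the clinical store (the other option in point c) would be layered on top rather than replace the separation.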

The adoption of a secure authentication system represents a crucial point in the future of the EHR. The Working Document cited above deals with "Identification and authentication of patients and health care professionals" and stresses that "reliable identification of patients in EHR systems is of crucial importance. If health data were used which relate to the wrong person as a result of incorrect identification of a patient the consequences would in many cases be detrimental"; and, further on, "the special sensitivity of health data requires that no access is possible for unauthorized persons. Reliable access control depends on reliable identification and authentication. This makes it necessary to uniquely identify and also properly authenticate users".

The solution proposed by the Working Document is the use of smart cards, which provide a high level of reliability and security: "Health cards on smart card basis could contribute significantly to a proper electronic identification of patients and also to their authentication if they want to access their own EHR data".

11 On 25 June 2009 the Italian Privacy Authority enacted a General Provision on on-line medical reports (referti on-line), in order to partially regulate this problematic matter: Provvedimento a carattere generale 25 giugno 2009: Linee guida in tema di referti on-line.

Information systems include devices for verifying the digital identity of users (authentication) before authorizing access to resources in the various domains that make up the system. In our case it would therefore be helpful to deliver to citizens, in addition to a login and password, a smart card. In the Italian context this could be the repeatedly promised but never fully implemented Electronic Identity Card (Carta d'Identità Elettronica, CIE), a card with a microchip having the same characteristics as the real, visible identification document and its physical security features (optical band, holograms, photograph of the holder); the National Services Card (Carta Nazionale dei Servizi, CNS), a chip card that lacks the physical security features of the CIE but offers similar functions; and finally the Regional Services Card (Carta Regionale dei Servizi, CRS).

10. A comparative interlude

E-health is an important innovation that can improve access to healthcare and boost the quality and effectiveness of the services offered.

The European Community has promoted research programs in support of e-Health for fifteen years. Many results of these efforts have been tested and put into practice; Europe is therefore in a leading position in the use of electronic health records for health care.

A trend strengthening the role of the citizen-patient is becoming increasingly important. As noted in the White Paper "Together for Health: A Strategic Approach for the EU 2008-2013" (Brussels, 23 October 2007), the participation of citizens is a fundamental value. Health care is increasingly oriented toward the patient, who is becoming an active player rather than a mere object of care. He must be able to participate in decision-making and exert influence at that level, and acquire the necessary skills (so-called health literacy). The Italian National Health Plan 2006-08 also stresses the importance of promoting "the various forms of citizen participation, particularly through the involvement of patients' and family associations". The citizen is, therefore, recognized as having an increasingly active role in the management of his own health and processes of care.

The EHR aims to foster coordination, quality and continuity of care through better information and communication among physicians and between physicians and patients. The Action Plan for a European e-Health Area intends to agree uniform standards between the Member States for the identification of patients and to define standards for the interoperability of national systems, in order to facilitate the exchange of electronic health records.

In order to carry out a comparative analysis that points out useful principles for the development of an EHR system, we must look at the implementation of other projects within the European Community, and in particular at two important instances: the French and the English experiences.

10.1 The French model: Dossier Médical Personnel

France has a highly centralized system: the majority of political and administrative authorities are located in Paris. Since 1982, however, a trend toward decentralization has led to the delegation of powers to the regions. The population of France is approximately 62 million. The health care system is pluralistic: private and public bodies co-exist. Patients choose their GPs and have free access to different types of hospitals12.

12 As references for this part, see EHR IMPLEMENT, WP5 National reports of EHR implementation: France, 28 May 2009, available at: ; E-HEALTH ERA, Fact sheet France, March 2007, available at: ; EUSER, eHealth Country Brief: France, 2005, available at: ; V. PEIGNÉ, Il trattamento dei dati sanitari in Italia e Francia tra convergenze e divergenze, in Diritto dell'Internet, 2008, 296; M. GAGNEUX, Pour un dossier patient virtuel et partagé et une stratégie nationale des systèmes d'information de santé, 23 April 2008, available at: .

e-Health projects are developed by different actors, both regionally and locally. At the national level a mapping of all these initiatives has been carried out. Among them, the following are of particular interest:

- SESAM-Vitale: introduced at the end of the nineties, it interconnects more than 223,000 healthcare professionals in the national health system for the benefit of more than 48 million insured persons. The system is based on three elements:
  o Carte Vitale, a chip card containing simple administrative information (the insured person's health insurance affiliation and any dependants), recently replaced by the new Vitale 2;
  o Carte de Professionnel de Santé (CPS), a microprocessor smart card used by GPs, created in 1993 (and later extended through the Ordonnances Juppé of April 1996 to organize a secure infrastructure for electronic health information systems); its features are the identification, authentication and electronic signature of health personnel;
  o Réseau santé social (RSS), the health network that distributes data streams and encourages communication between health professionals and health insurance funds.
- The health web-site (www.sante.fr), developed under the direction of the Directorate General of the Ministry of Health, whose principal objective is to promote information from the public agencies on public health issues;
- Various telemedicine applications and platforms already used in some regional experiences; at the national level we find the Dossier Médical Personnel (DMP), which will be analyzed in more detail below.

The DMP is an ambitious project started in 2004 with Law No 2004-810 of 13 August 2004 on Assurance maladie (the DMP is provided for in art. L. 161-36-1 of the Code de la Sécurité sociale)13. The reform has not met its deadline (1 July 2007), because of the size of a project that affects 60 million patients and because computerization among health professionals is not yet widespread. To date the project is still not complete.

13 See the Web-site: .

The purpose of the data processing carried out through the DMP is to ensure better coordination, quality and continuity of health services. Another purpose, of a more political nature, is obviously to reduce healthcare expenditure.

The DMP consists of a health data storage system for each beneficiary of the compulsory health insurance scheme. It is under the direct control of the patient. It contains:

- data allowing the identification of the patient (name, surname, date of birth, login for opening and operating the file) and information identifying the professional;
- general practice data (previous medical history, specialist consultations, allergies, vaccinations, etc.);
- data on treatment (results of examinations, records of preventive and therapeutic measures, ongoing illnesses, treatments in progress, etc.);
- data on prevention (individual risk factors, reports, etc.);
- data on clinical findings (radiography, CT scans).

The inclusion of new data, their amendment or deletion is subject to the consent of the patient. Health care workers access the system through the simultaneous use of two smart cards: the CPS and the Vitale 2. For personal use, patients access the DMP via the Internet through the national portal, where access is managed by login and password. Information is entered into the system only by authorized health care professionals. Each piece of information is dated and signed, and its author identified. There is also a special section for information that the patient himself can add about his health (all documents are marked using the IHE XDS standard).

Data retention is supervised by the patient, who must choose a special service provider called hébergeur, which may be a natural or legal person approved in advance through a process led by a special committee (there are currently six approved hébergeurs). The link between patient and hébergeur is regulated by an hébergement contract (the hébergeur has an obligation to ensure the security and confidentiality of the data in compliance with the provisions of the Act and is bound by professional secrecy).

The French legislature has provided a system of economic incentives for the creation and use of the DMP: the reimbursement of medical acts and services by the national social security system is conditional on the patient allowing access to and completing the DMP (this "forced freedom" has attracted criticism and doubts at the constitutional level).

The patient, who directly controls the DMP, has free access to all the data via the Internet, even without the intervention of a health care professional. He also has access to the system log files, in order to know exactly who has accessed his data, which data has been accessed, and when.

The patient's consent is required for accessing and administering the DMP (self-determination principle). We must however take into consideration that, in cases of emergency, a special procedure is provided, called bris de glace ("breaking the glass"), which allows access to the DMP when it is impossible for the patient to give consent. This represents an ex-post control, since the patient can see exactly who has accessed the record, when and why.
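The consent gate, the bris de glace override and the patient-readable access log described here, together with the traceability and audit-log requirements of Section 9 (points a, d and e), fit into one small access layer. The following is an added Python example, not the DMP's code nor that of any French or Italian platform: the professional names, the consent model, the log fields, the fixed clock and the anomaly rules are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class AccessEvent:
    when: datetime
    actor: str        # the professional acting on the record
    doc_id: str
    action: str       # "read" or "write"
    outcome: str      # "granted", "denied" or "break-glass"
    reason: str = ""  # justification recorded for a break-glass access


@dataclass
class Document:
    doc_id: str
    author: str       # professional who entered and signed it
    content: str


class PatientRecord:
    """One patient's shared record: consent-gated access, an emergency override
    that is always logged with its reason, and a log the patient can read."""

    def __init__(self, patient_id: str,
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)) -> None:
        self.patient_id = patient_id
        self._clock = clock
        self._docs: Dict[str, Document] = {}
        self._consented: Set[str] = set()
        self._log: List[AccessEvent] = []

    # Consent is the patient's decision and can be withdrawn at any time.
    def grant_consent(self, professional: str) -> None:
        self._consented.add(professional)

    def revoke_consent(self, professional: str) -> None:
        self._consented.discard(professional)

    def write(self, professional: str, doc_id: str, content: str) -> None:
        """Only a consented professional enters data, and a signed document is
        never overwritten (so neither a colleague nor the patient can alter it)."""
        if professional not in self._consented or doc_id in self._docs:
            self._record(professional, doc_id, "write", "denied")
            raise PermissionError(f"{professional} may not write {doc_id}")
        self._docs[doc_id] = Document(doc_id, professional, content)
        self._record(professional, doc_id, "write", "granted")

    def read(self, professional: str, doc_id: str,
             emergency_reason: Optional[str] = None) -> str:
        if doc_id not in self._docs:
            raise KeyError(doc_id)
        if professional in self._consented:
            self._record(professional, doc_id, "read", "granted")
        elif emergency_reason:
            # Bris de glace: access proceeds without consent, but the event is
            # logged apart from ordinary reads, with the stated reason, so the
            # patient (and an auditor) can review it afterwards.
            self._record(professional, doc_id, "read", "break-glass", emergency_reason)
        else:
            self._record(professional, doc_id, "read", "denied")
            raise PermissionError(f"{professional} has no consent to read {doc_id}")
        return self._docs[doc_id].content

    def patient_log(self) -> List[Tuple[str, str, str, str, str, str]]:
        """The patient's view: who, which document, what, outcome, why."""
        return [(e.when.isoformat(), e.actor, e.doc_id, e.action, e.outcome, e.reason)
                for e in self._log]

    def anomalies(self, window: timedelta = timedelta(hours=24),
                  denial_threshold: int = 3) -> List[str]:
        """Audit-log review: every break-glass access needs a human check, and
        repeated denials for one actor within the window suggest probing."""
        findings = [f"break-glass by {e.actor} on {e.doc_id}: {e.reason}"
                    for e in self._log if e.outcome == "break-glass"]
        denied = [e for e in self._log if e.outcome == "denied"]
        for actor in sorted({e.actor for e in denied}):
            times = sorted(e.when for e in denied if e.actor == actor)
            for i in range(len(times) - denial_threshold + 1):
                if times[i + denial_threshold - 1] - times[i] <= window:
                    findings.append(f"{denial_threshold} or more denied attempts by {actor} within {window}")
                    break
        return findings

    def _record(self, actor: str, doc_id: str, action: str, outcome: str, reason: str = "") -> None:
        self._log.append(AccessEvent(self._clock(), actor, doc_id, action, outcome, reason))


def demo() -> PatientRecord:
    """Constructed scenario with a fixed clock (one minute per event)."""
    start = datetime(2009, 12, 1, 9, 0, tzinfo=timezone.utc)
    ticks = iter(range(10_000))
    rec = PatientRecord("patient-1", clock=lambda: start + timedelta(minutes=next(ticks)))
    rec.grant_consent("dr_martin")                  # the patient's GP (assumed name)
    rec.write("dr_martin", "lab-2009-11", "HbA1c 7.1 %")
    rec.read("dr_martin", "lab-2009-11")            # ordinary, consented read
    for _ in range(3):                               # a stranger probing the record
        try:
            rec.read("dr_unknown", "lab-2009-11")
        except PermissionError:
            pass
    rec.read("dr_urgences", "lab-2009-11",          # emergency physician, no consent
             emergency_reason="unconscious patient in the emergency room")
    return rec


if __name__ == "__main__":
    record = demo()
    print(*record.patient_log(), *record.anomalies(), sep="\n")
```

Two design points matter here. The override is not a silent bypass: it is a third outcome in the same log as ordinary reads, so the patient's view and the anomaly review see it without a separate channel. And refused attempts are logged too; a record that only remembered successful reads could never show the probing that `anomalies()` flags.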

The patient does not have the capability to modify the medical content of the DMP (rectius, the data entered and signed by health professionals).

The patient has the right of masquage: this is the right to withhold, even temporarily, access to information. This right is adjusted to the reality of the doctor-patient relationship and takes into account the fact that the patient reveals information in a manner proportional to the degree of his confidence: the more confidence, the more detailed the information. This possibility has raised many criticisms. Health care professionals claim that they could not be held responsible for the fact that it was not the correct procedure or


- NHS Care Record Service (NHS CRS): an electronic medical record which would improve the exchange of patient data within the NHS and give patients access to their health data16;
- Choose and Book: a national service that, for the first time, provides the opportunity to book an appointment in a hospital facility (first outpatient appointments) and to choose the facility, date and time. It revolutionises the current booking system. Various studies in this area have shown that patients want to be more involved in decision-making and to be able to choose their processes of care. The majority of patients who have been offered this new option have reacted positively. Since summer 2004 the Choose and Book service has been introduced across England. From January 2006, all patients requiring the booking of an appointment have a choice of at least four service providers;
- Electronic Prescription Service: a system for the electronic transmission of prescriptions, which makes it possible to generate, transmit and receive electronic prescriptions. The prescriptions are sent electronically from the prescriber to the provider (the pharmacist), and finally to the State for payment purposes. Since 2007, all GPs and pharmacists have access to the system;
- N3: the NHS National Network, which provides a secure and reliable network infrastructure connecting all organizations belonging to the English NHS. This high-speed network obviously strengthens all the other services offered by the NHS;
- Picture Archiving and Communications System: a service that allows radiographic images to be stored electronically and displayed on screen. As planned, it has been available since 31 March 2007.

The NHS CRS will be introduced gradually, step by step, across England. The process started in 2007 and will take several years. When the system is running at full capacity, it will allow the HO to store medical information on an interconnected digital infrastructure. This will give medical staff faster access to information in a secure manner. Patients themselves will have access to their essential health information. The NHS CRS will be able to connect more than 30 thousand medical professionals and 270 trusts of the health service through a single, secure national system. The infrastructure consists of two elements: the detailed data (collected and stored locally) and the Summary Care Record (maintained at the national level).

16 This project will be analyzed in more detail below. See the Web-site: .


capabilities allowed for by digital technologies, in the health field the user-patient is encouraged to acquire a kind of computer literacy and to become a leading actor in the processes of care and in the curative options that concern him. The big challenge for these EHR systems is to give expression to this need by coordinating and incorporating within the infrastructure those legal principles that guarantee the integrity and the freedom of individuals.

There is rarely a serious understanding of the significance of this epochal change in all its facets. One of the crucial aspects of this innovation is never fully addressed: the weight and value that health professionals will give to the data entered in the system, by virtue of a legal infrastructure that is still to be built. Interpersonal relations are increasingly driven by electronic infrastructures, even in healthcare. Dealing with this issue with maturity and vision means facing up to all its possible facets and ensuring a technical, organizational and legal system intended for its full development.

The advent of a specific regulation aimed at establishing reinforced protection for health data processed through EHR systems marks a turning point in the arduous process of developing e-Health. This is a moment of crucial importance, since the legal definition of the EHR will shape the scope of a series of tasks and measures through which the rights of the citizen-patient-data subject will be protected.

The definition of the EHR, however it ends up, will surely have a big impact on the development of e-Health. It inevitably assumes the adoption of a conceptual model which, for the sole purpose of improving the care of the patient, considers the relationship between the information, the person to whom this information relates, and the people who process this information for the purpose just mentioned. This suggests the need for great caution in making this delicate and defining transition.