8/8/2019 SSRN-id1528461 - Electronic copy available at: http://ssrn.com/abstract=1528461

ELECTRONIC HEALTH RECORDS:
PRIVACY AND SECURITY ISSUES IN A COMPARATIVE PERSPECTIVE*
Paolo Guarda
1. Introduction
Before the digital age, health data processing was not such a problematic issue. It
was based on a strictly fiduciary relationship between the patient (rectius: data subject) and
the physician, who in most cases was the so-called General Practitioner (GP). Everything
was then set on paper, if not simply spoken.
The advent and widespread diffusion of computers has led to an upsurge of new problems and demand for protection. Digital technology has provided the extraordinary ability to access large amounts of aggregated data very quickly, but on the other hand it has also made possible the creation of big databases to which more and more people, even if limited in number and specifically identified, may have access. This has greatly increased the risks associated with the processing of these data, their unlawful circulation and dissemination, and the capability to affect the dignity and the fundamental freedoms and rights of the individual data subject¹.
For these reasons, the European legislator intervened with the famed Directives 95/46/EC (on the protection of individuals with regard to the processing of personal data and on the free movement of such data) and 2002/58/EC (on the processing of personal data and the protection of privacy in the electronic communications sector), devoting an ad hoc regulation to the problem of health data processing, thus highlighting the specificity and the dangers that the operations relating to this particular category of data may present².
* Version 1.0, December 2009. © 2009 by Paolo Guarda, Creative Commons Attribution-Noncommercial-No derivative works 2.5 Italy. More information at: .
¹ With respect to telemedicine issues, see U. IZZO, Medicina e diritto nell'era digitale: i problemi giuridici della cibermedicina, in Danno e responsabilità, 2000, 807; G. CANGELOSI, I servizi pubblici sanitari: prospettive e problematiche della telemedicina, in Dir. famiglia, 2007, 431; A. SINHA, An Overview of Telemedicine: The Virtual Gaze of Health Care in the Next Century, in Medical Anthropology Quarterly, New Series, vol. 14, n. 3 (Sep., 2000), 291-309, available at: .
² As regards data protection regulation in general, see L.A. BYGRAVE, Data Protection Law. Approaching Its Rationale, Logic and Limits, The Hague - London - New York, 2002; P. GUARDA, Data Protection, Information
At the national level, the Italian legislator (at art. 4, co. 1, lett. d) of Legislative Decree 30 June 2003, n. 196, Code for protection of personal data, hereinafter: Privacy Code) defines so-called sensitive data as follows: "personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life". In order to process this kind of information a stricter and more protective discipline has been provided, since its collection, communication and dissemination may expose the data subject to which it pertains to several serious risks of discrimination³.
The so-called Electronic Health Record (hereinafter: EHR) represents a pivotal moment in the digitalization of health data processing. The definition of this new legal concept, which has encountered many difficulties, consists of two basic elements: the moment of storage, by means of digital technologies, of all the data and information that until now had been collected and managed on paper; and the moment of sharing of the collected data among all the actors of the system entitled to their communication and processing⁴.
Privacy, and Security Measures: an Essay on the European and the Italian Legal Frameworks, in Ciberspazio e dir., 2008, 65-92 (available at: ).
³ With respect to health data processing in the Italian legal system, see G. BUTTARELLI, Banche dati e tutela della riservatezza. La privacy nella Società dell'Informazione, Milano, 1997; F. CAGGIA, Il trattamento dei dati sulla salute, con particolare riferimento all'ambito sanitario, in V. CUFFARO, R. D'ORAZIO, V. RICCIUTO (eds.), Il codice del trattamento dei dati personali, Torino, 2007, 405; G. FINOCCHIARO, Il trattamento dei dati sanitari: alcune riflessioni critiche a dieci anni dall'entrata in vigore del Codice in materia di protezione dei dati personali, in G.F. FERRARI (ed.), La legge sulla privacy dieci anni dopo, Milano, 2008, 207-220; E. PALMERINI, Commento all'art. 84, in C.M. BIANCA, F.D. BUSNELLI (eds.), La protezione dei dati personali. Commentario al D. Lgs. 30 giugno 2003, n. 196 (Codice Privacy), II, Padova, 2007, 1303; S. VICIANI, Brevi osservazioni sul trattamento dei dati inerenti la salute e la vita sessuale in ambito sanitario, in Riv. crit. dir. priv., 2007, 315. An old, but very interesting, essay on health data and privacy from an economic analysis perspective is P.M. SCHWARTZ, Privacy and the Economics of Health Care Information, 76 Tex. L. Rev. 1 (1997).
⁴ See in general A.M. FROOMKIN, Forced Sharing of Patient-Controlled Health Records, Working Paper, 2008, available at: ; N.P. TERRY, L.P. FRANCIS, Ensuring the Privacy and Confidentiality of Electronic Health Records, 2007 U. Ill. L. Rev. 681 (2007); M.A. HALL, Property, Privacy and the Pursuit of Integrated Electronic Medical Records, Legal Studies Paper No. 1334963, 2009, available at: ; A.M. FROOMKIN, The New Health Information Architecture: Coping with the Privacy Implications of the Personal Health Records Revolution, UM ELSI Group for Project HealthDesign (2008), available at the Web-site: ; S. HOFFMAN, A. PODGURSKI, In Sickness, Health, and Cyberspace: Protecting the Security of Electronic Private Health Information, Working Paper 06-15, September 2006, available at the Web-site: ; P.D. JACOBSON, Medical Records and HIPAA: Is It Too Late to Protect Privacy?, 86 Minn. L. Rev. 1497 (2002); N.P. TERRY, Personal Health Records: Directing More Costs and Risks to Consumers, Working Paper, August 2008, available at: . For a further analysis with respect to the incorporation of privacy legal principles into digital architecture see P. GUARDA, N. ZANNONE, Towards the Development of Privacy-Aware Systems, in Information and Software Technology, vol. 51, 2009, 337-350.
Unlike the traditional electronic platforms of health data management, which
privilege the role of health-service providers and give the patient a very marginal and limited role, the new approach underlying the concept of EHR is characterized by the patient becoming the crucial point of the information management system. From this point of view, any interaction between the patient and the new system involves the creation of new data. The first e-health data revolution (the introduction of information technology and Electronic Health Records) concerned the digitizing and rationalization of the flow of data. The second step is represented by the so-called Personal Health Record (PHR): patients will increasingly create health data (or links to other data) without the intermediation of any qualified person⁵.
At the international level we find several documents that are pushing the implementation of EHR. Above all, we must cite the Working Document on the processing of personal data relating to health in electronic health records (EHR), adopted on 15 February 2007 by the Working Party on the Protection of Individuals with regard to the Processing of Personal Data (hereinafter: Working Document). This document aims to provide guidance on the interpretation of the applicable legal framework of data protection for EHR systems and to establish some general principles. It also aims at setting out the data protection preconditions for establishing a nation-wide EHR system, as well as the applicable safeguards. A definition of this new instrument has been proposed by the already mentioned Working Party: "A comprehensive medical record or similar documentation of the past and present physical and mental state of health of an individual in electronic form and providing for ready availability of these data for medical treatment and other closely related purposes".
The Italian Garante per la protezione dei dati personali (hereinafter: Privacy Authority) has also enacted, by means of a General Provision, guidelines on the implementation of an EHR system (Provvedimento a carattere generale 16 luglio 2009 del Garante per la protezione dei dati personali - Linee guida in tema di Fascicolo sanitario elettronico (Fse) e di dossier sanitario) (hereinafter: LG). This document follows a public consultation on a previous provision.
I will focus on the main problematic issues in the implementation of EHR systems, as they arise from reading the Italian Privacy Authority's LG. Many issues will then be taken into consideration: the scope of an EHR system, responsibilities and expectations with respect to data entered, the self-determination principle, consent, access to the EHR, data controllers and data processors, data communication to the data subject (art. 84 Privacy Code), and security measures. In the final part, a comparative analysis with the English and the French e-health systems will be provided.
⁵ See R. CUSHMAN, PHRs and the Next HIPAA, 2008, available at: ; ID., Primer: Authentication of identity (with application to PHRs/PHAs), available at: .
2. Scope of an EHR system
Until recently, the Italian legal system lacked a national definition of EHR. The definition that was conventionally used is provided by the Working Document, where it describes EHR as "A comprehensive medical record or similar documentation of the past and present physical and mental state of health of an individual in electronic form and providing for ready availability of these data for medical treatment and other closely related purposes".
Starting from this point, the Italian Privacy Authority provides in the LG the following definition of EHR (Fascicolo sanitario elettronico): "health data originated from several data controllers working more frequently, but not exclusively, in the same geographical area". The LG also establishes a sub-categorization of the possible tools used to manage the health data of a patient. Thus we find the so-called Dossier, defined as "an instrument consisting of a medical body as the sole data controller (hospital or private hospital) in which most professionals work".
In the LG the EHR is designed solely as a tool for sharing computer data and
documents between healthcare organizations and health professionals. In the first
document submitted to consultation, the patient was not taken into account at all, neither
as a possible recipient of the data generated and stored relating to him, nor as a generator
of direct health information that always refers to his person. The final version presented
this option.
Actually, this concept, assuming that the data stream feeding the EHR can be generated directly by the patient, does reflect an element of the health policy pursued in our country by the local and state institutions responsible for the delivery of health services. Indeed, it is no secret that the National Health Plan 2006-2008 indicates as a key objective "to promote the various forms of citizen participation, particularly through the involvement of patients and family associations". The citizen is, therefore, recognized as an active player in managing his health and care processes.
These kinds of considerations find their origin in the new challenges that developed countries are facing: problems due to the aging of the population, consequent increases in chronic diseases, increasing costs of health services, increasing demand for high-quality health services, etc. It is therefore necessary that we rethink our models of health care, focusing on the citizen.
The incoming flow of data (from the patient to the EHR) needs to be better analyzed. The patient should be allowed to supply information pertaining to his own health conditions; this set of data could be beneficial to the professionals who interact with the patient's health history in order to ensure the best possible care.
All of the information that the patient provides to the system could be conceptually defined as a dossier; the system has to clearly indicate that these data have been generated directly, and on a fully voluntary basis, by the citizen-patient. It is therefore necessary to prefigure the possibility that the EHR could also contain this island composed of supplied dynamic data, which we can call a "citizen dossier".
The scenario can be described as follows: the patient enters data relating to him in the dossier, which should be placed in the EHR. Who is the data controller of this new processing? A possible solution could be a situation of co-data controllers between the health organizations (hereinafter: HO) and the GP.
On the one hand, the HO provides the digital infrastructure and the service which
benefits the public. The mere fact that the data is stored on an infrastructure managed by
the HO, even without being accessed by any persons in charge of the treatment, gives the
HO the qualification of data controller.
On the other hand, the GP, as authorized and invested with a purpose of nursing and care-taking, should be put in a position to access the data that his patient has loaded into the EHR.
It is therefore imperative that the accepted definition of EHR will be designed in
such a way as to consider the possibility that the system could be composed of an island of
data generated by the citizen (in the future it could include data from some smart items,
set to detect a parameter of health and then automatically upload it into the citizen
dossier).
3. Responsibilities and expectations with respect to data entered into the EHR system
The need for a uniform mechanism to reconstruct the situations of accountability with respect to the generation of each single datum made available on the EHR must be emphasized (I am referring to a tracking system by means of log files and digital documents validated through electronic signatures).
It should be noted that an audit system, able to track user activity and to determine ex post any responsibility, represents a key point of any future EHR system. Although the probative value of log files is the subject of debate, it is tempting to say that in this case the technology offers a possibility to interpret the requirements of protection with a level of effectiveness unattainable in the pre-digital era. A system capable of generating a warning message (for example, via e-mail) that alerts the patient to the fact that his data have been accessed, and by whom, is far from chimerical (on the contrary, it is rather easy to achieve from a technological point of view).
This will represent a formidable tool of control for the patient, ensuring that data pertaining to him are always processed in accordance with the conditions of legitimacy provided by law (rectius, privacy regulation⁶). The approach behind such a control would be more practical and realistic than the attempt to define ex ante, once and for all, the several access levels. Information regarding access will allow the patient to check, when he wishes, the reason for the display of his data and, where appropriate, to ask for an explanation in this regard (finally enforcing what is established by art. 7 Italian Privacy Code, as regards, for instance, the Italian legal system).
There is a problematic point in the implementation of the EHR, which would
implement the logic of the data directly produced by the citizen-patient: Will the
professional actors of the system, particularly GPs, but also the stakeholders responsible
for HO, really trust these data?
This claim is known and understood: physicians are instinctively suspicious of data generated by a patient. They might be led to make mistakes by trusting inaccurate or untrue information; or they could be accused of wrongdoing if they decide not to take into account truthful data posted in the EHR (and therefore added to the body of available medical knowledge) directly by the patient.
The digital scenario is no different and cannot be dissociated from the dynamics of trust expressed in the real world. If a physician met a patient for the first time and was assailed with a mountain of documents showing a range of information on the patient's past medical history (analyses, personal annotations, prescriptions for medicines taken, etc.), it is plausible to think that the physician would not be led to place a particular degree of confidence in this information, provided by a person whom, at this early stage, he does not know. Very different is the level of trust when we have the interaction between a GP and (for instance) a chronic patient, who goes twice a week to the medical clinic, carries out daily self-measurements, and forwards them to his trusted physician. This type of interaction builds up a trusted relationship that can be easily translated into an interaction guaranteed by the digital infrastructure: this would surely lead to a more efficient and effective path of healing.
4. Self-determination Principle
The rationale which should characterize the operability of the informative structure of the EHR is the self-determination principle⁷. In this respect, the data subject should be able to choose, in full freedom, whether or not to constitute an EHR, without this choice in any way affecting access to the national health service, or having negative consequences for the possibility of medical benefits. It should also be ensured that health data can remain available only to the professional/medical body that drafted them, without necessarily being included in the EHR, and by preventing communication with other players in the system.
⁶ In the Italian legal system this is provided by the Italian Privacy Code cited above.
⁷ See art. 75 ff. Italian Privacy Code.
Therefore, the self-determination principle should imply that the person would also be given the freedom not to bring into the EHR some health information relating to individual clinical events, especially in the case of supersensitive data. The informative infrastructure should provide a mechanism fit to obscure the clinical event, which could be withdrawn over time. The modularization of the inclusion of health information within the EHR system and the choice of levels of data sharing create very difficult problems. The choice to obscure data, or to leave it uncertain, contrasts with the policies that characterize some EHR-like systems which are already operating at the regional and provincial level.
A practical solution could be to provide two categories of obscured data: data completely obscured, that is, information for which the patient explicitly asks for non-inclusion in the system; and a second category of data which could be collected in a reserved section, access to which is regulated directly by the patient (perhaps by giving his smart card to the professional to whom he wishes to grant access).
Another important point is to limit access by the qualified actors to only essential information. This means that, at least in theory, access to data should be driven by the real and tangible requirements of a patient's examination and treatment: access should be granted only to information related to the disease being treated⁸.
5. Consent
Consent to this additional health data processing plays a pivotal role⁹. It must necessarily be characterized by the following elements. Although it can be given together with the consent provided for data processing for care purposes, it must be autonomous, collected ad hoc, and specific to the EHR processing. This is a general consent to the EHR, given when data enter it, which does not exclude, but rather coexists with, a number of specific consents legitimizing the consultation of the EHR by individual data controllers (this feature must be duly incorporated within the platform).
The problem linked to the opportunity to specify what is established by art. 82 Italian Privacy Code remains to be evaluated. In cases of absolute necessity, dictated by the urgency of saving a person from an immediate threat to life, access must be granted to a designated person (identified by the system as belonging to a class of persons in charge) to "break the glass" and access the necessary data, even where the data subject has not yet expressed a willingness to permit access to his personal data. The system must be set to record all relevant data to ensure that the data subject will be able to know that the access occurred, and to verify ex post the legitimacy of the processing.
⁸ A possible criticism of this point could be that the proper diagnosis of a particular symptom/disease requires consideration of the entire person, not just the locally affected area of the body.
⁹ See for instance art. 81 Italian Privacy Code.
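The mechanisms described in sections 3 to 5 (access logging with patient notification, data obscured at the patient's request, access limited to the condition being treated, general and specific consents, and a logged break-the-glass path) can be modelled together. The following Python sketch is an added example, not the paper's or any EHR system's code; the classes, the patient, controller and record identifiers, and the sample records are constructed assumptions.

```python
"""Toy EHR access-control and audit model, added here as an illustration of sections 3-5
(not code from the paper). It encodes a general consent to the EHR plus per-controller
specific consents, patient-obscured data (excluded entirely, or held in a reserved section
the patient unlocks case by case), access limited to the condition being treated, a logged
"break the glass" emergency path, and an ex post audit view for the patient. All names,
identifiers and sample records are constructed for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Visibility(Enum):
    NORMAL = "normal"      # shared through the EHR under the usual checks
    RESERVED = "reserved"  # reserved section: the patient unlocks it (e.g. hands over his smart card)
    EXCLUDED = "excluded"  # patient asked for non-inclusion: never served, not even in an emergency


@dataclass
class Record:
    record_id: str
    condition: str   # condition the record relates to
    author: str      # data controller that generated it, e.g. "hospital-A"
    visibility: Visibility = Visibility.NORMAL


@dataclass
class AccessRequest:
    actor: str
    controller: str          # organisation the actor acts for
    purpose_condition: str   # condition currently being treated
    emergency: bool = False
    patient_unlocked: bool = False   # patient unlocked the reserved section for this access


@dataclass
class PatientEHR:
    patient_id: str
    general_consent: bool                                # consent to constitute the EHR at all
    specific_consents: set = field(default_factory=set)  # controllers allowed to consult it
    records: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)        # (when, actor, controller, id, outcome, reason)
    notifications: list = field(default_factory=list)    # alerts the patient would receive

    def _decide(self, req, record_id, outcome, reason):
        """Every decision is logged; every disclosure also alerts the patient (e.g. by e-mail)."""
        self.audit_log.append((datetime.now(timezone.utc).isoformat(), req.actor,
                               req.controller, record_id, outcome, reason))
        if outcome != "denied":
            self.notifications.append(f"{req.actor} ({req.controller}) accessed {record_id}: {reason}")
        return outcome

    def request(self, req, record_id):
        """Return (outcome, record): outcome is "granted", "emergency" or "denied"."""
        rec = next((r for r in self.records if r.record_id == record_id), None)
        if rec is None:
            return self._decide(req, record_id, "denied", "no such record"), None
        if rec.visibility is Visibility.EXCLUDED:
            return self._decide(req, record_id, "denied", "patient excluded this data"), None
        if req.emergency:  # break the glass: no consent required, but recorded for ex post review
            return self._decide(req, record_id, "emergency", "break-the-glass access"), rec
        if rec.author != req.controller:  # the body that drafted the data keeps access to it
            if not self.general_consent:
                return self._decide(req, record_id, "denied", "no general consent to the EHR"), None
            if req.controller not in self.specific_consents:
                return self._decide(req, record_id, "denied", "no specific consent for controller"), None
        if rec.condition != req.purpose_condition:
            return self._decide(req, record_id, "denied", "unrelated to the condition treated"), None
        if rec.visibility is Visibility.RESERVED and not req.patient_unlocked:
            return self._decide(req, record_id, "denied", "reserved section not unlocked"), None
        return self._decide(req, record_id, "granted", "consent, purpose and visibility checks passed"), rec

    def audit(self, outcome):
        """Ex post view for the patient: who obtained which record under a given outcome."""
        return [(e[1], e[3]) for e in self.audit_log if e[4] == outcome]


def build_sample_ehr():
    """Constructed sample: one patient, two controllers, three records."""
    ehr = PatientEHR("patient-0001", general_consent=True, specific_consents={"hospital-A"})
    ehr.records += [
        Record("rec-1", "diabetes", "hospital-A"),
        Record("rec-2", "diabetes", "gp-rossi", Visibility.RESERVED),
        Record("rec-3", "psychiatric", "hospital-A", Visibility.EXCLUDED),
    ]
    return ehr


if __name__ == "__main__":
    ehr = build_sample_ehr()
    routine = AccessRequest("dr-bianchi", "hospital-A", "diabetes")
    print(ehr.request(routine, "rec-1")[0])   # granted
    print(ehr.request(routine, "rec-2")[0])   # denied: reserved section not unlocked
    print(ehr.request(AccessRequest("er-nurse", "hospital-B", "trauma", emergency=True), "rec-1")[0])
    print(ehr.audit("emergency"), ehr.notifications, sep="\n")
```

Note that the excluded record is refused even on the emergency path, while every emergency access lands in both the audit log and the patient's notifications, which is what makes the ex post verification the text calls for possible.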
6. Access to EHR system, Data Controllers and Data Processors
The data controller of this new health data processing is the HO or the GP where
data has been generated, as suggested by the Italian Privacy Authority.
The data controller is responsible for organizing the entire processing: for this reason it appears to be the main recipient of the responsibility and the penalties prescribed by the law on the processing of personal data. The person who fills the role of data controller must be the one who makes the choices about the material processing of the data: the type of data to be collected and recorded, the amount of data to be acquired, the retention time of the data in relation to the purpose, the sources from which to draw, updates, etc. Article 28 of the Italian Privacy Code has clarified that: "Whenever processing operations are carried out by a legal person, a public administrative agency or any other body, association or organisation, the data controller shall be either the entity as a whole or the department or peripheral unit having fully autonomous decision-making powers in respect of purposes and mechanisms of said processing operations as also related to security matters". Thus, the main characteristic is represented by the autonomous power of decision-making in relation to the purposes of the processing, the operating choices, the tools to use, etc.¹⁰
We have the particular case of co-data controllers on the same processing (co-titolarità), when the choices on purpose, method, tools and security measures for the processing are shared by multiple subjects. The Italian Privacy Code recognizes this possibility, despite the European Directive indicating the choice of a sole data controller. This issue may represent a crucial point in building up a digital infrastructure fit to manage health data.
The concept of co-data controllership in the EHR should be considered in parallel with the concept of data processor (responsabile del trattamento), which identifies an optional figure in the data processing, selected by the data controller in the light of organizational considerations among entities that "can appropriately ensure, on account of their experience, capabilities and reliability, thorough compliance with the provisions in force applying to processing as also related to security matters" (art. 29, co. 2, Italian Privacy Code). Its tasks are specified in detail by the data controller (art. 29, co. 4, Italian Privacy Code).
¹⁰ See F. GARRI, I soggetti che effettuano il trattamento: il titolare, il responsabile e l'incaricato, in G. SANTANIELLO (ed.), La protezione dei dati personali, in G. SANTANIELLO (ed.), Trattato di diritto amministrativo, vol. XXXVI, Padova, 2005, 131-166; C. DI COCCO, Soggetti che effettuano il trattamento (Parte I Titolo IV), in J. MONDUCCI, G. SARTOR (eds.), Il codice in materia di protezione dei dati personali, Padova, 2004, 119-156.
The relationship between data controller and data processor has two phases. The first of these, the deployment phase, concerns the selection of the entity to be designated as processor. This decision falls within the discretion of the data controller. If, however, the delegation includes the performance of some functions, it is certainly tied to other criteria, such as the experience, capability and reliability which the appointee must have (see art. 29 Privacy Code). The second phase concerns the fact that the data controller is also obliged to supervise the data processor. Remember that the obligations of supervision and control are also functional to the identification of potential liability with respect to the processing.
The legal structure should reflect the technical and organizational system which characterizes the EHR. According to the Working Document, there are different methods of storage and management of data:
a. so-called decentralized storage: medical files are kept by the health professionals, who are obliged to record information about the care of patients; within this complex structure it could be necessary to identify a central body responsible for managing and controlling the whole system and for ensuring its compatibility with data protection regulation;
b. so-called centralized storage: medical staff transfer records to a central EHR system; this system ensures a greater level of safety and availability, as there is only one person responsible for the whole system;
c. storage under the control of the data subject: allows the patient to manage his medical records, providing the ability to store his health data as part of a special on-line service directly under his control (see the system developed in France); it represents a better solution in terms of self-determination, but presents some problems with respect to the accuracy and completeness of the documentation, if there is no corrective action by the medical staff.
The traditional approach to patient EHR management is not generally characterized by the deployment of a common database: each entity remains the data controller of the processing it performs (at collection), while communicating a large part of these data to other controllers within the network. Each of them is an autonomous controller of the processing.
Otherwise, the hypothesis of identifying a single data processor, appointed by the various data controllers involved to manage the EHR, is a solution that, while making access to the data and the system easier for the patient, presents significant weaknesses in terms of the effectiveness of the fiduciary relationship between the individual and all the responsible controllers of the EHR. The latter would have to arrange for a standardized appointment, thus depleting the safeguards contained in the privacy regulation.
7. Data Communication to data subject: art. 84 Italian Privacy Code
The idea of an EHR that the patient can access via computer to consult the records concerning him reflects a feature already present, at the implementation level, in many regional experiences. With the emergence of the Internet, several HOs have begun providing this new service to their citizens.
From the point of view of the data subject, access to the EHR should be allowed under the cautions established by art. 84 Italian Privacy Code, which provides for a filter, represented by a physician or a health care professional, in the communication of health data between the data themselves and the patient. The issue deserves further study. On this matter we find some interesting suggestions at Community level. The Recommendation of 2 July 2008 on cross-border interoperability of electronic health record systems states in recital 3: "Electronic health record systems have the potential to achieve greater quality and security in health information than the traditional forms of health records. Interoperability of electronic health record systems should make access easier, and enhance the quality and safety of patient care throughout the Community by providing patients and health professionals with relevant and up-to-date information while ensuring the highest standards of protection of personal data and confidentiality". Below there is another statement, at point 14, lett. h): [this legal framework is designed in particular to:] "ensure that patients are fully informed on the nature of the data and the structure of the electronic health record containing them. Patients should have alternative (conventional) means to access personal data concerning health related to him or her. In this context it is important to ensure that information provided to data subjects uses language and a layout that is easy to understand and is given in an appropriate manner to persons with special needs (e.g. children or elderly persons)".
The pivotal point of the system must be respect for self-determination: the decision of a patient on how and when to use data concerning him should play a key role as an important guarantee. Let's start the analysis with the positive law in the Italian legal system: art. 84 Privacy Code, entitled "Data Communication to data subject", states: "1. Personal data disclosing health may be communicated by health care professionals and health care bodies either to the data subject or to the entities referred to in Section 82(2), letter a), only by the agency of a physician who must have been designated either by the data subject or by the data controller. This paragraph shall not apply to the personal data that had been provided previously by said data subject. 2. The data controller or processor may authorise, in writing, health care professionals other than physicians who, to fulfil their respective duties, have direct contacts with patients and are in charge of processing personal data disclosing health, to communicate said data either to data subjects or to the entities referred to in Section 82(2), letter a). The instrument by which said task is conferred shall set out adequate arrangements and precautions having regard to the context within which the data are to be processed".
There must, therefore, be an intermediary between data and data subject, in order to satisfy, on the one hand, the need to facilitate the understanding of clinical data by the patient, and on the other hand, to filter the information obtained so that it is communicated in a form compliant with the principles governing the therapeutic relationship between physician and patient.
Art. 84, read in close connection with articles 1 and 2, co. 1, Privacy Code (which prove the existence of a new subjective position in relation to the processing of personal data), gives a particular qualification to the information arising from the relationship of care, recognizing in the physician a sort of "therapeutic privilege". Under this principle, the latter would have the right not to reveal certain aspects of a diagnostic or prognostic character capable of undermining the purpose of the treatment.
From the perspective of building up an architecture that focuses its attention on the
access to health data by the patient, this kind of regulation raises many kinds of application
problems, including the introduction of an additional obstacle in designing a platform that
would bring the citizen closer to the health service.
The physician cannot serve as a mere vehicle for the mechanical transmission of data:
the rationale of the provision is that the patient is given an explanation, although synthetic,
profiled on his psycho-physical conditions. The principle is satisfied only if the person is
able to easily understand the meaning of the data.
This requirement does not appear to be an insuperable implementation obstacle.
First of all, the communication between physician and data subject should not necessarily
be direct, it being already possible to delegate to a friend or a relative the power to confer
with the physician or read the notices. This observation allows us to discard the hypothesis that the rule necessarily requires, for example, a computer tool that could attest that the physician is on-line at the same time as the patient accesses the data.
We could then think of a platform that makes health data accessible to the patient only once the record has been attached to the communication in which the physician, acting as a filter, interprets those data. Indeed, prior viewing of this text could be required before access to the medical information is granted.
As an alternative to the solution proposed, and in response to possible resistance from the medical staff (especially on the part of the GP, who could refuse to be burdened with additional tasks), we can envisage an information structure that, as soon as the patient tries to access the contents of the first communication, creates an automatic alert (a pop-up of sorts) making the patient aware of the need to go to his GP to receive additional information on the raw data (the same happens today when a paper envelope bearing the word "doctor", and containing the results of laboratory tests the patient has undergone, is delivered to the data subject). This warning display, which could be followed by an acceptance screen in which the patient declares to have understood the warning about the need to obtain an interpretation of the data relating to him from his doctor, has a dual maieutic purpose: first, the patient would be reminded that he is not in a position to analyze and understand the meaning of (raw) health data relating to him; second, it would promote the practice of explaining clinical events, which is in practice unfortunately not always so accurate.
Within the EHR, we could circumscribe the data that really need this filter, separating them from those the user can access directly, either because they are already known to him (the rationale of the provision applies only to the patient's first cognitive access to data concerning him) or because he provided them directly (i.e. information collected from the patient and reported by the professional in the EHR)11.
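As an added illustration of the filter just described (example code written for this edit, not part of the paper or of any real EHR platform): records are classified as needing the physician's filter or not, a filtered record is released only after the patient has viewed and acknowledged the interpretation text (or, where none has been written yet, the warning to consult the GP), and the gate applies only to the first access, after which the data are known to the patient and released directly. All record contents, identifiers and the warning wording are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Record:
    record_id: str
    content: str                  # raw clinical data (constructed sample text)
    origin: str                   # "professional" or "patient"
    needs_interpretation: bool    # data whose first reading calls for the physician filter
    interpretation: Optional[str] = None  # physician's explanatory note, once written


def needs_filter(rec: Record) -> bool:
    """Data the patient supplied himself, or that needs no interpretation,
    is released directly; only professional clinical data is filtered."""
    return rec.origin == "professional" and rec.needs_interpretation


class PatientPortal:
    # Shown when no physician interpretation is attached yet (the pop-up alternative).
    WARNING = ("These results have not yet been explained by your doctor. "
               "Please see your GP before reading the raw data.")

    def __init__(self, records):
        self.records = {r.record_id: r for r in records}
        self.shown = set()         # filter text displayed at least once
        self.acknowledged = set()  # patient declared having understood it

    def access(self, record_id: str) -> dict:
        rec = self.records[record_id]
        # Direct access: no filter needed, or the first cognitive access was already made.
        if not needs_filter(rec) or record_id in self.acknowledged:
            return {"status": "released", "content": rec.content}
        self.shown.add(record_id)
        if rec.interpretation is not None:
            # Physician-filter variant: the interpretation is read before the raw data.
            return {"status": "interpretation_required", "text": rec.interpretation}
        # Alert variant: the patient is told to consult the GP for an explanation.
        return {"status": "warning", "text": self.WARNING}

    def acknowledge(self, record_id: str) -> None:
        """Acceptance screen: the patient confirms having read the filter text.
        Only valid once that text has actually been shown."""
        if record_id not in self.shown:
            raise PermissionError("filter text must be viewed before acknowledging")
        self.acknowledged.add(record_id)


def build_demo_portal() -> PatientPortal:
    """Constructed sample records, not real clinical data."""
    return PatientPortal([
        Record("lab-001", "Hb 13.9 g/dL; WBC 6.1 x10^9/L", "professional", True,
               interpretation="Blood count within the expected range; no action needed."),
        Record("diag-002", "Imaging report: findings pending discussion", "professional", True),
        Record("self-003", "Home blood pressure 125/80", "patient", True),
        Record("adm-004", "Next appointment: 14 May, 10:30", "professional", False),
    ])
```

The `shown` set is what makes the acceptance screen meaningful: an acknowledgement can only be recorded for a record whose filter text the portal has actually displayed, so the "prior viewing" requirement cannot be bypassed by calling the acceptance step directly.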
9. Security Measures
The sensitivity of the personal data processed by an EHR requires the adoption of specific technical measures to ensure appropriate levels of security (art. 31 Italian Privacy Code), in addition to the minimum measures that each data controller must take under the Code (articles 33 ff. Privacy Code). Given the quality of the data that an EHR system processes, it is clear that security aspects are crucial, especially in order to create the right level of confidence in the operators and users of the platform.
Reading the regulatory framework together with the LG (Guidelines) of the Italian Privacy Authority, the EHR should ensure: a) a suitable authentication and authorization system for the persons in charge, depending on their roles and on the requirements for access and processing; b) procedures for the periodic review of the quality and consistency of the authentication credentials and authorization profiles assigned to the persons in charge; c) identification of criteria for the encryption, or the separation from other personal data, of data suited to reveal the state of health and sex life; d) traceability of access and of the operations carried out; e) audit log systems in order to monitor access to the database and to detect any anomalies.
The adoption of a safe authentication system represents a crucial point in the future of EHR. The Working Document, cited below, deals with "Identification and authentication of patients and health care professionals" and stresses that "reliable identification of patients in EHR systems is of crucial importance. If health data were used which relate to the wrong person as a result of incorrect identification of a patient the consequences would in many cases be detrimental"; and, further on, "the special sensitivity of health data requires that no access is possible for unauthorized persons. Reliable access control depends on reliable identification and authentication. This makes it necessary to uniquely identify and also properly authenticate users". The solution proposed by the Working Document is the use of smart cards, which provide a high level of reliability and security: "Health cards on smart card basis could contribute significantly to a proper electronic identification of patients and also to their authentication if they want to access their own EHR data".
11 On 25 June 2009 the Italian Privacy Authority enacted a General Provision on on-line communication in order to partially regulate this problematic matter: Provvedimento a carattere generale 25 giugno 2009: Linee guida in tema di referti on-line, 25 giugno 2009.
Information systems include the use of devices for verifying the digital identity of users (authentication) before authorizing access to resources in the various domains that make up the system. In our case it would therefore be helpful to provide citizens, in addition to login and password, with a smart card. In the Italian context this could be the repeatedly promised but never fully implemented Electronic Identity Card (Carta d'Identità Elettronica - CIE), a card with a microchip that has the same characteristics as the real, visible identification document, together with physical security features (optical band, holograms, photo of the holder); the National Service Card (Carta Nazionale dei Servizi - CNS), a chip card that lacks the physical security features of the CIE but offers similar functions; or finally the Regional Services Card (Carta Regionale dei Servizi - CRS).
10. A comparative interlude
E-health is an important innovation that can improve access to healthcare and
boost the quality and effectiveness of the services offered.
The European Community has promoted research programs in support of e-Health
for fifteen years. Many results of these efforts have been tested and put into practice;
Europe is therefore in a dominant position in the use of electronic health records for
health care.
A trend strengthening the role of the citizen-patient is becoming increasingly important. As noted in the White Paper "Together for health: A strategic approach for the period 2008-2013" (Brussels, 23 October 2007), the participation of citizens is a fundamental value. Health care is increasingly oriented toward the patient, who is becoming an active player rather than a mere object of care. He must be able to participate in decision-making, exert influence at that level, and acquire the necessary skills (the so-called health literacy). The Italian National Health Plan 2006-08 likewise stresses the importance of promoting the various forms of citizen participation, particularly through the involvement of patients' and family associations. The citizen is, therefore, recognized as having an increasingly active role in the management of his health and processes of care.
The EHR aims to foster coordination, quality and continuity of care through better information and communication among physicians, and between physicians and patients. The Action Plan for a European e-Health aims to agree uniform standards between the Member States for the identification of patients and to define standards for the interoperability of national systems, in order to facilitate the exchange of electronic health files.
In order to carry out a comparative analysis that points out useful principles for the development of an EHR system, we must look at the implementation of other projects within the European Community, and in particular at two important instances: the French and English experiences.
10.1 The French model: Dossier Médical Personnel
France has a highly centralized system: the majority of political and administrative
authorities are located in Paris. Since 1982, however, a trend toward decentralization began,
which led to the delegation of powers to the regions. The population of France is
approximately 62 million inhabitants. The health care system is pluralistic: private and
public bodies co-exist. Patients choose their GPs and have free access to different types of
hospitals12.
The e-Health projects are developed by different actors, both regionally and locally. At the national level a mapping of all of these initiatives has been carried out. Among these, the following are of significant interest:
- SESAM-Vitale: introduced at the end of the nineties, it interconnects more than 223,000 healthcare professionals in the National Health System for the benefit of more than 48 million beneficiaries. The system is based on three elements:
  - Carte Vitale, a chip card that contains simple administrative information (the insured person's health-insurance details and any beneficiaries), recently replaced by the new Vitale 2;
  - Carte de Professionnel de Santé (CPS), a microprocessor smart card used by GPs, created in 1993 (later expanded through the Ordonnances Juppé of April 1996 to organize a secure infrastructure for electronic health information systems); its features include identification, authentication and electronic signature of health personnel;
  - Réseau santé social (RSS), the health network capable of distributing data streams and encouraging communication between health professionals and health insurance funds.
- Health Web-site (www.sante.fr), developed under the direction of the Directorate General of the Ministry of Health, whose principal objective is the promotion of information from the public agencies with regard to public health issues;
- Different applications and platforms in the field of telemedicine are already used in some regional experiences; at the national level we find the Dossier Médical Personnel (DMP), which will be analyzed in much more detail.
12 As references for this part, see EHR IMPLEMENT, WP5 National reports of EHR implementation: France, 28 May 2009, available at: ; E-HEALTH ERA, Fact sheet France, March 2007, available at: ; EUSER, eHealth Country Brief: France, 2005, available at: ; V. PEIGNÉ, Il trattamento dei dati sanitari in Italia e Francia tra convergenze e divergenze, in Diritto dell'Internet, 2008, 296; M. GAGNEUX, Pour un dossier patient virtuel et partagé et une stratégie nationale des systèmes d'information de santé, 23 April 2008, available at: .
The DMP is an ambitious project started in 2004 with Law No 2004-810 of 13 August 2004 on Assurance maladie (the DMP is provided for in art. L. 161-36-1 of the Code de la Sécurité sociale)13. The reform did not meet its deadline (July 1, 2004), owing to the size of a project that affects 60 million patients and because computerization among health professionals was not yet widespread. To date the project is still not fully completed.
The purpose of data processing carried out by the DMP consists in ensuring better
coordination, quality and continuity of health service. Another purpose, more of a political
nature, is obviously to reduce healthcare expenditures.
The DMP consists of a storage system for the health data of each beneficiary of the compulsory health insurance system. It is under the direct control of the patient. It contains:
- data that allow the identification of the patient (name, surname, date of birth, login for the opening and operation of the files) and information identifying the professional;
- general practitioner data (previous medical history, specialist consultations, allergies, vaccinations, etc.);
- data on treatment (results of examinations, records of preventive and therapeutic measures, ongoing illnesses, treatments in progress, etc.);
- data on prevention (individual risk factors, reports, quotes, etc.);
- data on clinical findings (radiography, scanner).
13 See the Web-site: .
The inclusion of new data, and their amendment or deletion, is subject to the consent of the patient. Health care workers access the system through the simultaneous use of two smart cards: the CPS and the Vitale 2. For personal use, patients access the DMP via the Internet through the national portal, where access is managed by login and password. Information is entered into the system only by authorized health care professionals. Each piece of information is dated and signed, and its author identified. There is also a special section devoted to information that the patient can add about his health (all documents are marked using the IHE-XDS standard).
Data retention is supervised by the patient, who must choose a special service provider called hébergeur, which may be a natural person or a legal entity approved in advance through a process led by a special committee (of which there are currently six). The link between patient and hébergeur is regulated by an hébergement contract (the hébergeur has an obligation to ensure the security and confidentiality of the data in compliance with the provisions of the Act and is bound by professional secrecy).
The French legislature has provided a system of economic incentives for the creation and use of the DMP: reimbursement of medical acts and services by the national social security system is conditional on the patient accessing and completing the DMP (this "forced freedom" is subject to criticism and doubts at the constitutional level).
The patient who directly controls the DMP benefits from free access to all data via
Internet, even without the intervention of a health care professional. He also has access to
the system log files in order to know exactly who has accessed his data, which data has
been accessed, and when.
The patient's consent is required for accessing and administering the DMP (self-determination principle). We must however take into consideration that, in cases of emergency, a special procedure is provided, called Bris de glace (breaking of the glass), which allows access to the DMP when it is impossible for the patient to give consent. This represents an ex-post control, since the patient knows exactly who has accessed, when and why.
The patient does not have the capability to modify the medical content of the DMP (rectius, the data entered and signed by health professionals).
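The following Python sketch, added for this edit and not taken from the paper, the DMP or any real system, puts together the measures listed in section 9 (authorization by role, separation of identifying data from health data under a pseudonym, traceability of every access attempt in an audit log) with the DMP features just described: dated and authored entries, the patient's free access to his own data and to the access log, and a break-the-glass path that grants a reader outside the care team access only against a recorded reason that the patient can later see in his log. Role names, identifiers and sample entries are constructed; the digital signature on each entry is noted in a comment but not implemented.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
import secrets

# Operations each role may perform (authorization by role, measure a).
ROLE_PERMISSIONS = {
    "patient":   {"read_own", "read_own_log"},
    "physician": {"read_health", "write_health"},
    "clerk":     {"read_identity"},   # administrative staff never read health data
}


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class EHR:
    identity: dict = field(default_factory=dict)   # patient_id -> {"name", "pseudonym"}
    health: dict = field(default_factory=dict)     # pseudonym -> dated, authored entries
    care_team: dict = field(default_factory=dict)  # patient_id -> physicians in charge
    audit: list = field(default_factory=list)      # every attempt, allowed or denied (d, e)

    def _log(self, actor, role, action, patient_id, outcome, reason=None, emergency=False):
        self.audit.append({"ts": _now(), "actor": actor, "role": role, "action": action,
                           "patient": patient_id, "outcome": outcome,
                           "reason": reason, "emergency": emergency})

    def register(self, patient_id: str, name: str) -> None:
        # Separation (measure c): health entries are keyed by a random pseudonym;
        # only the identity table links them back to the person.
        pseudonym = secrets.token_hex(8)
        self.identity[patient_id] = {"name": name, "pseudonym": pseudonym}
        self.health[pseudonym] = []
        self.care_team[patient_id] = set()

    def _entries(self, patient_id):
        return self.health[self.identity[patient_id]["pseudonym"]]

    def write(self, actor, role, patient_id, text) -> bool:
        allowed = ("write_health" in ROLE_PERMISSIONS.get(role, set())
                   and actor in self.care_team[patient_id])
        if allowed:
            # Each entry is dated and its author identified (a production system
            # would add a digital signature here; omitted in this example).
            self._entries(patient_id).append({"ts": _now(), "author": actor, "text": text})
        self._log(actor, role, "write", patient_id, "ok" if allowed else "denied")
        return allowed

    def read(self, actor, role, patient_id, reason=None, emergency=False):
        perms = ROLE_PERMISSIONS.get(role, set())
        broke_glass = False
        if "read_own" in perms and actor == patient_id:
            allowed = True                  # the patient reads his own data
        elif "read_health" in perms and actor in self.care_team[patient_id]:
            allowed = True                  # physician in charge of the patient
        elif "read_health" in perms and emergency and reason:
            allowed = broke_glass = True    # break-the-glass: a reason is mandatory
        else:
            allowed = False                 # clerks, other patients, no reason given
        self._log(actor, role, "read", patient_id, "ok" if allowed else "denied",
                  reason, broke_glass)
        return list(self._entries(patient_id)) if allowed else None

    def own_log(self, actor: str, patient_id: str):
        """Ex-post control: the data subject sees who accessed his record, when and why."""
        if actor != patient_id:
            return None
        return [e for e in self.audit if e["patient"] == patient_id]


def build_demo() -> EHR:
    """Constructed sample data, not from any real system."""
    ehr = EHR()
    ehr.register("p1", "Sample Patient One")
    ehr.register("p2", "Sample Patient Two")
    ehr.care_team["p1"].add("dr-a")
    ehr.write("dr-a", "physician", "p1", "Annual check-up: no findings")
    return ehr
```

Two design points matter here: denied attempts are logged exactly like successful ones, so the audit trail (measure e) shows probing as well as use; and the break-the-glass entry carries the reason and an emergency flag, so the patient reading his own log can distinguish ordinary care-team access from exceptional access.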
The patient has the right to masquage: the right to withhold, even temporarily, access to information. This right is adjusted to the reality of the doctor-patient relationship and takes into account the fact that the patient reveals information in proportion to the degree of his confidence: the more confidence, the more detailed the information. This possibility has raised many criticisms. Health care professionals claim that they could not be held responsible for the fact that it was not the correct procedure or
- NHS Care Record Service (NHS CRS): an electronic medical file, which would improve the exchange of patient data within the NHS and give patients access to their health data16;
- Choose and Book: a national service that, for the first time, provides the opportunity to make reservations, choosing the facility, date and time of a hospital appointment (first outpatient appointments). It revolutionises the current booking system. Various studies in this area have shown that patients want to be more involved in decision making and to be able to choose their processes of care. The majority of patients who have been offered this new option have reacted positively. Since summer 2004, the Choose and Book service has been introduced across England. From January 2006, all patients requiring the booking of an appointment have a choice of at least four service providers;
- Electronic Prescription Service: a system for the electronic transmission of prescriptions that makes it possible to generate, transmit and receive electronic prescriptions. The prescription is sent electronically from the prescriber to the provider (pharmacist), and finally to the State for payment purposes. Since 2007, all GPs and pharmacists have access to the system;
- N3: the NHS National Network, which ensures a safe and reliable network infrastructure connecting all organizations belonging to the English NHS. This high-speed network obviously strengthens all the other services offered by the NHS;
- Picture Archiving and Communications System: a service that allows one to electronically store and display radiographic images on screen. As planned, it has been available since 31 March 2007.
The NHS CRS will be introduced gradually, step by step, across England. The process started in 2007 and will take several years. When the system is running at full capacity, it will allow the HO to store medical information on an interconnected digital infrastructure. This will give medical staff faster access to information in a secure manner. The patients themselves will have access to their essential health information. The NHS CRS will be able to connect more than 30 thousand medical professionals and 270 health service trusts through a single, secure national system. The infrastructure consists of two elements: the detailed data (collected and stored locally), and the Summary Care Record (maintained at the national level).
16 This project will be analyzed in more detail below. See the Web-site: .
capabilities allowed for by digital technologies, in the health field the user-patient is encouraged to acquire a kind of computer literacy and to become a leading actor in the processes of care and curative options concerning him. The big challenge for these EHR systems is to be able to give expression to this need by coordinating and incorporating within the infrastructure those legal principles that guarantee the integrity and the freedom of individuals.
There is rarely a serious understanding of the significance of this epochal change in all its facets. One of the crucial aspects of this innovation is never fully addressed: the weight and value that health professionals will give to the data entered in the system, by virtue of a legal infrastructure still to be built. Interpersonal relations are increasingly driven by electronic infrastructures, even in healthcare. Dealing with this issue with maturity and vision means facing up to all its possible facets and ensuring a technical, organizational and legal system intended for its full development.
The advent of a specific regulation aimed at establishing reinforced protection for health data processed through EHR systems marks a turning point in the arduous process of developing e-Health. This is a moment of crucial importance, since the legal definition of EHR will shape the scope of a series of tasks and measures through which the rights of the citizen-patient-data subject will be protected.
The definition of EHR, whatever form it finally takes, will surely have a big impact on the development of e-Health. It inevitably assumes the adoption of a conceptual model which, for the sole purpose of improving the care of the patient, considers the relationship between information, the person to whom this information relates, and the people who process this information for the purpose just mentioned. This suggests the need for great caution in making this delicate and defining transition.