8/8/2019 SSRN-id1528461

1/20Electronic copy available at: http://ssrn.com/abstract=1528461

1

ELECTRONIC HEALTH RECORDS:

PRIVACY AND SECURITYISSUES IN ACOMPARATIVEPERSPECTIVE*

Paolo Guarda

(paolo.guarda@unitn.it)

1. Introduction

Before the digital age, health data processing was not such a problematic issue. It

was based on a strictly fiduciary relationship between the patient (rectius: data subject) and

the physician, who in most cases was the so-called General Practitioner (GP). Everything

was then set on paper, if not simply spoken.

The advent and widespread diffusion of computers has led to an upsurge ofnew

problems and demand for protection. Digital technology has provided the extraordinary

ability to access large amounts of aggregated data very quickly, but on the other hand it has

also made possible the creation of big databases to which more and more people even if

limited in number and specifically identified - may have access. This has greatly increased

the risks associated with the treatment of these data, their unlawful circulation anddissemination, the capability to affect the dignity, and the fundamental freedoms and rights

of the individual data subject1.

For these reasons, the European legislator - with the famed Directives 95/46/EC

(protection of individuals with regard to the processing of personal data and on the free

movement of such data) and 2002/58/EC (the processing of data personal and the

protection of privacy in the electronic communications sector) - intervened, devoting to

the problem of health data processing an ad hocregulation, thus highlighting the specificity

and the dangers that the operations relating to this particular category of data may show2.

* Version 1.0 December 2009 2009 by Paolo Guarda Creative Commons Attribution-Noncommercial-No derivative works 2.5 Italy. More information at:.

1 With respect to telemedicine issues, see U. IZZO, Medicina e diritto nellera digitale: i problemi giuridici dellacibermedicina, in Danno e responsabilit, 2000, 807; G. CANGELOSI, I servizi pubblici sanitari: prospettive e problematichedella telemedicina, in Dir. famiglia, 2007, 431; A.SINHA,An Overview of Telemedicine: The Virtual Gaze of Health Carein the Next Century, inMedical Anthropology Quarterly, New Series, vol. 14, n. 3 (Sep., 2000), 291-309, available at:.

2

As regarding data protection regulation in general, see L.A. BYGRAVE, Data Protection Law. Approaching ItsRationale, Logic and Limits, The Hague London - New York, 2002; P. GUARDA.,Data Protection, Information

8/8/2019 SSRN-id1528461

2/20Electronic copy available at: http://ssrn.com/abstract=1528461

2

At the national level, Italian legislator (at art. 4, co. 1, lett. d) of Legislative Decree

30 June 2003, n. 196 (Code for protection of personal data hereinafter: Privacy Code)

defines so called sensitive data as follows: personal data allowing the disclosure of racial or ethnic

origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions,

associations or organizations of a religious, philosophical, political or trade-unionist character, as well as

personal data disclosing health and sex life. In order to process such kind of information a

stricter and more protective discipline has been provided, since their collection,

communication and dissemination may present the data subject to which they pertain with

several serious risks of discrimination3.

The so-called Electronic Health Record (hereinafter, EHR) represents a pivotal

moment in the digitalization of health data processing. The definition of this new legal

concept, which has encountered many difficulties, consists of two basic elements: themoment of storage, by means of the digital technologies, of all the data and information

that until now had been collected and managed on paper; and the moment of sharing of

data collected by all the actors of the system, entitled to their communication and

processing4.

Unlike the traditional electronic platforms of health data management, which

Privacy, and Security Measures: an Essay on the European and the Italian Legal Frameworks, in Ciberspazio e dir.,2008,65-92(available at: ).

3 With respect to health data processing in the Italian legal system, see G. BUTTARELLI, Banche dati e tuteladella riservatezza. La privacy nella Societ dellInformazione, Milano, 1997; F. CAGGIA, Il trattamento dei dati sulla salute,con particolare riferimento allambito sanitario, in V. CUFFARO, R. DORAZIO,V. RICCIUTO (eds.), Il codice deltrattamento dei dati personali, Torino, 2007, 405; G. FINOCCHIARO, Il trattamento dei dati sanitari: alcune riflessionicritiche a dieci anni dallentrata in vigore del Codice in materia di protezione dei dati personali, in G.F.FERRARI (ed.), Lalegge sulla privacy dieci anni dopo, Milano, 2008, 207 220; E. PALMERINI, Commento allart. 84, in C.M.BIANCA,F.D. BUSNELLI (eds.), La protezione dei dati personali. Commentario al D. Lgs. 30 giugno 2003, n. 196 (CodicePrivacy), II, Padova, 2007, 1303; S. VICIANI., Brevi osservazioni sul trattamento dei dati interenti la salute e la vitasessuale in ambito sanitario, in Riv. crit. dir. priv., 2007, 315. An old, but very interesting, essay on health data andprivacy by an economic analysis perspective in P.M. SCHWARTZ, Privacy and the Economics of Health CareInformation, 76 Tex. L. Rev. 1 (1997).

4 See in general A.M. FROOMKIN, Forced Sharing of Patient-Controlled Health Records, Working Paper, 2008,available at: ; N.P. TERRY, L.P.FRANCIS, Ensuring the Privacy and Confidentiality of Electronic Health Records, 2007 U. Ill. L. Rev. 681 (2007); M.A.HALL, Property, Privacy and the Pursuit of Integrated Electronic Medical Records, Legal Studies Paper No. 1334963,2009, available at: ; A.M. FROOMKIN, The New Health Information

Architecture: Copying with he Privacy Implications of the Personal Health Records Revolution, UM ELSI Group forProject HealthDesign (2008), available at the Web-site:; S. HOFFMAN,A. PODGURSKI, InSickness, Health, and Cyberspace: Protecting the Security of Electronic Private Health Information, Working Paper 06-15,September 2006, available at the Web-site: ;P. D. JACOBSON, Medical Records and HIPAA: Is It Too Late to Protect Privacy?, 86 Minn. L. Rev. 1497 (2002);N.P. TERRY, Personal Health Records: Directing More Costs and Risks to Consumers, Working Paper, August 2008,available at: . For a further analysis withrespect to the incorporation of privacy legal principles into digital architecture see P. G UARDA, N.ZANNONE.,Towards the Development of Privacy-Aware Systems, in Information and Software Technology, vol.51,2009,

337-350.

8/8/2019 SSRN-id1528461

3/20

3

privilege the role of health-service providers and give the patient a very marginal and

limited role, the new approach underlying the concept of EHR is characterized by the

patient becoming the crucial point of the informationmanagement system. From this point

of view, any interaction between the patient and the new system involves the creation ofnew data. The first e-health data revolution - the introduction of information technology

and Electronic Health Records (EHRs) concerned the digitizing and rationalization of

the flow of data. The second step is represented by the so called Personal Health Record

(PHR): patients will increasingly create health data (or links to other data) without the

intermediation of any qualified person5.

At the international level we found several documents that are pushing the

implementation of EHR. Above all, we must cite the Working Document on the processing of

personal data relating to health in electronic health records (EHR) adopted on 15 February 2007 bythe Working Group Party on the Protection of individuals with regard to the Processing

of Personal Data (hereinafter: Working Document). This document aims to provide

guidance on the interpretation of the applicable legal framework of data protection for

EHR systems and to establish some general principles. It also aims at setting out the data

protection preconditions for establishing a nation-wide EHR system, as well as the

applicable safeguards. A definition of this new instrument has been proposed by the

already mentioned Working Group: A comprehensive medical record or similar documentation of

the past and present physical and mental state of health of an individual in electronic form and providing for

ready availability of these data for medical treatment and other closely related purposes.

Also the Italian Garante per la protezione dei dati personali (hereinafter: Privacy

Authority) enacted by a General Provision some guidelines on the implementation of an

EHR system (Provvedimento a carattere generale 16 luglio 2009 del Garante per la protezione dei dati

personali - Linee guida in tema di Fascicolo sanitario elettronico (Fse) e di dossier sanitario) (hereinafter:

LG). This document follows a public consultation on a previous provision.

I will focus on the main problematic issues of the implementation of EHR systems,

as they arise through reading Italian Privacy Authority LG. Then, many issues will be taken

into consideration: scope of a EHR system, responsibilities and expectations with respect

to data entered, self-determination principle, consent, access to EHR, data controllers and

data processors, data communication to data subject (art. 84 Privacy Code), and Security

Measures. In the final part, a comparative analysis will be provided with the English and

the French e-health systems.

5 See R. CUSHMAN, PHRs and the Next HIPAA, 2008, available at:

; ID., Primer: Authentication of identity(with application to PHRs/PHAs), available at:

.

8/8/2019 SSRN-id1528461

4/20

4

2. Scope of an EHR system

Until recently, the Italian legal system lacked a national definition of EHR. The

definition that was conventionally used is provided by the Working Document, where itdescribes EHR as A comprehensive medical record or similar documentation of the past and present

physical and mental state of health of an individual in electronic form and providing for ready availability of

these data for medical treatment and other closely related purposes.

Starting at this point, the Italian Privacy Authority provides in the LG the following

definition of EHR (Fascicolo sanitario elettronico): health data originated from several data

controllers working more frequently, but not exclusively, in the same geographical area. LG also

establishes a sub-categorization of the possible tools used to manage health data of a

patient. Then, we find the so called Dossier defined as an instrument consisting of a medical

body as the sole data controller (hospital or private hospital) in which most professionals work.

In the LG the EHR is designed solely as a tool for sharing computer data and

documents between healthcare organizations and health professionals. In the first

document submitted to consultation, the patient was not taken into account at all, neither

as a possible recipient of the data generated and stored relating to him, nor as a generator

of direct health information that always refers to his person. The final version presented

this option.

Actually, this concept, assuming the data stream that feeds the EHR can be

generated directly by the patient, does reflect an element of the health policy pursued inour country by local and state institutions responsible for the delivery of health services.

Indeed, it is not a secret that the National Health Plan 2006-008 indicates as a key objective

to promote the various forms of citizen participation, particularly through the involvement of patients and

family associations. The citizen is, therefore, recognized as an active player in managing his

health and care processes.

These kinds of considerations find their origin in the new challenges that developed

countries are facing: problems due to aging of the population, consequent increases in

chronic diseases, increasing costs of health services, increasing demand for high qualityhealth services, etc. It is therefore necessary that we rethink our models of health care,

focusing on the citizen.

The incoming flow of data [patient EHR] needs to be better analyzed. The patient

should be allowed to supply information pertaining to his own health conditions; this set of

data could be beneficial to professionals who interact with patient health history in order to

ensure the best possible care.

All of the information that the patient will provide to the system could be

conceptually defined as a dossier; the system has to clearly indicate that these data have

8/8/2019 SSRN-id1528461

5/20

5

been generated directly, and on a fully voluntary basis, by the citizen-patient. It is therefore

necessary to prefigure the possibility that the EHR could also contain this island composed

of supplied dynamic data that we can call a citizen dossier.

The scenario can be described as follows: the patient enters data relating to him inthe dossier, which should be placed in the EHR. Who is the data controller of this new

treatment? A possible solution can be represented by a situation of co-data controllers

among health organizations (hereinafter: HO) and the PG.

On the one hand, the HO provides the digital infrastructure and the service which

benefits the public. The mere fact that the data is stored on an infrastructure managed by

the HO, even without being accessed by any persons in charge of the treatment, gives the

HO the qualification of data controller.

On the other hand, the PG, as authorized and invested with a purpose of nursingand care taking, should be put in a position to access the data that his patient has loaded

into the EHR.

It is therefore imperative that the accepted definition of EHR will be designed in

such a way as to consider the possibility that the system could be composed of an island of

data generated by the citizen (in the future it could include data from some smart items,

set to detect a parameter of health and then automatically upload it into the citizen

dossier).

3. Responsibilities and expectations with respect to data entered into

EHR system

The need for a uniform mechanism to reconstruct the situations of accountability

with respect to the generation of each single data made available on the EHR must be

emphasized (I am referring to a tracking system by means of log files and digital documents

validated through electronic signatures).

It should be noted that an audit system, able to track user activity and to determine

ex postany responsibility, represents a key point of any future EHR system. Although theprobative value of the log file is the subject of debate, it is tempting to say that in this case

the technology offers a possibility to interpret the requirements of protection with a level

of effectiveness unattainable in the pre-digital era. A system capable of generating a

warning message (for example, via e-mail) that alerts the patient to the fact that his data has

been accessed, and by who, is far from chimerical (contrarily, it is rather easy to get from a

technological point of view).

This will represent a formidable tool of control for the patient ensuring that data

pertaining to him are always treated in accordance with the conditions of legitimacy

8/8/2019 SSRN-id1528461

6/20

6

provided by law (rectius, Privacy regulation6). The approach behind such a control would be

more practical and realistic with respect to the attempt to define ex anteonce and for all the

several access levels. Information regarding access will allow the patient to check, when he

wishes, the reason for the display of his data and, where appropriate, to ask for anexplanation in this regard (finally enforcing what is established by art. 7 Italian Privacy

Code, as regarding, for instance, the Italian legal system).

There is a problematic point in the implementation of the EHR, which would

implement the logic of the data directly produced by the citizen-patient: Will the

professional actors of the system, particularly GPs, but also the stakeholders responsible

for HO, really trust these data?

This claim is known and understood: physicians are instinctively suspicious of data

generated by a patient. They might be led to make mistakes by trusting inaccurate or untrueinformation; or they could be accused of wrong, if they decide to not take into account a

truthful data posted in the EHR (and therefore added to the availability of medical

knowledge) directly from the patient.

The digital scenario is not different and can not be dissociated from the dynamics

of trust which are expressed in the real world. If a physician met a patient for the first time

and was assailed with a mountain of documents showing a range of information on past

medical history of the patient (analysis, personal annotations, recipes for taken medicines,

etc.), it is plausible to think that the physician would not be led to place a particular degree

of confidence on this information provided by a person who - at this early stage - he does

not know. Very different is the level of trust when we have the interaction between a GP

and(for instance) a chronic patient, who goes twice a week to the medical clinic, carries out

daily self-measures, and forwards them to his trusted physician. This type of interaction

builds up a trusted relationship that can be easily translated into an interaction guaranteed

by the digital infrastructure: this would surely lead to a more efficient and effective path of

healing.

4. Self-determination Principle

The rationale which should characterize the operability of the informative structure

of the EHR is the self-determination principle7. In this respect, the data subject should be

able to choose, in full freedom, whether or not to constitute an EHR system, without this

choice in any way affecting access to the national health service, or having negative

consequences for the possibility of medical benefits. It should also be ensured that health

6 In the Italian legal system this is provided by the cited before Italian Privacy Code.

7 See art. 75 and ff. Italian Privacy Code.

8/8/2019 SSRN-id1528461

7/20

7

data remain available only to the professional/medical body that drafted them, without

necessarily including them in the EHR, and by preventing communication with other

players in the system.

Therefore, the self-determination principle should imply that the person would alsobe given the freedom not to bring into the EHR some health information relating to

individual clinical events, especially in the case of supersensitive data. The informative

infrastructure should provide a system fit to obscure the clinical event, which could be

withdrawn over time. The modularization of the inclusion of health information within the

EHR system and the choice of levels of data sharing creates very difficult problems. The

choice of obscure or uncertain data contrasts with the policies that characterize some like-

EHR systems which are already operating at the regional and provincial level.

A practical solution could be to provide two categories of obscured datadatacompletely obscured, that is, information for which the patient explicitly asks the non-

inclusion in the system; and a second category of data which could be collected in a

reserved section, to which access is regulated directly by the patient (perhaps by giving his

smart card to the professional to which he could grant access).

Another important point is to limit access by the qualified actors to only essential

information. This means that, at least in theory, access to data should be driven by real and

tangible requirements to a patients visualization and treatment: the access should be

granted only to information related to the disease being treated8.

5. Consent

The consent to this additional health data processing plays a pivotal role9. It must

necessarily be characterized by the following elements. Although it can be shown together

with the consent provided for the data processing for care purpose, it must be

autonomous, collected ad hoc, and specific to the EHR treatment. This is a general consent

to EHR at the entrance of data, that does not exclude, but rather lets live, a number of

specific consents to legitimize the EHR consultation by individual data controllers (thisfeature must be duly incorporated within the platform).

The problem linked to the opportunity to specify what is established by art. 82

Italian Privacy Code remains to be evaluated. In cases of absolute necessity, dictated by the

urgency of saving a person from an immediate threat to life, access must be granted to a

designated person (identified by the system, which belongs to a class of charge to which a

8A possible criticism to this point could be that proper diagnosis of a particular symptom/disease requires

consideration of the entire person, not just the locally affected area of the body.

9 See for instance art. 81 Italian Privacy Code.

8/8/2019 SSRN-id1528461

8/20

8

person who has not yet expressed a willingness to permit access to his personal data) to

break the glass and allow access to the necessary data. The system must be set to record

all relevant data to ensure that the data subject will be able to know that the access

occurred, and to verifyex postthe legitimacy of the treatment.

6. Access to EHR system, Data Controllers and Data Processors

The data controller of this new health data processing is the HO or the GP where

data has been generated, as suggested by the Italian Privacy Authority.

The data controller is responsible for organizing the entire aspect of processing: for

this reason it appears to be the main recipient of responsibility and the penalties prescribed

by law on the processing of personal data. The person who fills the role of the data

controller must be the one who faces choices about the material treatment of the data andthe type of data to be collected and recorded, the amount of data to be acquired, the time

of conservation of themselves in relation to the purpose, the sources from which to draw,

updates, etc. Article 28 of the Italian Privacy Code has clarified that: Whenever processing

operations are carried out by a legal person, a public administrative agency or any other body, association or

organisation, the data controller shall be either the entity as a whole or the department or peripheral unit

having fully autonomous decision-making powers in respect of purposes and mechanisms of said processing

operations as also related to security matters. Thus, the main characteristic is represented by the

autonomous power of decision-making in relation to the purposes of treatment, theoperating choices, tools to use, etc10.

We have the particular case of co-data controllers on the same treatment (co-

titolarit), when the choices on purpose, method, tools and security measures for the

treatment are related to multiple subjects. The Italian Privacy Code recognizes this

possibility despite the European Directive indicating the choice of a sole data controller.

This issue may represent a crucial point in building up digital infrastructure fit to manage

health data.

The concept of co-data controllership in the EHR should be considered in parallel with the concept of data processor (responsabile del trattamento), which identifies an

optional figure in the data processing, which is detected by the data controller in the light

of organizational considerations among entities that can appropriately ensure, on account of their

experience, capabilities and reliability, thorough compliance with the provisions in force applying to

processing as also related to security matters (art. 29, co. 2, Italian Privacy Code). Its tasks are

10 See F. GARRI,I soggetti che effettuano il trattamento: il titolare, il responsabile e lincaricato , in G. SANTANIELLO

(ed.),La protezione dei dati personali, in G.SANTANIELLO (a cura di), Trattato di diritto amministrativo, vol. XXXVI,Padova, 2005, 131 166; C. DI COCCO, Soggetti che effettuano il trattamento (Parte I Titolo IV) , in J.MONDUCCI,

G.SARTOR(eds.), Il codice in materia di protezione dei dati personali, Padova, 2004, 119 156.

8/8/2019 SSRN-id1528461

9/20

9

specified in detail by the data controller (art. 29, co. 4, Italian Privacy Code).

The relationship between data controller and data processor has two phases. The

first of these, the deployment phase, concerns the selection of the entity to be designated

as responsible. This decision falls within the discretion of the data controller. If, however,the delegation includes the performance of some functions, it is certainly tied to other

criteria such as experience, capability and reliability which the nominating person must

have (see art. 29 Privacy Code). The second phase concerns the fact that the data controller

is also obliged to supervise the data processor. Remember that the obligations of

supervision and control are also functional to the identification of potential liability with

respect to the processing.

The legal structure should reflect the technical and organizational system which

characterizes the EHR. According to the Working Document, there are different methodsof conservation and management of data:

a. c.d. Decentralized storage: medical files are kept by health professionals, whoare obliged to record information about the care of patients; within this

complex structure it could be necessary to identify a central body responsible

for managing and controlling the whole system and for ensuring its

compatibility with data protection regulation;

b. c.d. Centralized storage: medical staff transfers records to a central system ofEHR; this system ensures a greater level of safety and availability: there is only

one person responsible for the whole system.

c. storage under the control of the data subject: allows the patient to manage his medicalrecords, providing the ability to store his health data as part of a special on-line

service directly under his control (see the system developed in France); it

represents a better solution in terms of self-determination, but presents some

problems with respect to the accuracy and completeness of the documentation,

if there is no corrective action of the medical staff.

The traditional approach to patient EHR management is not generally characterized

by the deployment of a common database: each entity remains data controller of the

treatment that performs (in the collection), while communicating a large part of these data

to other controllers within the network. Each of them is an autonomous institution of the

treatment.

Otherwise, the hypothesis to identify a single data processor appointed to manage

the EHR by the various data controllers involved is a solution that, while being an easy side

access to data and the system by the patient, presents significant weaknesses in terms of

effectiveness of the fiduciary relationship between the individual and all the responsible

controllers of the EHR. The latter should arrange for a standardized appointment, thus

8/8/2019 SSRN-id1528461

10/20

10

depleting the regulation contained in Privacy regulation.

7. Data Communication to data subject: art. 84 Italian Privacy Code

The idea of an EHR considering the evidence regarding the patient to whom he can

have access via computer reflects a feature already present at the level of implementation in

many regional experiences. With the emergence of the Internet, several HOs have begun

providing this new service to its citizens.

From the point of view of the data subject, access to the EHR should be allowed

under the cautions established by art. 84 Italian Privacy Code, which includes the provision

of a filter in the communication of health data between the patient and the data itself

represented by a physician or an health care professional. The issue deserves a further

study.On this matter we find some interesting suggestions at Community level. The

Recommendation of 2 July 2008 on cross-border interoperability of electronic health

record systems in Whereas n. 3 states: Electronic health record systems have the potential to

achieve greater quality and security in health information than the traditional forms of health records.

Interoperability of electronic health record systems should make access easier, and enhance the quality and

safety of patient care throughout the Community by providing patients and health professionals with relevant

and up-to-date information while ensuring the highest standards of protection of personal data and

confidentiality. Below there is another statement at point 14, lett. h): [this legal framework isdesigned in particular to:] ensure that patients are fully informed on the nature of the data and the

structure of the electronic health record containing them. Patients should have alternative (conventional)

means to access personal data concerning health related to him or her. In this context it is important to

ensure that information provided to data subjects uses language and a layout that is easy to understand and

is given in an appropriate manner to persons with special needs (e.g. children or elderly persons).

The pivotal point of the system must be respect for self-determination the

decision of a patient on how and when to use data concerning him should play a key role

as an important guarantee.Lets start the analysis with the positive data in the Italian legal system: the art. 84

Privacy Code - entitled Data Communication to data subject - states: Personal data

disclosing health may be communicated by health care professionals and health care bodies either to the data

subject or to the entities referred to in Section 82(2), letter a), only by the agency of a physician who must

have been designated either by the data subject or by the data controller. This paragraph shall not apply to

the personal data that had been provided previously by said data subject. 2. The data controller or processor

may authorise, in writing, health care professionals other than physicians who, to fulfil their respective

duties, have direct contacts with patients and are in charge of processing personal data disclosing health, to

8/8/2019 SSRN-id1528461

11/20

11

communicate said data either to data subjects or to the entities referred to in Section 82(2), letter a). The

instrument by which said task is conferred shall set out adequate arrangements and precautions having

regard to the context within which the data are to be processed.

There must, therefore, be an intermediary between data and data subject, in order tosatisfy, on the one hand, the need to facilitate the understanding of clinical data by the

patient, and on the other hand, to filter the information obtained in order that it be

communicated in a form compliant with the principles governing the therapeutic

relationship between physician and patient.

Art. 84, read in close connection with articles 1 and 2, co. 1, Privacy Code (which

proves the existence of a new subjective position in relation to the processing of personal

data), gives a particular qualification to the information arising from the relationship of

care, recognizing to the physician a sort of therapeutic privilege. Under this principle, thelatter would have the right not to reveal certain aspects of patient diagnosis or prognostic

character capable of undermining the purpose of treatment.

From the perspective of building up an architecture that focuses its attention on the

access to health data by the patient, this kind of regulation raises many kinds of application

problems, including the introduction of an additional obstacle in designing a platform that

would bring the citizen closer to the health service.

The physician cannot serve as a mere vehicle for the mechanical transmission of data:

the rationale of the provision is that the patient is given an explanation, although synthetic,

profiled on his psycho-physical conditions. The principle is satisfied only if the person is

able to easily understand the meaning of the data.

This requirement does not appear to be an insuperable implementation obstacle.

First of all, the communication between physician and data subject should not necessarily

be direct, it being already possible to delegate to a friend or a relative the power to confer

with the physician or read the notices. This observation allows us to discard the hypothesis

that the rule necessary requires to provide, for example, a computer tool that could attest

that the physician is on-line at the same time as the patient accesses the data.

We could then think of a platform that makes health data accessible to the patient

only when the record was attached to the communication on the interpretation of health

data that the physician-filter has given. Indeed we can expect to require the prior viewing

of this text, before access to medical information is granted.

As an alternative to the solution proposed, and responding to possible resistance

from the medical staff (especially on the part of the GP, which could refuse to be burdened

with additional tasks), we can assume the implementation of an information structure that

as soon as the patient tries to access the contents of the first communication, creates an

automatic alert (pop-up of sorts), which makes the patient aware of the necessity to go to

8/8/2019 SSRN-id1528461

12/20

12

his GP in order to receive additional information on the raw data (it happens the same

today when a paper envelope is delivered to the data subject, bearing the word doctor,

containing the results of laboratory tests a patient has undergone). This display of

warning, which could be followed by a screen of acceptance in which the patientdeclares to have understood the warning about the need to obtain an interpretation of data

relating to him by his doctor, has a dual maieutic purpose: first, the patient would be

informed that he is not able to analyze and understand the meaning of (raw) health data

relating to him; on the other hand, it would promote the activity of explanations of clinical

events, which is in practice unfortunately not always so accurate.

Within the EHR, we could circumscribe data which really needs this filter, separating

them from those which the user can access directly, because he is already known (the

rationale of the provision is expressed only on the first cognitive access by the patient todata that concerned to him) or because he directly provided (i.e.) information collected and

reported by the professional in the EHR11.

9. Security Measures

The sensitivity of personal data processed by EHR requires the adoption of specific

technical measures to ensure appropriate levels of security (art. 31 Italian Privacy Code), in

addition to the minimum measures that each data controller must take under Code (articles

33 ff. Privacy Code). Given the quality of data that an EHR system processes, it is clearthat security aspects are crucial, especially in order to create the right level of confidence in

the operators and users of the platform.

By reading the regulatory framework and the LG of Italian Privacy Authority, the

EHR should ensure: a) a suitable authentication and authorization system of the persons in

charge depending on the roles and requirements for access and processing; b) procedures

for periodic review of the quality and consistency of authentication credentials and

authorization profiles assigned to the persons in charge; c) identification of criteria for

encryption or separation of the data suited to reveal the state of health and sex life fromother personal data; d) traceability of access and the operations carried out; e) audit logs

systems in order to monitor access to the database and to detect any abnormalities.

The adoption of a safe authentication system represents a crucial point in the

future of EHR. The Working Document, cited below, deals with Identification and

authentication of patients and health care professionals and stresses that reliable identification of

patients in EHR systems is of crucialimportance. If health data were used which relate to the wrong person

11 On 25 June 2009 Italian Privacy Authority enacted a General Provision on on-line communication inorder to partially regulate this problematic matter: Provvedimento a carattere generale 25 giugno 2009: Linee guidain tema di referti on-line 25 giugno 2009.

8/8/2019 SSRN-id1528461

13/20

13

as a result of incorrect identification of a patient the consequences would in many cases be detrimental; and

further forward again, the special sensitivity of health data requires that no access is possible for

unauthorized persons. Reliable access control depends on reliable identification and authentication. This

makes it necessary to uniquely identify and also properly authenticate users.The solution proposed by Working Document is represented by the use of smart

cards that provide a high level of reliability and security: Health cards on smart card basis could

contribute significantly to a proper electronic identification of patients and also to their authentication if they

want to access their own EHR data.

Information systems include the use of devices for verifying the digital identity of

users (authentication) before authorizing access to resources in various domains that make

up the system. In our case it would therefore be helpful to deliver to citizens, in addition to

login and password, a smart card. In the Italian context this could be represented by therepeatedly promised but never fully implemented Electronic Identity Card (Carta dIdentit

Elettronica - CIE), which consists of a card with a microchip with the same characteristics

of the real, and visible, identification document and physical security requirements

(optical bandwidth, holograms, photos of the holder); by the National Service Card (Carta

Nazionale dei Servizi - CNS), which consists of a card with a chip that does not have the

physical security requirements of the CIE but with similar features; and finally by Regional

Services Card (Carta Regionale dei Servizi - CRS).

10. A comparative interlude

E-health is an important innovation that can improve access to healthcare and

boost the quality and effectiveness of the services offered.

The European Community has promoted research programs in support of e-Health

for fifteen years. Many results of these efforts have been tested and put into practice;

Europe is therefore in a dominant position in the use of electronic health records for

health care.

A trend pushing the role of the citizen-patient is becoming increasingly important.As noted in the White Paper Together for health: A strategic approach for the period

2008-2013 - Brussels, 23 October 2007, the participation of citizens is a fundamental

value. Health care is increasingly oriented toward the patient, who is becoming an active

player rather than a mere object of care. He must be able to participate in decision-making

and influence at that level, and acquire the necessary skills (the so-called health literacy).

Even the Italian National Health Plan 2006-08 stresses the importance to promote the

various forms of citizen participation, particularly through the involvement of patients and family

8/8/2019 SSRN-id1528461

14/20

14

associations. The citizen is, therefore, recognized as having an increasingly active role in the

management of their health and processes of care.

The EHR aims to foster coordination, quality and continuity of care with better

information and communication among physicians and among physicians and patients. The Action Plan for a European e-Health (attempts/intends) to agree on

uniform standards between the Member States for the identification of patients and to

define standards for interoperability of national systems in order to facilitate the exchange

of electronic health files.

In order to establish a comparative analysis for pointing out useful principles for

the development of an EHR system, we must reference the implementation of other

projects inside the European Community, and in particular in two important instances: the

French and English experiences.

10.1 The French model: Dossier Mdical Personnel

France has a highly centralized system: the majority of political and administrative

authorities are located in Paris. Since 1982, however, a trend toward decentralization began,

which led to the delegation of powers to the regions. The population of France is

approximately 62 million inhabitants. The health care system is pluralistic: private and

public bodies co-exist. Patients choose their GPs and have free access to different types of

hospitals12

.The e-Health projects are developed by different actors, both regionally and locally.

At the national level a mapping of all of these initiatives has been carried out. Among

these, the following are of significant interest:

SESAM-Vitale: it was introduced at the end of the nineties andinterconnects more than 223,000 healthcare professionals in the National

Health System for the benefit of more than 48 million assisted. The system

is based on three elements:

oCarte Vitale, a chip-card that contains simple administrative-natureinformation (note the insured health insurance and any recipients),

recently replaced by the new Vitale 2;

12 As references for this part, see EHRIMPLEMENT, WP5 National reports of EHR implementation France,

28 May 2009, available at: ; E-HEALTH ERA, Fact sheet France,March 2007, available at: ;EUSER, eHealth Country Brief: France, 2005, available at: ; PEIGNV., Iltrattamento dei dati sanitari in Italia e Francia tra convergenze e divergenze, in Diritto dellInternet, 2008, 296; M.GAGNEUX, Pour un dossier Patient virtule et partag et une stregie nationale des systmes dinformation de sant, 23 april

2008, available at: .

8/8/2019 SSRN-id1528461

15/20

15

o Carte de Professionnel de Sant(CPS), a microprocessor smart card usedby GPs, created in 1993 (later expanded through the Ordonnances

Juppof April 1996 to organize a secure infrastructure for electronic

health information systems); the features included are:identification, authentication and electronic signature of health

personnel;

o Rseau sant social (RSS), the health network capable of distributingdata streams and to encourage communication between health

professionals and health insurance funds.

Health Web-site (www.sante.fr), developed under the direction of theDirectorate General of the Ministry of Health, which has as its principal

objective the promotion of information from the public agencies withregard to issues of public health;

Different applications and platforms in the field of telemedicine are alreadyused in some regional experiences; at a national level we find the Dossier

Mdical Personnel (DMP), which will be analyzed much more in details.

The DMP is an ambitious project started in 2004 with Law No 2004-810 of 13

August 2004 on Assurance maladie (the DMP is stated in art. L. 161-36-1 of the Code de la

Scurit sociale)13. The reform has not respected the deadline (July 1, 2004) due to the size of

the project that affects 60 million patients, and also because of not yet widespread

computerization to health professionals. The project to date is not yet fully completed.

The purpose of data processing carried out by the DMP consists in ensuring better

coordination, quality and continuity of health service. Another purpose, more of a political

nature, is obviously to reduce healthcare expenditures.

The DMP consists of a storage system of health data for each beneficiary of the

compulsory health insurance system. It is under the direct control of the patient. It

contains:

data that allows the identification of the patient (name, surname, date ofbirth, login to the opening and operation of the files) and information

identifying the professional;

data of general practitioners (previous medical history of specialistconsultations, allergy, allergies, vaccinations, etc.);

data on the treatment (results of examinations, records of preventive andtherapeutic measures, ongoing illnesses, treatments in progress, etc.);

data on prevention (risk factors individually, reports quotes, etc.);13 See the Web-site: .

8/8/2019 SSRN-id1528461

16/20

16

data on clinical findings (radiography, scanner).The inclusion of new data, their amendment or deletion is subject to the consent of

the patient. Health care workers have access to the system through the simultaneous use of

two smart-cards: the CPS and the Vitale-2. For personal use, patients can access the DMP via Internet through the national portal: the access is managed by the use of login and

password. The information is entered into the system only by authorized health care

professionals. Each piece of information is dated and signed, and its author identified.

There is also a special section devoted to information that the patient can add about his

health (all documents are marked using the IHE-XDS standard).

Data retention is supervised by the patient who must choose a special service

provider called hrbegeur which may be a natural person or legal entity approved in

advance through a process led by a special committee (of which there are currently six).The link between patient and hrbegeuris regulated by a hbergementcontract (the hbergeument

has an obligation to ensure the security and confidentiality of data in compliance with the

provisions of the Act and is bound by professional secrecy).

The French legislature has provided a system of economic incentives for the

creation and use of the DMP: repayment of the acts and medical services by the national

system of social security (requires?) the patient to access and complete the DMP (this

forced freedom is subject to criticisms and doubts at the constitutional level).

The patient who directly controls the DMP benefits from free access to all data via

Internet, even without the intervention of a health care professional. He also has access to

the system log files in order to know exactly who has accessed his data, which data has

been accessed, and when.

The patients consent is required for accessing and administrating the DMP (self-

determination principle). We must however take into consideration that, in cases of

emergency, a special procedure is provided, called Brise de glace (breaking of the glass),

which allows access to the DMP when it is impossible for the patient to give consent. This

represents an ex-post control, since the patient knows exactly who has accessed, when and

why.

The patient does not have the capability to modify the content of medical DMP

(rectius, entered and signed by health professionals data).

The patient has the right to masquage: this is the right to withhold, even temporarily, access

to information. This right is adjusted to the reality of the doctor-patient relationship and

takes into account the fact that the patient reveals the information in a manner

proportional to the degree of this confidence: the more confidence, more detailed

information. This possibility has raised many criticisms. Health care professionals claim

that they could not be held responsible for the fact that it was not the correct procedure or

8/8/2019 SSRN-id1528461

17/20

8/8/2019 SSRN-id1528461

18/20

18

NHS Care Record Service(NHS CRS): an electronic medical file, which wouldimprove the exchange of patient data within the NHS and give patients access

to their health data16;

Choose and Book: a national service that, for the first time, provides theopportunity to make reservations, choose the structure, the date and time of an

appointment in a hospital facility (first outpatient appointments). It

revolutionises the current booking system. Various studies in this area have

shown that patients want to be more involved in decision making and to be

able to chose their processes of care. The majority of patients who have been

offered this new option have reacted positively. Since summer 2004, the

Choose and Book service has been introduced across England. From January

2006, all patients requiring the booking of an appointment have a choice of atleast four service providers;

Electronic Prescription Service: a system for electronic transmission of prescriptionsthat provides the possibility to generate, transmit and receive electronic

prescriptions. The requirements are sent electronically from the writer of the

prescription to the provider (pharmacist), and finally to the State for payment

reasons. Since 2007, all GPs and pharmacists have access to the system;

N3: the NHS National Network, which ensures a safe and reliable networkinfrastructure to connect all organizations belonging to the English NHS. This

high-speed network obviously strengthens all the other services offered by the

NHS;

Picture Archiving and Communications System: a service that allows one toelectronically store and display radiographic images on the screen. As planned,

it has been available since 31 March 2007.

The NHS CRS will be gradually introduced step by step across England. The

process started in 2007 and it will take several years. When the system is running at full

capacity, it will allow the HO to store medical information on an interconnected digital

infrastructure. This will allow medical staff faster access to information in a secure manner.

The patients themselves will have access to their essential health information. The NHS

CRS will be able to connect more than 30 thousand medical professionals and 270

generally trusted structures of the health service through a single, secure national system.

The infrastructure consists of two elements: the detailed data (collected and stored locally),

and the Summary Care Record (maintained at the national level).

16 This project will be analyzed more in details below. See the Web-site:

.

8/8/2019 SSRN-id1528461

19/20

8/8/2019 SSRN-id1528461

20/20

capabilities allowed for by digital technologies, in the health field the user-patient is

encouraged to acquire a kind of computer literacy and to become a leading actor of the

processes of care and curative options regarding to him. The big challenge for these EHR

systems is represented in being able to give expression to this need by coordinating andincorporating within the infrastructure those legal principles that guarantee the integrity

and the freedom of individuals.

There is rarely a serious understanding of the significance of the epochal change in all

its facets. One of the crucial aspects of this innovation is never fully addressed: the weight

and value that health professionals will give to the data entered in the system, by virtue of a

legal infrastructure to be built. Interpersonal relations are increasingly driven by electronic

infrastructures, even in healthcare. Dealing with this issue with maturity and vision means

facing up to all its possible facets and ensuring a technical-organizational-legal systemintended for its perfect development.

The advent of a specific regulation aimed to establish a reinforced protection for

health data processed through the EHR systems marks a turning point in the arduous

process of developing e-Health. This is a moment of crucial importance, since the legal

definition of EHR will shape the scope of a series of tasks and measures through which the

rights of the citizen-patient-data subject will be protected.

The definition of EHR, however it ends up, will surely have a big impact on the

development of e-Health. It inevitably assumes the adoption of a conceptual model

through which, for the sole purpose of improving the care of the patient, it considers the

relationship between information, the person with whom this information is concerned,

and the people who treat this information for the purpose just mentioned. This suggests

the need for great caution in making this delicate and defining transition.