Data protection enforcement in healthcare: What can we learn from it?
In recent years, since the GDPR (Regulation (EU) 2016/679) became fully applicable and inspections aimed at enforcing the new rules began, the Italian Data Protection Authority (“Garante”) has concentrated on breaches of the rules applicable to the processing of health data in the context of the Electronic Health Record (“EHR”), the Health File (“EF”), and online medical reports.
Technological developments in the public and private sectors, spurred by the COVID-19 emergency, also fed into this trend. The increased use of advanced technologies has recently led the Garante to examine the processing of health data carried out through algorithms and other means.
All the cases examined show that technical measures must be implemented to avoid incidents. In addition, staff awareness must be raised and organizational measures put in place to ensure the security of processing.
I. SECURITY BREACHES
In many cases, data security breaches were detected that led to health data being shared with unauthorized third parties. Two meaningful examples involved an ASL (local health authority) and a polyclinic and were decided in July 2020. Both ended with admonitions by the Garante. The breaches were brought to the Garante’s attention by the facilities themselves, which duly notified the personal data breaches suffered by some of their patients, as required by Article 33 GDPR.
In the case reported by the ASL (Decision of July 2, 2020, No. 123, web doc. No. 9440096), a patient who had requested a paper copy of their own medical record had instead been given a copy of a different patient’s medical record due to human error.
The Garante determined that the incident had been caused when a medical record was accidentally inserted into an envelope labeled with the name of a different patient. However, considering that, as the ASL noted, the documentation had been returned to the clinic immediately, the Garante qualified the case as a “minor infringement” under the GDPR and issued an admonition rather than a fine. The Garante also took into account that the incident was a one-off caused by human error, and that as soon as the ASL became aware of it, it corrected its procedure for preparing and delivering medical records to avoid a recurrence (documents are now double-checked at the time of delivery).
In the second case, the one involving a polyclinic (Decision of July 9, 2020, No. 141, web doc. No. 9440117), a patient medical report was entered into the wrong patient’s EHR.
In this case, too, the confidentiality provisions concerning the disclosure of personal health data to third parties were breached. However, after examining the circumstances of the specific incident, the Garante qualified the infringement as “minor” and deemed it sufficient to issue an admonition against the polyclinic. This isolated episode had also been caused by unintentional human error. In addition to informing the data subject involved, the healthcare facility adopted organizational measures and training initiatives to make staff aware of the need to comply with data protection provisions and with the procedures for correctly identifying patients.
Adequate protection of personal data
Another case from 2020 also concerned an ASL. It involved unlawful access to data contained in the EFs of employees of the facility who had been treated there (Decision No. 18 of January 23, 2020, web doc. No. 9269629).
On three separate occasions, employees of the facility accessed the EFs of fellow employees without any connection to the provision of healthcare services. The ASL itself notified the Garante of these personal data breaches. In one case, access had been carried out using the credentials of a doctor who had left their workstation unattended. In the other two cases, an intern and a radiology technician accessed the EFs of their colleagues.
In all three cases, the facility admitted that access had been carried out not to provide medical services but for purely personal reasons, which it described as “mere curiosity.” The Garante’s investigation showed that the technical and organizational measures adopted to protect the EFs were not adequate to safeguard patients’ personal data against unauthorized processing, which therefore resulted in unlawful processing. The Garante fined the facility EUR 30,000 for failing to prevent employees from looking at their colleagues’ EFs.
Still on the subject of EFs, the Garante has received several reports of data breaches caused by the inclusion in an EF of health data relating to persons other than the patient concerned. In some cases, this mixing of data is due to technical malfunctions in the systems used to manage the EFs. For example, medical records were incorporated into health documents relating to other patients when a bug in a system for printing the records went unnoticed by the institution until a data subject reported it (Decision No. 250 of June 24, 2021, web doc. No. 9689566).
In other cases, human error led to unrelated data being entered into patients’ EFs (Order No. 421 of December 2, 2021, web doc. No. 9732497). One example is a case in which the confusion was caused by two patients having the same name. Moreover, in that case the violation occurred even though the hospital, as data controller, had implemented corrective measures following a previous sanction by the Garante for a similar violation (Decision No. 18 of January 23, 2020, web doc. No. 9269629).
On a different note, in a case from 2021, a general practitioner used clothespins to hang prescriptions in the window of their office. The office was on the ground floor on a public street, so the patients’ names and their prescriptions were visible to passersby (Decision No. 392 of October 28, 2021, web doc. No. 9716887). The doctor was sanctioned for this conduct, which ran contrary to data protection legislation.
As is well known, the law does not merely require the data controller to ensure that the rights, fundamental freedoms, and dignity of individuals are respected, including when organizing the provision of services; it also requires that health information not be disseminated, since it may only be disclosed to third parties on a suitable legal basis or at the patient’s instruction by means of a written authorization.
In addition, the Garante’s 2021 Annual Report provides an in-depth look at the latest developments in its oversight of data breaches in the health sector. Unlike the previous year’s report, the 2021 report includes a section devoted entirely to data breaches in healthcare, underlining how central and widespread the phenomenon has become.
II. THE USE OF ALGORITHMS IN HEALTHCARE
More recently, the Garante sanctioned three ASLs in Friuli Venezia Giulia (Decisions No. 415, web doc. No. 9844989; No. 416, web doc. No. 9845156; and No. 417, web doc. No. 9845312) for using algorithms to classify patients by their risk of complications from COVID-19 infection. The ASLs processed the data in their databases in order to arrange appropriate initial medical interventions for the patients and to identify suitable diagnostic and therapeutic paths in a timely manner.
In the course of the investigation, initiated by the Garante following a report by a doctor, it emerged that patient data had been processed without an appropriate legal basis, that the data subjects had not been provided with all the necessary information (on the means and purposes of processing), and that the data protection impact assessment required by Article 35 GDPR had not been carried out.
The Garante reiterated that the user of a health service, whether regional or national, may only be profiled on an appropriate legal basis, in compliance with specific requirements, and with adequate guarantees for the rights and freedoms of the data subjects, since such profiling entails automated processing of personal data aimed at analyzing and predicting the evolution of an individual’s health status and its possible correlation with elements of clinical risk. These prerequisites were lacking in this case. The Garante established the violations and found that the algorithmic processing concerned the health data of a large number of patients. It ordered each of the three ASLs to pay a fine of EUR 55,000 and to delete the processed data.
III. DATA ACCURACY AND FAIRNESS OF THE PROCESSING
In 2022, the Garante fined the Italian Region Lazio EUR 100,000 for failing to update the personal data on a platform used by an ASL to invite patients to schedule cancer screenings (Decision No. 409 of December 1, 2022, web doc. No. 9833530). In this case, the invitation to undergo screening was addressed to the complainant’s deceased daughter.
The Garante reprimanded the Region Lazio for not ensuring that the data processed through the platform were accurate, and reiterated that the Region, as data controller, must ensure that data are accurate and up to date and must take all reasonable steps to erase or rectify inaccurate information without delay (Article 5(1)(d) GDPR).
IV. GARANTE ENFORCEMENT IN HEALTHCARE: FOOD FOR THOUGHT
This roundup of cases in the healthcare sector shows that the Garante is increasingly focusing on the processing of personal data relating to health and intervening to varying degrees, depending on the seriousness and circumstances of each case.
The security incidents described above are limited in scope. While the first two (human error that resulted in one patient’s data being shared with an unauthorized third party) were handled with admonitions only, in the third case a fine was imposed because the unauthorized access was deliberate, driven by curiosity, and the measures in place had not prevented it.
In all cases, however, it is clear not only that appropriate technical measures must be taken to avoid these types of incidents, but also that staff awareness must be raised and appropriate organizational measures put in place to ensure the security of processing.
Furthermore, the EF data breach sanctioned by the December 2021 Order provides food for thought on the need for the data controller to stress-test the measures it has implemented and verify that they are actually understood and applied by the personnel in charge. That violation occurred through human error despite the prior implementation of measures designed to prevent precisely such occurrences, and despite previous sanctions by the Garante for similar incidents.
Another fundamental element that emerges from these cases is the need to ensure that only healthcare personnel involved in a patient’s treatment have access to that patient’s health records. Particular attention must therefore be paid to identifying authorized roles, restricting access accordingly, and training authorized personnel.
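One way to operationalize this principle, and to catch the kind of “mere curiosity” access sanctioned in the ASL case in Section I, is a retrospective audit of EF access logs against the facility’s record of who is actually treating whom. The following is an added Python example written for this page; it is not code from the Garante’s decisions or from any facility’s system. The log fields, the care-relationship table, the list of patients who are also staff, and the 15-minute idle threshold are assumptions for illustration, and all sample data is constructed. The check flags three patterns that the cases above turn on: a record viewed by a user with no active treatment relationship with that patient, a record of a colleague viewed, and a record viewed long after the user’s previous activity without a fresh login, which is as close as a log review can get to the unattended-workstation scenario.

```python
"""Audit check for EF/EHR access logs (added illustration, constructed data).

Flags record views by staff with no active care relationship with the
patient, views of colleagues' records, and views made after a long idle gap
without re-authentication (a proxy for an unattended, still-logged-in
workstation)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    patient: str      # "-" for events that do not touch a record
    action: str       # "auth" = interactive login, "view" = record opened


@dataclass(frozen=True)
class CareRelationship:
    user: str
    patient: str
    start: datetime
    end: Optional[datetime]   # None = relationship still open


@dataclass(frozen=True)
class Finding:
    ts: datetime
    user: str
    patient: str
    reason: str


def has_relationship(rels: Iterable[CareRelationship], user: str,
                     patient: str, ts: datetime) -> bool:
    """True if `user` had an active treatment relationship with `patient` at `ts`."""
    return any(r.user == user and r.patient == patient
               and r.start <= ts and (r.end is None or ts <= r.end)
               for r in rels)


def audit(accesses: Iterable[Access], rels: Iterable[CareRelationship],
          employee_patients: Set[str],
          idle_limit: timedelta = timedelta(minutes=15)) -> List[Finding]:
    """Walk the log in time order and return one Finding per suspicious view."""
    rels = list(rels)
    findings: List[Finding] = []
    last_event = {}  # user -> timestamp of that user's previous event (auth or view)
    for a in sorted(accesses, key=lambda x: x.ts):
        if a.action == "view":
            if not has_relationship(rels, a.user, a.patient, a.ts):
                reason = "no care relationship at time of access"
                if a.patient in employee_patients:
                    reason += "; patient is a colleague"
                findings.append(Finding(a.ts, a.user, a.patient, reason))
            prev = last_event.get(a.user)
            if prev is not None and a.ts - prev > idle_limit:
                # A login ("auth") also updates last_event, so a view that
                # follows a long gap without one is a session that was never locked.
                findings.append(Finding(a.ts, a.user, a.patient,
                    f"access after {a.ts - prev} idle without re-authentication"))
        last_event[a.user] = a.ts
    return findings


def run_demo() -> List[Finding]:
    """Constructed sample: a doctor, a radiology technician, and a patient
    (P-3003) who is also a member of staff at the same facility."""
    t0 = datetime(2020, 1, 10, 9, 0)

    def m(minutes: int) -> datetime:
        return t0 + timedelta(minutes=minutes)

    rels = [
        CareRelationship("dr.rossi", "P-1001", t0 - timedelta(days=3), None),
        CareRelationship("tech.bianchi", "P-2002", t0, t0 + timedelta(hours=2)),
    ]
    employee_patients = {"P-3003"}
    accesses = [
        Access(m(0), "dr.rossi", "-", "auth"),
        Access(m(5), "dr.rossi", "P-1001", "view"),        # legitimate
        Access(m(50), "dr.rossi", "P-3003", "view"),       # colleague's EF, 45 min after last activity
        Access(m(10), "tech.bianchi", "-", "auth"),
        Access(m(12), "tech.bianchi", "P-2002", "view"),   # legitimate
        Access(m(13), "tech.bianchi", "P-3003", "view"),   # colleague's EF
        Access(m(180), "tech.bianchi", "P-2002", "view"),  # relationship expired at +120 min
    ]
    return audit(accesses, rels, employee_patients)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.ts:%H:%M} {f.user:<13} {f.patient:<7} {f.reason}")
```

This is a detective control: it finds the access after the fact and depends on the facility keeping the care-relationship table current, which is itself an organizational measure. It does not replace preventive controls such as enforcing the relationship at the time of access and locking idle sessions, but run regularly it gives the controller evidence of whether the measures it has adopted are actually followed, which is the gap the Garante identified.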
Moreover, not disseminating health data and processing such data only if they are correct and accurate are two fundamental principles that the Garante enforced in some of the cases mentioned above. Here too, there is a need to raise awareness among doctors handling health data and among facilities using platforms that process patients’ health data. General practitioners must be aware of their obligations as data controllers, and healthcare facilities must ensure that the data they process are always up to date.
Even when a healthcare facility uses advanced technologies that make early diagnosis and predictive healthcare analytics possible, it must take steps to ensure compliance with data protection legislation. The pursuit of goals that are important for the community does not justify disregarding privacy legislation.
The Garante is doing important work to raise awareness among healthcare professionals through multiple initiatives, ranging from the organization of events and meetings to the publication of news about sanctions and inspection activities on its website.
The Data Protection Officers of the facilities are also heavily involved in planning and implementing the actions needed to achieve these goals.
That said, it is also worth considering involving private entities in this training and awareness-raising work. In recent years, such entities have been offering technological services to healthcare professionals and to public and private healthcare companies, such as appointment booking and the collection of patient reviews and opinions. Involving them in this work and ensuring public-private cooperation on these issues could be an additional useful way to curb data protection violations in the healthcare sector.