Italian Data Protection Authority publishes rules for platforms (websites or apps) connecting patients and healthcare professionals
In recent years, technology has revolutionized many sectors, including healthcare. Online platforms and apps that connect patients with healthcare professionals have made medical care more accessible, especially in settings where physical presence is limited or not possible. This evolution has also raised important issues concerning privacy and the protection of personal data.
The Italian Data Protection Authority (Garante per la protezione dei dati personali, hereinafter the “Garante”) has kept a close watch on the healthcare sector and issued numerous measures concerning healthcare companies, medical apps (in February 2024, an app for diabetics), management platforms for doctors and patients (in November 2022, the Doctolib platform), and initiatives in the medical field (in June 2023, the THIN project using real-world data). Medical and telemedicine platforms remain high on the list of inspection activities scheduled by the Garante in its twice-yearly inspection plans.
Now the Garante has released a compendium on the processing of personal data by platforms that connect patients and healthcare professionals via web or app. The compendium identifies data protection aspects that data controllers must consider when managing these platforms, in accordance with the accountability principle and the general principles applicable under the GDPR.
The compendium provides guidance on various aspects, including:
- Establishing roles and liabilities of all those involved with the various types of data processed (health data, common data, patients’ data, healthcare professionals’ data) and the purposes of the various processing operations, with a specific legal basis provided for each type of processing;
- The content of the information provided to users (patients and healthcare professionals);
- Specifics on security measures;
- A reminder of the legislation on online medical reports.
To identify the purposes of processing in relation to the data of patients using the platforms, the compendium distinguishes between common data (e.g., data collected for account creation) and health data (i.e., data relating to a specific healthcare service).
For the former, the legal basis is the need to execute a contract (for use of the platform) to which the user is party, and the data controller is the platform that makes its services available to users.
For health data, there are two scenarios. For data concerning choice of a specific healthcare service or a specific healthcare professional, the legal basis for processing is the explicit consent of the data subject and the data controller is the platform providing the booking service to the user. For health data strictly necessary for treatment purposes, which are generated by a patient’s interaction with a healthcare professional, no consent is required.
Indeed, the latter scenario falls within the scope of Article 9(2)(h) and (3) GDPR, which provides justification for healthcare professionals subject to professional secrecy to process healthcare data for purposes of care. The compendium clarifies that if a platform carries out technical processing, such as managing a healthcare professional’s appointment book or storing the medical records of their patients, it will only act as a data processor on behalf of the healthcare professional (and will not be able to process users’ health data for purposes of care independently).
In other words, the compendium makes it clear that the same platform can act as both data controller and data processor for the various processing operations. From a practical point of view, the two scenarios need to be technically and organizationally distinct.
If a platform decides to use data for further purposes that are not compatible with the purpose of collection (e.g., for commercial communications from the platform), specific consent must be obtained for each such purpose. Still, such platforms may not use data collected and stored by doctors for their own purposes.
Data relating to healthcare professionals and processed by these platforms must be processed only to the extent strictly necessary to execute the service contract between the parties, and the data controller is the platform itself.
With reference to transparency profiles, the compendium provides guidance on the content of information provided to users. The complex framework of governance, purposes, and legal bases that we have described above in relation to users’ health and non-health data must be accurately reported in the information to be provided to patients in accordance with Article 13 GDPR.
The Garante goes a step further and identifies information in addition to the information listed in Article 13 GDPR. In the case of cross-border transfers, a lead authority must be identified for the data of users who register on the platform. For personal data of healthcare professionals, the criteria according to which the list of professionals is viewed by the user and the possible use of artificial intelligence systems or algorithms for this purpose must be indicated.
The compendium also covers the security of data processed through these platforms. On the one hand, the Garante points to the need for data controllers to comply with the principle of privacy by design (data protection by design), and hence the need to ensure a proper level of data protection from the design phase of a service, product, or process and throughout its life cycle. The Garante emphasizes that the producers of tools and applications, acting as data processors on behalf of the healthcare professionals using them, play a key role in ensuring that data controllers comply with this principle. Although these operators are not themselves subject to this obligation, they must be aware of the principle and enable their customers (the data controllers) to comply with it.
In terms of specific security measures, the compendium states that encryption is one of the measures most commonly adopted to protect the personal data of users of an online service, and that the security measures that must be implemented include verification of the professional title of a healthcare professional, verification of users' contact data, and multi-factor authentication.
Digital health tools must also be coordinated with the regulations in effect in the sector, and specifically with the regulations on the Electronic Health Record (the most recent legislation on the subject requires general practitioners and primary care pediatricians to fill in part of the Electronic Health Record and access the documents contained therein). Additionally, the Garante points to the online medical reporting regulations, which will have to be considered with regard to the delivery of medical reports to patients.
The Garante’s compendium provides a detailed framework for processing personal data on platforms that connect patients and healthcare professionals. In some cases, the compendium clarifies a set of applicable rules and sets out the solutions that the Garante considers to represent compliance with those regulations. In other cases, it introduces new rules (e.g., on transparency and the content of information) in addition to existing ones. Web- and app-accessible medical platforms must adopt these recommendations to ensure a safe, ethical, and privacy-compliant environment for online medical care.