April 23, 2024

Italian Data Protection Authority publishes rules for platforms (websites or apps) connecting patients and healthcare professionals

The Italian version of this article has been published on April 24, 2024 on AboutPharma.com, within our bi-monthly column “Digital impact in Life Sciences: Legal Corner”.

In recent years, technology has revolutionized many sectors, including healthcare. Online platforms and apps that connect patients with healthcare professionals have made medical care more accessible, especially in settings where physical presence is limited or not possible. This evolution has also raised important issues concerning privacy and the protection of personal data.

The Italian Data Protection Authority (Garante per la protezione dei dati personali, hereinafter the “Garante”) has kept a close watch on the healthcare sector and issued numerous measures concerning healthcare companies, medical apps (in February 2024, an app for diabetics), management platforms for doctors and patients (in November 2022, the Doctolib platform), and initiatives in the medical field (in June 2023, the THIN project using real-world data). Medical and telemedicine platforms remain high on the list of inspection activities scheduled by the Garante in its twice-yearly inspection plans.

Now the Garante has released a compendium on the processing of personal data by platforms that connect patients and healthcare professionals via web or app. The compendium identifies data protection aspects that data controllers must consider when managing these platforms, in accordance with the accountability principle and the general principles applicable under the GDPR.

The compendium provides guidance on various aspects, including:

  • Establishing roles and liabilities of all those involved with the various types of data processed (health data, common data, patients’ data, healthcare professionals’ data) and the purposes of the various processing operations, with a specific legal basis provided for each type of processing;
  • The content of the information provided to users (patients and healthcare professionals);
  • Specifics on security measures;
  • A reminder of the legislation on online medical reports.

To identify purposes of processing and in relation to the data of patients using the platforms, the compendium distinguishes between common data (i.e., for account creation) and health data (i.e., relating to a specific healthcare service).

For the former, the legal basis is the need to execute a contract (for use of the platform) to which the user is party and the data controller is the platform that makes its services available to users.

For health data, there are two scenarios. For data concerning choice of a specific healthcare service or a specific healthcare professional, the legal basis for processing is the explicit consent of the data subject and the data controller is the platform providing the booking service to the user. For health data strictly necessary for treatment purposes, which are generated by a patient’s interaction with a healthcare professional, no consent is required.

Indeed, the latter scenario falls within the scope of Article 9(2)(h) and (3) GDPR, which provides justification for healthcare professionals subject to professional secrecy to process healthcare data for purposes of care. The compendium clarifies that if a platform carries out technical processing, such as managing a healthcare professional’s appointment book or storing the medical records of their patients, it will only act as a data processor on behalf of the healthcare professional (and will not be able to process users’ health data for purposes of care independently).

In other words, the compendium makes it clear that the same platform can act as both data controller and data processor for the various processing operations. From a practical point of view, the two scenarios need to be technically and organizationally distinct.

If a platform decides to use data for further purposes that are not compatible with the purpose of collection (e.g., for commercial communications from the platform), specific consent must be obtained for each such purpose. Still, such platforms may not use data collected and stored by doctors for their own purposes.

Data relating to healthcare professionals and processed by these platforms must be processed only to the extent strictly necessary to execute the service contract between the parties, and the data controller is the platform itself.

With reference to transparency profiles, the compendium provides guidance on the content of information provided to users. The complex framework of governance, purposes, and legal bases that we have described above in relation to users’ health and non-health data must be accurately reported in the information to be provided to patients in accordance with Article 13 GDPR.

The Garante goes a step further and identifies information in addition to the information listed in Article 13 GDPR. In the case of cross-border transfers, a lead authority must be identified for the data of users who register on the platform. For personal data of healthcare professionals, the criteria according to which the list of professionals is viewed by the user and the possible use of artificial intelligence systems or algorithms for this purpose must be indicated.

The compendium also covers the security of data processed through these platforms. On the one hand, the Garante points to the need for data controllers to comply with the principle of privacy by design (data protection by design), and hence the need to ensure a proper level of data protection from the design phase of a service, product, or process and throughout its life cycle. The Garante emphasizes that the producers of tools and applications, acting as data processors on behalf of the healthcare professionals using them, play a key role in ensuring that data controllers comply with this principle. Although these operators are not themselves subject to this obligation, they must be aware of the principle and enable their customers (the data controllers) to comply with it.

In terms of specific security measures, the compendium states that encryption is one of the measures most commonly adopted to protect the personal data of users of an online service, and that the security measures to be implemented include verification of a healthcare professional’s professional title, verification of users and of their contact data, and multi-factor authentication.

Digital health tools must also be coordinated with the regulations in effect in the sector, specifically the regulations on the Electronic Health Record (the most recent legislation on the subject requires general practitioners and primary care pediatricians to fill in part of the Electronic Health Record and to access the documents contained therein). Additionally, the Garante points to the online medical reporting regulations, which will have to be considered with regard to the delivery of medical reports to patients.

The Garante’s compendium provides a detailed framework for processing personal data on platforms that connect patients and healthcare professionals. In some cases, the compendium clarifies a set of applicable rules and sets out the solutions that the Garante considers to represent compliance with those regulations. In other cases, it introduces new rules (e.g., on transparency and the content of information) in addition to existing ones. Web- and app-accessible medical platforms must adopt these recommendations to ensure a safe, ethical, and privacy-compliant environment for online medical care.
