Toward the digital transformation in healthcare: The Garante’s FAQs on electronic health record and online reports
1. FAQ on Electronic Health Record: Consent, information to be provided, and access
A. Electronic Health Record
The EHR, introduced by Article 12.1 of Law Decree No. 179/2012, is a set of health and social-health data and digital documents generated by private and public healthcare structures concerning the present and past clinical events of a patient.
Moreover, the EHR pursues the purposes of care, research, and governance. Therefore, implementation of the EHR is extremely relevant in several respects. Firstly, it lays the groundwork for better management of the different phases of the relationship between the doctor and the patient (prevention, diagnosis, treatment, and rehabilitation). Secondly, the EHR has a significant impact on studies and scientific research in the medical, biomedical, and epidemiological context. Lastly, management of health planning at a national level, as well as verification and evaluation of the quality of care, can benefit from the EHR.
B. Patient’s consent, information to be provided, and feeding data into the EHR
The data subject expresses, on a one-off basis, his/her consent to having the record consulted by healthcare professionals, and the patient can withdraw that consent at any time. In any case, even if the patient does not provide consent, the provision of healthcare services is guaranteed.
Clearly, before such consent is given, the data subject must be provided with a privacy policy drafted in clear language and complying with the requirements set out in Article 13 of the General Data Protection Regulation (Regulation (EU) No. 2016/679, “GDPR”). The Garante clarifies that this policy must specify (a) that the data included in the EHR relate to the current and possibly past health status of the data subject; and (b) that the data subject has the right to know about every instance in which his/her EHR has been accessed.
In addition, the EHR is automatically fed information by healthcare facilities that generate digital data and documents as a result of related services, regardless of their location, so that the patient can easily consult this content, even if it was produced by facilities outside his or her own region.
C. Access to the EHR and redaction
The patient is free to consult his/her own EHR and have access to clinical and administrative documents (e.g., prescriptions, illness certificates), as well as to enter additional personal information and documents relating to the course of treatment in the “patient’s personal notebook” section.
Once the patient provides consent, as described above, all public and private healthcare personnel who are treating him/her can access the EHR. More specifically, a patient’s general practitioner or chosen pediatrician is tasked with drawing up and updating the “patient summary” (profilo sanitario sintetico), an electronic socio-medical document summarizing the patient’s clinical history, so that continuity of care can be facilitated by means of a concise and rapid overview of the patient’s general health status.
Regardless of the patient’s consent, healthcare governance bodies have access to pseudonymized EHR data to perform their institutional functions (e.g., care planning, management of health emergencies).
In addition, beyond the general rule that unauthorized third parties are not allowed to access the EHR, the Garante has expressly listed specific subjects who cannot access the EHR even though they operate in the health sector: experts, insurance companies, employers, scientific associations, and administrative bodies.
Lastly, the data subject has the right to request that health and social-health data and documents be redacted so that only the patient and the party who generated them can consult them. Such redaction (a) may be requested either before or after the information is fed into the EHR; (b) may be revoked by the patient at any time; and (c) must ensure that other subjects accessing the EHR are not automatically aware that certain data have been redacted.
2. FAQ on online reports: Consent, delivery methods, and security
A. The online medical report
The medical report consists of a written report issued by the doctor on the clinical status of the patient following clinical or instrumental examination. The patient may access this document by digital means, such as the EHR, a website, ordinary or certified email, and by electronic means in general. In this case, it is referred to as an online medical report, and both the Garante and the legislator have acted to regulate the methods of delivery and the necessary safeguards.
More specifically, following the Guidelines on online reports published by the Garante (Decision No. 36 of November 19, 2009, doc. web No. 1679033, “Guidelines”), the Prime Minister Decree of August 8, 2013 (“DPCM,” issued pursuant to Article 6.2.d, numbers 1 and 2 of Law Decree No. 70/2011, converted, with amendments, into Law No. 106/2011) also regulates the procedures for the delivery of medical reports by healthcare authorities via web, certified email, and other digital methods. The text of the draft DPCM received a favorable opinion from the Garante, albeit with specific observations (Decision No. 382 of December 6, 2012, doc. web No. 2223206). This is the legal framework within which the Garante’s FAQ on online reports, updated last October, is set.
B. Patient consent and information to be provided
The Garante, while noting that a data subject’s consent is no longer required for processing necessary for the provision of healthcare services (Decision No. 55 of March 7, 2019, doc. web No. 9091942), expressly referenced the DPCM, which requires a patient’s explicit, free, specific, and informed consent in order for the patient to take advantage of the digital reporting service (Article 5 of the DPCM). As in the case of the EHR, the lack of consent must not have any effect on access to the medical services themselves, which in any case remain guaranteed.
Giving consent once does not bind the patient in relation to future medical examinations; indeed, s/he can always express a contrary intention and choose not to use the online reporting service. In any case, even if consent has been given, the data subject has the right to obtain a hard copy of the report delivered digitally at home.
Furthermore, the data controller must provide the data subject with a privacy policy in compliance with Articles 13 and 14 of the GDPR that clearly and comprehensively describes the characteristics of the online reporting service. That policy must be distinct from the one covering the processing of personal data for care purposes.
C. Delivery methods
In relation to the digital methods of delivery for the report, the FAQ focuses on websites and email. A report available on the healthcare facility’s website must:
- utilize secure communication protocols (https) and strong authentication systems;
- be made available online on the website for a maximum of 45 days;
- provide the user the opportunity to delete reports concerning him/her from the consultation system, either all at once or on an individual basis.
A report delivered by email must:
- be sent as an attachment to the email message (not as text in the body of the message); and
- be contained in a file that is protected, for example, by means of a password.
As an additional service, the patient may ask to be notified of the availability of the report by means of a text message containing only notice that it is available, without any other information on the type of report or the outcome of the exams, nor on the authentication credentials assigned. The patient may also request that the report be delivered digitally to his or her general practitioner.
Finally, the Garante notes that digital reporting is not permitted in the case of medical examinations relating to genetic investigations or HIV.
D. Security measures
The use of technological methods for the delivery of medical reports entails the need to implement security measures appropriate to the risks associated with the means used for delivery and to the heightened sensitivity of the data being processed. To this end, both the Guidelines and the DPCM provide specific precautions and technical measures to be implemented to safeguard the security of the processing.
In general, the FAQ refers to (a) the adoption of authentication and authorization systems for authorized subjects, depending on their roles and purposes of the processing; (b) the implementation of different levels of protection, depending on the means of delivery used (web services, email, or electronic support); and (c) the appropriate training of anyone who has access to, or processes in any way, online report data.
Nevertheless, identifying and implementing such measures is not easy, as evidenced by a recent report to the Garante, followed by an investigation by the Authority, in relation to the “One-click Swab” (Tampone in un Click) service set up by the Lombardy region for the online reporting of COVID-19 test results. Specifically, the authentication system for access to the online reports through the dedicated web page only appears to be multifactorial. Although the user is asked to enter two different elements, i.e., the data reported on a healthcare card and the telephone number to which a message containing the code to access the online report is sent, these two elements are not associated with each other beforehand. In other words, the message with the access code could be sent to the telephone number of a person other than the patient (i.e., any person who, for whatever reason, knows the patient’s healthcare card data).
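As an added illustration (not code from the FAQ, the DPCM, or the Lombardy service), the following Python sketch contrasts the flawed flow described above, where the code goes to whatever number the requester types in, with a flow in which the second factor is bound to the number already on the patient record. The registry, card numbers, and phone numbers are constructed sample values.

```python
# Added example: one-time-code dispatch for online report access.
# REGISTRY, the card numbers and the phone numbers are constructed.
import secrets

# Constructed registry: healthcare-card number -> phone number registered
# with the patient record beforehand (None = no number on file).
REGISTRY = {
    "CARD-0001": "+39-000-111",
    "CARD-0002": None,
}


class OtpDispatch:
    """Records where each one-time code was sent (stands in for an SMS gateway)."""

    def __init__(self):
        self.sent = []  # list of (phone, code)

    def send(self, phone, code):
        self.sent.append((phone, code))


def weak_request_code(card, phone, gateway):
    """Flawed flow: the card number is checked against the registry, but the
    phone number is taken from the request and never compared with the number
    on file, so the access code is delivered wherever the requester says."""
    if card not in REGISTRY:
        return False
    gateway.send(phone, secrets.token_hex(3))
    return True


def hardened_request_code(card, gateway):
    """Corrected flow: the requester supplies only the card data; the code is
    sent to the number registered beforehand and is never shown to the
    requester. A card that is unknown or has no registered number fails
    closed, with the same result in both cases so the response does not
    reveal whether a card number exists. Rate limiting of requests per card
    is still needed on top of this binding."""
    on_file = REGISTRY.get(card)
    if on_file is None:
        return False
    gateway.send(on_file, secrets.token_hex(3))
    return True


def delivered_to(gateway):
    """Phone numbers that received a code, in order of dispatch."""
    return [phone for phone, _ in gateway.sent]
```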
E. Fulfillment related to data breach
In addition to implementing adequate security measures, the controller must establish a special procedure for handling any personal data breaches (“Data Breach”) so that prompt action can be taken and the security of the data processed can be monitored.
The Garante seems to be particularly attentive to Data Breaches and their handling. Indeed, on the one hand, the Data Breach is one of the aspects of general interest covered by the inspection activity carried out by the Garante’s office for the six-month period July–December 2020 (Decision No. 171 of October 1, 2020, doc. web No. 9468750). On the other hand, in relation to the specific case of online reporting, the Garante recently sanctioned a polyclinic 20,000 euros for violating the confidentiality of online reports made available to patients through a dedicated web page and the related mobile application. (In the case at issue, the breach involved approximately 39 users who, due to human error during configuration of the application, were able to view personal data contained in the reports of other users; Decision No. 174 of October 1, 2020, doc. web No. 9469345.)
F. Further fulfillment
In addition to the requirements described in the previous paragraphs, for online reporting the controller must always comply with the additional provisions of the GDPR. In this regard, the FAQ expressly mentions maintaining a record of processing activities pursuant to Article 30 of the GDPR, in which the specific features and security measures implemented for online reporting must be included.
Moreover, the FAQ specifies that the controller should carry out a data protection impact assessment, as required by the GDPR, if s/he intends to implement new technologies by offering new digital reporting services on a large scale.