[doc. web n. 1634292]
Guidelines on Online Examination Records
Document adopted on 25 June 2009 and submitted to public consultation as per the Notice published in Italy's Official Journal no. 162 dated 15 July 2009
THE ITALIAN DATA PROTECTION AUTHORITY
The Italian DPA considers it appropriate to provide guidance on the use of personal data in connection with various initiatives undertaken with a view to modernizing the provision of health care by both public and private bodies; such initiatives have brought about the increased development of networks and the widespread electronic processing of documents, records and procedures.
One of the initiatives that have been found to be quite frequently undertaken by several health care bodies, especially in the private sector, consists in the provision of free-of-charge services that can be termed generally "online access to examination records" – whereby the patient is enabled to access an examination record online; here, examination record means the written record drawn up by a physician on the patient's clinical status following clinical examination and/or test results. Patients are also afforded the opportunity to decide – either from time to time or once and for all – whether to receive the said records directly via their own medical specialist and/or general practitioner/paediatrician.
Access to examination records usually takes place via either
a. delivery of the examination record to the data subject's email account; or
b. downloading of the examination record from the Internet website of the health care body where the clinical examination was carried out.
In the latter case, which appears to be the one occurring most frequently, the patient is usually provided with a UserID and a password when booking and/or undergoing the given examination.
In some cases patients may also download the "findings", i.e. the results of the clinical examination and/or test performed on them, such as an X-ray, an echographic record and/or blood tests, along with the written examination record drawn up by the physician.
Patients may be notified of the possibility to view their examination records as described above via SMS-messages that are sent to the mobile phone number(s) they had provided to the health care body at the time of signing up to the service.
In the light of the information gathered so far, there appears to be no legislation applying to the foregoing methods for the delivery of examination records; the sector-specific legislation only regulates the legal value of paper-based examination records. This is without prejudice to the specific regulations on computerised records and digital signature, where applicable, with particular regard to computerised authentication mechanisms (see legislative decree no. 82 dated 7 March 2005).
Additionally, it has been found that the online availability of examination records usually does not substitute for the standard delivery procedures applying to such records, which remain available on paper at the premises of the individual health care provider(s) – under the terms and for the purposes of the relevant laws. Patients are usually enabled to collect the original examination records. As a rule, the online services in question are not aimed at replacing the provision of paper-based records, but rather at bringing forward the provision of such information by allowing the examination records to be viewed and printed out as soon as they become available at the health care provider.
2. Optional Nature of the Online Access to Examination Records
Under the "Code of Digital Administration", it must be ensured that information is available, handled, accessed, transmitted, stored and used in digital format by relying on Information and Communication Technologies and complying with the relevant data protection legislation – in particular, the provisions set forth in the personal data protection Code (see section 2 of legislative decree no. 82 dated 7 March 2005).
It has already been pointed out that specific legislation is missing on the said mechanisms for the delivery of examination records; accordingly, the services in question should be regarded as an option the data subject is free to resort to. Alternatively, these services should be offered in such a manner as to enable the data subject to opt in any case for the collection of a paper-based examination record. Thus, data subjects should be permitted to freely decide whether to access the online examination records service and enabled in all cases to continue collecting such examination records on paper at the individual health care provider(s).
The individual health care providers should also afford data subjects full discretion in deciding – based on a specific information notice and after obtaining ad-hoc consent for the processing of personal data related to the service in question – whether to sign up to the online access to examination records, whereby no prejudicial effects should arise from the given decision as for access to the medical care requested by data subjects.
Where a data subject decides to sign up to the services at issue, he or she should be allowed to object to implementation of the services with regard to the clinical examinations he or she may undergo from time to time – that is, the data subject should be permitted to object to making available a given examination record via the online access service he or she had previously signed up to.
If the examination records are delivered to the email address provided by the data subject, the latter should be enabled nevertheless to confirm the email delivery address on the occasion of each subsequent examination. This is without prejudice to operation of the system to be implemented in pursuance of the Prime Minister's Decree dated 6 May 2009, concerning allocation and use of certified e-mail for citizens.
As for the possibility afforded to data subjects to give their consent in order to have test results notified to their medical specialists and/or general practitioners/paediatricians, such consent should be given on a case-by-case basis. Accordingly, data subjects should be afforded the right not to have all clinical test findings and/or examination records notified systematically to their medical specialists / general practitioners; they should rather be enabled to decide, from time to time, which examination records should be made available. This prerequisite should be fulfilled both if the data subject authorises delivery of examination records to the specialist's / practitioner's email address – which is most often the case – and if the data subject authorises the health care provider to forward his/her authentication credentials directly to the specialist/practitioner in order for the latter to download the relevant examination record(s).
Regarding use of the SMS-based service alerting to availability of examination records in accordance with the mechanisms described above, the SMS-message sent to the data subject should only refer to availability of the examination record without specifying the type of examination at issue, the respective findings and/or the authentication credentials allocated to the data subject (see point 6 below).
3. Information and Consent
To allow data subjects to make informed decisions on the processing of their personal data, the data controller must provide them beforehand with appropriate information on the features of the service enabling them to access examination records online (sections 13, 79 and 80 of the DP Code). The information in question might also be provided jointly with that concerning processing of personal data for medical purposes, though as a separate item; it should be worded simply and include all the pieces of information mentioned in section 13 of the Code. In particular, it should be clarified that signing up to the service is optional and that the service is intended to expedite knowledge by data subjects of the findings related to the individual clinical examinations.
The information should also refer to the mechanisms data subjects can rely on when applying to the data controller to exercise the rights set forth in section 7 et seq. of the Code.
To ensure that the information provided is fully understandable, the data controller should train the staff in charge in the relevant data protection issues – partly in order to facilitate their relationships with data subjects.
Having provided the said information, the data controller must obtain the data subject's specific, ad-hoc consent to process the data subject's personal data, including medical information, via the foregoing online access mechanisms.
4. Archiving of Examination Records
In some of the existing online access services data subjects are also offered – usually free of charge – the possibility to store, at a given health care body, all the examination records based on the clinical examinations/tests performed therein. The resulting archive can usually be accessed online by the data subject, who can also download the individual records.
Where the data controller plans to offer this archiving service to the data subject, a specific information notice will have to be provided and the data subject's ad-hoc consent obtained.
The archives in question fall under the scope of the definition of health record pursuant to this DPA's decision dated 5 March 2009 ("Guidelines on the Electronic Health Record (EHR) and the Health File (HF)"), since they include all the examination records applying to the data subject over a given time span and are set up at a health care body (e.g. an analysis lab, a private hospital, etc.) that is the sole data controller. Accordingly, any data controller planning to enable data subjects to archive their examination records in the manner described above will have to take account of the safeguards set forth under the said decision – also concerning security measures – in respect of health records.
5. Communicating the Information to Data Subjects
Under section 84 of the DP Code, any personal data related to health must be disclosed to the data subject by the agency of a physician to be appointed by either the data subject or the data controller. Paragraph 2 of section 84 provides that the data controller (or the data processor) may authorise, in writing, health care practitioners other than physicians to disclose the information in question to the data subject where such health care practitioners have direct relationships with patients as part of their official duties and are in charge of processing personal data suitable for disclosing health.
Accordingly, data subjects should be enabled to access examination records online in compliance with the sectoral safeguards applying to the disclosure of such records on paper, which had already been highlighted by the Italian DPA in its general decision of 2005. In particular, the need for intermediation might be met by providing the examination records along with a written medical opinion and highlighting the physician's availability to provide additional information upon the data subject's request.
In this context, data controllers should take account of sector-specific provisions that require specific advisory services to be made available by health care personnel – e.g. for clinical tests aimed directly and/or indirectly at detecting HIV-related infection – when communicating examination records and explaining their relevance to diagnosis. Additionally, since appropriate genetic counselling is required when performing genetic tests (including prenatal tests), it can reasonably be ruled out that the online services in question may be provided to patients who undergo those tests.
6. Security Measures and Data Retention Period
The highly sensitive nature of the personal data that are processed in connection with the online access to examination records requires specific technical arrangements to be made to ensure the appropriate security level as per section 31 of the Code; this is without prejudice to the minimum measures that every data controller is required to take in pursuance of the Code (see section 33 et seq.), with particular regard to those set forth in Rule 24 of the Technical Specifications applying to minimum security measures (Annex B to the Code) – whereby the transfer of data suitable for disclosing an individual's genetic identity is only permitted in encrypted format.
Regarding delivery of the findings of clinical examinations and medical tests, the two scenarios described above are currently to be considered; each of them entails specific data protection issues, which should be tackled differently.
Scenario 1 – Online consultation of examination records via web-based services on the Internet
Where the service to be provided consists in enabling a data subject to access the website of the health care body that has performed the relevant examination in order to download and/or view the respective record(s), specific precautions should be implemented such as the following:
1. Secure communication protocols based on encryption standards for electronic data transfers, including digital certification of the systems delivering network-based services (HTTPS/SSL protocols);
2. Suitable arrangements to prevent acquisition of the information contained in the electronic file if the latter is stored in local and/or centralised caching systems after being consulted online;
3. Suitable authentication systems based either on standard credentials or, preferably, on strong authentication procedures;
4. Short-term (maximum 30-day) availability of the online examination record;
5. Possibility for the user to prevent online viewing of the relevant examination records and/or delete such records, in whole or in part, from the online access system.
Scenario 2 – Emailing of the examination record(s)
If the data controller plans to send a copy of the examination record(s) to the data subject's email address based on a specific request by the latter, the following precautions will have to be implemented as regards digital records:
1. The examination record(s) will have to be sent as an attachment to the email message rather than as text embedded in the body part of the message;
2. The file containing the examination record(s) will have to be protected so as to prevent unlawful and/or unwanted acquisition of the information by entities other than the relevant addressee(s). To that end, the file may be password-protected, or else an encryption key may be applied and notified to data subjects via a different communication channel (see Rule 24 of the Technical Specifications – Annex B to the Code). This requirement may be waived if the data subject, after being duly informed, expressly requests so, since the sending of examination records to the email address specified by the data subject does not give rise to a transfer of medical data between two data controllers and actually consists in the communication of data between the health care provider and the data subject at the latter's request;
3. The email addresses will have to be validated by means of an ad-hoc online checking procedure to prevent sending electronic documents – albeit protected by encryption – to addressees other than the specific user that has requested them.
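An added example (not part of the DPA's guidelines or of any provider's system) of the address-validation step and the attachment-only delivery described in points 1 to 3, in Python: the token lifetime, the in-memory storage layout and the notice text are assumptions, and the record bytes are taken to be already encrypted under a key notified to the data subject over a separate channel.

```python
import hashlib
import hmac
import secrets
from email.message import EmailMessage

TOKEN_TTL_SECONDS = 24 * 3600  # assumed validity window of the confirmation link
NOTICE = "A new examination record is available as an encrypted attachment."

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

class AddressValidator:
    # Scenario 2, point 3: the typed address must prove it is the patient's before use.
    def __init__(self):
        self.entries = {}  # patient id -> {email, token hash, issue time, confirmed flag}

    def start(self, patient_id: str, email: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # one-time token; only its hash is kept
        self.entries[patient_id] = {"email": email, "hash": _digest(token),
                                    "issued": now, "confirmed": False}
        return token  # goes to `email` inside a confirmation link

    def confirm(self, patient_id: str, token: str, now: float) -> bool:
        e = self.entries.get(patient_id)
        if e is None or e["confirmed"] or now - e["issued"] > TOKEN_TTL_SECONDS:
            return False  # unknown patient, token already used, or link expired
        if not hmac.compare_digest(e["hash"], _digest(token)):
            return False  # constant-time comparison against the stored hash
        e["confirmed"] = True
        return True

    def delivery_address(self, patient_id: str):
        e = self.entries.get(patient_id)
        return e["email"] if e is not None and e["confirmed"] else None

def build_record_email(sender: str, validator: AddressValidator, patient_id: str,
                       encrypted_record: bytes, filename: str) -> EmailMessage:
    # Scenario 2, points 1 and 2: the already-encrypted record travels only as an
    # attachment, and only to an address that has passed the validation step.
    to = validator.delivery_address(patient_id)
    if to is None:
        raise PermissionError("email address not validated for this patient")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, "Examination record available"
    msg.set_content(NOTICE)  # body names no examination type, finding or credential
    msg.add_attachment(encrypted_record, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg
```

The message object is what the provider's mail agent would hand to SMTP; the confirmation token returned by `start` is what the confirmation link carries, and a wrong, reused or expired token never releases the address.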
The following measures will have to be implemented in all cases with a view to processing data to provide such online services to users:
1. Suitable authentication and authorisation systems will have to be deployed in respect of the persons in charge of the processing as a function of their roles and access/processing requirements – e.g. by considering whether they may browse, modify and/or supplement the information; biometrics-based strong authentication will have to be implemented if the processed data are suitable for disclosing an individual's genetic identity;
2. The data suitable for disclosing health and sex life will have to be kept physically and logically separated from any other personal data that is processed for administrative and/or accounting purposes.
Furthermore, the data controller should envisage ad-hoc procedures to immediately disable the online consultation and/or terminate the emailing of examination records related to a data subject that has notified the theft and/or loss of his/her own authentication credentials, or else any other circumstances that may endanger the confidentiality of the respective personal data.
In any case, all the security measures required to comply with the ban on dissemination of medical data set forth in the Code should be implemented (see sections 22(8) and 26(5) of the Code).