- Consultancy Report

Transcription

1 Hospital Health Information System EU HIS Contract No. IPA/2012/ Towards the Launch of Electronic Health Records in Serbia: Legal Gap Analysis - Consultancy Report Author: Aleksandar Zavišić Final version February 2013 Visibility: Public Target Audience: EU-IHIS Stakeholders This document has been produced with the financial assistance of the European Union. The views expressed herein can in no way be taken to reflect the official opinion of the European Union. This project is funded by Republic of Serbia Implemented by the the European Union Ministry of Health WHO and UNOPS

2 Abbreviations used in this report have the following meaning: LHC Law on Health Care LPDP Law on Personal Data Protection LHI Law on Health Insurance LPH Law on Public Health LCD Law on Classified Data LHR Law on Health Records LPPCD Law on Protection of Population from Contagious Diseases LOT Law on Organ Transplantation LTCT Law on Transplantation of Cells and Tissues RHIF Republic Health Insurance fund EU-IHIS Šumatovačka 78-80, Beograd, Serbia /43

3 Executive Summary The concept of the Electronic Health Records (EHR) was designed with the principal idea to collect all important health related data about a specific person, relevant for his long-term state of health, in one centralized place, so that for the purpose of future treatment comprehensive and relevant information is available to attending health professionals thus patients have a better chance of successful treatment. 1 In the context of Electronic Health Record (EHR), the right to health care and the right to privacy (can) have an opposing logic. The Strategy for the Prevention and Control of Chronic Non- Communicable Diseases of Serbia 2 provides that in order to control chronic diseases, the strengthening of information and knowledge includes, among other things, the development of a national health information system and the adoption of legislation in order to ensure privacy, confidentiality and security of information. One of the main conclusions of this analysis is that the right to privacy, or the institution of personal data protection, cannot and should not hinder the affirmation and furthering of one basic human right that to health care. On the other hand, the realization of this right, accompanied by the use of modern technologies, should not offer the opportunity to malicious, negligent, or profit oriented individuals, to realize forbidden goals that could compromise the new system, and with that violate the right to privacy as one of the indicators of the progress of a society. From this starting point, the suggested legal, organizational and technical solutions for EHR aim to address all of these concerns. Most importantly, the existing legal framework and strategic direction conveyed in Government documents offer sufficient leeway for the introduction of EHR within the Serbian health system through the drafting and modification of a number of (by-) laws. There are two possible approaches that can be taken in order for this to happen, that have different weight and transmit a different message. The first approach is more comprehensive and envisions the introduction and defining of EHR, apart from the new Law on Health Records, and also in the systemic Law on Health Care. This way, the entire health care community and health care beneficiaries would realize that EHR presents a fundamental reform effort, which leans on information technology and puts the patient and his relationship with his/her physician in the centre of attention. The second approach would be for EHR to be introduced through small doors (only) by adopting the new Law on Health Records (and, in both cases, the introduction of the related Rulebook). This is the easier, but unsystematic approach. The recommendation of this gap analysis is for the first approach to be taken, that is that the term of EHRs, their purpose, aim and authorized Administrator get defined and determined in the Law on Health Care (LHC). That is for at least three reasons. The first is the need for the set of rules regarding the protection of personal data to be taken under serious consideration, a position regarding them taken, and with that criticism and/or misunderstandings regarding this aspect avoided ahead of time. The second is the (possibly) limited scope of the new Law on Health Records, already prescribed in 1 The EU s Working Document on the processing of personal data relating to health in electronic health records (EHR), dating February 15, 2007, page 5. 2 Official Gazzette of the RS, n. 22/2009 EU-IHIS Šumatovačka 78-80, Beograd, Serbia /43

4 Article 73 of the LHC. And the third is the need for the role and significance of EHR to be potentiated from the highest level, from a legal perspective. Apart from the already mentioned, differences in interpretation among institutions and health professionals included in the functioning of EHR would be avoided, which often occurs as part of major reform efforts. If this is not possible, it remains for all aspects important for the functioning of EHR to be defined in detail (only) by the new Law on Health Records, such as their definition, set of data that is to be recorded and taken from already existing data-bases relevant for EHR, the authority responsible for administering the system, the circle of health professionals authorized to access the EHR system in concrete situations, the way how authorizations are to be issued and levels of access, the necessity for a patient s consent to be given for one s access to his health data, the rights of patients in regard to the stored data, etc. EU-IHIS Šumatovačka 78-80, Beograd, Serbia /43

5 Contents I. Introduction... 5 II. Preliminary Clarifications... 6 II. 1. Difference between identity and personal data... 6 II. 2. Relation between the Law on Health Care (LHC) and the Law on Personal Data Protection (LPDP) 6 II. 3. Collection of Data, Controller, User and Processor of health information within the health care system... 7 II. 4. The criminal aspect of the protection of personal data from medical records II. 5. Application of ICT solutions to the EHR system III. Overview of legal provisions relevant for EHR with a Gap Analysis III. 1. Law on Personal Data Protection Protection measures Patients Rights in regard to Processing III. 2. The Law on Health Care (LHC) The Open Issue of the Designation of an Attending Health Professional III. 3. Law on Health Insurance (LHI) Relationship between the RHIF s Central Record and the EHR III. 4. The Law on the Protection of the Population from Contagious Diseases (LPPCD) III. 5. Law on Public Health (LPH) IV. New Law on Health Records IV. 1. Discrepancy between the Existing Law on Health Records with the Rest of the Health Legislation IV. 2. Suggestion of Key Provisions for the new Law on Health Records i) Definition of medical documentation and records ii) Definition of EHR iii) Definition of the Attending Health Professional iv) Patient Consent and the Right to Access of Health Professionals v) Patient s Right to Access vi) The Establishment of Electronic Health Records vii) Content of Information being Retrieved into the EHR V. Main recommendations, conclusions and proposals EU-IHIS Šumatovačka 78-80, Beograd, Serbia /43

6 I. Introduction Health protection is a sector that increasingly puts the patient in the centre of attention. A recent survey conducted by the British National Health Service shows that a large amount of medical documentation in paper form gets lost or misplaced. It is estimated that about 1.2 million British patients get treated by a physician without adequate supporting documentation on an annual basis. It is not necessary to go into details about the severe consequences that the lack of adequate (historical) medical information can have on the medical treatment of a patient. It is widely known that in many health systems, including Serbia, there is a gap between medical benefits and rights guaranteed by law and the financial means for them to be realized in practice. In an environment with a constant lack of resources, a reform effort which through the use of information technologies facilitates a more efficient use of available resources, and helps physicians to offer better and more all-embracing health services, becomes a necessity. In this context, the design and implementation of the EHR system does not serve the purpose of better administering health services. It is above all an effort aimed at delivering higher quality health services to patients. The EHR system saves the health professional s time and energy since it allows him to channel his attention on the patient, and not on gathering information about him/her. Also, EHR is principally also helping the patient, enabling him to (fulfil an obligation) wholly brief the attending health professional about all facts regarding his/her health condition (Article 43, paragraph 1 LHC), hence helping the health professional to provide better health services. And not only does it allow him to fulfil his obligation, it practically also removes the legal possibility for the practicing physician to refuse further health care services to a patient should he not comply with his obligation (Article 43, paragraph 2 LHC). The intent of this document is to help decision-makers and drafters of health regulations to more completely and analytically review the corps of rules in which the EHR system will be placed and to point towards the remaining challenges on the road to its lawful existence and structure. At the end of each headline, based on an analysis of obstacles and uncertainties (gap analysis), are specific recommendations for their removal, as well as a summarized overview of what needs to be regulated and on what an emphasis should be put on in the coming period. EU-IHIS Šumatovačka 78-80, Beograd, Serbia /43

7 II. Preliminary Clarifications An overview of issues that can cause certain concerns and contradictions is to follow. Their clarification is desirable in order for lawmakers and other interested participants to better understand each other during the process of conceptualizing regulations regarding the EHR. II. 1. Difference between identity and personal data Given that lawyers are the ones who primarily deal with laws, it is necessary to clarify the meaning of certain terms that are used in the relevant legislation. Identity data (lični podaci) primarily relate to general data ( generalije ) data which distinguish one individual from all others in legal proceedings and generally in life. Identity data are data about one s identity, and such definition is also used by the Law on Personal Data Protection (LPDP), which in one place 3 explains that they refer to the name and surname, name of one parent, date and place of birth and personal ID number. Moreover, the Law on Identity Card spells out in Article 7 that personal data are the: 1) surname; 2) name; 3) sex; 4) day, month, and year of birth; 5) place, municipality and country of birth; 6) unique personal identification number therefore, the same as in the LPDP. It can be concluded that identity data in fact present a subset of personal data. Personal data (podaci o ličnosti) is any information concerning a natural person, regardless of the form in which it is expressed and the data format (paper, tape, film, electronic medium and the like), under whose mandate, in whose name or for whose account the information is stored, the date when information originated, the place where the information is stored, the mode of learning the information (directly, by listening, watching and the like, or indirectly, by insight into documents containing the information and the like), and regardless of other characteristics of the information. However, in ordinary speech, but also in laws that relate to heath care, the term personal data is used in places where it should not be used for example in articles 138 and 150 of the Law on Health Insurance, which regulates how data from the Central Record of the Republic Health Insurance Fund are used; in Article 5, item 10) of the Law on Official Statistics; or in the earlier valid Article 37 of the Law on Health Care, which regulated the status of data from medical documentation. Therefore, the term personal data is used both as a subset of the broad term identity data and, in other places, as its synonym. Terminology needs to be used uniformly. Attention to these needs to be paid especially during the process of interpreting and drafting regulations. II. 2. Relation between the Law on Health Care (LHC) and the Law on Personal Data Protection (LPDP) The LHC is a framework law in the area of health care, thus all other laws that relate to health care need to be in line (harmonized) with this law. The LPDP is the principal law in the area of personal data protection, i.e. serves as the structure for finding solutions for the LHC and the Law on Health Insurance (LHI), but also for the new Law on Health Records and all other regulations within the health care sector. Consequently, the LHC and all other health care legislation needs to adhere to the 3 Article 24, paragraph 2 of the LPDP EU-IHIS Šumatovačka 78-80, Beograd, Serbia /43

8 solutions defined in the LPDP, in the part that refers to the processing and protection of a patient s medical/ health data. In all other respects, the LHC is of greater significance than all other laws governing the health sector. Accordingly, the LPDP needs to be carefully worded and in line with best international and European standards, able to identify any exceptions in parts that refer to the gathering and processing of health data, should they exist. A Law on the Protection of Patients rights is in the drafting stage at the Ministry of Health, which at this point foresees the transfer of a set of regulations regarding patients rights and obligations into this new law. To an extent possible, this analysis also takes into account suggested legal solutions from the outline of this document. II. 3. Collection of Data, Controller, User and Processor of health information within the health care system Article 3 of the LPDP, as the principal law for personal data protection, provides a definition of the above. Personal Data is a set of data kept in automated or un-automated manner, available according to personal, subject-matter related or other criteria, regardless of the manner and place of their storage. The Controller is a natural or legal person or authority who processes personal data. It is, therefore, each health facility (primary, secondary and tertiary sectors) which collects, records, copies, reproduces, multiplies, classifies, stores, changes, uses, etc. health information concerning a person. In reference to the above, there is a tendency of other laws and the jurisprudence for the term use to be used independently of the term processing, which is not the case in the LPDP. Use is just one of many activities that fall under processing. With that, the legal construction from the LPDP may be in conflict with the notion of language, so that the Criminal Code and the Law on Organ Transplantation 4, but also the Serbian Constitution in Article 42, use the terms processing and use as two independent terms. Likewise, the Constitutional Court in its recent decision, dating back to July 2012, references use as a term that is independent of the term processing. 5 A recommendation which is not of key significance, but would nevertheless potentially advance the LPDP is that it should be considered to separate the term use of data from the term of processing of data, and/or that they should at least be defined in the LPDP. At a minimum, in the third line of Article 3 of the LPDP the word use should be deleted. The Processor is a natural or legal person, or authority, to whom the Controller confers tasks related to data processing in accordance with the law or a contract. These are, hence, natural or legal persons to whom the data Controller outsources certain functions for different purposes. In other words, all those who based on a/more authorizations, delegated by the Controller, have access to data health care professionals (above all, selected physician), administrative staff, companies that are working on data processing in place of the Controller, who are safeguarding computer resources, 4 See Article 146 of the Criminal Code and Article 34 of the LTO. 5 For more details see page 16, part which quotes the decision of the Constitutional Court. EU-IHIS Šumatovačka 78-80, Beograd, Serbia /43

9 are delivering administrative or other services, software developers, analysts, IT maintenance personnel, and others. The User of Data is a physical or legal person, or government body, which is authorized to use the data based on law or consent. According to the law, this would be public health institutes, in case they were given/hold access to health data that are supplemented by personal data, or data which by logical reasoning point towards the identity of a concrete individual. If that is not the case, i.e. in case they do not receive identity data, they are not the users of personal data, since the information they possess is not to be considered as personal data. At this point, a separate issue that emerges is whether or not it is essential for public health institutes, which are performing activities in the area of public health, to have access to personal data. 6 A user would e.g. be a physician from a private clinic to whom the patient willingly allows access to his medical data in EHR. It is irrelevant whether this is through direct access to the IT system or by hand delivering his/her entire medical record, previously obtained based on exercising his/her right to obtaining a copy. This could, hypothetically speaking, also be a pharmacological company to which the patient allows access to a part or his entire medical documentation for certain (pharmacological) needs, or an academic institution for research purposes, etc. Most importantly, the user is also the physician from a state medical facility, who is not the selected physician, but is viewing data about the patient in order to perform an intervention. If, he/she after the performed intervention (has the right to) modifies or updates existing data, he/she becomes a data processor (the processor in fact consumes the term user). The user would hence be only a silent observer of the stored (saved) data, while the processor apart from this, also modifies data. If the user creates a new collection of personal data, be it for scientific, statistical or other purposes, he practically becomes a Controller and assumes the obligations which Controllers are obliged to fulfil. In that regard, see quoted Article 37, paragraph 12, in the section of this report dealing with the LHC, and Article 138, paragraph 3 of the LHI, in the section of this report dealing with the LHI. The recommendation regarding this is that a consensus needs to be reached among all parties in the discussion about the role e.g. status of different health entities (Controller, Processor, User) according to the LPDP. This dialogue also needs to include the Commissioner for Information of Public Importance and Personal Data Protection. This is important in order to clearly establish the rights and obligations of the parties according to the LPDP and make possible adjustments in other legislation. The following chart shows the flow of medical information on individuals in the new EHR system and the determination of the status of the listed entities according to the LPDP. 6 More details can be found towards the end of the report in the section about the Law on Public Health. EU-IHIS Šumatovačka 78-80, Beograd, Serbia /43

10 IPH EHR RHIF Primary HC center Hospital Data base of insurees Health prof. ICT firms adm. staff Health prof. ICT firms adm. staff Legend: - (personal) data base - controller - processor - user It is planned that in a later stage of the existence and functioning of the EHRs system, other forms of health care facilities and health services such as pharmacies, private practices, military health facilities, social welfare centres, health units within the Institute for the Execution of Criminal Sanctions, and medical schools that perform certain medical services, should also become part of the EHR system. Also, if the data from the EHR's can be used for planning and statistical analysis within the area of responsibility of the Republic Health Insurance Fund, the sharing of depersonalized data with this institution should be enabled. One of the major obstacles and pitfalls on the way towards the full affirmation of the idea of the EHR is that, at least for now, the involvement of private practices is not anticipated within the EHR. For something like this there is a mounting need. According to a recent estimate 7, in private practices, in which 3400 doctors are employed, excluding consultants, which is almost ten times less than in state health services, currently provide between 30 and 40 percent of all health services. So, if this finding is even partially true, the idea of EHR's, or the credibility of the new system may remain limited in reach if it does not (soon) integrate private practices under its umbrella. The importance of medication records in the set of relevant data that are in the patient's EHR-is quite clear. At this point, the role that the EHR would have in the fight against corruption should be mentioned, given that examples of corruption in the health sector include the uncontrolled prescription of drugs and sanitation materials,..., acceptance of bribes for the provision of medicines, medical supplies. This kind of abuse is frequently a consequence of a conflict of interest, 7 See more about this at: EU-IHIS Šumatovačka 78-80, Beograd, Serbia /43

11 i.e. a specific relationship between doctors, pharmacists and drug manufacturers. 8 In an indirect way, the integration of pharmacies in the EHR system would give its contribution to the prevention and control of corruption in this area. II. 4. The criminal aspect of the protection of personal data from medical records The use of personal data for purposes other than for which they were collected is prohibited and punishable according to Article 42, paragraph 3 of the Constitution of Serbia. The violation of professional obligation, that to obeying to professional secrecy regarding medical data is regulated by penalty provisions of health legislation as a violation. 9 This is the first level of the protection of obligations imposed on health care professionals and other duty bearers. 10 On the other hand, the criminal protection of personal data has its place in the Serbian Criminal Code. In the group of crimes against the rights and freedoms of individuals and citizens a separate offense is envisioned the unauthorized collection of personal data: Unauthorized Collection of Personal Data Article 146 (1) Whoever without authorization obtains, communicates to another or otherwise uses information that is collected, processed and used in accordance with law, for purposes other than those for which they are intended, shall be punished with a fine or imprisonment up to one year. (2) The penalty specified in paragraph 1 of this Article shall also be imposed on whomever contrary to law collects personal data on citizens and uses data so collected. (3) If the offence specified in paragraph 1 of this Article is committed by an official in discharge of duty, such person shall be punished with imprisonment up to three years. Recommendation: In the future, when introducing health professionals to their rights and obligations arising from the (newly established) system of electronic records, their attention needs to be drawn to criminal liability. As an additional (positive) pressure, a written statement should be signed by each health worker declaring that he he/she is aware of these rights and obligations. This statement should be archived in their respective personal files. According to the LHC, the attending medical professional commits an offense if he shares a patient s personal data, that he learned during the course of providing health care i.e. was given by the patient, with anyone else. Similarly, unauthorized access to data from the EHR by an attending medical professional should also be foreseen as a misdemeanour. Access is unauthorized if there no time and causal connection with the exercise of health care for a particular patient. In Article 259 of the LHC, which begins with the words "An offence of a health professional will be 8 More about this in the text "Corruption in the health care system and how to combat it", Dr. Nevena Karanovic and Dr. Snezana Manic, Independent of the context of personal data protection, certain illegal actions are considered as an criminal offense. See Law on transplantation of Cells and Tissues and the Law on Organ Transplantation 10 See the last paragraph Article 37 of the Law on Health Care, quoted later. EU-IHIS Šumatovačka 78-80, Beograd, Serbia /43

12 fined with 30,000 to 50,000 dinars in the case of", add the new line: Unauthorized access to patient data from electronic health records. Should the LHC not be the framework law for the EHR, this provision should be included into the law that regulates it. II. 5. Application of ICT solutions to the EHR system The strategic goal of Serbia to move towards the implementation of information and communication technologies, and thus towards the introduction of EHR in the health information system is reflected in the Strategy for Information Society Development in the Republic of Serbia until 2020 and the Government decree about the Program of work, development and organization of an integrated health information system - "e-health". The principles that the application of information and communication technologies in health care has to meet are as follows: 1. Assurance of privacy and confidentiality of personal health information; 2. Effectiveness and usefulness of the health information system; 3. Promotion the optimal use of health data; 4. High quality of health information. These four principles from the aforementioned Strategy for the development of Information Society and the Government "e-health" Regulation, serve professionals and regulators as a lead for conceptualizing solutions based on them in practice. In other words, these are the principles that the EHR system must meet. Recommendation: In light of these principles, conceive new solutions, primarily in the new Law on Health Records, but also in other regulations. A number of specific recommendations are given later in this analysis. EU-IHIS Šumatovačka 78-80, Beograd, Serbia /43

13 III. Overview of legal provisions relevant for EHR with a Gap Analysis Before presenting any details, in order to comprehend the significance of certain legal acts and provisions in the context of EHR and the Electronic Health Information System (IHIS), it is necessary to put them in relation to each other. The following chart lists the provisions of the law that provide the basis for action and determine the content of future solutions. III. 1. Law on Personal Data Protection Health information is also used for scientific research purposes, as suggested by some laws and the mandate of the Institute for Public Health and the Ministry of Health. 11 Thus, Article 6 of the LPDP authorizes for the use of (medical) personal data for other purposes than those they were normally intended for, but only for historical, statistical or scientific research purposes, provided that they do not serve for the decision-making or taking measures against a particular person by providing the necessary safeguards. It must be added that measures for protecting data stored solely for historical, statistical or scientific research purposes are determined by special regulations. The Law on Public Health suggests that public health institutes are users of this data, but this law does not prescribe measures for the protection of data obtained from medical institutions. 12 In 11 Concretely, the Ministry of Health, as a public authority is not required to obtain consent for the processing of data "if the processing is necessary for the performance of activities within its powers established by law with the goal to preserve... the protection of health or moral... "In other cases, a written consent of the individual (Article 13 of the LPDP) would be needed. EU-IHIS Šumatovačka 78-80, Beograd, Serbia /43

14 addition, the question arises whether or not there is a need for institutes and departments of public health to be receiving personalized information. 13 The recommendation is to modify (supplement) the Law on Public Health and to determine the use of protective measures for obtained personal data in order for it to be aligned with the LPDP. However, if medical data are defined as particularly sensitive data, this would be regulated by a Government decree. Article 8 specifies that processing is not allowed if an individual has not given his/her consent for the processing, or if the processing is done without legal authorization. On the other hand, Article 12 states that processing without consent is allowed to attain or protect the vital interests of the person or another person, such as life, health and physical integrity. Also, processing without consent is not required for the execution of duties as specified by law. The activity of health workers in most part is realized in the sphere of the protection of vital interests of individuals, their lives and health. In addition, the LHC established a legal obligation of the state, local communities and, in particular, health care workers to care for the health of the population. 14 These responsibilities are carried out in the system of mandatory health insurance/ care that exists in Serbia. In this regard, the need for patient consent for the processing of medical data and the level of (non) access to his medical information must be cautiously questioned. 15 More specifically, potential problems associated with the (possible) specifying of different access rights for (unelected) physicians can be caused by the provisions of Article 8 of the LPDP which states that if the data being processed is unnecessary or unsuitable to achieve the purpose of processing, or the amount and type of data to be processed is disproportionate to the purpose of processing, processing is also not allowed. Potentially each or the vast majority of medical data may have its practical value, especially when it comes to the treatment of complex cases, which are also the ones that often lead to unintended consequences and raise the issue of accountability. Due to the higher responsibility of holders of secondary and tertiary health care, narrowing their access rights i.e. the level of access to only certain medical information can lead to undesirable consequences in practice. In the entire complexity of life and hospital practice, the question of what (medical) data is necessary and serves a purpose, or is unnecessary or unsuitable for processing, is difficult to determine ahead of time. This problem may (perhaps) be bridged by providing a sort of linear access authorization to medical data to physicians who assume responsibility for the patient (whenever and whatever the occasion), and according to the LHC this is the attending physician. Again, a stand needs yet to be taken whether 12 The protection of confidential information is also a obligation according to the Law on Official Statistics (Article 46). If the act does not determine the appropriate measures and procedures to ensure the protection of data, the responsible producer of official statistics may be punished for an offense - a fine in the amount of (only) 50,000 to 100,000 dinars. 13 More about this later in the section about the Law on Public Health. 14 See Chapter of the Law on Health Care entitled II Social care for the health of the population. 15 A study of the Development of an Health Information System for Basic Health and Pharmaceutical Services project from july 2007 uses Slovakia as an example:... explicit consent of the patient is not necessary in collecting health care related information, as all citizens of Slovakia are obliged to have a health insurance, which automatically implies the necessity of a Health Care Record. EU-IHIS Šumatovačka 78-80, Beograd, Serbia /43

15 access should be given to absolutely all data or certain data should be withheld from usage, depending on the circumstances of a concrete case. The recommendation is to be very cautious in regard to the determination of different levels of access to medical information, should they at all exist. In relation to this recommendation, the detection of abuse of authority given to health professionals (and other authorized persons) for access to data and adequate penalty can be assisted by the audit trail software function. In this regard, given the lack of such software application, it is necessary to amend the Rulebook on the Content of Technological and Functional Requirements for Establishing the Integrated Health Information System. In part 2.3. General functional requirements of the Rulebook on the Content of Technological and Functional Requirements for Establishing the Integrated Health Information System, enter a request that would state: The system takes into account the time and place of access when authorizing access to medical data. To implement this requirement, if necessary, a certain (long enough) period could be allocated. Article 16 of the LPDP defines that the data relating to health conditions (as well as to sexual life, which to some extent has to do with the health of the individual) as particularly sensitive data, which results in that the data may be processed only based on the free consent of an individual. For the definition of medical data from the LHC, see above, section about the LHC. The same article in paragraph 2 provides the key to resolving the dilemma of whether the patient's consent is required to access the data from the EHR, stipulating that data related to one s health condition can be processed without consent only if this is prescribed by law. Accordingly, the possibility of automatic access of authorized persons would achieve the meaning and purpose of the EHR system, and that is to provide to the treating physicians (and a small circle of performing professionals) fast, complete and reliable information about the state of his patient and predispositions. The recommendation is to define data related to the health condition or data from medical records as "particularly sensitive information." This will also strengthen the argument for high levels of data protection on the level of health workers accessing them and technical solutions. The recommendation is to allow unconditioned access to data to health workers in charge, without seeking / giving consent of the patient, along with the parallel monitoring of the necessity of accessing. In this regard, provide adequate sanctions for unauthorized access to data from EHR's. Protection measures The determination of data relating to health as particularly sensitive data also has implications for the regulation of security measures. The previously cited Article 16 of the LPDP, in the last paragraph, provides that "the way for archiving (health) data and protection measures, with the prior opinion from the Commissioner, is regulated by the Government." Unfortunately, the regulation that governs it has still has not been adopted, even though the deadline for its adoption was May More troubling is that according to the recently adopted Action Plan for the implementation of recommendations of the European Commission related to the European integration process, the government is not planning any serious activities related to the protection of personal data before EU-IHIS Šumatovačka 78-80, Beograd, Serbia /43

16 the third quarter of the This state of affairs is a negative environment for the introduction of an important area of the EHR. It should be noted that the data on one s health condition, i.e. data from medical records are currently designated as classified data, and not as should be under Article 16 of the LPDP - as particularly sensitive data. There are two Government of Serbia decrees for the protection of classified information that were adopted in 2011 the Decree on Special Measures for the Protection of Classified Data in Information and Telecommunication systems 16 and the Decree on Special Physical and Technical Measures for the Protection of Classified Information. 17 Since it is clear that information about the health condition of a patient cannot be considered as classified (more on this in the section about Article 37 of the LHC), there is a need to prescribe safeguard measures for the delivery and exchange of information from the EHR. Hence, one of the major unknowns, i.e. gaps is the lack of regulation that determines the extent of protection and archiving method for particularly sensitive data. The recent announcement of the Commissioner points towards that. 18 On the other hand, Article 47 of the LPDP states that data must be adequately protected from abuse, destruction, loss, alteration or unauthorized access. The Controller and the Processor are required to take technical, personnel and organizational data protection measures, in accordance with established standards and procedures, which are needed to protect data from loss, destruction, unauthorized access, alteration, disclosure and any other abuse, and to determine the liability of persons who are employed in the processing, to protect the confidentiality of data. In the absence of the said Regulation, Article 47 provides an outline of (standard) solutions, which should be met in practice. Accelerate the adoption of a (Government) Decree on the basis of Article 16 Paragraph 5 of the LPDP in order to establish a legal regime for archiving and protection measures for particularly sensitive data, i.e. data from the EHR. With that a legal framework would be completed that would allow the lawful and legitimate functioning of the EHR system. If this does not happen in due course, protection measures should be (also) prescribed by the new Law on Health Records. Patients Rights in regard to Processing Article 42 of the Serbian Constitution guarantees everyone the right to be notified about data collected about him/her. Hereafter, is an overview of rights of individuals whose data are being processed, guaranteed by the LPDP, and their possible implications for the EHR. Article 19 of the LPDP determines the entitlement to receive a notification about processing, stating that an individual has the right to request that the Controller accurately and fully informs him/her about all facts related to the processing. Through the media, leaflets and web portal, citizens- 16 "Official Gazzette of the RS", n. 53/ "Official Gazzette of the RS", n. 97/ See more at: EU-IHIS Šumatovačka 78-80, Beograd, Serbia /43

17 patients should be thoroughly informed about all aspects of the introduction of the new System of Records, including all 15 listed facts stated in Article 19 of the LPDP. It is recommended to introduce the population to the purpose of this right (and obligations according to the LPDP) through an awareness campaign to be launched at the time of the launch of the EHR system. The right to Information 19 from the LHC and right of access from the LPDP derive one from another, since the purpose of the right of access is the obtaining of information, The LPDP in Article 20 elaborates on the right of access to one s own (medical) information, which is also in accordance with the practices in most European countries. More specifically, one of the general objectives of the "e-health" Regulation is to facilitate the smooth and sound functioning of all parts of the health system through the active participation of citizens in their own health care, especially in terms of being fully informed, having a certain freedom of choice, the level of decision-making and influence in their own treatment, and participation in prevention. Therefore, full access to one s medical data from the EHRs system must be allowed, and the main task that remains is to provide access to data via the Internet in the foreseeable future. This is necessary from the point of exercising ones rights in relation to insight, guaranteed by the LPDP - to correct, amend, update, and delete data, the temporary termination and suspension of processing, but also with the aim to stimulate one s proactive and mindful care about one s own health. After all, everyone has the right to test other complementary and alternative methods of treatment, and the EHR can serve as a starting point for that. The right to access includes also the making of notes, free of charge, as outlined in Section 27 of the LPDP, which also states that the Controller may not condition the right of access to the data with the payment of fees, and that the right of access will be realized in the language in which the application was submitted. Conclusion: The right of access to the entire medical record may not be charged, and in areas where national minorities live, the data from the EHR must be made available in their native languages. However, one must take into account the limited financial resources available for such a project. Article 21 elaborates about the right to access raising it to a higher level, predicting the right to obtain a copy of data concerning one (medical records). At the same time, Article 23 states that the right to information, insight, and a copy may be limited due to nine listed reasons. Article 24 of the LPDP foresees a more difficult way for obtaining a copy through a sort of administrative and legal procedure, in contrast to the automaticity of the Rulebook of the Republic Health Insurance Fund about the way and procedure for the implementation of compulsory health insurance. Article 33 of the Rulebook affirms this right, stating that, at the request of the insured, the medical institution shall issue a copy of the medical record (as basic medical documentation). Unlike 19 The European Charter of Patients ' Rights provides for Right to Information, as one of the 14 primary patients' rights. The LHC in Article 27 affirms the right to information, but also the draft Law on the Protection of Patients' Rights under Article 8 does this in the same way. It would be more correct to call this law "right to being informed", since information does not relate only to one s own health, but also to information about health services and how to use the health services. The latter is not information in the true sense of the word, but more an explanation. All information combined would actually lead to more completely informed patients. EU-IHIS Šumatovačka 78-80, Beograd, Serbia /43

18 the LPDP, the Rulebook does not specify who bears the cost of making copies, as well as deadlines for obtaining copies of medical records. In contrast to the LHC, it is encouraging that the Draft Law on the Protection of Patients Rights provides for the right to obtain a copy of one s medical documentation (Article 20 of the draft law). Although the security of personal data that one has in his/her possession are the responsibility of the patient, data printed on paper tend to get lost, confiscated, displaced, which can lead to unwanted situations. In addition, data collected over the years tends to become extensive. Therefore, in practice, insight should be primarily encouraged, while the printing 20 and delivery of documents should be used as a second option only. Some aspects in regard to obtaining a copy of the data from the EHR can be regulated by the new Law on Health Records or, possibly, a rule adopted pursuant to that law. Article 24 also provides that a request for information, insight, and a copy of the data is to be submitted to the Controller in writing, while the Controller can also accept an oral request, for reasons of efficiency and economy. It is clear that the request for medical records will in most frequently be sent to the primary Controller - the health facility. However, the realization of these rights in the context of EHRs can be problematic, especially for individuals outside of Belgrade (presumed seat of the manager of the centralized body which administers the EHR. In that sense the request for receiving an notification, insight, or an copy of the EHR would have to be directly submitted to the responsible entity (either by mail, or directly). Clarify in the debate, in case that requests for information, insight, and a copy of the entire medical data from the EHR are submitted directly, where they are submitted to (the same applies for the realization of rights upon completion of insight correction, amendment, update, deletion of data, and the temporary termination and suspension of processing). If the answer is that this is one central (summary) Controller - the recommendation would be to find a way for realizing the right to insight and obtaining a copy of an EHR through the health care facility where the patient achieves its primary right to health care. The new Law on Health Records should clarify this important question. Article 22 of the LPDP provides that, after the received permission for data processing, an individual has the right to request from the Controller, in writing only, a correction, amendment, update or deletion 21 of data, as well as the termination or temporary suspension of processing. 20 The technical solution for obtaining a copy of the electronic medical records dictates that the maximum available surface for printing should be used, reducing the print out copy of medical records (EHR) to the smallest possible number of pages. For example, a rule could be for all printing to be done two-sided with wide margins, without the loss of clarity and readability of data (especially given the assumption that older patients and those with weaker eyesight can use printed information). The system should also assure that the computer from which one accesses medical records within health care facilities is connected to a printer. The copy fee should correspond to the actual cost of utilized paper for printing and the depreciation of printers and toners (a rough guess is that the cost of a copy should not exceed, at most, a few dozen dinars). 21 Reasons for deletion are specified as follows: 1) the purpose of processing is not clearly defined; 2) the purpose of processing has changed and the conditions for processing under the changed circumstances have not been met; 3) the purpose of processing has been realized, i.e. the data is no longer needed for accomplishing a purpose; 4 ) the processing method is not allowed; 5) the data belongs to the number and type EU-IHIS Šumatovačka 78-80, Beograd, Serbia /43

19 The termination and temporary suspension of data processing should be considered separately as it raises concerns, because this right is not recognized in many countries in the mandatory health insurance. Namely, the person has the right to terminate and suspend processing if he/she wants to challenge the accuracy, completeness and rightness of data, and the right for the information to be marked as disputed, until the opposite is proved. From the above it can be concluded that the legal presumption is that what the patient-processing entity claims is correct and not what is in the collection of data - the EHR, for example. Any processing can be terminated or suspended until the moment of determining the accuracy, completeness and rightness of it, based on a patient s request. This leads to a period of vacuum from the moment the exactness of data is questioned, and the request for the suspension and termination of processing is submitted, to the resolution of the complaint, which may lead to undesirable situations in practice... The recommendation is to resolve the question of the vacuum, either in the LPDP 22 in regard to health records, or in the new Law on Health Records which should specify what happens when the patient challenges the accuracy of data and requires the termination or suspension of processing. It is also unclear what the practical difference is between the withdrawal of the consent to processing (Article 18 read in conjunction with Article 11 of the LPDP) and the termination of processing (Article 22 of the LPDP). Specifically, what are the consequences in relation to the data already collected in the event of the interruption of processing or abrogation by the subject. It seems that the LPDP should take a stand in this regard. 23 Potentially, the consequences of the withdrawal of the consent to processing and the termination of processing could for the purpose of EHR be regulated by the new Law on Health Records. Article 27 of the LPDP which elaborates on the realization of the right to access can lead to undesirable situations in practice. An obligation is imposed on the Controller to make the (medical) information available "in an understandable form". However, it is highly subjective whether a piece of information is understandable to someone or not. Therefore, the data to be entered and the manner in which they are expressed in the EHR should be conceptualized in a manner that they are comprehensible and organized. In particular, the printed copy of the medical records should, to the extent possible, meet the criterion of intelligibility. Recommendation: Examine the practice of the Commissioner in connection with information intelligibility, should one exist. Use as much as possible comprehensible terms in classifications and the presentation of data. The new Law on Health Records could clarify that the information from EHR should be provided in of data, the processing of which is disproportionate to the purpose; 6) the data is incorrect and can by way of a correction not be replaced with correct data; 7) the data is being processed without consent or authorization based on the law, and in other cases when processing cannot be carried out in accordance with the provisions of this law. 22 Article 12 of the LPDP could/should be applied in some (not all) situations, since it prescribes that processing without consent is permitted in order to achieve or protect vital interests of an individual, in particular life, health and physical integrity. 23 Undoubtedly, the revocation of consent would not apply to the use of depersonalized data for scientific and research purposes and the protection of the population against contagious diseases. This is mentioned in the already quoted article 12 of the LPDP but also most other health care related laws. EU-IHIS Šumatovačka 78-80, Beograd, Serbia /43

20 the original form, and that it is the obligation of physicians to make data intelligible, if requested by the patient. Article 48 of the LPDP imposes an obligation on the Controller - health institution to establish and keep track of records on data processing. On the basis of its legal authority, the Government of Serbia adopted the Decree on the Form of Recording and Keeping Records on the processing of personal data. 24 Article 4 of the decree provides that records on processing need to include information about the date of the previous notice sent in regard to the establishment of the Collection of personal data, the date of the first records entry, and the date of a records update or amendment. The Law and Decree indirectly impose obligations that need to be fulfilled with respect to the functional requirements of software solutions for the EHR and records in health care institutions. It is unknown whether health care facilities, as Data Controllers, are (at all) maintaining any records on processing. The assumption is that they are not, hence, it should be checked why this is the case. Consequently, the obstacles towards this goal need to be established and a solution conceptualized accordingly. Recommendation: The EHR and health institutions should provide the information that is contained in the Government s Form on keeping record of processing. If applicable, enter any adjustments in the inventory of functional requirements into the Integrated Health Information System in order to ensure compliance with the LPDP (Article 48) and the Decree. Article 49 of the LPDP provides for the obligation to submit to the Commissioner a notice about the intention to establish a Data Collection prior to the initiation of processing, i.e. the establishment of a Data Collection, no later than 15 days prior to the establishment of a data collection. However, the obligation of notification does not apply to the commencement of processing, or the establishment of a Data Collection, in the case that the purpose of processing, the type of data to be processed, the types of users to whom data will be available, and the time for which the data will be archived, are prescribed through a special regulation. The recommendation is to pay attention to Article 49 of the LPDP and to explicitly define four items as follows in the new Law on Records, that is - the purpose of the EHR, types of data to be processed, Users to whom data will be available, as well as the time for which data will be archived. At the final stage of the preparation of the legal framework, it is essential to establish a good communication with the Commissioner. III. 2. The Law on Health Care (LHC) The LHC was adopted in 2005 and since then has been revised several times, most recently in mid Article 18 prescribes that the conceptualizing and development of an Integrated Health Information System is in public interest and expresses the commitment of the State to move towards the integration of the health system. 24 Official gazzette of the RS, n. 50/2009. EU-IHIS Šumatovačka 78-80, Beograd, Serbia /43