Support USers To Access INformation and Services (Grant Agreement No )

Transcription

1 Support USers To Access INformation and Services (Grant Agreement No ) Deliverable D5.4 Recommendations on security and privacy issues version 3 Version 1.0 Work Package: WP5 Version & Date: v1.0 / 20 th January 2015 Deliverable type: Distribution Status: Author: Reviewed by: Approved by: Filename: Abstract Report Public Lorraine Acheson, Damian O Connor John Oates Marco d Angelantonio D5.4 v1.0 SUSTAINS Recommendations on security and privacy version 3 This report provides a set of recommendations pertaining to security and privacy issues in relation to providing citizens with access to their Electronic Health Records. Key Word List Security, privacy, Electronic Health Records, data protection, recommendations The information in this document is provided as is and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability.

2 Executive Summary At a national and regional level, Member States have their own legislation and practice regarding data protection, privacy and security. Patient consent, patients access to data and their (in)ability to modify health records are all areas of importance when considering increasing patient engagement with their Electronic Healthcare Record (EHR). This report develops a set of recommendations for regions implementing SUSTAINS type services, based on the review of literature and partner survey included in previous iterations of this report, and a supplementary review of literature included in this report. Four areas of recommendation are put forward: Informed consent. Access to data. Data accuracy. Harmonisation of legislation. These are underpinned by the principles of giving consideration to both ethical and usability issues when implementing SUSTAINS type services. Public Page 2 of 16 v1.0 / 20th January 2015

3 Change History Version History th December th January th January 2015 Version Changes 0.1 Initial draft 0.2 Updates following internal review 1.0 Version for issue Outstanding Issues None Public Page 3 of 16 v1.0 / 20th January 2015

4 Table of Contents EXECUTIVE SUMMARY 2 CHANGE HISTORY 3 TABLE OF CONTENTS 4 1. INTRODUCTION Purpose of this document Structure of the document Glossary 5 2. METHODOLOGY Overview 6 3. SUPPLEMENTARY LITERATURE REVIEW Background Findings of relevance to SUSTAINS Recommendations of relevance to SUSTAINS 9 4. KEY CONSIDERATIONS FOR RECOMMENDATIONS Informed consent Access to data Data accuracy Harmonisation of legislation Consideration of ethical issues Security RECOMMENDATIONS Principles Recommendations 15 Public Page 4 of 16 v1.0 / 20th January 2015

5 1. Introduction 1.1 Purpose of this document This report is the final output from Work Package 5 (WP5) security, privacy and ethical issues. The objective of WP5 is to analyse the regulations, laws and practices with regards to the security, privacy and ethical issues relating to access by patients to their Electronic Health Record (EHR), and the other SUSTAINS services. This report provides the final iteration of a set of recommendations on security, privacy and ethical issues in relation to SUSTAINS and the implementation of the EHR. The recommendations aim to offer guidance to other regions seeking to implement SUSTAINS type services. 1.2 Structure of the document Chapter 2 sets out the methodology adopted. Chapter 3 includes a supplementary review of literature. Chapter 4 discusses the key considerations for the development of a set of recommendations. Chapter 5 sets out the final set of recommendations. 1.3 Glossary EC EHR EU HCP European Commission Electronic Healthcare Record European Union Healthcare Professional Public Page 5 of 16 v1.0 / 20th January 2015

6 2. Methodology 2.1 Overview The methodology adopted for developing the recommendations included in the report is set out in detail in D5.2 Recommendations on Security and Privacy. At a high level this involved a two pronged approach: A review of the literature including: - European legislation relating to safety and privacy of electronic healthcare records. - Ethical issues concerned with patients accessing their own electronic healthcare records. A survey of regulation and practice relating to safety and privacy of electronic healthcare records in partner regions. Findings from both the literature review and the survey were presented in D5.2. Two additional considerations have been taken into account for the final iteration of this report: Consideration of findings from a recently published EC commission study on national health laws on electronic health records. Findings from the SUSTAINS patient empowerment study. Public Page 6 of 16 v1.0 / 20th January 2015

7 3. Supplementary literature review Since the completion of the last report, the EC has published a commissioned study by Milieu Ltd 1, which provides an overview of the current national laws on electronic health records (EHRs) in the EU Member States and their interaction with the provision of cross-border ehealth services mentioned in Directive 2011/24/EU on patients' rights in cross-border healthcare. A number of findings from this study are pertinent to SUSTAINS, and have been drawn out below for consideration in relation to the SUSTAINS recommendations. 3.1 Background The study examined the national laws of the 28 Member States and Norway and identified legal barriers for cross-border transfer of data from electronic health records and for the provision of cross-border ehealth services. It then made a set of recommendations to the ehealth Network on how the national laws and the European framework must evolve to support cross-border ehealth services. 3.2 Findings of relevance to SUSTAINS The findings that are of relevance to SUSTAINS cover four areas: Different approaches to EHRs systems and laws. Security aspects of EHRs. Patient consent. Access. Different approaches to EHRs systems and laws Disparities between countries in their approaches to regulate EHRs were recognised by the study. Specifically, it was identified that some countries have set explicit rules for EHRs, including SUSTAINS partner countries Estonia, Finland, Spain and Sweden, whilst others rely on general health records and data protection legislation 2. This finding was also echoed in the survey of SUSTAINS partner regions. Security aspects of EHRs Despite the sensitive nature of health data and the vulnerability of electronically available data, the study found that half of the countries covered did not have a set specific rules for institutions hosting and managing EHRs, including SUSTAINS partner countries Denmark, Italy and Slovenia. Instead, general rules setting security requirements for all types of data controllers were used. In addition, the study highlighted that almost all the countries covered have not gone beyond Directive 95/46/EC on Data Protection with regards to authorisation requirements. 1 Milieu Ltd time.lex Brussels Overview of the national laws on electronic health records in the EU Member States and their interaction with the provision of cross-border ehealth services, July Ibid, p22. Public Page 7 of 16 v1.0 / 20th January 2015

8 The study found that authorisation procedures to host and process EHRs are, in the vast majority of countries, the same as to host and process other data 3. Patient consent The study identified that in relation to patient consent for the creation and/or sharing of EHRs, most of the countries reviewed could be divided into three groups: 1. Some countries require explicit consent for the creation of an EHR; this consent is for both data to be included in an EHR sharing system and for access to the data in the EHR by healthcare professionals other than the one who collected the data. 2. Some countries do not require explicit consent for the creation of an EHR, but do require explicit consent for the inclusion of (data extracted from) this EHR into an EHR sharing system. 3. Finally, a number of countries do not require explicit consent neither for the creation of an EHR nor for the inclusion of (data extracted from) this EHR into a sharing system; but patient consent is needed for access to the data in the EHR by healthcare professionals other than the one who collected the data. In each of these cases, the form of the explicit consent varies considerably. The study identifies that in the third group of countries for example, the patient consent needed for access to the data in the EHR by healthcare professionals other than the one who collected the data is deduced from the fact that the patient visits the professional to receive healthcare, and hands over, for example, his/her health insurance card so that the EHR system of the professional reads data from this card 4. Access to EHR The study highlights that Article 6(1)(c) of Directive 95/46/EC requires that the data processed must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed, which suggests that access should be role-based and limited to persons needing access. Nevertheless, the study found that in a small number of countries, the same access rights are granted to all health professionals, e.g. in Estonia, despite the fact that this would not appear to be in line with the Directive. Half of the countries, however, do provide different categories of access to EHRs for different health professionals, including SUSTAINS partner countries Spain, Finland, Italy, Sweden and the UK; this approach was found to be undertaken in a variety of ways 5. Patients rights over the data Directive 95/46/EC grants data subjects a series of rights over their data. These include the right to access data, the right to erase and correct data, and the right to know who has accessed their data. The studies identified that these are, however, not absolute rights. There are a series of exemptions listed under Article 13 of Directive 95/46/EC which, if applied by Member States, reduce the scope of the various patients rights. In addition, the right to erase and correct data relates only to data the processing of which does not comply with the provisions of the Directive, in Ibid, p8 Ibid p8/9 Ibid p38 Public Page 8 of 16 v1.0 / 20th January 2015

9 particular because of the incomplete or inaccurate nature of the data. It is, in any case, for the Member States to define what specific measures must be put in place. The study found that patients are entitled to all of these rights in all countries covered, but that only in some countries does the national legislation go beyond the minimum requirements of Directive 95/46/EC. In all countries covered, patients are entitled to access their EHRs, and in half of them this right covers all data contained in EHRs. Another right directly connected with the right to access is the right to download data; although only one third of the countries covered by the study allow the patient to download all or at least some of his/her EHR, in the other countries the patient is entitled to other similar rights 6. With regards to the right to erase and correct data, the study shows that in most countries patients do not have the right to directly erase or modify their data, and that no country allows patients to directly modify data that has not been input by the patient. Erasure of data not input by the patients is only allowed by two countries, including SUSTAINS partner country Italy, although two others allow patients to hide some data. The study highlighted that stakeholders from these countries have expressed their concern in this respect, indicating their distrust of a system which does not guarantee completeness of information. The study also revealed that in the countries which have set specific provisions on the right to know who accessed EHRs, patients usually have access to this information directly online. This is also the case in some countries which do not have specific rules in this respect. The study highlights that patients right to know who accessed their EHRs is in principle guaranteed by the general rules of data protection law transposing Article 12(a) of Directive 95/46/EC. It found that about one third of countries have enacted specific provisions granting such a right in relation to EHRs, and where this is the case this is usually available online Recommendations of relevance to SUSTAINS The study identifies the following recommendations 8 which are of relevance to SUSTAINS: at national and EU levels, Security aspects of EHRs Recommendation at national level: It should be left to the Member States themselves to choose the security measures which are most appropriate in the context of their specific situation, possibilities and context. Regarding the use of cloud services for hosting EHRs, Member States should refrain from introducing particular legal rules or even guidelines, codes of conduct or model service level agreements (SLAs) without taking into account the European perspective. Unilateral initiatives in this field are moreover not in line with Directive 98/48/EC on the provision of information in the field of technical standards. Recommendation at the EU level: A binding European legal framework on basic user and access management that should also include operational rules on other security aspects such as end-to-end encryption (currently not possible because of the lack of a common encryption standard) and audit trails (who will be in charge of Ibid p10 Ibid 43 Ibid p.7-10 Public Page 9 of 16 v1.0 / 20th January 2015

10 recovering data events in case of an incident) should be adopted. Agreement is also recommended on a model service level agreement for cloud services with regard to EHRs. The ehealth Network should closely follow up the progress made in this context and stimulate the development of European model provisions for cloud SLAs dedicated for ehealth services and EHRs in particular. Patient consent Recommendation at national level: A three stage approach is recommended: When a patient visits a healthcare professional in order to receive care, this professional has the duty to keep a record of at least a minimum set of data related to the identity of this patient and to the care provided; no additional implicit or explicit consent of the patient or even an opt-out possibility is thus needed at this stage. When, on the basis of national or regional law, public authorities decide to make available EHRs for exchange among healthcare professionals (e.g. in order to avoid unnecessary public healthcare costs), such EHR sharing systems can be established and include available individual EHRs without additional explicit consent of the patients. Member States are however free to introduce opt-out possibilities for this stage. This viewpoint corresponds to the one expressed by the Working Party in its opinion of When a patient visits a healthcare professional who wishes to receive or access health data collected from this patient by other healthcare providers (by means of the EHR sharing system), such access will require prior explicit consent of the patient concerned. This consent constitutes, at the same time, proof that this patient has engaged into a therapeutic relationship with the healthcare professional. Recommendation at the EU level: An agreement should be reached by the ehealth Network on the three-stage model described in the previous recommendation, promoting this model as a European guideline for all Member States. Recommendation at the EU level: An agreement on a list of the categories of healthcare professionals having access to patient summaries (and subsequently for the other priority use cases mentioned before) or a common definition of healthcare professional will most probably not be possible in a short term. An alternative could therefore be to leave it to each Member State to decide who should be considered as a health professional in the context of intra-european EHR exchange. Patients rights over the data Recommendation at national level: Member States should set specific rules allowing the data from EHRs, to which the patient already has access, to be downloaded, as well as providing for the availability online of the information about who has accessed EHRs. Where countries wish to grant patients the right to erase or hide data that has not been input by them, health professionals are at least notified that some data is missing, allowing them to try to convince the patients to disclose such data. It is also recommended that Member States take the necessary measures to implement any guidelines on access to EHRs that may be adopted at EU level. Public Page 10 of 16 v1.0 / 20th January 2015

11 Recommendation at the EU level: Agreement is recommended on a set of guidelines, e.g. on the possibility for patients to add, modify or erase data from EHRs. Information harmful to the patient should not be directly available to him/her, allowing health professionals to decide to hide certain EHR information from the patient for up to six months so that they can personally communicate delicate diagnoses to the patient. The possibility for patients to modify data from EHRs that that has not been input by them should be expressly prohibited so as to allow health professionals from other countries to rely on the information available. Different categories of access to EHRs Recommendation at national level: Member States should, despite the significant financial cost involved, establish certainty on the categories of healthcare professionals who can have access to patient summaries, and trustworthy official registers of these categories of professionals which can be used for authentication purposes, and that need to be accessible on-line. Recommendation at the EU level: An agreement on a list of the categories of healthcare professionals having access to patient summaries (and subsequently for the other priority use cases mentioned before) or on a common definition of healthcare professional will most probably not be possible in a short term. An alternative could therefore be to leave it to each Member State to decide who should be considered as a healthcare professional in the context of intra-european EHR exchange. Public Page 11 of 16 v1.0 / 20th January 2015

12 4. Key considerations for recommendations The draft set of recommendations developed in D5.2 were based on five key areas that were identified from the review of literature and the partner survey. In addition, pertinent recommendations from Renewing Health 9 were also considered. The five areas are: Informed consent. Access to data. Data accuracy. Harmonisation. Consideration of ethical issues. Considerations relating to each of these areas are discussed below and include findings from the supplementary literature review. 4.1 Informed consent The Data Protection Directive includes that explicit written consent is required to share citizen s data. The survey results highlight that this is not always the practice across partner countries and regions; this finding is also highlighted in the study by Milieu Ltd. Discussion amongst the SUSTAINS partners highlighted that to expect regions to gain explicit written consent from patients would be challenging practically, and was not generally built in to EHRs at development stage. The study by Milieu Ltd makes recommendations on explicit informed consent according to the context, using a tiered three stage approach, making the need for explicit consent more practical. This recommendation is endorsed. Firstly, the study recommends that when a patient visits a healthcare professional in order to receive care, this professional has a duty to keep a record of at least a minimum set of data related to the identity of this patient and to the care provided; thus no additional implicit or explicit consent of the patient, or even an opt-out possibility, is needed at this stage. Secondly, when EHRs are made available for exchange among healthcare professionals, these can include available individual EHRs without additional explicit consent of the patients. However, it recommends that Member States are free to introduce opt-out possibilities for this stage. Thirdly, when a patient visits a healthcare professional who wishes to receive or access health data collected from this patient by other healthcare providers (by means of the EHR sharing system), such access will require prior explicit consent of the patient concerned. This consent constitutes, at the same time, proof that this patient has engaged into a therapeutic relationship with the healthcare professional. 9 Region of Europe working together for Health Deliverable 7.2 Security and Privacy Recommendations Public Page 12 of 16 v1.0 / 20th January 2015

13 4.2 Access to data SUSTAINS provides citizens with electronic access to their healthcare records. There is variation in the level of access to these records across the partner countries and regions. Legislation allows citizens full access to their own information based on freedom of information, but this access can be paper based. The study by Milieu Ltd recommends that Member States set specific rules allowing the data from EHRs, to which the patient already has access electronically, to be downloaded, as well as providing for the availability online of the information about who has accessed EHRs. The study further recommends that agreement should be reached on a set of guidelines, e.g. on the possibility for patients to add, modify or erase data from EHRs. These recommendations are supported. In addition, the study recommends that information harmful to the patient should not be directly available to him/her, allowing health professionals to decide to hide certain EHR information from the patient for up to six months so that they can personally communicate delicate diagnoses to the patient. This part of the recommendation is not supported by our report. Patients ability to access information about their diagnoses, including difficult news, brings with it ethical issues, not least of which is the question of whether a citizen s right to access information about him/herself outweighs the right of a healthcare professionals to withhold or delay access to this information for fear of causing harm? Interestingly, the DOME Project 10 (Deployment of OnlineMedical records and E-health services), funded by VINNOVA, the Swedish Governmental Agency for Innovation Systems, found that cancer patients who accessed sensitive diagnostic results online prior to communication with an HCP, reported that they felt better prepared to ask questions when attending the follow up appointment, rather than being shocked after hearing sensitive news in an appointment and being unable to think or ask questions. The term Harmful in itself is very subjective, and is not supported in this report as a basis for a recommendation. In practice, of course, those patients who only want to hear information from their HCP will probably not access their EHR anyway. Masking data The SUSTAINS basket of services provides citizens with the ability to mask certain data if they wish. The principle underpinning data masking that is supported by SUSTAINS is that the action of masking should itself be masked, i.e. HCPs should not know that specific information has been hidden. For masking to work effectively, it must not be traceable. Conversely the study by Milieu Ltd recommends that where countries wish to grant patients the right to erase or hide data that has not been input by them, health professionals are at least notified that some data is missing, allowing them to try to convince the patients to disclose such data. The recommendation to notify HCPs where data has been masked is not supported, as it is undermines the principle of masking. The necessity to notify HCPs of potential masking should be considered against the reality that in practice data masking has taken place throughout history without HCPs knowledge, when a patient withholds information when visiting another HCP Public Page 13 of 16 v1.0 / 20th January 2015

14 4.3 Data accuracy The Data Protection Directive includes the right for citizens to rectify or erase data, in particular incomplete or inaccurate data. For citizens to be able to correct information held within their record, they have to have access to all of the information held about them. The study by Milieu Ltd recommends that agreement is required on a set of guidelines, e.g. on the possibility for patients to add, modify or erase data from EHRs. Whilst the need to develop guidelines regarding modification would be supported, the possibility of erasing patient data entirely from the EHR brings with it concerns regarding the subsequent impact if clinical decisions are taken on the basis of information that is subsequently erased. A distinction between masking and erasing is therefore recommended. 4.4 Harmonisation of legislation The survey results provided by SUSTAINS partners highlight variations in legislation and practice across the regions / countries. Similarly, the Renewing Health report highlighted inconsistencies in the application of the European Directive on Data Protection, recommending harmonisation of policies and approaches to security and privacy across member states. The study by Milieu Ltd recommends a number of areas where agreement should be reached at an EU level, and promotion of these as European guidelines for all Member States. 4.5 Consideration of ethical issues While on face value the successful implementation of an EHR and the provision of SUSTAINS type services relies primarily on technical and practical considerations, in practice equal consideration needs to be given to the ethical issues. Fulfilment of citizens rights to privacy and adherence to legislation can be done more effectively when ethical and technological issues are addressed in tandem. 4.6 Security Findings from the patient empowerment study within SUSTAINS identified that patients believed that EHR services have been found to have an adequate level of security. However, while the sensitivity of the data available on-line was recognised, feedback from the study found that too high security might ultimately discourage citizens / patients from actually using the SUSTAINS services and/or hinder the uptake of the services. This issue was particularly highlighted during the discussions about involving and encouraging elderly people to use the services. A need to strike a balance between security and usability and accessibility was, therefore, noted. Public Page 14 of 16 v1.0 / 20th January 2015

15 5. Recommendations The chapter puts forward a final set of recommendations in relation to security and privacy issues, based on the above discussion. The recommendations aim to offer guidance to other regions seeking to implement SUSTAINS type services. 5.1 Principles The recommendations are underpinned by the following two principles: Fulfilment of citizens rights to privacy, and adherence to legislation can be done more effectively when ethical and technological issues are addressed in tandem. Security processes must keep sight the need for services to be accessible and usable by citizens. 5.2 Recommendations Informed Consent In line with the recommendation on patient consent from the study by Milieu Ltd, a three stage approach is recommended: a. When a patient visits a healthcare professional in order to receive care, this professional has the duty to keep a record of at least a minimum set of data related to the identity of this patient and related to the care provided; no additional implicit or explicit consent of the patient, or even an opt-out possibility, is thus needed at this stage. b. When, on the basis of national or regional law, public authorities decide to make available EHRs for exchange among healthcare professionals (e.g. in order to avoid unnecessary public healthcare costs), such EHR sharing systems can be established and include available individual EHRs without additional explicit consent of the patients. Member States are however free to introduce opt-out possibilities for this stage. This viewpoint corresponds to the one expressed by the Working Party in its opinion of c. When a patient visits a healthcare professional who wishes to receive or access health data collected from this patient by other healthcare providers (by means of the EHR sharing system), such access will require prior explicit consent of the patient concerned. This consent constitutes, at the same time, proof that this patient has engaged into a therapeutic relationship with the healthcare professional. An agreement should be reached by the ehealth Network on the three-stage model described in the previous recommendation, promoting this model as a European guideline for all Member States. Access to data Where data has been masked based on a citizen s wishes, the action of masking must not be traceable. Public Page 15 of 16 v1.0 / 20th January 2015

16 Citizens should have full access to information held about them within their EHR. - Optionally, citizens could choose for access to be withheld for (say) 14 days. Member States should set specific rules allowing the data from EHRs, to which the patient already has access, to be downloaded, as well as providing for the availability online of the information about who accessed EHRs. Data accuracy Agreement is required on a set of guidelines, e.g. on the possibility for patients to add or modify data in EHRs. Data should not be totally erased, even if incorrect, as HCPs may have used it to make clinical decisions. The distinction between data masking and erasure should be made within the guidelines. Harmonisation of legislation Harmonisation of legislation should be facilitated by Member States through adoption of guidelines regarding the EHR that may be adopted at an EU level. Public Page 16 of 16 v1.0 / 20th January 2015