In Italy, general principles on government contracts mandate that the provision of services to public administrations must be preceded by the issuing of a public tender allowing various companies to transparently compete for the job. This blog has recently discussed a couple of court decisions that in fact confirmed and further strengthened that principle.
However, a recent decision by the Consiglio di Stato, the higher court which is competent for administrative matters, seems to go in the opposite direction in a case regarding services linked to digital health.
The facts of the case relate to the Lecce health center, located in Puglia, Italy, which assigned to a certain firm the task of providing IT maintenance services in the fields of RIS (Radiology Information System) and PACS (Picture Archiving and Communication System). The same firm had previously provided IT maintenance in the RIS-PACS field, was the exclusive authorized reseller of the systems concerned and was in charge of the integration of other IT systems already in place at the health center. Given such qualifications, the health center refrained from issuing a public tender and instead used the tool of the “negotiated process” with that IT firm only, which is allowed when, due to technical reasons, the supply contract can be assigned only to a single firm. The petitioner in the case, on the contrary, argued that any other qualified IT company was able to integrate and maintain the IT systems.
What is interesting to note is that the Court gives weight to the “special complexity” of the services constituted by the shift to a digital imaging system: under this view, e-Health is a field fraught with risks (to data, and ultimately to patients), thus allowing recourse to the exception constituted by the “negotiated process” rather than reliance on the rule of open tenders.
On June 4, 2015, the Italian Data Protection Authority issued new guidelines governing the collection and processing of personal and sensitive data through the Electronic Medical Record.
- What is an Electronic Medical Record?
A record, kept by a hospital or a healthcare center, containing patients’ clinical history at that specific hospital or healthcare center.
The guidelines set forth several rights to which patients treated at any hospital or healthcare center are entitled:
- Patients are entitled to decide whether the hospital or the healthcare center may store their data through an Electronic Medical Record. If a patient denies his/her consent, physicians will be able to rely only on information gathered during examination and treatment, as well as on information previously conveyed by the patient, if any. Denial of consent will not affect the possibility of being treated at the hospital/healthcare center.
- Specific consent is needed for the collection of certain categories of sensitive data, such as HIV infections, abortions, and data relating to sexual assault. With respect to such data, patients will have the right to limit access to specific individuals/professionals.
- In addition to all rights granted by the Data Protection Code (such as the right to receive confirmation on the existence of personal/sensitive data, to know the origin of the data, the purpose and means of processing, as well as the logic applied to the processing) patients will also be entitled to receive information on each access to their Electronic Medical Record.
- Hospitals and healthcare centers’ obligations
Hospitals and healthcare centers are required to provide patients with a thorough privacy notice concerning the processing of data through the Electronic Medical Record. Upon patients’ request, hospitals and healthcare centers shall also provide information concerning stored data and access logs to the Electronic Medical Record (including the professional accessing the data, date and time of access) within 15 days of the request. Patients will also be entitled to redact data or healthcare documentation that they do not wish to be included in their Electronic Medical Record.
The Data Protection Authority’s guidelines also address important technical aspects and provide that patients’ healthcare information contained in the Electronic Medical Record shall be segregated from other administrative data. Sensitive data will need to be encrypted. Furthermore, access to the record will be granted only to medical staff involved in the patient’s treatment and any access and processing will be recorded on log files to be kept by the hospital or healthcare center for at least 24 months.
Lastly, the guidelines set forth strict data breach requirements for hospitals and healthcare centers, by providing that any data breach or unauthorized access shall be reported to the Data Protection Authority within 48 hours of knowledge of the breach. Failure to report will lead to the application of penalties.
See the Data Protection Authority’s presentation of the new guidelines
A new Agreement on Digital Health (“Patto sanità digitale”) prepared by the Ministry of Health was submitted to the State and Region Conference in June 2015. The proposed agreement between regions and national government aims at setting forth a precise timetable for the implementation of e-health in Italy and envisages a steering committee in charge of monitoring the status of implementation of the plan.
Among the priorities of the new proposal, the Ministry of Health has indicated the adoption of effective solutions for patient workflow management and patient relationship management, to be achieved through the widespread use of electronic clinical records, telemedicine services and mobile health. According to the plan presented by the government, e-health solutions are key to a deeper overhaul of the national healthcare service in order to increase care outside of hospitals and find more efficient ways of bringing healthcare to patients.
Telemedicine solutions, including remote monitoring and diagnosis, would allow the national health service to bring services to patients in a more efficient way. While a specific piece of legislation addressed to telemedicine services has not yet been enacted, on February 20, 2014 the Italian Ministry of Health issued a set of official national guidelines on telemedicine, which set forth a useful regulatory and technical framework for healthcare authorities and private operators active in the provision of telemedicine services.
Unlike previous guidelines, however, the latest digital health plan also aims at restructuring the use of financial resources devoted to the development of telemedicine solutions, in order to convey funds only to more effective projects capable of fostering the widespread adoption of e-health instruments by other healthcare providers. The government also plans to increase the involvement of private actors in these development projects, through project financing and performance-based service contracts.
While it is expected that patients will ultimately benefit from a more efficient model for the supply of healthcare, the government also hopes to rein in spending through a more efficient use of resources and a closer monitoring of test prescriptions and drug consumption, which the new e-health solutions will enable.