Electronic medical records and patients: a love and hate relationship.

What’s the status of e-health in Italy?

A fairly reliable benchmark may be represented by the implementation of the Electronic Medical File (Fascicolo Sanitario Elettronico) (“EMF”). The EMF was first introduced by Law Decree no. 179 of 2012, as converted into Law no. 221 of 2012; it was then implemented by way of Ministerial Decree dated September 3, 2015. The purpose of the EMF is to provide a tool to patients and healthcare professionals by collecting and providing web access to health-related data like hospitalizations, medical checks, drug administration, home assistance, and access to emergency rooms. In other words, the EMF promises to make all data relating to patients’ health readily available and accessible from any place in the world at an unparalleled speed.

Despite these intentions, the new comprehensive tool is far from reaching the expected success.

Why is that?

A legal reason may lie in the privacy concerns that the creation, population and maintenance of EMFs bring about. EMFs are in fact populated with data collected by healthcare professionals in the course of patients’ lives. The fear that data may be inadequately protected on the internet, and thus inappropriately divulged, may in fact push patients to deny their consent to the creation and population of EMFs. After all, although data are supposed to be processed in accordance with the provisions of the Code for the Digital Administration, and appropriate measures must be taken in order to ensure access authentication and authorization, patients may still harbor suspicions as to the safety of the data processing.

Quite interestingly, however, a more common reason seems to prevail. Italians just do not know about the EMF! According to a survey carried out by the Observatory for Digital Innovation in Health on a sample of 1,000 citizens, 83% of them had never heard about the EMF before, 88% do not know whether such service is currently active in their Region, and 95% have never sought information about it[1]. Also, the EMF seems not to be the most appealing item in blog discussions: out of 400,000 comments on e-health on the web, only 11% relate to the EMF[2]. Such a low impact seems to go hand in hand with quite a low use of other e-health services provided by hospitals and other healthcare centers. Only a few patients seem in fact to have taken advantage of services like online booking of medical checks, testing records, and payments[3].

If, as mentioned, psychology plays a major role in the implementation of the EMF, so do the efforts thus far made by Regions and healthcare professionals. An inquiry into the implementation of the EMF in the Emilia Romagna Region reveals that not all services set forth in the law are currently included in the available EMF, and the availability of the services may depend on where the interested patient resides[4]. Also, hospitals and healthcare professionals seem to be responsible for having passively accepted the EMF, without truly understanding its potential[5]. Healthcare professionals are reported to often look at the EMF as a burden rather than a revolutionary tool[6]. Lastly, many hospitals and healthcare centers keep maintaining their independent presence on the web in parallel; as a consequence, patients rely on those websites to use services that would be available on the EMF[7].

What can be done?

Perhaps the EMF would be more popular if patients were able to enjoy it through a mobile app, provided that security concerns are adequately addressed. Patients may thus access the EMF more easily, monitor the processing of the collected data and promptly report any inaccuracy or errors. However, while this suggestion may represent an improvement, it would in any case require further education and promotion through healthcare professionals and healthcare centers.

[1] Il Sole 24 Ore Sanità, September 29 – October 5, 2015, page 10.

[2] Ibidem.

[3] Ibidem.

[4] Il Sole 24 Ore Sanità, October 20 – October 26, 2015, page 8.

[5] Il Sole 24 Ore Sanità, October 20 – October 26, 2015, page 8.

[6] Ibidem.

[7] Ibidem.

Why E-Prescription is an Important Step Towards E-Health

Italian Regions are racing towards the goal of de-materialization of prescriptions of medicines. While the national average percentage of electronic prescriptions has not yet reached 50%, certain Regions are recording percentages above 80% (Veneto, Sicily, Campania, and Aosta Valley), according to the latest data published by Il Sole 24 Ore Sanità in the September 8-14 issue. The goal of 90% of de-materialized prescriptions, which has been postponed to 2016 by Law no. 11 of 2015, is getting closer. E-prescriptions will also have an interesting feature that may prove helpful for certain patients: the validity of e-prescriptions would no longer be limited to a single Region, but would spread to the national level.

What are the advantages of e-prescribing and why is it considered a crucial step towards E-Health? Saving on the cost of paper, as cited by certain commentators, is definitely not the point. E-Health requires costly investments in the field of Information Technology, which will not be easily offset by money saved on paper!

E-prescriptions actually promise much more substantial benefits:

  • Increase of patients’ safety and error reduction: an electronic system can lead to fewer mistakes due, for example, to the selection of incorrect or unavailable drug dosages, the duplication of therapies, the misinterpretation of the content of the prescription, or the omission of certain information (e.g., allergies).
  • Better monitoring of appropriateness and control of the cost of therapies: e-prescriptions can be a formidable tool to gather data and keep track of health costs in real time, which may lead to a more efficient control of expenditures at every level. As an example, think about what an automatic alert suggesting more cost-effective therapies or an optimization of the current therapy may do for a single patient and for the health system in general.

Let’s keep on counting electronic prescriptions (21 million out of 48 million last June!): they will not be the panacea for the national health system, but they can be a great step forward.

The Safe Harbor Decision (And What Is Wrong With It)

As most people and businesses on either side of the Atlantic are now aware, on October 6, 2015 the European Court of Justice invalidated the Commission’s Safe Harbor decision and made the transfer of personal data to the United States slightly more difficult for businesses.

The Court decision is based on two fundamental findings: first, the Commission’s Safe Harbor decision did not find – as it was required to do according to the Court – that the United States ensures a level of protection of fundamental rights essentially equivalent to that guaranteed within the European Union. Second, and equally important, the Court held that the Commission had no authority to restrict the powers of national data protection authorities to examine complaints of their citizens and assess whether the transfer of data to the United States affords an adequate level of protection.

Until the recent Court decision, the Safe Harbor program has provided a framework for the transfer of personal data from the European Union to the United States. Safe Harbor, however, is neither the only way to transfer personal data to the United States, nor the most commonly used. United States undertakings have consistently used – and will be able to continue to use even after the Court’s decision – model clauses and binding corporate rules.

As European and US undertakings have a wide variety of tools available to transfer data to the United States, the most troubling finding of the Court’s decision is not the invalidation of the Safe Harbor per se, but rather the recognition of much broader powers to member states’ data protection authorities. While the Safe Harbor scheme provided a single and simplified framework that was easily understood by United States’ businesses, the new decision leaves uncertainty as to the approach that each member state’s data protection authorities will take in connection with the export of their citizens’ data. As a consequence, in spite of the current efforts by European authorities to adopt a single data protection regulation ensuring a more uniform legislation throughout the continent, the Court decision is likely to lead – for at least some time – to a more fragmented and less clear legal framework among different member states.

Last, but not least, it is worth noting that one of the main reasons that led the Court to invalidate the Commission’s Safe Harbor decision has been the discovery of mass surveillance programs by US national security intelligence agencies and their rights to access personal data of European citizens. The concern of the European Court of Justice is well grounded and all of us, as individuals, are likely to share that same concern. However, why is the Court not equally worried about the surveillance programs and data retention policies adopted by several member states over the last few years?

Many have pointed out (see for instance here and here) that the Court decision is the result of different sensitivities between US and European people when it comes to the protection of their privacy, with Europeans being more keen to consider the protection of their personal data as a fundamental human right (or, rather, very keen on teaching data protection lessons to the United States). However, the failure of the European Court of Justice to acknowledge that such fundamental right is as much at risk within the borders of Europe as it is outside leaves us wondering whether the Court is really protecting the substance of our privacy as European citizens.

Another September, Another Spending Review.

This is almost becoming a tradition for the national healthcare service in Italy. Come September… and a new spending review hits the pharmaceutical and medical device industry.

On August 4, 2015 a law decree was approved by lawmakers, which introduces a number of new mechanisms for monitoring and reining in public spending in the healthcare sector. In particular, the new legislation has introduced several measures:

  • Negotiations with current suppliers of the national healthcare service in order to achieve a 5% reduction in current spending for general supplies;
  • Negotiations with current suppliers of medical devices in order to comply with the spending thresholds agreed upon between the central government and regional authorities;
  • Centralized negotiations with pharmaceutical companies in order to decrease the reimbursement price of products currently reimbursed by the national healthcare service.

While measures aimed at cutting spending in connection with general supplies and medical devices have been entrusted in principle to local authorities and healthcare providers, the national pharmaceutical agency (“AIFA”) plays a central role in the envisaged mechanism to achieve savings for pharmaceutical products. In accordance with the provisions of the new decree, AIFA has indeed conducted negotiations throughout the month of September 2015, with the aim of decreasing overall spending. The new legislation provides for the grouping of products in several “clusters” that include therapeutically similar products, regardless of their active principles. The lowest price in each cluster is then used as the reference price for direct negotiations between AIFA and manufacturers.

The new measures also provide that, in case of failure to reach an agreement, reimbursement by the national healthcare service may be withdrawn. However, it is also expressly provided that generic products are not admitted to reimbursement until any patents and supplementary protection certificates of branded products have definitively expired, thus providing the industry with assurances in connection with their protected drugs.

The reiterated attempts by public authorities to renegotiate prices with suppliers appear to clash not only with basic contractual principles (“pacta sunt servanda”), but also with fundamental rules of public procurement legislation. As the government (in fact, almost yearly) demands discounts on existing contracts, reliance on such contracts is affected, along with transparency and open competition in public procurement procedures. The truth is that the need to cut public expenditures is increasingly overriding basic tenets of contracts and public procurement law.

Med Tech and Pharma industry associations have voiced their concerns, while suggesting that efficiency and savings may be obtained by the national healthcare service through internal reorganization processes rather than by demanding additional discounts from suppliers. In fact, if we step aside from the conflicting commercial interests of suppliers (who want to maximize their revenues) and purchasers (who need to minimize their costs), we cannot but note that, again, the government appears to use cost-cutting tools that focus on quantity rather than quality. On the contrary, we would expect more emphasis to be given to Health Technology Assessment and innovation. We surely need to spend less money, but also to spend it more wisely.

Drones and Privacy: Risks and Recommendations.

Drones Are Increasingly Used in the Civil Field. The civil use of drones is increasing, as also witnessed by the DRONITALY event that will be hosted near the Milan Expo in late September. And attorneys who are contributors to this blog find it certainly exciting when new technologies become widespread and thus present legal challenges!

When a new technology starts to become mainstream, the lack of adequate legal provisions is often deplored. In truth, the interpreter needs to take a deep breath and (i) identify the applicable laws, as well as (ii) understand the unique risks entailed by such novel technology, while comparing them with previous technologies. In the case of unmanned vehicle systems, commonly referred to as drones, it does not look like the applicable rules are lacking, but they are simply difficult to apply.

EU Data Protection Authorities Scratch Their Heads Together. The data protection authorities of the European Union, who work together within the “Article 29 Data Protection Working Party”, have recently tackled the issue of drones. The June 16, 2015 opinion by the “Article 29 Data Protection Working Party” (“Opinion”) is especially interesting because of its solid logical approach, which starts with a careful analysis of potential data protection risks linked to the increased use of drones, goes on to identify specific issues that are unique to drones, and ends with a number of recommendations to operators, manufacturers, regulators and law enforcement officials.

Unique Challenges to Personal Data. Drones are aerial vehicles that can be used for a host of activities (including – as pointed out by the Opinion – dull, dirty or dangerous operations, also known as “3D”). The Opinion is careful in pointing out that the use of drones per se is not problematic: it is the possibility to equip drones with recorders of audio and video data that poses challenges to privacy. Additionally, drones overcome obstacles such as walls or fences, and small drones may even enter buildings. Subjects whose data are recorded are often unaware of the processing of their data and, if they are or suspect that they might be, this may trigger a “chilling effect” on their conduct. In short, the principles of purpose limitation, data minimization and proportionality are at risk. Therefore, the Opinion strongly encourages a data protection impact assessment to check how, given the circumstances, the processing of data by a drone may impact the privacy of interested subjects. The assessment must start early on, and the rule of data protection by design must be respected by manufacturers and users. Such assessment must take into account:

  • The Applicability (or Inapplicability) of Exceptions. When personal data is processed by sensors installed on the drone, there is no doubt that data protection legislation applies. The exception for personal data processed in the course of a personal or household activity is never compatible with the sharing of such data on the internet. Law enforcement may also be found as a legal basis for processing, but it must be lawful, necessary and proportionate: indiscriminate surveillance is not acceptable.
  • Informed Consent. Freely given, specific and informed consent is difficult to achieve when it comes to drones. The Opinion suggests trying anything that may work (they, more elegantly, talk about a “multi-channel approach”): from signposts to symbols, signals, lights, registration marks or the publication on the internet of information on drone activities, so that a specific drone can not only be detected by interested subjects, but also linked to a certain data controller. Other grounds for lawful data processing may be found depending on the circumstances, such as performance of a contract to which the data subject is a party (e.g., security services offered through drones only recording the data subject’s property), processing to protect the vital interests of the data subject (e.g., rescue of victims of accidents) or for the purposes of a legitimate interest (e.g., wildlife research).
  • Security Measures. Personal data gathered must be safely stored and communicated (encryption is encouraged).
  • Anonymization or Deletion of Data. Data must not be kept for a period that goes beyond what is necessary to fulfill the purpose of the processing. Data must be accessed only on a limited basis and anonymized or deleted as soon as possible.

Many of the legal issues connected with drones are similar to those arising in case of video surveillance, already tackled by the Italian Data Protection Authority in 2010, with the notable exception that providing information to data subjects may prove to be much more challenging in case of aerial vehicles that fly at a distance.

Fewer Open Tenders in e-Health Government Contracts?

In Italy, general principles on government contracts mandate that the provision of services to public administrations must be preceded by the issuing of a public tender allowing various companies to transparently compete for the job. This blog has recently discussed a couple of court decisions that in fact confirmed and further strengthened such principle.

However, a recent decision by the Consiglio di Stato, the higher court which is competent for administrative matters, seems to go in the opposite direction in a case regarding services linked to digital health.

The facts of the case relate to the Lecce health center, located in Puglia, Italy, which assigned to a certain firm the task of providing IT maintenance services in the fields of RIS (Radiology Information System) and PACS (Picture Archiving and Communication System). The same firm had previously provided IT maintenance in the RIS-PACS field, was the exclusive authorized reseller of the concerned systems and was in charge of the integration of other IT systems already in place at the health center. Given such qualifications, the health center refrained from issuing a public tender and instead used the tool of the “negotiated process” with such IT firm only, which is allowed when, due to technical reasons, the supply contract can be assigned only to a single firm. The petitioner in the case, on the contrary, argued that any other qualified IT company was able to integrate and maintain the IT systems.

What is interesting to note is that the Court gives weight to the “special complexity” of the services constituted by the shift to a digital imaging system: under such view, e-Health is viewed as a field fraught with risks (on data, and ultimately on patients), thus allowing recourse to the exception constituted by the “negotiated process” rather than reliance on the rule of open tenders.

Electronic Medical Record: Italian Data Protection Authority Issues New Guidelines

On June 4, 2015, the Italian Data Protection Authority issued new guidelines governing the collection and processing of personal and sensitive data through the Electronic Medical Record.

  • What is an Electronic Medical Record?

A record, kept by a hospital or a healthcare center, containing patients’ clinical history at that specific hospital or healthcare center.

  • Patients’ rights

The guidelines set forth several rights to which patients treated at any hospital or healthcare center are entitled:

  1. Patients are entitled to decide whether the hospital or the healthcare center may store their data through an Electronic Medical Record. If a patient denies his/her consent, physicians will be able to rely only on information gathered during examination and treatment, as well as on information previously conveyed by the patient, if any. Denial of consent will not affect the possibility of being treated at the hospital/healthcare center.
  2. Specific consent is needed for the collection of certain categories of sensitive data, such as HIV infections, abortions, and data relating to sexual assault. With respect to such data, patients will have the right to limit access to specific individuals/professionals.
  3. In addition to all rights granted by the Data Protection Code (such as the right to receive confirmation on the existence of personal/sensitive data, to know the origin of the data, the purpose and means of processing, as well as the logic applied to the processing) patients will also be entitled to receive information on each access to their Electronic Medical Record.

  • Hospitals and healthcare centers’ obligations

Hospitals and healthcare centers are required to provide patients with a thorough privacy notice concerning the processing of data through the Electronic Medical Record. Upon patients’ request, hospitals and healthcare centers shall also provide information concerning stored data and access logs to the Electronic Medical Record (including the professional accessing the data, date and time of access) within 15 days of the request. Patients will also be entitled to redact data or healthcare documentation that they do not wish to be included in their Electronic Medical Record.

The Data Protection Authority’s guidelines also address important technical aspects and provide that patients’ healthcare information contained in the Electronic Medical Record shall be segregated from other administrative data. Sensitive data will need to be encrypted. Furthermore, access to the record will be granted only to medical staff involved in the patient’s treatment and any access and processing will be recorded on log files to be kept by the hospital or healthcare center for at least 24 months.

Lastly, the guidelines set forth strict data breach requirements for hospitals and healthcare centers, by providing that any data breach or unauthorized access shall be reported to the Data Protection Authority within 48 hours of knowledge of the breach. Failure to report will lead to the application of penalties.

See the Data Protection Authority’s presentation of the new guidelines

A New e-Health National Plan

A new Agreement on Digital Health (“Patto sanità digitale”) prepared by the Ministry of Health has been submitted to the State and Region Conference in June 2015. The proposed agreement between regions and national government aims at setting forth a precise timetable for the implementation of e-health in Italy and envisages a steering committee in charge of monitoring the status of implementation of the plan.

Among the priorities of the new proposal, the Ministry of Health has indicated the adoption of effective solutions for patient workflow management and patient relationship management, to be achieved through the widespread use of electronic clinical records, telemedicine services and mobile health. According to the plan presented by the government, e-health solutions are key to a deeper overhaul of the national healthcare service in order to increase care outside of hospitals and find more efficient ways of bringing healthcare to patients.

Telemedicine solutions, including remote monitoring and diagnosis, would allow the national health service to bring services to patients in a more efficient way. While a specific piece of legislation addressed to telemedicine services has not yet been enacted, on February 20, 2014 the Italian Ministry of Health issued a set of official national guidelines on telemedicine, which set forth a useful regulatory and technical framework for healthcare authorities and private operators active in the provision of telemedicine services.

Unlike previous guidelines, however, the latest digital health plan also aims at restructuring the use of financial resources devoted to the development of telemedicine solutions, in order to convey funds only to more effective projects capable of fostering the widespread adoption of e-health instruments by other healthcare providers. The government also plans to increase the involvement of private actors in these development projects, through project financing and performance based service contracts.

While it is expected that patients will ultimately benefit from a more efficient model for the supply of healthcare, the government also hopes to rein in spending through a more efficient use of resources and a closer monitoring of test prescriptions and drug consumption, which the new e-health solutions will enable.

What’s New in E-Health? Interesting Developments to Consider.

E-Health is a term often used to describe a relationship established between electronic tools and the art of medicine. The European e-Health Action Plan 2012-2020, for example, describes e-Health as a “mean using digital tools and services for health”, which involves an interaction between patients and health-services providers. Within e-Health, the role of telemedicine is growing considerably.

Regulations and guidelines in the field of e-Health are growing in the Italian jurisdiction, too. In particular:

  1. A new Agreement on Digital Health (“Patto per la Sanità Digitale”) prepared by the Ministry of Health has been proposed to the State and Region Conference in June 2015;
  2. New guidelines on electronic health records have been issued by the Data Protection Authority on June 4, 2015; and
  3. An interesting administrative court decision issued on July 10, 2015 set forth innovative principles in the field of digital health supplies to the public administration.

Our next blog posts will explore the above developments, which are set to change certain regulatory aspects of e-Health.

Stay tuned, and happy summer!