Tag Archives: electronic medical record

Electronic medical records and patients: a love and hate relationship.

What’s the status of e-health in Italy?

A fairly reliable benchmark is the implementation of the Electronic Medical File (Fascicolo Sanitario Elettronico) (“EMF”). The EMF was first introduced by Law Decree no. 179 of 2012, as converted into Law no. 221 of 2012; it was then implemented by way of a Ministerial Decree dated September 3, 2015. The purpose of the EMF is to provide a tool to patients and healthcare professionals by collecting and providing web access to health-related data such as hospitalizations, medical checks, drug administration, home assistance, and emergency room visits. In other words, the EMF promises to make all data relating to patients’ health readily available and accessible from any place in the world at an unparalleled speed.

Despite these intentions, the new comprehensive tool is far from achieving the expected success.

Why is that?

One legal reason may lie in the privacy concerns raised by the creation, population and maintenance of EMFs. EMFs are populated with data collected by healthcare professionals over the course of patients’ lives. The fear that data may be inadequately protected on the internet, and thus improperly disclosed, may push patients to deny their consent to the creation and population of EMFs. After all, although data are supposed to be processed in accordance with the provisions of the Code for the Digital Administration, and appropriate measures must be taken to ensure access authentication and authorization, patients may still have doubts about the safety of the data processing.

Quite interestingly, however, a more mundane reason seems to prevail. Italians just do not know about the EMF! According to a survey carried out by the Observatory for Digital Innovation in Health on a sample of 1,000 citizens, 83% of them have never heard of the EMF, 88% do not know whether the service is currently active in their Region, and 95% have never sought information about it[1]. Also, the EMF does not seem to be the most appealing item in blog discussions: out of 400,000 comments on e-health on the web, only 11% relate to the EMF[2]. Such a low impact seems to go hand in hand with quite a low use of other e-health services provided by hospitals and other healthcare centers. Only a few patients seem to have taken advantage of services like online booking of medical checks, test results, and payments[3].

If, as mentioned, psychology plays a major role in the implementation of the EMF, so do the efforts made thus far by Regions and healthcare professionals. An inquiry into the implementation of the EMF in the Emilia Romagna Region reveals that not all services set forth in the law are currently included in the available EMF, and the availability of the services may depend on where the interested patient resides[4]. Also, hospitals and healthcare professionals seem to be responsible for having passively accepted the EMF, without truly understanding its potential[5]. Healthcare professionals are reported to often look at the EMF as a burden rather than a revolutionary tool[6]. Lastly, many hospitals and healthcare centers continue to maintain their own independent presence on the web in parallel; as a consequence, patients rely on those websites to use services that would be available on the EMF[7].

What can be done?

Perhaps the EMF would be more popular if patients were able to use it through a mobile app, provided that security concerns are adequately addressed. Patients could then access the EMF more easily, monitor the processing of the collected data and promptly report any inaccuracies or errors. However, while this suggestion may represent an improvement, it would in any case require further education and promotion through healthcare professionals and healthcare centers.

[1] Il Sole 24 Ore Sanità, September 29 – October 5, 2015, page 10.

[2] Ibidem.

[3] Ibidem.

[4] Il Sole 24 Ore Sanità, October 20 – October 26, 2015, page 8.


[5] Il Sole 24 Ore Sanità, October 20 – October 26, 2015, page 8.

[6] Ibidem.

[7] Ibidem.

Electronic Medical Record: Italian Data Protection Authority Issues New Guidelines

On June 4, 2015, the Italian Data Protection Authority issued new guidelines governing the collection and processing of personal and sensitive data through the Electronic Medical Record.

  • What is an Electronic Medical Record?

A record, kept by a hospital or a healthcare center, containing patients’ clinical history at that specific hospital or healthcare center.

  • Patients’ rights

The guidelines set forth several rights to which patients treated at any hospital or healthcare center are entitled:

  1. Patients are entitled to decide whether the hospital or the healthcare center may store their data through an Electronic Medical Record. If a patient denies his/her consent, physicians will be able to rely only on information gathered during examination and treatment, as well as on information previously conveyed by the patient, if any. Denial of consent will not affect the possibility of being treated at the hospital/healthcare center.
  2. Specific consent is needed for the collection of certain categories of sensitive data, such as HIV infections, abortions, and data relating to sexual assault. With respect to such data, patients will have the right to limit access to specific individuals/professionals.
  3. In addition to all rights granted by the Data Protection Code (such as the right to receive confirmation on the existence of personal/sensitive data, to know the origin of the data, the purpose and means of processing, as well as the logic applied to the processing) patients will also be entitled to receive information on each access to their Electronic Medical Record.

  • Hospitals and healthcare centers’ obligations

Hospitals and healthcare centers are required to provide patients with a thorough privacy notice concerning the processing of data through the Electronic Medical Record. Upon patients’ request, hospitals and healthcare centers shall also provide information concerning stored data and access logs to the Electronic Medical Record (including the professional accessing the data, date and time of access) within 15 days of the request. Patients will also be entitled to redact data or healthcare documentation that they do not wish to be included in their Electronic Medical Record.

The Data Protection Authority’s guidelines also address important technical aspects and provide that patients’ healthcare information contained in the Electronic Medical Record shall be segregated from other administrative data. Sensitive data will need to be encrypted. Furthermore, access to the record will be granted only to medical staff involved in the patient’s treatment and any access and processing will be recorded on log files to be kept by the hospital or healthcare center for at least 24 months.
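As an added illustration (not part of the guidelines or of the original post), the sketch below shows how the access rule, the per-access log, the patient's access report and the 24-month retention floor described above could fit together. All names, categories and sample data are hypothetical, and encryption and data segregation are left out.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# "At least 24 months": 731 days covers any span of 24 calendar months.
MIN_RETENTION = timedelta(days=731)

@dataclass
class Record:
    patient_id: str
    consented: bool      # patient agreed to an Electronic Medical Record
    care_team: set       # staff involved in this patient's treatment
    restricted: dict = field(default_factory=dict)  # category -> staff the patient allowed

def request_access(record, log, staff_id, category, when):
    """Decide one access request and log it, whether allowed or denied."""
    allowed = record.consented and staff_id in record.care_team
    if allowed and category in record.restricted:
        # Specially protected category: the patient picks who may see it.
        allowed = staff_id in record.restricted[category]
    log.append({"patient": record.patient_id, "staff": staff_id,
                "category": category, "when": when, "allowed": allowed})
    return allowed

def patient_report(log, patient_id):
    """What a patient can request: who accessed the record, and when."""
    return [(e["staff"], e["when"], e["allowed"])
            for e in log if e["patient"] == patient_id]

def purge(log, now):
    """Drop only entries older than the retention floor, never younger ones."""
    return [e for e in log if now - e["when"] <= MIN_RETENTION]

def demo():
    # Constructed sample data.
    rec = Record("p1", True, {"dr_a", "dr_b"}, {"hiv": {"dr_a"}})
    log = []
    t0 = datetime(2015, 6, 4, 9, 0)
    results = [
        request_access(rec, log, "dr_a", "hiv", t0),       # allowed by the patient
        request_access(rec, log, "dr_b", "hiv", t0),       # on the team, not for this category
        request_access(rec, log, "dr_b", "general", t0),   # on the team, ordinary data
        request_access(rec, log, "clerk", "general", t0),  # not involved in treatment
    ]
    return results, log

if __name__ == "__main__":
    results, log = demo()
    print(results)
    print(patient_report(log, "p1"))
```

Denied requests are logged as well, so the patient's report and any later breach review see attempted accesses, not only successful ones.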

Lastly, the guidelines set forth strict data breach requirements for hospitals and healthcare centers, providing that any data breach or unauthorized access shall be reported to the Data Protection Authority within 48 hours of knowledge of the breach. Failure to report will lead to the application of penalties.

See the Data Protection Authority’s presentation of the new guidelines