Digital health has massive potential, but its implementation requires compliance with standards that are now even more stringent after the issue of new guidelines by the Italian privacy authority.
Digital health aims to combine health with wealth, in terms of cost savings for the State, through electronic systems that ensure more efficient management of patients’ data, often in combination with patients’ remote monitoring systems and telemedicine devices. But the barriers to the use of such technologies are becoming considerably higher.
The challenging proceedings from the Italian privacy authority
The Italian privacy authority seems not to trust entities handling large electronic databases of sensitive personal data. And indeed, the Garante recently started challenging proceedings against hospitals implementing a health file system and whole regions that had adopted an electronic health record system considered not to be fully in line with data protection requirements.
The consequences of such challenging proceedings can be
- the impossibility of using personal data unlawfully collected, with the consequent complete loss of the investment made, as well as
- the potential issue of fines, which will be increased up to 2% of the global turnover with the new EU privacy regulation, and
- criminal sanctions should such practice be performed to gain profit.
The new guidelines on digital health
I have already discussed in the past the privacy and regulatory obligations applicable to digital health technologies as well as telemedicine devices. The Italian privacy authority had already recently approved the decree setting up the Italian electronic health records system. But it has now also updated its guidelines on the health file system, providing, among other things, that
- the level of detail and transparency required in the privacy information notice and the type of consent to be obtained from patients to allow the lawful processing of their data shall ensure their full control of what is performed with their health-related data, with even further obligations applicable in case of processing of highly sensitive data;
- patients shall have very broad rights to control who can access their personal data, to distinguish the level of access to their personal data depending on the individuals involved and to obtain information on who has accessed their data. But even if patients’ consent is obtained, the Italian privacy authority has set forth strict rules on who can get access to patients’ data and in which role, which data can be collected and how data can be used; and
- very stringent security measures shall be adopted to protect access to processed data, and data breach notification obligations apply to data controllers. And indeed the peculiarity of Italian privacy regulations is that they are quite specific on the security measures to be put in place.
The above is also of interest to the private sector, and in particular to medical device companies that provide hospitals with electronic databases processing patients’ data, since it might be argued that such guidelines have to be considered the benchmark for this type of technology.
Can digital health be an option in 2015?
An interesting open issue is whether the implementation of a digital health system can be left to patients’ discretion and whether patients can be given the liberty to decide whether or not their personal data should be processed through such technologies and within what limits. The decision by some patients not to be included in a digital health system might indeed lead to additional costs for hospitals and the whole country since
- such data has to be separately handled,
- additional tests might be necessary to spot issues that might have been easily identified by aggregating the data from different sources and
- delays in research activities could be caused by access to smaller databases.
Hopefully Italy will not feel left behind due to the excessive regulatory requirements… but this is certainly an additional issue to discuss with the Italian privacy authority as part of their consultation on the Internet of Things.