Data protection, privacy and digitisation in healthcare

Digitisation

What are the legal developments regarding digitisation in the healthcare sector and industrial networks or sales channels?

The main legal developments regarding digitisation in the healthcare sector concern the creation of the Electronic Medical Record (CCE) and the Electronic Health Record (EHR), the dematerialisation of the specialist prescription (digitisation of the prescriptive cycle, with paper prescriptions replaced by an equivalent digital document), the possibility of booking medical services online and the possibility of filing sickness certificates online. The Italian government encourages the use of telemedicine, and initiatives in this respect have been increasing since the publication of the National Guidelines on Telemedicine by the Ministry of Health.

Electronic Medical Record

The CCE was introduced for the first time in Italy in 2012 and is one of the health documents that can be created, signed and stored digitally while maintaining the same legal value as the traditional paper record.

It is a digital document, created and filed by the healthcare facility treating a patient, to manage all the data related to his or her medical history and to guarantee continuity of care. It also allows the management and instant sharing of all information through the IT system used by hospital companies.

Electronic Health Record

The EHR was introduced in Italy in 2012 and is defined by article 12 of Law Decree No. 179/2012 as ‘the set of digital health data and documents generated by past and present clinical events concerning the patient’.

The EHR is managed by the Italian regions and can be set up for the purposes of prevention, diagnosis, treatment and rehabilitation; for medical, biomedical and epidemiological scientific research; and for health planning and evaluation of the health care services.

The EHR can be completed and updated exclusively on the basis of the free and informed consent of the patient, who can decide whether to include all or part of his or her health data. In addition, the consultation of the data and documents present in the EHR can be carried out only with the consent of the patient and always in compliance with professional secrecy, except in cases of a health emergency.

As to the content, the EHR consists of a minimum set of documents that must be made available by the system and supplementary documents that allow expansion of its sphere of use. In particular, the minimum set of documents consists of:

  • patient identification and administrative data;
  • hospital reports;
  • first aid reports;
  • letters of discharge;
  • synthetic health profile;
  • pharmaceutical dossier; and
  • consent or denial of organ and tissue donation.


Dematerialisation of the specialist prescription (digital prescription)

The dematerialisation of the specialist prescription has been implemented through Law Decree No. 78/2010, which attributed legal value to the electronic transmission of prescription data, providing that the electronic transmission replaces the medical prescription in paper format.

The prescription is filled in online by the doctor, who gives the patient only the identification number of the prescription and a paper memorandum of it. The paper memorandum is intended to guarantee the service should the computer system be unavailable. The prescription identification number and the Health Card allow the patient to purchase the medicines at pharmacies and to book specialist visits and instrumental diagnostic tests.

Online reservations

The digitalisation of the healthcare booking process is a tool adopted in Italy with the aim of reducing the resources and the time required to access services. The digitalisation started with the creation of the Unified Booking Centre (CUP), the centralised booking system for healthcare services, which is charged with managing the entire range of health services on offer.

On 29 April 2010, the CUP System National Guidelines were issued. They regulate the functioning of the CUP system both in its front-office components (collection of requests, booking of services and payment collection) and in its back-office components, which cover the planning and the ordinary and extraordinary maintenance of the activities preparatory to booking.

Online sickness certificates

The possibility of sending sickness certificates online applies to employees, both public and private, with the exception of the armed forces and police, firefighters, judges, lawyers and state attorneys, prefecture staff and diplomats, prison management personnel, and professors and university researchers.

In the event of illness resulting in incapacity for work, the law allows doctors to transmit the diagnosis certificate directly to the National Social Security Institute (INPS) by electronic means.

Telemedicine

Although there is no specific law concerning telemedicine yet, the most important reference is the document ‘National Guidelines for the provision of telemedicine services’, approved following an agreement between the government and the Regions on 17 December 2020. The Guidelines are intended to be the single national reference for the implementation of telemedicine services and the use of such systems within the National Health Service.

Provision of digital health services

Which law regulates the provision of digital health services, and to what extent can such services be provided?

In Italy, the first step for the implementation of digital health services has been the agreement between the government, the regions and the Autonomous Provinces of Trento and Bolzano on the document entitled ‘Telemedicine – National Guidelines’. The guidelines have been updated following the agreement of 17 December 2020 on the document ‘National Guidelines for the provision of telemedicine services’.

Telemedicine is a different way of providing social and health services, not just medical services, and therefore the provision of telemedicine services falls within the regulatory framework that governs the authorisation process.

According to the Guidelines, telemedicine services can be divided into four categories:

  • services that can be assimilated to any other traditional diagnostic and/or therapeutic healthcare service, representing an alternative to it;
  • services that, since they cannot replace the traditional healthcare service, support it by making it more accessible or increasing its efficiency;
  • services that complement traditional services by making them more effective in meeting patients' needs; and
  • services that can completely replace traditional healthcare services.


In the context of telemedicine, the Guidelines identify the following services, which are subject to the same regime that applies when they are provided in the patient's presence.

  • Televisiting: this is a medical act in which the professional interacts at a distance in real time with the patient, also with the support of a caregiver. Televisiting is, however, limited to the monitoring of patients whose diagnosis has already been made during an in-person visit. Accordingly, services that do not require palpation, percussion or auscultation can be provided in this way.
  • Teleconsultation: this is a medical act in which the professional interacts at a distance with one or more doctors to discuss, also by means of a video call, the clinical situation of a patient, based primarily on the sharing of all the clinical data, reports, images and audio-video material regarding the specific case.
  • Teleconsulting: this is a health activity, not necessarily medical but in any case specific to the health professions, which takes place at a distance and is performed by two or more persons who have different responsibilities with respect to the specific case. It consists in the performance of clinical activities, followed by a video call in which the requested health professional provides the other with indications for the correct performance of care services for the patient.
  • Telecare by health professions (nurse, physiotherapist or logopedist, i.e. speech therapist): this is a professional act based on remote interaction between the healthcare professional and the patient by means of a video call, during which data, reports or images may be shared if necessary. The telecare professional can also use suitable apps to administer questionnaires, share images or provide video tutorials on specific activities.
  • Telereferral: this is a report issued by the doctor who has examined the patient and transmitted by means of digital and telecommunication systems.


For all healthcare services provided at a distance, the national or regional regulatory framework regulating access to the same services in traditional form applies.

Authorities

Which authorities are responsible for compliance with data protection and privacy, and what is the applicable legislation? Have the authorities issued specific guidance or rules for data protection and privacy in the healthcare sector?

The Italian data protection authority is responsible for compliance with data protection and privacy. The applicable legislation is Legislative Decree No. 196/2003 (the Code on the protection of personal data), as amended by Legislative Decree No. 101/2018, together with the General Data Protection Regulation (Regulation (EU) 2016/679, the GDPR).

Article 2-quater of the Code provides that the authority should promote the adoption of deontological rules for the processing of genetic data, biometric data and data concerning health.

To date, the authority has issued its Guidelines on the management of the Electronic Health Record, which regulate both the cases in which the patient's consent is necessary and which data each doctor enrolled in the system may access, depending on whether or not the data concern one of his or her patients.

On 7 March 2019 and 25 March 2019 respectively, the authority issued two documents, ‘Clarifications on the application of the regulation for the processing of health data in the health field’ and ‘Healthcare after the GDPR, the explanations of the authority’, in which it indicates which patient data can be processed and when consent is required in light of the GDPR.

In summary, the documents provide that doctors can process patient data for treatment purposes without having to request consent, but they must still give patients complete information on the use of their data. A doctor who operates as a private professional is not required to appoint a data protection officer. All operators in the sector are obliged to keep a record of processing activities.

Consent, or a different legal basis, is required when certain processing operations are not strictly necessary for the purposes of care, even when they are performed by health professionals. Examples are the processing of health data related to the use of a medical app (except apps for telemedicine), processing carried out for customer loyalty purposes (such as the schemes run by some pharmacies or para-pharmacies), and processing for promotional, commercial or electoral purposes.

The authority confirms that, under the current legislation governing the sector, consent is still required for the processing of data relating to the electronic health record and for the consultation of reports online.

Lastly, on 29 July 2019, the authority issued the ‘Document containing the provisions relating to the processing of special categories of data’, which sets out the rules governing the processing of genetic data.

Requirements

What basic requirements are placed on healthcare providers when it comes to data protection and privacy? Is there a regular need for qualified personnel?

According to the GDPR, the Italian Code on the protection of personal data and the provision issued on 7 March 2019 (No. 9091942) by the Italian data protection authority, ‘Clarifications on the application of the regulation for the processing of health data in the health field’, healthcare providers must carry out a data protection impact assessment of the envisaged processing operations on the protection of personal data.

In addition, healthcare providers must provide the data subject with all of the information listed in article 13 of the GDPR and obtain explicit consent for processing where none of the other lawful bases for handling personal and health data provided for in article 9 of the GDPR applies. In practice, processing is generally permissible for the management of health or social care systems and services, or on grounds of public interest.

Furthermore, healthcare providers should maintain a record of the processing activities under their responsibility, containing the information provided for in article 30 of the GDPR, which must be made available to the supervisory authority on request.

Lastly, according to article 37, paragraph 1, letter (c) of the GDPR, the healthcare provider, whether as data controller or as data processor, must designate a data protection officer: a natural or legal person with ‘expert knowledge of data protection law and practices’ who is responsible for overseeing the organisation's data protection strategy and its implementation to ensure compliance with GDPR requirements. However, a doctor who operates as a private professional is not required to appoint a data protection officer.

Common infringements

What are the most common data protection and privacy infringements committed by healthcare providers?

The most common data protection and privacy infringement committed by healthcare providers is the failure to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, considering that the healthcare industry has the highest risk of experiencing a data breach and that healthcare records are considered highly valuable to cyberattackers.

This lack of appropriate measures can result, inter alia, in unauthorised access to personal data, identity theft, insurance fraud and financial fraud, in addition to the internal leaks of information that may occur when authorised personnel such as employees, contractors and IT security staff do not take proper precautions to manage and protect the data.