Data protection, privacy and digital health

Responsible authorities and applicable legislation

Which authorities are responsible for compliance with data protection and privacy, and what is the applicable legislation?

The Italian data protection authority is responsible for compliance with data protection and privacy laws. The applicable legislation is Legislative Decree No. 196/2003 as amended by Legislative Decree No. 101/2018, the Code on the protection of personal data, as well as the General Data Protection Regulation (GDPR) No. 679/2016.

Article 2-quater of the Code provides that the authority should promote the adoption of deontological rules in relation to the processing of genetic data, biometric data or data concerning health.

To date, the authority has issued its Guidelines on the management of the Electronic Health Record, regulating situations in which the consent of the patient is necessary, and in which data are accessible to every doctor who is enrolled in the system, depending on whether or not the data concern one of his or her patients.

On 7 March 2019 and 25 March 2019 respectively, the authority issued two documents named ‘Clarifications on the application of the regulation for the processing of health data in the health field’ and ‘Healthcare after the GDPR, the explanations of the authority’ that provide indications on which patient data can be processed and when consent is required in light of the GDPR.

The documents, in summary, provide that doctors can process patient data for treatment purposes without having to request their consent, but doctors will still have to provide patients with complete information on the use of the data. A doctor who operates as a private professional is not required to appoint a data protection officer. All operators in the sector are obliged to keep a record of data processing.

Consent, or a different legal basis, is required when certain processing operations are not strictly necessary for the purposes of treatment, even when they are performed by health professionals. Examples are the processing of health data related to the use of a medical app (except for those for telemedicine), processing carried out for customer loyalty (such as that practised by some pharmacies or para-pharmacies), or for promotional, commercial or electoral purposes.

The authority confirms that, based on the current legislation governing the sector, there is still a need to acquire consent for the processing of data relating to the electronic health record, or for consulting online reports.

Lastly, on 29 July 2019, the authority issued ‘Document containing the provisions relating to the processing of special categories of data’, which sets out the rules governing the processing of genetic data.

Requirements

What basic requirements are placed on healthcare providers when it comes to data protection and privacy? Is there a regular need for qualified personnel?

According to the GDPR, the Italian Code on the protection of personal data and the provision issued on 7 March 2019 (No. 9091942) by the Italian data protection authority, ‘Clarifications on the application of the regulation for the processing of health data in the health field’, healthcare providers must carry out an assessment of the impact (data protection impact assessment) of the envisaged processing operations on the protection of personal data.

In addition, healthcare providers must provide the data subject with all of the information listed in article 13 of the GDPR and gain explicit consent for processing if they do not fall under other lawful bases of handling personal and health data provided for in article 9 of the GDPR. In fact, processing is generally permissible for the management of health or social care systems and services, or for public interest.

Furthermore, healthcare providers should maintain a record of processing activities under their responsibility that must be made available to the supervisory authority on request, containing the information provided for in article 30 of the GDPR.

Lastly, according to article 37 paragraph 1 letter (c) of the GDPR, the healthcare provider as data controller, or as data processor, must designate a data protection officer, who is a physical or legal person with ‘expert knowledge of data protection law and practices’ responsible for overseeing a company’s data protection strategy and its implementation to ensure compliance with GDPR requirements. However, a doctor who operates as a private professional is not required to appoint a data protection officer.

Regulatory guidance

Have the authorities issued specific guidance or rules for data protection and privacy in the healthcare sector?

Ministry of Health Guidelines: The Italian Ministry of Health often issues guidelines and recommendations specific to the healthcare sector. These guidelines can address data protection and privacy concerns in healthcare practices, such as the handling of patient records and medical data.

Healthcare-specific regulations: Italy may have healthcare-specific regulations that touch on data protection and privacy. These regulations might address topics like medical confidentiality, electronic health records, and the sharing of health information among healthcare providers.

Regional regulations: Healthcare regulations can vary by region in Italy, and some regions may have additional rules or guidelines related to data protection and privacy in healthcare. It is important to consider regional variations when operating in the healthcare sector.

Professional Codes of Conduct: Healthcare professionals and organisations may be subject to professional codes of conduct that include provisions on patient data privacy and confidentiality.

Data Protection Authority: The Italian Data Protection Authority provides guidance and interpretations of data protection laws, including how they apply to the healthcare sector.

Common infringements

What are the most common data protection and privacy infringements committed by healthcare providers?

The most common data protection and privacy infringement committed by healthcare providers is the failure to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, considering that the healthcare industry has the highest risk factor when it comes to experiencing a data breach and that healthcare records are considered highly vulnerable to cyberattacks.

This lack of appropriate measures can lead to, inter alia, unauthorised access to personal data, identity theft, insurance fraud and financial fraud, along with the internal leak of information that may occur when the authorised personnel, such as employees, contractors and IT security personnel, do not take the proper precautions to manage and protect the data.

Digital health services

Which authorities regulate the provision of digital health services and what is the applicable legislation? What basic requirements are placed on healthcare providers when it comes to digital health services?

In Italy, the first step for the implementation of digital health services has been the agreement between the government, the regions and the autonomous provinces of Trento and Bolzano on the document entitled ‘Telemedicine – National Guidelines’. The guidelines have been updated following the agreement of 17 December 2020 regarding the document ‘National Guidelines for the provision of telemedicine services’.

Telemedicine is a different way of providing social and health services, not just medical services, and therefore providing telemedicine services falls within the frame of reference that regulates the authorisation process.

According to the guidelines, telemedicine services can be divided into four categories:

  • services that can be assimilated to any other traditional diagnostic or therapeutic healthcare service, representing an alternative to it;
  • services that, since they cannot replace the traditional healthcare service, support it by making it more accessible or increasing its efficiency;
  • services that complement traditional services by making them more effective in meeting patients’ needs; and
  • services that can completely replace traditional healthcare services.

In the context of telemedicine, the Guidelines identify the following services, which should be subject to the same regime that applies when they are provided in the presence of the patient.

  • Televisiting: this is a medical act in which the professional interacts at a distance in real time with the patient, possibly with the support of a caregiver. Televisiting is, however, limited to the monitoring of patients whose diagnosis has already been made during an in-person visit. This means that only services that do not require palpation, percussion or auscultation can be provided in this way.
  • Teleconsultation: this is a medical act in which the professional interacts at a distance with one or more doctors to discuss, also by means of a video call, the clinical situation of a patient, based primarily on the sharing of all the clinical data, reports, images, audio and video regarding the specific case.
  • Teleconsulting: this is a health activity that is not necessarily medical but in any case specific to the health professions, which takes place at a distance and is performed by two or more persons who have different responsibilities with respect to the specific case. It consists in the performance of clinical activities, followed by a video call in which the requested health professional provides the other with indications for the correct performance of care services for the patient.
  • Telecare by health professions (nurse, physiotherapist, logopedist, etc.): this is a professional act based on remote interaction between the healthcare professional and the patient by means of a video call, during which data, reports or images may be shared if necessary. The telecare professional can also use suitable apps to administer questionnaires and share images or video tutorials on specific activities.
  • Telereferral: this is a report issued by the doctor who has examined the patient, which is transmitted by means of digital and telecommunication systems.

For all healthcare services provided at a distance, the national and regional regulatory frameworks regulating access to the same services in their traditional form apply.

As far as digital health services are concerned, Medical Devices Regulation 2017/745 came into effect in May 2021. It governs DTx digital therapies, which, being software solutions in the healthcare sector, are classified as medical devices and are therefore subject to the rules set forth in the EU.

However, in Italy, ad hoc rules for the use of DTx and, generally speaking, software medical devices, are still insufficient. No assessment methods or criteria and organisational models have been defined to make DTx accessible in an adequate, equitable and timely manner in the NHS context, which would ensure their quality and integration along care pathways to enhance care as usual. At the time of writing, the open question concerning these services is whether or not they should fall under the same regime under which healthcare services are provided to patients by HCPs.