In April 2011 the Senate rejected the legislative proposal to establish a mandatory electronic patient record (EPR) in the Netherlands. Subsequently, the national professional associations for general practitioners, pharmacists and hospitals (ie, the National Family Practice Association, the Practice Posts Association, the Royal Dutch Pharmacists Association and the Dutch Hospital Association) recommenced the initiative in a different (optional) form, using the already developed nationwide infrastructure for the electronic exchange of personal medical data. The Association of General Practitioners (VPH) petitioned the courts to prohibit the new initiative. In December 2017, after the first-instance court and the court of appeal had both rejected the new initiative, the Supreme Court issued a decision in cassation allowing it on the basis of present legislation.(1)
As the General Data Protection Regulation (GDPR) recently took effect, this update examines the judgment with regard to the issue of consent in light of new and future regulations (both general and sector-specific).
One of the VPH's arguments against the new optional EPR infrastructure was that it contravened the GDPR and the Processing of Personal Data in Healthcare (Additional Provisions) Act, as the patient consent required for the exchange of data through the EPR was not specific enough. According to the VPH, the principles of privacy by design and privacy by default require patient consent to be directed towards specified data processing.
The Supreme Court found that the 'specific consent' requirement means that consent for the processing of data must cover certain data that will be processed for one or more particular purposes or provided to certain persons. Thus, the court confirmed that consent is specific enough when the patient consenting knows which data set will be accessible in a given situation by a certain type of healthcare provider.
Under the current EPR infrastructure, patients still have limited options choosing which type of healthcare provider has access to their medical data and can give so-called 'everybody or nobody' consent. The Supreme Court considered this mechanism to be acceptable at present because it is based on a patient's freely given and sufficiently specific consent. At present, the GDPR is no stricter than the applicable national legislation in this regard.
In addition, the Supreme Court acknowledged that the EPR infrastructure must be altered when it is technically possible and practicable for consent to distinguish between certain data and certain healthcare providers. At that time, patients must be given more freedom of choice.
The Supreme Court's decision is consistent with the Processing of Personal Data in Healthcare (Additional Provisions) Act, a national healthcare-specific law which partially entered into force on 1 July 2017. Provision 15a, Paragraph 2 of the act introduces the requirement of 'specified consent', which implies that a patient can distinguish which data can be provided to which healthcare provider or categories of healthcare providers. This was probably the type of consent that the VPH envisaged would apply under the EPR infrastructure.
However, Provision 15a has yet to enter into force. During the parliamentary debate on the law, the legislature delayed the provision's implementation by three years because of its impracticability for healthcare providers. In the case at hand, the EPR infrastructure had to be judged under the law as it currently stands. As such, there was no reason to attach consequences to the new (not yet applicable) requirement of specified consent.
As soon as specified consent is technically possible and practicable, the EPR infrastructure will need to be amended. In the face of Provision 15a, Paragraph 2 of the Processing of Personal Data in Healthcare (Additional Provisions) Act, this technical development must take place before 1 July 2020.
For further information on this topic please contact Martin Hemmer or Willemijn van der Wel at AKD by telephone (+31 88 253 50 00) or email (firstname.lastname@example.org or email@example.com). The AKD website can be accessed at www.akd.nl.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.