eHealth is closer to becoming a reality in Italy with the approval by the Italian Data Protection Authority of the decree setting out the requirements for electronic health records systems.

We had already discussed in this post the stringent requirements set out by the Italian data protection authority in relation to electronic health records and health file systems, in terms of the information to be provided to patients, the consents to be given and the security measures to be adopted.

However, the implementation of this system in Italy required some technical specifications to be issued in a decree of the Council of Ministers, to which the Italian data protection authority has now granted its approval. The decree is interesting because, among other things, it divides electronic health records into subsections according to the purposes for which the collected data are processed, namely:

  1. for the treatment of patients, with hospitals acting as data controllers;
  2. for research purposes, with Regions, Provinces and the Italian Ministry of Health acting as controllers; and
  3. for public purposes, with the Ministry of Labour acting as controller of data collected to comply with applicable laws.

Very stringent requirements have also been set out in terms of:

  • the privacy information notice to be provided to patients
  • the consent to be given by them for the inclusion in the electronic health records of very sensitive data concerning them
  • the identification of entities that can access stored data and
  • the security measures to be adopted, with an express notification obligation on data controllers in case of data breach events.

The above is also relevant for private companies, not only because they might contribute to the creation of the electronic health records infrastructure in Italy, but also because it provides interesting instructions on how to set up eHealth and remote patient monitoring systems, as well as telemedicine systems, privately run by them.