The Italian Data Protection Authority has adopted new Guidelines on the “Electronic Health File” which require informed consent, the recording of ‘access paths’ and the immediate communication of data breaches. The Guidelines provide for:
- greater protection of patient data,
- more transparency
- an obligation for health organizations to immediately notify the DP Authority of so-called data breaches (breaches or cyber incidents, such as attacks, unauthorized access, malware activity, loss or theft) which may have a significant impact on the data.
The patient will have the opportunity to know who accesses their electronic health file.
The purpose of the Guidelines is to define a frame of reference for the proper processing of the data collected in the electronic health file, whether already established or to be established in the future, by public or private health organizations.
The electronic health file is the instrument kept by a single health facility (a hospital, a health care centre, a nursing home) which collects information on the health of a patient in order to document their clinical history within that single facility and offer better care.
It differs from the electronic health record (in Italian: ‘fascicolo sanitario elettronico’) which contains the entire medical history of a person generated by different health facilities.
The provision of the Italian DP Guarantor, which will be published in the Official Journal, provides that patients must be allowed to choose, in complete freedom, whether or not to have their data included in the patient dossier.
In the absence of consent, the doctor will have only the information given at that time by the patient, or from previous services provided by the same professional.
The absence of consent should not have any influence on the possibility of access to the requested health care.
Specific consent will be required to include particularly sensitive information (i.e. HIV infections, abortion procedures, data on sexual violence or child abuse) in the electronic health file.
To allow the patient to make a free and conscious choice, the health facility will have to inform them clearly, indicating in particular who will have access to their data and what kinds of operations may be carried out.
The healthcare facility will also ensure that the patient can exercise the rights recognized by the Privacy Code (i.e. data access, integration, correction, etc.) and can learn which department consulted the dossier and the date and time of the consultation.
The patient must also be guaranteed the opportunity to ‘obscure’ some data or medical records that they do not intend to include in the dossier.
Given the particular sensitivity of the dossier, the Guarantor has prescribed the adoption of high security measures.
Health data will be separate from other personal data, and criteria will be identified for the encryption of sensitive data.
Access to the file will be allowed only to the healthcare professionals involved in the care.
Every access and every operation, even simple consultation, will be tracked and recorded automatically in dedicated log files that the facility will keep for at least 24 months.
Any data breaches or cyber incidents must be reported to the Authority within forty-eight hours of becoming aware of the fact, through a form prepared by the Guarantor, at: firstname.lastname@example.org
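As an added illustration of the measures described above (example code written for this page, not part of the Guarantor's Guidelines or of any real health-file system), the following Python sketch models a per-facility access log: every access attempt, including read-only consultation, is recorded with professional, department and timestamp; only professionals assigned to the patient's care are allowed in; the patient can obtain the ‘access path’ for their dossier; log entries become eligible for deletion only after 24 months; and a breach-notification deadline of 48 hours is computed from the moment the breach became known. Class and function names, the care-team model and the sample events are all constructed for the example.

```python
"""Hypothetical audit trail for an electronic health file (added example).

Models the controls described in the Guidelines: every access is logged,
access is limited to the care team, the patient can see who consulted the
dossier, logs are kept for at least 24 months, and a breach must be
reported within 48 hours of becoming known.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

RETENTION_MONTHS = 24      # minimum log retention stated in the Guidelines
BREACH_NOTICE_HOURS = 48   # notification deadline stated in the Guidelines


@dataclass(frozen=True)
class AccessEvent:
    dossier_id: str
    professional_id: str
    department: str
    operation: str          # e.g. "consult", "update"; consultation is logged too
    at: datetime            # timezone-aware UTC timestamp
    allowed: bool           # False when the attempt was refused


def months_before(dt: datetime, months: int) -> datetime:
    """Calendar-aware 'dt minus N months', clamping the day to the month length."""
    years, month0 = divmod(dt.month - 1 - months, 12)
    year, month = dt.year + years, month0 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


class DossierAuditLog:
    """Append-only access log for one health facility (hypothetical class)."""

    def __init__(self) -> None:
        self._events: List[AccessEvent] = []
        # hypothetical model: dossier id -> professionals involved in the care
        self._care_teams: Dict[str, Set[str]] = {}

    def assign_care_team(self, dossier_id: str, professionals: Set[str]) -> None:
        self._care_teams[dossier_id] = set(professionals)

    def access(self, dossier_id: str, professional_id: str, department: str,
               operation: str, at: datetime) -> bool:
        """Authorize and record one access attempt; returns whether it was allowed.

        Refused attempts are kept as well, so the log also serves detection.
        """
        allowed = professional_id in self._care_teams.get(dossier_id, set())
        self._events.append(AccessEvent(dossier_id, professional_id, department,
                                        operation, at, allowed))
        return allowed

    def access_path(self, dossier_id: str) -> List[AccessEvent]:
        """What the patient is entitled to see: who consulted the dossier,
        from which department, and when (successful accesses only)."""
        return sorted((e for e in self._events
                       if e.dossier_id == dossier_id and e.allowed),
                      key=lambda e: e.at)

    def purgeable(self, now: datetime) -> List[AccessEvent]:
        """Entries older than the retention period; nothing younger may be deleted."""
        cutoff = months_before(now, RETENTION_MONTHS)
        return [e for e in self._events if e.at < cutoff]


def breach_notification_deadline(known_at: datetime) -> datetime:
    """Latest moment by which the Authority must have been notified."""
    return known_at + timedelta(hours=BREACH_NOTICE_HOURS)


def notification_is_timely(known_at: datetime, notified_at: datetime) -> bool:
    return notified_at <= breach_notification_deadline(known_at)


if __name__ == "__main__":
    # constructed sample data, not real patients or professionals
    log = DossierAuditLog()
    log.assign_care_team("D-1", {"dr-rossi"})
    t = datetime(2016, 3, 10, 9, 0, tzinfo=timezone.utc)
    print("care team access:", log.access("D-1", "dr-rossi", "cardiology", "consult", t))
    print("outsider access:", log.access("D-1", "dr-bianchi", "admin", "consult", t))
    for e in log.access_path("D-1"):
        print("patient view:", e.department, e.professional_id, e.at.isoformat())
    known = t
    print("deadline:", breach_notification_deadline(known).isoformat())
```

The patient-facing view deliberately omits refused attempts, which remain in the log for the facility's own monitoring; retention is computed on the calendar rather than a fixed number of days so that the 24-month minimum is never undercut by short months.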
Annexes (in Italian)
- Deliberazione del 4 luglio 2015
- Allegato A - Linee Guida
- Allegato B - Modello comunicazione data breach
- Allegato C - Definizioni
Italian DPA documents on Health Data (in English):
- Guidelines on processing personal data for dissemination and publication on exclusively health-related web sites - 25 January 2011
- Guidelines on Online Examination Records - 19 November 2009
- Guidelines on Online Examination Records - 25 June 2009
- Guidelines on the Electronic Health Record and the Health File - 16 July 2009