The Regulations on Electronic Health Record ( ESF) was issued by Prime Ministerial Decree n. 179 of 29 September 2015 published in the Official Gazette 11 November 2015 n. 263.
The measure was long overdue because now the subject of digital health are taking a considerable importance also as a result of recent legislative and regulatory measures.
In fact, the Italian legislature in recent years, has repeatedly intervened on the subject of digital health.
In particular, we should note the Law Decree no. 158/2012 converted with amendments by Law no. 189/2012, the decree law n. 179/2012 (the “Decree growth 2.0″) converted with amendments by Law no. 221/2012 and – most recently – the decree n. 69/2013 (the “Decree of doing”) converted with amendments by Law no. 98/2013.
Before these contributions lacked legal sources that disciplinassero the theme in question . The only references were contained in the guidelines of the Ministry of Health and in the guidelines of the Authority for the protection of personal data in the field of electronic health records and electronic dossier as well as in the guidelines regarding reports on line respectively dated 16 July 2009 and 19 November 2009 (not to be overlooked is the latest guidelines of the Guarantor relating to health dossier approved by resolution of 4 June 2015).
The decree law 158/2012 originated from the fact the need and urgency to proceed with the reorganization of the health organization, in light of the contraction of the financial resources available. This reorganization also taking its opening words by the lack of economic resources, aims to achieve a higher level of health protection. What, undoubtedly, can be conjoined – fewer resources and better services – only with a profound rethinking of the whole chain of service.
The order in question does not add much more in the area of the ESF, on the other hand the same has the undeniable merit of having opened the sector to an issue of great importance.
The decree law 179/2012, on the contrary, enters strongly in medias res . In fact, Article. 7 regulates the electronic filing of certificates of illness, one of the pillars of the process of the creation of ‘ e-Health . The next section IV is, then, entirely dedicated to the “digital health”. Article. 12 deals with the ESF. Article. 13 faces, however, the issues of prescription and medical records digital. Article. 13 a , then, regulates the prescription.
Finally Decreto Law 69/2013, Article. 17 providing for urgent measures to promote the implementation of the ESF. The same provision, in particular, on Article intervenes. 12 of Decree Law 179/2012 making the same number of important changes.
As a direct result of these measures has been made, then, must the Regulation in question entering into the merits of a more complete and organic rules ESF is a technically and legally.
As you know, the ESF is defined by art. 12 of Decree 179/2012, called the Regulations as “ all the data and digital documents relating to health and social health generated from clinical events present and past, about the assisted .”
In fact should be immediately clear that this is not the only definition of ESF we have, in fact, the Authority for the Protection of Personal Data has defined himself, in his general measure of 2009, as “the file format with reference to health information originating from different data controllers operating more frequently, but not exclusively, in the same geographical area “(eg., healthcare company, a private clinical laboratory operating in the same region or area wide), distinguishing it from the health record that, while still covering the same data is set up at a medical body as the sole owner of the treatment (eg., hospital or private clinic) in which they operate and more professionals.
The establishment of the ESF was originally planned by the Regions by 30 June 2015. In addition, pursuant to and for the purposes set out in paragraph 7 of article. 12 of Decree Law 179/2012, within ninety days of the entry into force of the conversion law (Law no. 221/2012), should be established – with one or more decrees – the content of the ESF; the limits of responsibilities and tasks of the subjects that will contribute to its implementation; systems of encoding data; the safeguards and security measures to be taken in data processing; the procedures and widely varying levels of access to the ESF by authorized individuals; the definition of a unique identification code of the assisted, not allowing direct identification; and, finally, the interoperability criteria of the ESF at regional, national and European level. All of which with a lag have been addressed in the current Regulation.
In particular, the Prime Minister’s Decree n. 179/2015 states that the content of the ESF are represented by a minimum set of data and documents as well as information or documents that allow you to enrich the dossier itself (Art. 2). The same then are specified in detail. It also introduced the concept of health point of synthetic or “patient summary”, which is the document social and health information drawn up and updated by the general practitioner or pediatrician, summarizing the clinical history of the assisted and its current situation known. It states that the purpose of this document is to promote continuity of care, allowing quick classification of the assisted when a contact with the NHS (art. 3).
Another new concept governed by ‘Art. 4 of the Regulations is the personal notebook of the assisted intended as a reserved section of the ESF in which the assisted person is allowed to input data and personal documents relating to their own care, also performed at facilities outside the NHS .
The Regulation then devotes a specific provision (Art. 5) in all the data and documents health and social health that deserve special protection. The same are made visible only with the express consent of the assisted, it provided that, if the patient chooses to have recourse to anonymous, do not allow the power of the ESF by the subjects that effect payments. It is, in particular data and documents governed by regulations to protect people living with HIV, women who undergo a voluntary termination of pregnancy, victims of sexual violence or child abuse, people who use substances narcotics, psychotropic substances and alcohol, women who decide to give birth anonymously, as well as data and documents related to the services offered by family planning clinics.
The provisions of the Regulations Art. 6 art. 9 are concerned, in particular, the respect of the legislation on protection of personal data regulating: the information to be provided to patients, which must contain all the elements of art. 13 of Legislative Decree. N. 196/2003 (Art. 6) where, among other things, it should be clarified that the data that flow into the dossier relate to his current state of health and possibly prior; the consent of the assisted which must be free and informed in accordance with the general principles (Art. 7); the rights of the assisted where, without prejudice to the provisions of article 7 of the Code regarding the protection of personal data in respect of personal data processed in the ESF, the client has the right to request the blackout data and medical records, social and health both before feeding FSE later, ensuring only the assisted consultability and holders that generated them (art. 8); access to the ESF by the assisted clear that the same access to their ESF fit secure and private, through the use of instruments mentioned in Article 64 of the CAD.
The Regulation then distinguishes between three different types of treatments, namely treatments for purposes of treatment, treatments for purposes of research and treatment for purposes of government devising different rules for each of them.
In particular, it is specified that for the treatments for purposes care of the subjects of the NHS and the social and health services that take care of the regional assisted, at which they are drafted data and medical documents that feed the ESF, are data controllers in accordance with Article 28 of the Code on protection of personal data (Art. 10). For the same purposes they are treated all data and documents in the ESF, in line with the principles of indispensability, necessity, relevant and not excessive (art. 11). In addition, Article. 12 of the Regulation clarifies all subjects of the National Health and regional health and social services that in carrying out their professional activities in a process of care fuel the ESF. Article. 13 discipline, in particular, access to information from the ESF for the purpose of calling attention to the provisions of paragraph 5 of Article 12 of the Decree-Law of 18 October 2012, n. 179 then converted by Law no. 221/2012. In particular, this access is allowed only if the patient has given his consent to access to the ESF; the information to be discussed are only those relevant to the care process in place; the persons having access to information belonging to the categories of persons authorized to consult the ESF indicated by the insured and are actually involved in the care process. Different of course is the case of access to emergency in art. 14 of the Regulations which is based on the provisions of article 82 of the Code regarding the protection of personal data by the operators of the National Health Service and the regional health and social services that will proceed after explicit declaration signed by them, by consulting the only information made visible by the insured.
As for treatments for research, the art. 15 of the Regulations specifies that the regions and autonomous provinces and the Ministry of Health, within their respective responsibilities assigned by law, are data controllers in accordance with the legislation on protection of personal data. Article. 16 of the Regulation clarifies that the data processed for research purposes should be stripped of all identifying elements already directed the assisted, in accordance with the principles of indispensability, necessity, relevant and not excessive in relation to that purpose. Access to information ESF for research purposes is permitted by regions, autonomous provinces and the Ministry of Health in accordance with the principles of proportionality, necessity, indispensability, relevant and not excessive and in accordance with Articles 39, 104 and 110 of the Code regarding the protection of personal data and its code of ethics and good conduct for the processing of personal data for statistical and scientific purposes (Art. 17).
Third type of treatment is considered by the Rules for purposes of government and the art. 18 identifies as legitimate holders of such treatment, pursuant to art. 28 of the Code, the regions and autonomous provinces, the Ministry of Health and the Ministry of Labour and Social Policy, within their respective responsibilities assigned by law. Even in this case, the data being processed must be stripped of all identifying elements of the assisted direct, while respecting the principles of indispensability, necessity, relevant and not excessive (art. 19). In addition access to information ESF for purposes of government it is allowed and the regions and autonomous provinces in the manner provided for the activities of planning, management, monitoring and evaluation of health care; the Ministry of Health especially in the areas of assessment and monitoring the delivery of essential levels of care; and the Ministry of Labour and Social Policy in individual form and without any reference that allows direct connection with the assisted (art. 20).
Chapter V of the Regulation in question devotes ample space to technical rules and safety measures, this fundamental aspect whenever we introduce in our legal documents of a computer. Article. 21, in particular, makes clear that the ESF should ensure the alignment of the identification data of the clients with the data nell’Anagrafe National Assisted (ANA) and, pending the establishment of the ANA, in the register regional health, in line with the national register of the population referred to in Article 62 of the CAD.
Article. 22, however, refer to the technical specifications attached to the Regulation on the methods and levels of access to data and documents by authorized persons al’accesso ESF. Same court also found in art. 23 where they are examined, in general, the security measures of the ESF and specifies that the operations on personal data, necessary for the fulfillment of the regulations are executed through electronic instruments with procedures and solutions necessary to ensure confidentiality, integrity and availability of Data, adopted in compliance with the security measures expressly provided for in the decree of 30 June 2003, n. 196.
The same provision makes it clear that the use of storage systems or data storage should be implemented appropriate measures for the protection of recorded data against the risks of unauthorized access, theft or loss of partial or full storage media or computer systems portable or fixed. Do not miss also a specific reference to the need for the adoption of business continuity plan and disaster recovery plan, referred to in Article 50 bis of CAD and to respect the rules of CAD ( Articles. 43 and 44) governing the system of preservation of electronic documents.
Articles. 24 and 25 of Regulation dwell on some technical aspects very important as the adoption of methods of encoding the data and the need to ensure the interoperability of the inter-regional ESF.
Even with the regulation in question, then , the legislature continues the trend of recent technical provisions, enacted in the specific field of digitization, to attach to a decision of a more general technical regulations which, in this case regulates in detail: the data necessary for the correct identification of ‘assisted by the power of the ESF and the administrative data necessary for the proper identification of the administrative position of the assisted towards the NHS, in implementation of the stated in Article 21 of the Order; the means of access to the ESF, access profiles according to the professional roles and how to manage access policies, implementing as indicated in Articles 22 and 23 of the Decree; standard formats for representing information, data encoding systems and their proper use within the Electronic Health Record, in implementation of the provisions of article. 24 of the Decree; criteria for interoperability between electronic health records solutions adopted by the regions or autonomous provinces, in implementation of the 25 indicated in of the decree; the essentials that make up the lab report, referred to in Article 27, paragraph 1, letter d) , the decree; the essentials that make up the health summary, referred to in Article 3 of the decree.
The Regulation closes with an undoubted relief available suggests that the clear intent of the government to want to ensure real operation of the ESF. In fact, under Article. 26 is set up a technical committee to monitor and address, as part of the control room of the NSIS (New Health Information System) with a mandate to monitor the implementation of the provisions relating to the ESF under LD 179/2012 converted by Law no. 221/2012.
Probably only in this way, provided that the same shall become truly operational, and not remain on paper, you can actually get a shared implementation of the ESF throughout the country against a finding in front of ‘yet another technical regulation unnoticed within this sensitive area.
The editors note:
(Lawyer, 26 November 2015. Article Michele Iaselli )
No comments:
Post a Comment