A master patient index (MPI) makes patient data accessible between healthcare providers both within and across sectors. Since the providers are typically stand-alone legal entities, this constitutes a “transfer” as defined by data protection laws. If the MPI data is also subject to medical confidentiality, it constitutes a “disclosure” as defined by the pertinent Professional Code of Conduct for Physicians and by § 203 of the German Criminal Code. In addition to permission given in accordance with data protection laws, a specific authorization is also required for such a disclosure in accordance with the “dualist principle.”
Finding the legal foundations
The transfer of data between two legal entities is always allowed when it is expressly permitted by law, or when the person concerned has given informed consent to it. If the patient data in question is subject to confidentiality, either the law being applied or the informed consent statement must explicitly relate to patient or health-related information. At present, the ways in which hospitals may transfer and disclose patient information are regulated largely by specific German federal state laws affecting hospitals or health information privacy (for example the data protection section of Baden-Württemberg’s State Hospital Act or North Rhine-Westphalia’s Health Data Protection Act).
This will change by May 25, 2018. At that time the EU General Data Protection Regulation (EU GDPR, enacted on May 25, 2016) will be in effect, or else the relevant national implementation laws for specific areas, such as the new German Federal Data Protection Act (a draft of which is already available). It remains to be seen whether the new regulations will entail new legal conditions for consent with regard to MPI data. Also unclear is the extent to which existing state/hospital/healthcare data protection regulations will remain in place.
MPI data: Demographic vs. patient data
The extent to which the transferred data (usually only demographics) constitutes patient data, and the extent to which the latter is covered by confidentiality, is an interesting question. The transferred records may contain only demographic data, but as soon as they include the information that a person is or was the patient of a particular provider, these data should be regarded as patient data. Furthermore, the mere fact that a person was a patient in a hospital or of a doctor is subject to confidentiality.
Several of the pertinent laws do allow for the transfer and disclosure of patient data to outside institutions or providers in principle, but only if the data recipient is involved in that particular patient’s current or future care, or requires the information in question for the treatment itself. Transfer of patient demographic data to an outside institution without the patient’s permission or knowledge may not necessarily be covered by these laws, however—even if the patient would benefit (often permanently) from optimized communication among the various providers. As a result—and also on account of the transparency towards the data subject that will be required in the future under the EU General Data Protection Regulation—the patient’s informed consent will always be necessary for the transfer of the data needed for the MPI.
Opportunities and risks of the MPI from a data protection perspective
From a data protection perspective, an MPI entails both opportunities and risks. It allows for more efficient communication between different healthcare providers using cross-sectoral or regional electronic patient records. Once the patient gives consent, the treatment-relevant information is at the doctors’ fingertips at the right time, in the right place, on a self-determined and transparent basis.
And this will all be secure and data protection-compliant. Data transfer by means of e-mail, fax, or electronic storage devices, and the security risks they involve, could become a thing of the past. This presents opportunities with regard to data protection. On the other hand, risks arise when there are large pools of patient demographic data stored in centralized locations in an MPI-based cooperation. The sites themselves do not have access to all of the patient data, however; the latter generally remains with the individual healthcare providers.
It is also necessary to use appropriate technical and organizational measures to ensure that data processing, transfer and use are truly secure and data protection-compliant. Unauthorized parties must therefore be completely excluded, and data should be available only to the intended recipients, and only for the intended purpose.
Nevertheless, some risk remains: some patients may not be able to fully appreciate the scope and implications of self-determination over their data. This makes it all the more important for vendors and providers to design their information and services appropriately, and to offer advice and support. For this situation, the EU GDPR calls for data processing that is transparent and fair towards the data subject. This should serve as the standard.