The patient as data gatekeeper

Patients must always be able to decide who can see their health information and who cannot. Data protection expert Helwig Opel explains how this works and what hospitals need to do to comply with data protection rules.

What are the data protection standards for hospitals here in Germany in connection with cross-enterprise patient records?
In addition to the provisions of the Social Code, hospitals are mainly governed by the individual State Hospital Acts. However, the guidelines differ from one state to another. If a particular State Hospital Act does not include data protection regulations, for example Lower Saxony’s, either the state or federal Data Protection Act will apply, depending on the hospital’s legal form. Denominational hospitals, on the other hand, are subject to separate data protection laws. The hospitals must therefore determine whether their organization and processes are in compliance with the law. Data protection standards will become even more stringent in the future. The EU General Data Protection Regulation (EU GDPR), the new European data protection law, was enacted in May 2016, and will go into effect as of May 2018. Until then, hospitals will have time to make sure that their data handling procedures comply with the law.

What will change when electronic patient records are adopted nationwide?
Analog processes will be digitized. Paper documentation will increasingly become the exception. An electronic patient record needs to be at least as useful as paper files in support of processes and personal work habits. The security measures required by data protection laws must of course be implemented and utilized in the digital environment as well—especially protection against unauthorized access and sharing of information.

What changes will hospitals have to prepare for in terms of data protection?
When the Data Protection Regulation goes into effect in May 2018, hospitals will have more extensive obligations towards their patients in terms of transparency and information, among other things. “Corporate accountability” will then apply to data processing practices as a whole. Hospitals will have to document and demonstrate that their data processing is permissible, is limited to what is necessary, and has state-of-the-art security. Anyone who violates these provisions can expect substantial penalties. Fines can amount to 20 million euros or 4 percent of the previous year’s revenues worldwide.

How should patient records be structured from a data protection perspective?
The architecture and design of the record should always be geared toward data protection in addition to a specialized focus on professional groups (physicians, nurses, administration). This is what the term “privacy by design” refers to. Specifically, it means that functionalities must be in place for controlling data access and permissions. Patients must always know, and must always be able to decide, which doctors or nurses at which hospitals can see which documents. And information sharing must be safeguarded with encryption. And of course the basic standards for user administration, personal user IDs, and passwords must also be met. In short, it should be a user-friendly system that doesn’t consume too many resources. Patients should also be able to control access, and they should always be able to see who has, or has previously had, access to their information.

“Patients should always be able to see who has access to their information.”

A major source of support regarding data protection compliance is the Hospital Information Systems Guide (OH KIS), which was published jointly by the data protection authorities. It lays out target specifications that hospitals can use to identify areas where action is required and plan accordingly.
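The "patient as gatekeeper" requirements described above (per-document permissions that the patient grants and revokes, plus a view of who has or has previously had access) can be modelled as a small access list with an append-only log. The following is an added illustration, not code from the interview, the OH KIS or any hospital system; the class and method names and the log format are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Grant:
    """One patient-issued permission: this person, at this hospital, may read this document."""
    practitioner: str   # personal user ID, never a shared login
    hospital: str
    document: str


@dataclass
class PatientRecord:
    """Patient-controlled access list plus an append-only access log (hypothetical model)."""
    patient_id: str
    grants: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def _log(self, action, practitioner, hospital, document, allowed):
        self.log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action, "practitioner": practitioner,
            "hospital": hospital, "document": document, "allowed": allowed,
        })

    def grant(self, practitioner, hospital, document):
        """Patient decision: allow one practitioner at one hospital to see one document."""
        self.grants.add(Grant(practitioner, hospital, document))
        self._log("grant", practitioner, hospital, document, True)

    def revoke(self, practitioner, hospital, document):
        """Patient decision: withdraw a previously issued permission."""
        self.grants.discard(Grant(practitioner, hospital, document))
        self._log("revoke", practitioner, hospital, document, True)

    def read(self, practitioner, hospital, document):
        """Access check used by the record system; denied attempts are logged as well."""
        allowed = Grant(practitioner, hospital, document) in self.grants
        self._log("read", practitioner, hospital, document, allowed)
        return allowed

    def who_has_access(self, document):
        """Current view for the patient: who can see this document right now."""
        return sorted((g.practitioner, g.hospital) for g in self.grants if g.document == document)

    def access_history(self, document):
        """Past view for the patient: every grant, revoke and read attempt on this document."""
        return [e for e in self.log if e["document"] == document]
```

Logging denied reads alongside granted ones is what lets the patient (and the hospital's data protection officer) spot attempts from a partner hospital that never held a permission.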

What opportunities and risks do electronic patient records involve?
Patients have quick access to all their information. And doctors can keep track of all the relevant information needed for a confirmed diagnosis and tailored treatment. This also makes processes within the hospital more efficient. Risks are present whenever data has to be managed across facilities. If I’m a hospital that provides information, I may know that my own IT system is secure and data protection-compliant—but what about the partner hospital? The OH KIS can help to establish a common basis in this area, sort of a common denominator for designing data protection. Regulators also use it for guidance in their audit activities.

If I run a hospital, am I required to provide notification when I set up a cross-enterprise patient record, or is there regular monitoring?
The obligation to notify—in the sense that the hospital is required to notify the data protection authority—only exists in special cases, for example if no data protection officer has been designated or if a data retrieval procedure has to be established. However, I advise hospital directors that they should always coordinate with the authorities during the planning phase when making any significant changes. After all, the regulators don’t just audit institutions, they also advise them on implementation issues. The contact person would be the data protection officer for the relevant state. Use of data protection-certified products will also be a more important issue in the future.

Where do you see a need for regulation in the future, and what role does policy play?
In Germany we have different regulations under state laws because of federalism, and therefore our legal environment is very heterogeneous. This makes it difficult to establish uniform guidelines. The OH KIS is a very good, global approach, even though it isn’t a law. But it does pull together all of the essential requirements, and ultimately it makes a useful checklist. In my opinion, though, its content is still undervalued