
Chapter 4: Analysis

I. Legal framework

Two of the most important principles in the use of medical data date back to 400 B.C., when Hippocrates laid down the rule regarding a physician’s duty to protect personally identifiable information. The physician’s confidential use of medical data is based on the oath of secrecy and on the patient’s right of self-determination with regard to his personal data. Based on these two principles, confidential care of a patient’s medical data and his right to privacy are legally secured. In order to provide proper healthcare, confidential care of personal information is vital. In figure 5, the two principles are visualised.

Figure 2. Visualization basic principles for dealing with medical data.

The Royal Dutch Medical Association (Koninklijke Nederlandsche Maatschappij tot bevordering der Geneeskunst, hereinafter referred to as the KNMG) is the Dutch federation concerned with the supervision of patient records and the exchange of medical data in the Netherlands. Since its founding in 1849, the KNMG has defended the quality of healthcare and the practice of the profession. The federation focuses on the files that are relevant for medical practitioners, and as a result the KNMG has published a report of guidelines for dealing with medical data. This guideline addresses the legal rules that govern the exchange, storage and destruction of medical data. In order to define the basis of the legal framework, the following laws will be set out:

Medical Treatment Contracts Act

The Medical Treatment Contracts Act (Wet op de geneeskundige behandelingsovereenkomst, hereinafter referred to as the Wgbo) focuses on the provisions concerning the confidentiality and transparency of healthcare professionals in handling medical data. This act has been set out in order to provide the patient with adequate healthcare.

The medical file.

The Wgbo obligates doctors and other healthcare providers to keep records in which all the information and documents relating to the treatment and supervision of the patient are tracked. From a patient’s point of view, these medical records provide various healthcare providers with an adequate medical background of the patient and the patient’s situation. From a physician’s point of view, these records provide the justification and verification of the medical actions that have been executed.

According to the KNMG (2010), the medical records are made up out of four main components.

1) Substantive information regarding medical procedures

2) Information that plays a role in maintaining continuity of care

3) Information that is also relevant for a patient in the case of subsequent treatment or examination

4) The patient’s written declarations of intent

The Wgbo guarantees a period of fifteen years in which the medical information in patient records will be retained. After this period, the data has to be destroyed. In specific cases, the retention period may be reduced if the designated physician deems it necessary and/or at the patient’s request. This, however, does not apply to anonymised data: “Anonymised data may be retained for as long as deemed necessary” (KNMG, 2010). The care and destruction of the file is the responsibility of the healthcare provider. Although the patient is not the primary owner of the medical file, he does have a say through the information obligations of the healthcare provider and the patient’s rights. In this regard, it must be clear to the patient how his data is being processed, stored, and offered to other healthcare providers. The healthcare provider must periodically inform the patient which of his personal data is being stored and who has or has had access to his files (Nederlands Parlement, 2000, Art 35). The patient himself has the right to access, add, correct, destroy, and oppose certain exchanges. In some cases, healthcare providers can under specific circumstances provide the patient’s data to others. These specific circumstances occur when the healthcare providers are dealing with adolescents, the deceased, scientific research, outsourcing to healthcare insurance companies, or the court of justice, among others.

Professional confidentiality.

In order to create and allow for an adequate doctor-patient relation, professional confidentiality is fundamental for a doctor because it allows the patient to approach healthcare providers without hesitation. As visualized in figure 1, professional confidentiality is made up of two main components: the oath of secrecy and the right to refuse to answer questions. With the oath of secrecy, physicians and other healthcare providers testify that they will not disclose any information from the patient’s medical file to anyone but the patient. This also includes financial data and private information. The “duty to refuse to answer questions” is the duty of healthcare providers not to disclose any personal information to a third party, as mandated by article 36 of the Dutch constitution (Nederlands Parlement, 2000, Art 36). The importance of the latter lies in the fact that every citizen should be able to seek medical attention without having to fear that their personal information will be shared with legal institutions. There are, however, a few exceptions which can break the professional confidentiality and thus, to some extent, allow the exchange of information. These exceptions are:

1) The public interest

2) Part of the same treatment team

3) Conflict of duties

An example of an exception such as “the public interest” is a national epidemic for which closer research is necessary to resolve the issue. The second exception requires that healthcare providers are part of the same treatment team and thus directly involved in the provision of healthcare. The patient can therefore assume that his medical data will, depending on necessity and circumstances, be shared with other physicians in the treatment team. In the case of a conflict of duties, professional confidentiality can also be broken. An example of this exception is an emergency situation such as child abuse. In cases where a conflict of duties is recognized, the right to refuse to answer questions is also exempted and healthcare providers are permitted to take action. The most common situation in which professional confidentiality is broken is when the patient gives permission to the healthcare provider.

Permission.

Permission is one of the most common and important ways in which the professional confidentiality can be broken. This can be done either by a written declaration or an oral declaration. The permission to break the professional confidentiality can be withdrawn at the patient’s request. There are several types of permission that can be granted. According to Bonthuis’s report (2008) these are:

1) Informed permission

2) Explicit permission

3) Assumed permission

4) Generic permission

In the case of informed permission, the patient accepts the processing of his personal information based on a free, specific and informed decision about the exchange of his personal data. This allows for a clear exchange of information without there being any doubt for the patient about which of his personal data is being shared. When the healthcare provider is familiar with the patient from a previous consult or earlier treatment, we refer to the given permission as explicit permission. In this case, the previously granted permission for breaking the professional confidentiality should be restated so that the healthcare provider can ensure that the goal, content and possible consequences of the data exchange remain known to the patient. In the case that a physician needs help from another healthcare provider, who is then directly involved in the treatment process, in order to provide adequate care to the patient, the practice of assumed permission can be applied. The desired help can cover several aspects of the treatment procedure, such as the administration of the medical file, financial settlement, supervision, etc. In these cases, it is desirable that as much of the personal data as possible is anonymised to uphold the professional confidentiality. Assumed permission can, therefore, only be applied when the situation is concrete, the exchange can reasonably be expected by the patient, it serves healthcare purposes, the patient does not object, and it is absolutely necessary to provide the information to a third party. In the case of generic permission, the exchange of information can be used in future situations, anticipating in abstract terms a treatment which has yet to take place. The generic permission must, however, be specific enough and must be limited to only that which is imperative for the adequate treatment of the patient. It is, therefore, fundamental for the use of generic permission that the processing is directed to specific data sets and that the exchange occurs with specific healthcare providers who are known to the patient.

Protection of personal data

Protection of personal data cannot be contained within the borders of one country. That is why the EU member states required common European guidelines which would allow adequate protection of personal data. In October 1995, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data was established. Based on this Directive, the Dutch Act for the Protection of Personal Data (WBP) was created.

Types of personal data

There are two types of personal data that can be distinguished according to the WBP. The first one concerns someone’s religion, race, health, and/or political views. This type of data is known as “sensitive” data, which often also includes data on an individual’s membership of a union or legal history. All data that is not included in the above-mentioned category is referred to as regular personal data. Article 16 of the WBP (Nederlands Parlement, 2000, Art 16) prohibits the processing of sensitive data because it can lead to infringement of informational privacy. This, however, contradicts the obligation healthcare providers have to keep records in which all the information and documents relating to the treatment and supervision of the patient are tracked. Therefore, the WBP provides several exceptions for institutions that are bound by professional confidentiality. These exceptions can be found in articles 21 and 23 of the WBP according to Bonthuis’s report (2008). In order for healthcare providers to be exempted from the prohibition on processing sensitive data, they need to qualify for these exceptions. These may include the benefit of a medical diagnosis or the interest of healthcare services. In other words, healthcare providers can only be exempted if they meet requirements that have a legal basis.

Principles

According to article 8 of the WBP, there are two principles which indicate the lawful processing of personal data in the healthcare sector. The first one points out that in order for personal data to be lawfully processed, the person involved must give his or her explicit permission. The second principle indicates that the processing of personal data can only take place if it is necessary for the execution of an arrangement to which the person involved is a party, or in order to take pre-contractual steps at the request of the person involved which are necessary for the completion of an arrangement (Nederlands Parlement, 2000, Art 8). The first principle translates as the free, specific and informed grant of permission. In practice, this means that a patient must not feel obligated or deprived of the ability to share his or her medical information. His or her decision must come forth from a specific and well-informed choice to grant permission to the healthcare provider involved. The second principle translates as the processing of personal data in healthcare when it is of vital importance to the person involved. This can be the case in circumstances where the individual does not have the physical or legal ability to give consent to the processing of his personal data.

Purpose, Informational obligations, and rights of the individual

According to article 9 of the WBP (Nederlands Parlement, 2000, Art 9), the personal data of an individual cannot be further processed if the purpose of the processing differs from the original goals. When the original purpose of the data collection is reached, the personal data cannot be stored in a form in which the individual can be identified for longer than is necessary to finalize the original purpose (Nederlands Parlement, 2000, Art 10). In the case that personal data needs to be obtained from the person involved, the healthcare provider is obligated to let the individual know who he is and for which purpose he is going to use the personal data (Nederlands Parlement, 2000, Art 33). According to article 36 of the WBP, the person involved has the right to verify the correctness of his data. He also has the right to correct, edit, remove, or block the personal data in the case of inaccurate representation in the database.

Supervision

According to article 51 of the WBP, the Dutch Data Protection Authority (from now on referred to as CBP) bears the responsibility of supervising the lawful processing of personal data. This responsibility entails that the CBP must assure the privacy of patients, provide information, and advise on legislative proposals which are partially or entirely related to the processing of personal data. The Data Protection Working Party, set up under article 29 of Directive 95/46/EC, together with the other supervisory authorities of the member states, has the objective of arriving at a common definition of the concept of personal data. This is done by looking at the situations in which national data protection legislation should be applied and how it should be applied. Therefore, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data set up article 29 in order to collectively develop a policy in which the protection of personal data is assured in the digital age. As a result, the Data Protection Working Party was installed with an advisory status, and is made up of (1) a representative of the supervisory authority designated by each EU country, (2) a representative of the authority established for the EU institutions and bodies, and (3) a representative of the European Commission (European Parliament, 1995, Art 29). The Data Protection Working Party acts as an independent European advisory body, and its opinions, working documents and letters are published on the website of the European Commission.

Security

In order to protect medical data from destruction or any form of unlawful processing, article 13 of the WBP requires healthcare providers to take the necessary technical and organisational measures (Nederlands Parlement, 2000, Art 13). These measures must guarantee an adequate level of protection given the risks that the processing of personal data entails. As was mentioned above, medical personal data is regarded as “sensitive data”, which therefore requires a higher level of protection, which in turn contributes to the realisation of confidentiality and integrity in healthcare.

Standards in healthcare

In order to provide an optimal level of professional healthcare, confidentiality in dealing with personal data and the protection of privacy need to be guaranteed as well as possible. Therefore, three bodies have been designated to contribute to this cause.

NEN 7510/7512/7513

The NEN (Nederlandse Norm) is the Dutch institute that supervises and stimulates the development of standards in the Netherlands. The NEN operates across sectors at national, European and global level and assesses which standards are in demand. The NEN, as a neutral hub, then assembles the interested parties to finance and develop the standards. These standards are made up of voluntary agreements between interested parties regarding the quality and safety of their products, services and processes. On a regulatory level, governments can request the NEN to investigate whether standardization is possible within a certain sector or in a certain field.

In the field of healthcare the NEN 7510 standard refers to a management system which provides rules regarding the organisation and safeguarding of information security within a healthcare facility. The standards NEN 7512 and NEN 7513 provide additions to the specific demands in the NEN 7510.

The NEN 7510 (Nederlands Normalisatie-instituut, 2011) provides guidelines and basic principles for the organisation of information security, and is applicable to all organisations involved in the field of healthcare. These basic principles and guidelines are meant for the persons who take part in the daily organisation and protection of the information security process. The interpretation of the NEN 7510 can be applied in different ways depending on the healthcare institution. In order to provide clear guidelines for different healthcare institutions, the NEN 7510 principles can be segmented into three categories (Bonthuis, 2008).

1) Staff and accessibility – This category considers aspects such as a certificate of conduct for employees that handle sensitive data, specifications of the position the employee involved holds, responsibilities, access rights, the oath of secrecy and confidentiality as well as policy implementation.

2) Physical security policy – Aspects in this category can be anything from encryption, access control and firewalls, to virus scanners and door locks.

3) Operational ICT management – In the management of ICT operations, aspects such as functionality, solidity, effectiveness, maintainability and transmissibility play an important role.

By doing so, the criteria for a qualitative and adequate information security set up can be assured.

The NEN 7512 (Nederlands Normalisatie-instituut, 2015) provides a closer look at the specific aspects required for a basic level of confidentiality in the process of data exchange. The first aspect the NEN 7512 elaborates upon is the certainty the involved parties need to be able to provide each other in order to exchange data on a confidential platform. The second aspect looks at the risk assessment that is needed in order to create the certainty of confidentiality. In practice this translates to the agreements that need to be made between the parties involved, which thus connect risk to the level of certainty.

The NEN 7513 (Nederlands Normalisatie-instituut, 2010) provides insights into the control of electronic access to the personal medical data of patients. Access to a patient’s medical file can take place at different moments and in different systems, and files are registered, consulted and modified by different persons. This standard emphasizes registering access to the medical files and controlling its legitimacy. By doing so, the security of the data and the privacy of the patient are guaranteed.
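The access registration and legitimacy control that NEN 7513 calls for, and the lawful bases for access named earlier in this chapter (membership of the treatment team, explicit patient permission, or a conflict of duties), can be turned into a simple audit over an access log. The following is an added example written for this page, not code from NEN or the KNMG; the log format, the registries and all names in it are constructed assumptions.

```python
"""Audit of electronic access to medical files (constructed example).

Each logged access is checked against the bases this chapter names for a
lawful breach of professional confidentiality. Access with no basis is a
violation; a break-glass access (conflict of duties) is allowed but queued
for review, which is the NEN 7513 point: register, then control legitimacy.
"""
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    patient: str
    action: str          # e.g. "read" or "modify"
    emergency: bool      # user asserted a conflict of duties (break-glass)

# Hypothetical registries; in practice these come from the EHR system.
TREATMENT_TEAM = {"P001": {"dr_a", "nurse_b"}, "P002": {"dr_c"}}
EXPLICIT_PERMISSION = {"P002": {"dr_a"}}   # granted by the patient, revocable

def classify(ev, team=TREATMENT_TEAM, permission=EXPLICIT_PERMISSION):
    """Return (verdict, basis); verdict is 'ok', 'review' or 'violation'."""
    if ev.user in team.get(ev.patient, set()):
        return "ok", "treatment team (assumed permission)"
    if ev.user in permission.get(ev.patient, set()):
        return "ok", "explicit permission"
    if ev.emergency:
        # Conflict of duties: permitted, but must be registered and reviewed.
        return "review", "conflict of duties (break-glass)"
    return "violation", "no legal basis for access"

def parse_log(lines):
    """Constructed log format: ISO timestamp;user;patient;action;flag."""
    events = []
    for line in lines:
        ts, user, patient, action, flag = line.strip().split(";")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient,
                                  action, flag == "emergency"))
    return events

def audit(lines, team=TREATMENT_TEAM, permission=EXPLICIT_PERMISSION):
    """Return every non-'ok' access as (timestamp, user, patient, verdict, basis)."""
    findings = []
    for ev in parse_log(lines):
        verdict, basis = classify(ev, team, permission)
        if verdict != "ok":
            findings.append((ev.ts.isoformat(), ev.user, ev.patient, verdict, basis))
    return findings

# Constructed sample log lines used for the demonstration below.
SAMPLE_LOG = [
    "2024-03-01T09:00:00;dr_a;P001;read;",            # treating physician
    "2024-03-01T09:05:00;dr_a;P002;read;",            # explicit permission
    "2024-03-01T10:00:00;nurse_b;P002;read;",         # not on P002's team
    "2024-03-01T23:30:00;dr_c;P001;modify;emergency", # break-glass, review
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep=" | ")
```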

KNMG

The Royal Dutch Medical Association (KNMG) is the professional organization by and for physicians of The Netherlands which stands for the improvement of the quality of medical care and of public healthcare in general. In order to achieve these goals, the KNMG proactively responds to developments in health care and in society by developing guidelines and policies.
