- Consultancy Report

(1)

Hospital Health Information System – EU HIS Contract No. IPA/2012/283-805

This document has been produced with the financial assistance of the European Union. The views expressed herein can in no way be taken to reflect the official opinion of the European Union.

Towards the Launch of Electronic Health Records in

Serbia: Legal Gap Analysis

- Consultancy Report –

Author: Aleksandar Zavišić

Final version – February 2013 Visibility: Public

Target Audience:

(2)

Abbreviations used in this report have the following meaning:

LHC – Law on Health Care

LPDP – Law on Personal Data Protection

LHI – Law on Health Insurance

LPH – Law on Public Health

LCD – Law on Classified Data

LHR – Law on Health Records

LPPCD – Law on Protection of Population from Contagious Diseases

LOT – Law on Organ Transplantation

LTCT – Law on Transplantation of Cells and Tissues

(3)

Executive Summary

The concept of the Electronic Health Records (EHR) was designed with the principal idea to collect all important health related data about a specific person, relevant for his long-term state of health, in one centralized place, so that for the purpose of future treatment comprehensive and relevant information is available to attending health professionals thus patients have a better chance of successful treatment.1

In the context of Electronic Health Record (EHR), the right to health care and the right to privacy (can) have an opposing logic. The Strategy for the Prevention and Control of Chronic Non-Communicable Diseases of Serbia2_{provides that in order to control chronic diseases, the}

strengthening of information and knowledge includes, among other things, the development of a national health information system and the adoption of legislation in order to ensure privacy, confidentiality and security of information.

One of the main conclusions of this analysis is that the right to privacy, or the institution of personal data protection, cannot and should not hinder the affirmation and furthering of one basic human right – that to health care. On the other hand, the realization of this right, accompanied by the use of modern technologies, should not offer the opportunity to malicious, negligent, or profit oriented individuals, to realize forbidden goals that could compromise the new system, and with that violate the right to privacy as one of the indicators of the progress of a society. From this starting point, the suggested legal, organizational and technical solutions for EHR aim to address all of these concerns. Most importantly, the existing legal framework and strategic direction conveyed in Government documents offer sufficient leeway for the introduction of EHR within the Serbian health system through the drafting and modification of a number of (by-) laws. There are two possible approaches that can be taken in order for this to happen, that have different weight and transmit a different message.

The first approach is more comprehensive and envisions the introduction and defining of EHR, apart from the new Law on Health Records, and also in the systemic Law on Health Care. This way, the entire health care community and health care beneficiaries would realize that EHR presents a fundamental reform effort, which leans on information technology and puts the patient and his relationship with his/her physician in the centre of attention. The second approach would be for EHR to be introduced through ’small’ doors (only) by adopting the new Law on Health Records (and, in both cases, the introduction of the related Rulebook). This is the easier, but „unsystematic“ approach.

The recommendation of this gap analysis is for the first approach to be taken, that is that the term of EHRs, their purpose, aim and authorized Administrator get defined and determined in the Law on Health Care (LHC). That is for at least three reasons. The first is the need for the set of rules regarding the protection of personal data to be taken under serious consideration, a position regarding them taken, and with that criticism and/or misunderstandings regarding this aspect avoided ahead of time. The second is the (possibly) limited scope of the new Law on Health Records, already prescribed in

1

The EU’s Working Document on the processing of personal data relating to health in electronic health records (EHR), dating February 15, 2007, page 5.

(4)

Article 73 of the LHC. And the third is the need for the role and significance of EHR to be potentiated from the highest level, from a legal perspective.

Apart from the already mentioned, differences in interpretation among institutions and health professionals included in the functioning of EHR would be avoided, which often occurs as part of major reform efforts.

If this is not possible, it remains for all aspects important for the functioning of EHR to be defined in detail (only) by the new Law on Health Records, such as their definition, set of data that is to be recorded and taken from already existing data-bases relevant for EHR, the authority responsible for administering the system, the circle of health professionals authorized to access the EHR system in concrete situations, the way how authorizations are to be issued and levels of access, the necessity for a patient’s consent to be given for one’s access to his health data, the rights of patients in regard to the stored data, etc.

(5)

Introduction

Health protection is a sector that increasingly puts the patient in the centre of attention. A recent survey conducted by the British National Health Service shows that a large amount of medical documentation in paper form gets lost or misplaced. It is estimated that about 1.2 million British patients get treated by a physician without adequate supporting documentation on an annual basis. It is not necessary to go into details about the severe consequences that the lack of adequate (historical) medical information can have on the medical treatment of a patient.

It is widely known that in many health systems, including Serbia, there is a gap between medical benefits and rights guaranteed by law and the financial means for them to be realized in practice. In an environment with a constant lack of resources, a reform effort which through the use of information technologies facilitates a more efficient use of available resources, and helps physicians to offer better and more all-embracing health services, becomes a necessity. In this context, the design and implementation of the EHR system does not serve the purpose” of better administering health services“. It is above all an effort aimed at delivering higher quality health services to patients. The EHR system saves the health professional’s time and energy since it allows him to channel his attention on the patient, and not on gathering information about him/her. Also, EHR is principally also helping the patient, enabling him to (fulfil an obligation) wholly brief the attending health professional about all facts regarding his/her health condition (Article 43, paragraph 1 LHC), hence helping the health professional to provide better health services. And not only does it allow him to fulfil his obligation, it practically also removes the legal possibility for the practicing physician to refuse further health care services to a patient should he not comply with his obligation (Article 43, paragraph 2 LHC).

The intent of this document is to help decision-makers and drafters of health regulations to more completely and analytically review the corps of rules in which the EHR system will be placed and to point towards the remaining challenges on the road to its lawful existence and structure. At the end of each headline, based on an analysis of obstacles and uncertainties (gap analysis), are specific recommendations for their removal, as well as a summarized overview of what needs to be regulated and on what an emphasis should be put on in the coming period.

(7)

II.

Preliminary Clarifications

An overview of issues that can cause certain concerns and contradictions is to follow. Their clarification is desirable in order for lawmakers and other interested participants to better understand each other during the process of conceptualizing regulations regarding the EHR.

II. 1. Difference between identity and personal data

Given that lawyers are the ones who primarily deal with laws, it is necessary to clarify the meaning of certain terms that are used in the relevant legislation.

Identity data (lični podaci) primarily relate to general data („generalije“) – data which distinguish one individual from all others in legal proceedings and generally in life. Identity data are data about one’s identity, and such definition is also used by the Law on Personal Data Protection (LPDP), which in one place3 explains that they refer to the name and surname, name of one parent, date and place of birth and personal ID number. Moreover, the Law on Identity Card spells out in Article 7 that personal data are the: 1) surname; 2) name; 3) sex; 4) day, month, and year of birth; 5) place, municipality and country of birth; 6) unique personal identification number – therefore, the same as in the LPDP. It can be concluded that identity data in fact present a subset of personal data.

Personal data (podaci o ličnosti) is any information concerning a natural person, regardless of the form in which it is expressed and the data format (paper, tape, film, electronic medium and the like), under whose mandate, in whose name or for whose account the information is stored, the date when information originated, the place where the information is stored, the mode of learning the information (directly, by listening, watching and the like, or indirectly, by insight into documents containing the information and the like), and regardless of other characteristics of the information. However, in ordinary speech, but also in laws that relate to heath care, the term personal data is used in places where it should not be used – for example in articles 138 and 150 of the Law on Health Insurance, which regulates how data from the Central Record of the Republic Health Insurance Fund are used; in Article 5, item 10) of the Law on Official Statistics; or in the earlier valid Article 37 of the Law on Health Care, which regulated the status of data from medical documentation. Therefore, the term “personal data” is used both – as a subset of the broad term “identity data” and, in other places, as its synonym.

Terminology needs to be used uniformly. Attention to these needs to be paid especially during the process of interpreting and drafting regulations.

II. 2. Relation between the Law on Health Care (LHC) and the Law

on Personal Data Protection (LPDP)

The LHC is a framework law in the area of health care, thus all other laws that relate to health care need to be in line (harmonized) with this law. The LPDP is the principal law in the area of personal data protection, i.e. serves as the structure for finding solutions for the LHC and the Law on Health Insurance (LHI), but also for the new Law on Health Records and all other regulations within the health care sector. Consequently, the LHC and all other health care legislation needs to adhere to the

(8)

solutions defined in the LPDP, in the part that refers to the processing and protection of a patient’s medical/ health data. In all other respects, the LHC is of greater significance than all other laws governing the health sector. Accordingly, the LPDP needs to be carefully worded and in line with best international and European standards, able to identify any exceptions in parts that refer to the gathering and processing of health data, should they exist.

A Law on the Protection of Patients’ rights is in the drafting stage at the Ministry of Health, which at this point foresees the transfer of a set of regulations regarding patients’ rights and obligations into this new law. To an extent possible, this analysis also takes into account suggested legal solutions from the outline of this document.

II. 3. Collection of Data, Controller, User and Processor of health

information within the health care system

Article 3 of the LPDP, as the principal law for personal data protection, provides a definition of the above.

Personal Data is a set of data kept in automated or un-automated manner, available according to personal, subject-matter related or other criteria, regardless of the manner and place of their storage.

The Controller is a natural or legal person or authority who processes personal data. It is, therefore, each health facility (primary, secondary and tertiary sectors) which collects, records, copies, reproduces, multiplies, classifies, stores, changes, uses, etc. health information concerning a person. In reference to the above, there is a tendency of other laws and the jurisprudence for the term „use“ to be used independently of the term „processing“, which is not the case in the LPDP. “Use” is just one of many activities that fall under “processing”. With that, the legal construction from the LPDP may be in conflict with the notion of language, so that the Criminal Code and the Law on Organ Transplantation4_{, but also the Serbian Constitution in Article 42, use the terms “processing“ and}

“use“ as two independent terms. Likewise, the Constitutional Court in its recent decision, dating back to July 2012, references “use” as a term that is independent of the term “processing”.5

A recommendation which is not of key significance, but would nevertheless potentially advance the LPDP is that it should be considered to separate the term „use of data“ from the term of „processing of data“, and/or that they should at least be defined in the LPDP. At a minimum, in the third line of Article 3 of the LPDP the word “use” should be deleted.

The Processor is a natural or legal person, or authority, to whom the Controller confers tasks related to data processing in accordance with the law or a contract. These are, hence, natural or legal persons to whom the data Controller outsources certain functions for different purposes. In other words, all those who based on a/more authorizations, delegated by the Controller, have access to data – health care professionals (above all, selected physician), administrative staff, companies that are working on data processing in place of the Controller, who are safeguarding computer resources,

4 _{See Article 146 of the Criminal Code and Article 34 of the LTO.}

(9)

are delivering administrative or other services, software developers, analysts, IT maintenance personnel, and others.

The User of Data is a physical or legal person, or government body, which is authorized to use the data based on law or consent. According to the law, this would be public health institutes, in case they were given/hold access to health data that are supplemented by personal data, or data which by logical reasoning point towards the identity of a concrete individual. If that is not the case, i.e. in case they do not receive identity data, they are not the users of personal data, since the information they possess is not to be considered as personal data. At this point, a separate issue that emerges is whether or not it is essential for public health institutes, which are performing activities in the area of public health, to have access to personal data.6 A user would e.g. be a physician from a private clinic to whom the patient willingly allows access to his medical data in EHR. It is irrelevant whether this is through direct access to the IT system or by hand delivering his/her entire medical record, previously obtained based on exercising his/her right to obtaining a copy. This could, hypothetically speaking, also be a pharmacological company to which the patient allows access to a part or his entire medical documentation for certain (pharmacological) needs, or an academic institution for research purposes, etc. Most importantly, the user is also the physician from a state medical facility, who is not the selected physician, but is viewing data about the patient in order to perform an intervention. If, he/she after the performed intervention (has the right to) modifies or updates existing data, he/she becomes a data processor (the processor in fact consumes the term user). The user would hence be only a silent observer of the stored (saved) data, while the processor apart from this, also modifies data. If the user creates a new collection of personal data, be it for scientific, statistical or other purposes, he practically becomes a Controller and assumes the obligations which Controllers are obliged to fulfil. In that regard, see quoted Article 37, paragraph 12, in the section of this report dealing with the LHC, and Article 138, paragraph 3 of the LHI, in the section of this report dealing with the LHI.

The recommendation regarding this is that a consensus needs to be reached among all parties in the discussion about the role e.g. status of different health entities (Controller, Processor, User) according to the LPDP. This dialogue also needs to include the Commissioner for Information of Public Importance and Personal Data Protection. This is important in order to clearly establish the rights and obligations of the parties according to the LPDP and make possible adjustments in other legislation.

The following chart shows the flow of medical information on individuals in the new EHR system and the determination of the status of the listed entities according to the LPDP.

(10)

Legend: - (personal) data base - controller - processor - user

It is planned that in a later stage of the existence and functioning of the EHRs system, other forms of health care facilities and health services such as pharmacies, private practices, military health facilities, social welfare centres, health units within the Institute for the Execution of Criminal Sanctions, and medical schools that perform certain medical services, should also become part of the EHR system. Also, if the data from the EHR's can be used for planning and statistical analysis within the area of responsibility of the Republic Health Insurance Fund, the sharing of depersonalized data with this institution should be enabled.

One of the major obstacles and pitfalls on the way towards the full affirmation of the idea of the EHR is that, at least for now, the involvement of private practices is not anticipated within the EHR. For something like this there is a mounting need. According to a recent estimate7, in private practices, in which 3400 doctors are employed, excluding consultants, which is almost ten times less than in state health services, currently provide between 30 and 40 percent of all health services.

So, if this finding is even partially true, the idea of EHR's, or the credibility of the new system may remain limited in reach if it does not (soon) integrate private practices under its umbrella.

The importance of medication records in the set of relevant data that are in the patient's EHR-is quite clear. At this point, the role that the EHR would have in the fight against corruption should be mentioned, given that examples of corruption in the health sector include the uncontrolled prescription of drugs and sanitation materials, ..., acceptance of bribes for the provision of medicines, medical supplies. This kind of abuse is frequently a consequence of a conflict of interest,

7_{See more about this at:}

http://www.novosti.rs/vesti/naslovna/aktuelno.290.html:411633-Trecinu-Srbije-lece-privatnici

EHR

RHIF

IPH

Primary HC center

Hospital

Data base of

insurees

Health prof. Health prof. ICT firms ICT firms adm. staff adm. staff

(11)

i.e. a specific relationship between doctors, pharmacists and drug manufacturers.“8 In an indirect way, the integration of pharmacies in the EHR system would give its contribution to the prevention and control of corruption in this area.

II. 4. The criminal aspect of the protection of personal data from

medical records

The use of personal data for purposes other than for which they were collected is prohibited and punishable according to Article 42, paragraph 3 of the Constitution of Serbia.

The violation of professional obligation, that to obeying to professional secrecy regarding medical data is regulated by penalty provisions of health legislation as a violation.9_{This is the first level of the}

protection of obligations imposed on health care professionals and other duty bearers.10

On the other hand, the criminal protection of personal data has its place in the Serbian Criminal Code. In the group of crimes against the rights and freedoms of individuals and citizens a separate offense is envisioned – the unauthorized collection of personal data:

Unauthorized Collection of Personal Data Article 146

(1) Whoever without authorization obtains, communicates to another or otherwise uses

information that is collected, processed and used in accordance with law, for purposes other than those for which they are intended, shall be punished with a fine or imprisonment up to one year. (2) The penalty specified in paragraph 1 of this Article shall also be imposed on whomever contrary to law collects personal data on citizens and uses data so collected.

(3) If the offence specified in paragraph 1 of this Article is committed by an official in discharge of duty, such person shall be punished with imprisonment up to three years.

Recommendation: In the future, when introducing health professionals to their rights and obligations arising from the (newly established) system of electronic records, their attention needs to be drawn to criminal liability.

As an additional (positive) pressure, a written statement should be signed by each health worker declaring that he he/she is aware of these rights and obligations. This statement should be archived in their respective personal files.

According to the LHC, the attending medical professional commits an offense if he shares a patient’s personal data, that he learned during the course of providing health care i.e. was given by the patient, with anyone else. Similarly, unauthorized access to data from the EHR by an attending medical professional should also be foreseen as a misdemeanour. Access is unauthorized if there no time and causal connection with the exercise of health care for a particular patient.

In Article 259 of the LHC, which begins with the words "An offence of a health professional will be

8_{More about this in the text "Corruption in the health care system and how to combat it", Dr. Nevena}

Karanovic and Dr. Snezana Manic, 2009.

9

Independent of the context of personal data protection, certain illegal actions are considered as an criminal offense. See Law on transplantation of Cells and Tissues and the Law on Organ Transplantation

(12)

fined with 30,000 to 50,000 dinars in the case of", add the new line:

Unauthorized access to patient data from electronic health records.

Should the LHC not be the framework law for the EHR, this provision should be included into the law that regulates it.

II. 5. Application of ICT solutions to the EHR system

The strategic goal of Serbia to move towards the implementation of information and communication technologies, and thus towards the introduction of EHR in the health information system is reflected in the Strategy for Information Society Development in the Republic of Serbia until 2020 and the Government decree about the Program of work, development and organization of an integrated health information system - "e-Health".

The principles that the application of information and communication technologies in health care has to meet are as follows:

1. Assurance of privacy and confidentiality of personal health information; 2. Effectiveness and usefulness of the health information system;

3. Promotion the optimal use of health data; 4. High quality of health information.

These four principles from the aforementioned Strategy for the development of Information Society and the Government "e-Health" Regulation, serve professionals and regulators as a lead for conceptualizing solutions based on them in practice. In other words, these are the principles that the EHR system must meet.

Recommendation: In light of these principles, conceive new solutions, primarily in the new Law on Health Records, but also in other regulations.

(13)

III.

Overview of legal provisions relevant for EHR with a

Gap Analysis

Before presenting any details, in order to comprehend the significance of certain legal acts and provisions in the context of EHR and the Electronic Health Information System (IHIS), it is necessary to put them in relation to each other. The following chart lists the provisions of the law that provide the basis for action and determine the content of future solutions.

III. 1. Law on Personal Data Protection

Health information is also used for scientific research purposes, as suggested by some laws and the mandate of the Institute for Public Health and the Ministry of Health.11

Thus, Article 6 of the LPDP authorizes for the use of (medical) personal data for other purposes than those they were normally intended for, but only for historical, statistical or scientific research purposes, provided that they do not serve for the decision-making or taking measures against a particular person by providing the necessary safeguards. It must be added that measures for protecting data stored solely for historical, statistical or scientific research purposes are determined by special regulations.

The Law on Public Health suggests that public health institutes are users of this data, but this law does not prescribe measures for the protection of data obtained from medical institutions.12 In

11

Concretely, the Ministry of Health, as a public authority is not required to obtain consent for the processing of data "if the processing is necessary for the performance of activities within its powers established by law with the goal to preserve ... the protection of health or moral ... "In other cases, a written consent of the individual (Article 13 of the LPDP) would be needed.

(14)

addition, the question arises whether or not there is a need for institutes and departments of public health to be receiving personalized information.13

The recommendation is to modify (supplement) the Law on Public Health and to determine the use of protective measures for obtained personal data in order for it to be aligned with the LPDP. However, if medical data are defined as particularly sensitive data, this would be regulated by a Government decree.

Article 8 specifies that processing is not allowed if an individual has not given his/her consent for the processing, or if the processing is done without legal authorization. On the other hand, Article 12 states that processing without consent is allowed to attain or protect the vital interests of the person or another person, such as life, health and physical integrity. Also, processing without consent is not required for the execution of duties as specified by law.

The activity of health workers in most part is realized in the sphere of the protection of vital interests of individuals, their lives and health. In addition, the LHC established a legal obligation of the state, local communities and, in particular, health care workers to care for the health of the population.14 These responsibilities are carried out in the system of mandatory health insurance/ care that exists in Serbia. In this regard, the need for patient consent for the processing of medical data and the level of (non) access to his medical information must be cautiously questioned.15 _{More specifically, potential}

problems associated with the (possible) specifying of different access rights for (unelected) physicians can be caused by the provisions of Article 8 of the LPDP which states that if the data being processed is unnecessary or unsuitable to achieve the purpose of processing, or the amount and type of data to be processed is disproportionate to the purpose of processing, processing is also not allowed.

Potentially each or the vast majority of medical data may have its practical value, especially when it comes to the treatment of complex cases, which are also the ones that often lead to unintended consequences and raise the issue of accountability. Due to the higher responsibility of holders of secondary and tertiary health care, narrowing their access rights i.e. the level of access to only certain medical information can lead to undesirable consequences in practice. In the entire complexity of life and hospital practice, the question of what (medical) data is necessary and serves a purpose, or is unnecessary or unsuitable for processing, is difficult to determine ahead of time. This problem may (perhaps) be bridged by providing a sort of linear access authorization to medical data to physicians who assume responsibility for the patient (whenever and whatever the occasion), and according to the LHC this is the attending physician. Again, a stand needs yet to be taken whether

12

The protection of confidential information is also a obligation according to the Law on Official Statistics (Article 46). If the act does not determine the appropriate measures and procedures to ensure the protection of data, the responsible producer of official statistics may be punished for an offense - a fine in the amount of (only) 50,000 to 100,000 dinars.

13

More about this later in the section about the Law on Public Health.

14_{See Chapter of the Law on Health Care entitled „II Social care for the health of the population.“}

15_{A study of the Development of an Health Information System for Basic Health and Pharmaceutical Services}

project from july 2007 uses Slovakia as an example:“... explicit consent of the patient is not necessary in collecting health care related information, as all citizens of Slovakia are obliged to have a health insurance,

(15)

access should be given to absolutely all data or certain data should be withheld from usage, depending on the circumstances of a concrete case.

The recommendation is to be very cautious in regard to the determination of different levels of access to medical information, should they at all exist.

In relation to this recommendation, the detection of abuse of authority given to health professionals (and other authorized persons) for access to data and adequate penalty can be assisted by the audit trail software function. In this regard, given the lack of such software application, it is necessary to amend the Rulebook on the Content of Technological and Functional Requirements for Establishing the Integrated Health Information System.

In part „2.3. General functional requirements“ of the „Rulebook on the Content of Technological and Functional Requirements for Establishing the Integrated Health Information System“, enter a request that would state:

The system takes into account the time and place of access when authorizing access to medical data.

To implement this requirement, if necessary, a certain (long enough) period could be allocated. Article 16 of the LPDP defines that the data relating to health conditions (as well as to sexual life, which to some extent has to do with the health of the individual) as particularly sensitive data, which results in that the data may be processed only based on the free consent of an individual. For the definition of medical data from the LHC, see above, section about the LHC.

The same article in paragraph 2 provides the key to resolving the dilemma of whether the patient's consent is required to access the data from the EHR, stipulating that data related to one’s health condition can be processed without consent only if this is prescribed by law. Accordingly, the possibility of automatic access of authorized persons would achieve the meaning and purpose of the EHR system, and that is to provide to the treating physicians (and a small circle of performing professionals) fast, complete and reliable information about the state of his patient and predispositions.

The recommendation is to define data related to the health condition or data from medical records as "particularly sensitive information." This will also strengthen the argument for high levels of data protection on the level of health workers accessing them and technical solutions.

The recommendation is to allow unconditioned access to data to health workers in charge, without seeking / giving consent of the patient, along with the parallel monitoring of the necessity of accessing. In this regard, provide adequate sanctions for unauthorized access to data from EHR's.

Protection measures

The determination of data relating to health as particularly sensitive data also has implications for the regulation of security measures. The previously cited Article 16 of the LPDP, in the last paragraph, provides that "the way for archiving (health) data and protection measures, with the prior opinion from the Commissioner, is regulated by the Government." Unfortunately, the regulation that governs it has still has not been adopted, even though the deadline for its adoption was May 2009. More troubling is that according to the recently adopted Action Plan for the implementation of recommendations of the European Commission related to the European integration process, the government is not planning any serious activities related to the protection of personal data before

(16)

the third quarter of the 2013. This state of affairs is a negative environment for the introduction of an important area of the EHR.

It should be noted that the data on one’s health condition, i.e. data from medical records are currently designated as classified data, and not as should be under Article 16 of the LPDP - as particularly sensitive data. There are two Government of Serbia decrees for the protection of classified information that were adopted in 2011 – the Decree on Special Measures for the Protection of Classified Data in Information and Telecommunication systems16_{and the Decree on}

Special Physical and Technical Measures for the Protection of Classified Information.17_{Since it is clear}

that information about the health condition of a patient cannot be considered as classified (more on this in the section about Article 37 of the LHC), there is a need to prescribe safeguard measures for the delivery and exchange of information from the EHR.

Hence, one of the major unknowns, i.e. gaps is the lack of regulation that determines the extent of protection and archiving method for particularly sensitive data. The recent announcement of the Commissioner points towards that.18

On the other hand, Article 47 of the LPDP states that data must be adequately protected from abuse, destruction, loss, alteration or unauthorized access. The Controller and the Processor are required to take technical, personnel and organizational data protection measures, in accordance with established standards and procedures, which are needed to protect data from loss, destruction, unauthorized access, alteration, disclosure and any other abuse, and to determine the liability of persons who are employed in the processing, to protect the confidentiality of data.

In the absence of the said Regulation, Article 47 provides an outline of (standard) solutions, which should be met in practice.

Accelerate the adoption of a (Government) Decree on the basis of Article 16 Paragraph 5 of the LPDP in order to establish a legal regime for archiving and protection measures for particularly sensitive data, i.e. data from the EHR. With that a legal framework would be completed that would allow the lawful and legitimate functioning of the EHR system.

If this does not happen in due course, protection measures should be (also) prescribed by the new Law on Health Records.

Patients’ Rights in regard to Processing

Article 42 of the Serbian Constitution guarantees everyone the right to be notified about data collected about him/her. Hereafter, is an overview of rights of individuals whose data are being processed, guaranteed by the LPDP, and their possible implications for the EHR.

Article 19 of the LPDP determines the entitlement to receive a notification about processing, stating that an individual has the right to request that the Controller accurately and fully informs him/her about all facts related to the processing. Through the media, leaflets and web portal,

16_{"Official Gazzette of the RS", n. 53/2011} 17

"Official Gazzette of the RS", n. 97/2011

18_{See more at:}

(17)

patients should be thoroughly informed about all aspects of the introduction of the new System of Records, including all 15 listed facts stated in Article 19 of the LPDP.

It is recommended to introduce the population to the purpose of this right (and obligations according to the LPDP) through an awareness campaign to be launched at the time of the launch of the EHR system.

The right to Information19_{from the LHC and right of access from the LPDP derive one from another,}

since the purpose of the right of access is the obtaining of information, The LPDP in Article 20 elaborates on the right of access to one’s own (medical) information, which is also in accordance with the practices in most European countries. More specifically, one of the general objectives of the "e-Health" Regulation is to facilitate the smooth and sound functioning of all parts of the health system through the active participation of citizens in their own health care, especially in terms of being fully informed, having a certain freedom of choice, the level of decision-making and influence in their own treatment, and participation in prevention. Therefore, full access to one’s medical data from the EHRs system must be allowed, and the main task that remains is to provide access to data via the Internet in the foreseeable future. This is necessary from the point of exercising ones rights in relation to insight, guaranteed by the LPDP - to correct, amend, update, and delete data, the temporary termination and suspension of processing, but also with the aim to stimulate one’s proactive and mindful care about one’s own health. After all, everyone has the right to test other complementary and alternative methods of treatment, and the EHR can serve as a starting point for that.

The right to access includes also the making of notes, free of charge, as outlined in Section 27 of the LPDP, which also states that the Controller may not condition the right of access to the data with the payment of fees, and that the right of access will be realized in the language in which the application was submitted.

Conclusion: The right of access to the entire medical record may not be charged, and in areas where national minorities live, the data from the EHR must be made available in their native languages. However, one must take into account the limited financial resources available for such a project. Article 21 elaborates about the right to access raising it to a higher level, predicting the right to obtain a copy of data concerning one (medical records). At the same time, Article 23 states that the right to information, insight, and a copy may be limited due to nine listed reasons.

Article 24 of the LPDP foresees a more difficult way for obtaining a copy through a sort of administrative and legal procedure, in contrast to the automaticity of the Rulebook of the Republic Health Insurance Fund about the way and procedure for the implementation of compulsory health insurance. Article 33 of the Rulebook affirms this right, stating that, at the request of the insured, the medical institution shall issue a copy of the medical record (as basic medical documentation). Unlike

19

The European Charter of Patients ' Rights provides for Right to Information, as one of the 14 primary patients' rights. The LHC in Article 27 affirms the right to information, but also the draft Law on the Protection of Patients' Rights under Article 8 does this in the same way. It would be more correct to call this law "right to being informed", since information does not relate only to one’s own health, but also to information about health services and how to use the health services. The latter is not information in the true sense of the word, but more an explanation. All information combined would actually lead to more completely informed patients.

(18)

the LPDP, the Rulebook does not specify who bears the cost of making copies, as well as deadlines for obtaining copies of medical records. In contrast to the LHC, it is encouraging that the Draft Law on the Protection of Patients’ Rights provides for the right to obtain a copy of one’s medical documentation (Article 20 of the draft law).

Although the security of personal data that one has in his/her possession are the responsibility of the patient, data printed on paper tend to get lost, confiscated, displaced, which can lead to unwanted situations. In addition, data collected over the years tends to become extensive. Therefore, in practice, insight should be primarily encouraged, while the printing20_{and delivery of documents}

should be used as a second option only.

Some aspects in regard to obtaining a copy of the data from the EHR can be regulated by the new Law on Health Records or, possibly, a rule adopted pursuant to that law.

Article 24 also provides that a request for information, insight, and a copy of the data is to be submitted to the Controller in writing, while the Controller can also accept an oral request, for reasons of efficiency and economy. It is clear that the request for medical records will in most frequently be sent to the primary Controller - the health facility. However, the realization of these rights in the context of EHRs can be problematic, especially for individuals outside of Belgrade (presumed seat of the manager of the centralized body which administers the EHR. In that sense the request for receiving an notification, insight, or an copy of the EHR would have to be directly submitted to the responsible entity (either by mail, or directly).

Clarify in the debate, in case that requests for information, insight, and a copy of the entire medical data from the EHR are submitted “directly”, where they are submitted to (the same applies for the realization of rights upon completion of insight – correction, amendment, update, deletion of data, and the temporary termination and suspension of processing). If the answer is that this is one central (summary) Controller - the recommendation would be to find a way for realizing the right to insight and obtaining a copy of an EHR through the health care facility where the patient achieves its primary right to health care.

The new Law on Health Records should clarify this important question.

Article 22 of the LPDP provides that, after the received permission for data processing, an individual has the right to request from the Controller, in writing only, a correction, amendment, update or deletion21 of data, as well as the termination or temporary suspension of processing.

20_{The technical solution for obtaining a copy of the electronic medical records dictates that the maximum}

available surface for printing should be used, reducing the print out copy of medical records (EHR) to the smallest possible number of pages. For example, a rule could be for all printing to be done two-sided with wide margins, without the loss of clarity and readability of data (especially given the assumption that older patients and those with weaker eyesight can use printed information). The system should also assure that the computer from which one accesses medical records within health care facilities is connected to a printer. The copy fee should correspond to the actual cost of utilized paper for printing and the depreciation of printers and toners (a rough guess is that the cost of a copy should not exceed, at most, a few dozen dinars).

21_{Reasons for deletion are specified as follows: 1) the purpose of processing is not clearly defined; 2) the}

purpose of processing has changed and the conditions for processing under the changed circumstances have not been met; 3) the purpose of processing has been realized, i.e. the data is no longer needed for accomplishing a purpose; 4 ) the processing method is not allowed; 5) the data belongs to the number and type

(19)

The termination and temporary suspension of data processing should be considered separately as it raises concerns, because this right is not recognized in many countries in the mandatory health insurance. Namely, the person has the right to terminate and suspend processing if he/she wants to challenge the accuracy, completeness and rightness of data, and the right for the information to be marked as disputed, until the opposite is proved. From the above it can be concluded that the legal presumption is that what the patient-processing entity claims is correct and not what is in the collection of data - the EHR, for example. Any processing can be terminated or suspended until the moment of determining the accuracy, completeness and rightness of it, based on a patient’s request. This leads to a period of vacuum from the moment the exactness of data is questioned, and the request for the suspension and termination of processing is submitted, to the resolution of the complaint, which may lead to undesirable situations in practice...

The recommendation is to resolve the question of the vacuum, either in the LPDP22_{in regard to}

health records, or in the new Law on Health Records which should specify what happens when the patient challenges the accuracy of data and requires the termination or suspension of processing. It is also unclear what the practical difference is between the withdrawal of the consent to processing (Article 18 read in conjunction with Article 11 of the LPDP) and the termination of processing (Article 22 of the LPDP). Specifically, what are the consequences in relation to the data already collected in the event of the interruption of processing or abrogation by the subject. It seems that the LPDP should take a stand in this regard.23

Potentially, the consequences of the withdrawal of the consent to processing and the termination of processing could for the purpose of EHR be regulated by the new Law on Health Records.

Article 27 of the LPDP which elaborates on the realization of the right to access can lead to undesirable situations in practice. An obligation is imposed on the Controller to make the (medical) information available "in an understandable form". However, it is highly subjective whether a piece of information is understandable to someone or not. Therefore, the data to be entered and the manner in which they are expressed in the EHR should be conceptualized in a manner that they are comprehensible and organized. In particular, the printed copy of the medical records should, to the extent possible, meet the criterion of intelligibility.

Recommendation: Examine the practice of the Commissioner in connection with information intelligibility, should one exist. Use as much as possible comprehensible terms in classifications and the presentation of data.

The new Law on Health Records could clarify that the information from EHR should be provided in

of data, the processing of which is disproportionate to the purpose; 6) the data is incorrect and can by way of a correction not be replaced with correct data; 7) the data is being processed without consent or authorization based on the law, and in other cases when processing cannot be carried out in accordance with the provisions of this law.

22

Article 12 of the LPDP could/should be applied in some (not all) situations, since it prescribes that processing without consent is permitted in order to achieve or protect vital interests of an individual, in particular life, health and physical integrity.

23

Undoubtedly, the revocation of consent would not apply to the use of depersonalized data for scientific and research purposes and the protection of the population against contagious diseases. This is mentioned in the already quoted article 12 of the LPDP but also most other health care related laws.

(20)

the original form, and that it is the obligation of physicians to make data intelligible, if requested by the patient.

Article 48 of the LPDP imposes an obligation on the Controller - health institution to establish and keep track of records on data processing.

On the basis of its legal authority, the Government of Serbia adopted the Decree on the Form of Recording and Keeping Records on the processing of personal data.24 Article 4 of the decree provides that records on processing need to include information about the date of the previous notice sent in regard to the establishment of the Collection of personal data, the date of the first records entry, and the date of a records update or amendment.

The Law and Decree indirectly impose obligations that need to be fulfilled with respect to the functional requirements of software solutions for the EHR and records in health care institutions. It is unknown whether health care facilities, as Data Controllers, are (at all) maintaining any records on processing. The assumption is that they are not, hence, it should be checked why this is the case. Consequently, the obstacles towards this goal need to be established and a solution conceptualized accordingly.

Recommendation: The EHR and health institutions should provide the information that is contained in the Government’s Form on keeping record of processing. If applicable, enter any adjustments in the inventory of functional requirements into the Integrated Health Information System in order to ensure compliance with the LPDP (Article 48) and the Decree.

Article 49 of the LPDP provides for the obligation to submit to the Commissioner a notice about the intention to establish a Data Collection prior to the initiation of processing, i.e. the establishment of a Data Collection, no later than 15 days prior to the establishment of a data collection. However, the obligation of notification does not apply to the commencement of processing, or the establishment of a Data Collection, in the case that the purpose of processing, the type of data to be processed, the types of users to whom data will be available, and the time for which the data will be archived, are prescribed through a special regulation.

The recommendation is to pay attention to Article 49 of the LPDP and to explicitly define four items as follows in the new Law on Records, that is - the purpose of the EHR, types of data to be processed, Users to whom data will be available, as well as the time for which data will be archived.

At the final stage of the preparation of the legal framework, it is essential to establish a good communication with the Commissioner.

III. 2. The Law on Health Care (LHC)

The LHC was adopted in 2005 and since then has been revised several times, most recently in mid-2011.

Article 18 prescribes that the conceptualizing and development of an Integrated Health Information System is in public interest and expresses the commitment of the State to move towards the integration of the health system.

(21)

III REALIZATION OF PUBIC INTEREST IN HEALTH CARE PROTECTION Article 18

The Republic provides in the public interest of health care: ...

10) the organizing and development of an integrated health information system by collecting, processing and analyzing health statistics and other data and information on the health condition and health needs of the population, as well as through monitoring data on the functioning of health services in terms of the provision of space, staff, equipment and medicines, as well as the monitoring of performance indicators;

…

This article along with Articles 73 and 74, which will be discussed later in this report, provides a legal basis for the introduction of a centralized electronic database.

Article 36 of the LHC, as well as the LPDP guarantee the right of access to one’s own medical records. The same article stipulates that it is the duty of an attending health professional to properly maintain medical records in accordance with the law. To enable the lawful and orderly delivery of services by health professionals, the new Law on Health Records must comply with the health professionals’ obligations that derive from the LHC and other laws. It is specified that a health professional records all medical measures undertaken on a patient, especially the history, diagnosis, diagnostic measures, therapy, and outcome of therapy, and advice given to a patient. For example, advice given to a patient is not specified in the applicable Law on Health Care Records. Thus, Article 36 of the LHC also determines the content of the data, or the data set to be entered into medical records, and indirectly, into the EHR itself.

Recommendation: Harmonize the existing Law on Health Records with the LHC in terms of the contents of medical records.

Due to obligations deriving from the LPDP and for the sake of a better coordination with the Commissioner, the new law on health records should/ could establish the context for the EHR. Article 37 which determines the right to confidentiality (and Article 73, paragraph 2) creates great confusion as to the status of health information, their classification, transfer etc. The latest amendments adopted by the Serbian National Assembly on July 28, 2011, provide that data about one’s health condition, i.e. data from medical records, belong to the patient's personal data and present classified information, according to the law:

Right to data confidentiality25 Article 37

Data about one’s health condition, that is data from medical documentation, is considered as the patient’s personal data and represents classified information, according to the law.

25_{Article 37 is not conceptually consistent within itself since it promotes in the title and at the beginning}

(22)

Classified information from paragraph 1 of this Article shall be kept by all health care workers and associates, and other persons employed in health care, private practices, in any other legal entity that performs health activities in accordance with the law, or in mandatory health insurance entities, as well as in legal entities that perform voluntary health insurance, where the patient is insured, which have access to such data and need the data to achieve their legally established responsibilities. Confidential information shall also include data on human substances based on which the identity of the person they originate from can be established.

Health workers and associates, and other persons employed by employers under paragraph 2 of this Article may be released of the duty to preserve confidentiality of data only upon the written or other clear and unequivocal consent of the patient or based on a court decision.

If the patient has given consent for the disclosure of information regarding his/her health, the responsible health care worker can disclose the information about the health condition of the patient an adult family member of the patient.

As an exception to paragraph 5 of this Article, the attending health professional may disclose information about the health of a the patient to an adult family member, even when the patient has not given consent to the disclosure of information about his/her health condition, if the disclosure of information is necessary in order to avoid health risks for family members.

Extracts or copies of medical records of a deceased family member can be given to family members at their request, to exercise legal rights, or the exercise of other legally defined interests.

A child who has reached 15th years of age and who is mentally capable for independent decision-making, has the right, upon request, to inspect medical records that relate to his health, as well as the right to confidentiality of the information contained in the medical records.

Exempt from paragraph 8 of this Article, the responsible health worker shall, in the case of a serious threat to the life and health of a child - regardless of a child’s request for information about the state of his health not to be disclosed to a parent, guardian, or legal representative – notify the parents, guardians or legal representative about the health condition of the child.

Data from medical record, i.e. extracts of data, as well as copies of medical records, may be disclosed to the guardianship authority, the organization of mandatory health insurance and legal entities engaged in activities of voluntary health insurance for performing activities prescribed by law, as well as other legal entities if prescribed by law.

Data from medical record, i.e. extracts of data, as well as copies of medical records, and exceptionally, the entire medical documentation, may be disclosed to the responsible judicial authorities for review for as long as proceedings before the judicial authority last.

Data from the medical documentation of a patient, i.e. medical records kept in accordance with the law, can be delivered to the body in charge of statistics as well as health institutions responsible for public health, in accordance with the law.

Data from paragraph 10 - 12 of this Article shall be submitted as classified information, in accordance with the law governing the confidentiality of information.

(23)

Persons from paragraph 2 of this Article, as well as other persons who unlawfully or without consent of the patient or adult family member of an patient, possess data from medical records in contradiction to this Article, and release the data to the public without authorization, are responsible for the disclosure of classified information, in accordance with the law.

Medical information in almost all laws - LHI26_{, the Law on Transplantation of Cells and Tissues, the}

Law on Organ Transplantation, the Law on Blood Transfusion – are protected as an official secret. Besides an erroneous determination of medical information (as classified data), the current solution opens up the problem of vagueness, since the degree of secrecy is not determined in the LHC, which must be assigned to any classified information according to the LCD. If medical records are categorized as confidential data, this opens up a number of obligations under the Law on Classified Data, and raises the question of the (in)viability or difficult feasibility of the protection of this type of data in practice.

What is not disputable in determining the patient's medical information as classified, is the way of transferring and delivering such data – given that in accordance with the provisions of the law governing the confidentiality of information, the transfer and delivery of classified information using telecommunications-information resources, shall be subject to the mandatory application of the prescribed measures of crypto-protection (Article 35, paragraph 4 of the LCD). So, if IT experts and practitioners see them as fit, crypto-protection measures may remain a possible solution for the transmission and delivery of medical data. However, this level of care in the delivery of data seems somewhat irrelevant in a situation where the right of access and the right to a copy of the medical documentation can be exercised by submitting an official request, i.e. medical records are being printed and paper copies are being handed out. In addition, the use of crypto-protection measures would significantly raise the implementation costs for the system.

There is a need to precisely define and assimilate the status of health information, as this has the opposite (conflicting) effects on protection systems, transmission, sanctioning etc. We believe that the previous version of the first paragraph27 of Article 37 of the LHC was generally good, and that it was modified in a bad way by the latest amendments of 28 July 2011. However, it seems that there is an initiative within the Ministry of Health to correct this error, which is encouraging. Thus, Article 18 of the currently available Draft Law on the Protection of Patients' Rights states:

Data on the health condition i.e. data from medical records belong to personal data and represent particularly sensitive information about the patient, in accordance with the law.

The recommendation is for the current draft version of Article 18 to remain unchanged (as it currently is) in the final version of the law.

Article 28 of the LHC28_{– The responsible health care worker enters into a patient’s medical}

documentation information about the fact that he has given a notification to the patient or family

26

See articles 118, 138 and 150 of the LHI.

27_{Data from medical records belong to the patient’s personal data and present a professional secret.}

28 _{Article 28, but also Article 9 of the Draft Law for the Protection of Patients’ Rights makes a mistake by}

defining the right of consent (as the European Charter of Patients' Rights in 2002. named this right) as the right to information. Notices that the patient receives from a health professional are in the function of the realization of the right to consent. In this sense, true consent is only one that is based on relevant and

(24)

member about the data explicitly stated below. He notifies him about: 1) diagnosis and prognosis of the disease, 2) a brief description, purpose and benefits of the proposed medical measures, duration and possible consequences of taking or not taking the proposed medical measures, and 3) the nature and likelihood of potential risks, and other painful or permanent or temporary side effects and 4) alternative methods of treatment, and 5) possible changes in the patient's condition after taking the proposed medical measures as well as necessary and possible changes in the lifestyle of the patient, and 6) the effect of drugs and possible side effects.29 This determines the content of the data, i.e. the subset of the data, entered into the medical documentation.

With regard to Article 28, there is a terminology gap that needs to be filled in order for the right and group of health professionals, authorized to view EHRs (and possibly enter changes), to be consistently labelled. The key is the term "attending health professional". Namely, it is quite clear that this term includes selected physicians and performing health professionals at the secondary and tertiary levels. Thus, an attending health professional is the physician to whom the patient comes with a valid referral to obtain a diagnosis, (further) treatment, immunization, rehabilitation, etc.; then the health care professional at the emergency ward, who receives the patient for an urgent intervention, as well as the health care professional who performs a medical experiment under Article 38 of the LHC. In one place in Article 30 of the LHC besides the term of the attending health professional the term „specialist“ is used, which causes certain confusion.

In this regard, it would be good for the terms that are generally undisputed – such as the term "attending health professional" – to be unequivocally defined in the LHC. This recommendation has greater significance if, for the purposes of the EHR, the LHC will be amended. Ultimately, the new Law on Health Records will deal with this.

The Open Issue of the Designation of an Attending Health Professional

The defining of the term of an attending health professional (to whom the right to access to patient data is linked) introduces ambiguity related to the participation of accompanying subjects in the provision of health care - specifically, a member of a Medical Council, and other professionals, whom the attending health professional consults during the provision of health care (pharmacists, specialists in various fields and the like).

Article 74 of the Code of Professional Ethics for the Medical Chamber of Serbia stipulates that when a physician needs professional help he will consult another physician and the Medical Council, while the next article specifies that the Medical Council convenes in the case of difficult and complicated cases that typically exceed the knowledge and experience of the attending physician.

On one hand, in the Council all doctors have the same rights, on the other hand, the opinion of a specialist physician who the attending physician approaches for help has the character of an advice,

comprehensible information, since it is the right of information-based consent. The emphasis is on the active participation of the patient in personal decision making, i.e. the giving of consent regarding one’s health. The obligation of physicians to provide certain notices, i.e. information is a prerequisite for giving consent. Therefore, the notice of the physician is the mean, while informed consent giving is the goal. This consideration does not have direct implications for the EHR, but in the broader context deserves attention of the Ministry of Health.

(25)

so that the attending physician 30 is responsible for the process of further treatment (Articles 74 and 75 of the Code).

This actually shows that every member of the Council, individually, has the status of an attending health care professional, while the consulted physician -specialist is not one.

There are two possible approaches in relation to the level of authority of a medical consultant regarding EHR's. According to one, a physician-consultant would not have the right of direct access to data, but would for the insight i.e. the introduction through the attending health professional, be tied by doctors’ ethics31, the obligation to preserve the confidentiality of patient data (i.e. an official or professional secret) according to the LHC, and if necessary, sanctioned by foreseen penalties. This "sharing" of knowledge about the patient would actually shift the responsibility (for the confidentiality of data) to the attending health professional, who would disclose only data from the area of expertise of the medical consultant. If needed, he would disclose all data from the patient’s EHR, except for the patient’s identity data which are unneeded (except the sex and date of birth). By that the attending health professional would avoid unwelcome situations.

Under the second approach, a physician-consultant (specialist) would have direct access to data about his colleague’s patient, that is the part of data that relates to the scope of his duties and responsibilities - for example, immunologists only to information on immunizations and allergies, pharmacists in the set of data about drugs, physicians from emergency rooms in information about allergies, the blood type, diagnosis and the like. The shortcoming of the other solutions is that it fits the needs of segmental cooperation, but does not respond to the needs of consultations among physicians of the same specializations, outside of auspices of the Council.

Apart from the already mentioned, there is a sphere of absolutely confidential information that would be excluded from access by anyone other than the attending health professional-specialist, who proceeds in the concrete case (proceeding infectologist - for viral diseases, gynaecologist for abortions and miscarriages, psychiatrist for mental illness and etc.).

The recommendation is that in a situation when a medical council was formed, all members of the council have or retain the status of an attending health professional, and with that are granted immediate access to patient data from the EHR.

In the case of engaging a physician-consultant, the attending medical professional can communicate, i.e. disclosed all or part of the data to the consulted expert, for which he believes can help him in making his opinions or advice. It is desirable for patient data to be disclosed/sent in a depersonalized form (without the general data about the patient, except for the date of birth and sex), and should be absolutely the rule if the c