Implication of EU Data protection directive and national legislation on hospital administration and IT at Landspitali University Hospital - Iceland Torfi Magnússon MD. www.landspitali.is torfimag@landspitali.is
Iceland - Reykjavik • Member of European Economic Area • 60% of EU legislation applies to Iceland • Data protection rules originate from EU
Landspítali University Hospital • Governmental institution • 80-85% of hospital services in Iceland
Merger 2000 2005 Hospital beds 850 Full time staff 3.850 Admissions 31.100
Milestones in e-Health at Landspítali • 1973: First electronic registration of lab results • 1985: Paper-based record with some computer-generated documents • 1990: Computer-generated documents made electronically available. • 2000: Focus on inter-operability of EPR systems. • 2003: EPR - building a patient-centered record.
Co-operation Agreement 2006 P.Stradiņš University Hospital (Riga, Latvia) and Landspítali University Hospital (Reykjavik, Iceland) Focus on IT support for medical and administrative work
The project e-health support for angio surgery for doctors and nurses • Specialized Electronic Medical Records system • extendable to all surgery • Application to EEA Grants by P. Stradiņš Hospital in partnership with • Landspítali University Hospital and • Association of Vascular Surgeons of Latvia
Integrated modular medical record system Overview of patient history regardless of location Brings all the modules together Electronic Medical Record Integration layer Specialized systems Laboratory Radiology Surgery Other systems
Goals of project • To improve quality and efficiency of care in surgery and anaesthesia • To provide better research and training capabilities • To improve statistics and analysis of information • To improve exchange of information within the hospital, as well as with the State • To develop new joint e-Health solutions that can be used in Baltic, Nordic and other countries. • To strengthen Baltic-Nordic co-operation
Microsoft technology software • Ultra mobile PC hardware • Wireless network • Training and support Dr. Edvīns Lietuvietis Head of Angio Surgery Center P.Stradiņš University Hospital angio@stradini.lv
EU vision • The EU “Electronic Health Record” aims at • compiling existing documentation on medical treatment from different sources • information on the past and present state of health of an individual “from the cradle to the grave” • available in electronic form to all authorized health care professionals wherever and whenever this information is needed • Access by unauthorised persons must be virtually impossible
EHR – a promise for a better future • Increased efficiency within the health care sector • Better protection of privacy • Enhanced role of the patient as decision maker in the treatment process
Privacy, confidentiality and security: cornerstones to the EHR. • Privacy • The state of being free from intrusion into one's private life or affairs - the right to be let alone. • Confidentiality • To keep secret information told in confidence • Security • Human, technical, physical and environmental security • EHR needs rigorous protection of patient data
EHR - Legal Framework • Directive 95/46/EC of the European Parliament and of the Council • Working Document on the Processing of personal data relating to health in electronic health records (15 February 2007) • Act on the Protection of Privacy as regards the Processing of Personal Data (2000) • Icelandic rules and regulations • Act on the Rights of Patients • Health Record Regulations (Under revision)
Directive 95/46/EC • Article 8.1 • Member states shall prohibit the processing of […] data concerning health […] • Article 8.3 • Paragraph 3 shall not apply where processing of the data is required for purposes of preventive medicine, medical diagnosis, the provision of care or treatment […] and where those data are processed […] under national law or rules • Processing of health data needs sufficient legislative framework in each member country
Categories of data concerning health EU: All data contained in Electronic Health Records are “sensitive personal data” • Administrative data, e.g. • social security number • date of admission to hospital etc. • Personal data on health • Particularly sensitive data • psychiatric treatment • HIV • abortion
Aim of the EHR • All necessary patient data is to be available to • All authorized health care personnel • Wherever and whenever • Needed and • Access by unauthorized persons must be virtually impossible
Unanswered questions • Are all “personal data on health” equally sensitive ? • How much do different caretakers “need to know” ? • What kind of authorization should different groups of health care professionals have?
Who needs access to EHR? • 30 healthcare professions in Iceland • Medical doctors • Nurses • Assistant nurses • Secretaries • Physiotherapists • etc.
Policy on access control • “Treatment relationship” • Data category and • Health care profession
Treatment relationship - basic access • Health care professionals - working within a clinical unit • The patient - treated at the clinical unit Department of Cardiology Health care professional (Password) Patient (Social security number) All authorized health information
LUH policy: Different data category - different access • Administrative data Category I • Enhanced administrative data Category II • Personal data on health - own department Category III • Personal data on health - other departments Category IV • Particularly sensitive data Category V • Strictly protected data (sealed envelope) Category VI
LUH policy: Different health care professions - different access • Group I Administrative health care personnel, e.g. booking, billing • Group II Specialized administrative health care personnel, e.g. DRG-staff, health economists, analysts • Group III Assistant nurses • Group IV Registered nurses, Medical secretaries, physiotherapists • Group V Medical doctors
Group I Administrative health care personnel - booking, billing • Administrative data Category I - social security number - date of admission to hospital etc.
Group II Specialized administrative health care personnel - DRG staff, analysts, health economists • Administrative data Category I • Advanced administrative data Category II - social security status - diagnosis - procedure (operation) - DRG group
Group III Assistant nurses • Administrative data Category I • Advanced administrative data Category II • Personal data on health - own department Category III
Group IV Registered nurses, Medical secretaries, Physiotherapists • Administrative data Category I • Advanced administrative data Category II • Personal data on health - own dept. Category III • Extended access (Explanation): Personal data on health - another department Category IV
Group V Medical doctors • Administrative data Category I • Advanced administrative data Category II • Personal data on health, own dept. Category III • Extended access (Explanation): Personal data on health - other departments Category IV • Extended access (Explanation): Particularly sensitive data Category V - Psychiatric treatment - HIV - Abortion
Strictly protected data (sealed envelope) Category VI • Information from a third party – relatives • Other highly sensitive information Access on an individual basis
Audit committee • Minimum audit • Every staff member's EPR use for one day audited every year • Additional audit on selected groups • Patient audit • Upon request, a patient is given a list of all personnel who have accessed his/her record
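The group and category slides above, together with the patient audit, can be expressed as one access-decision function with an audit trail. This is an added example, not code from Landspítali or the presentation: all names (`POLICY`, `User`, `Item`, `request_access`, `patient_audit`) are hypothetical. It assumes that health data counts as Category III when it comes from the user's own clinical unit and Category IV otherwise, and that "Extended access / Explanation" means a non-empty stated reason is required.

```python
from dataclasses import dataclass, field

# group -> (highest category by default, highest category with a stated reason)
POLICY = {1: (1, 1), 2: (2, 2), 3: (3, 3), 4: (3, 4), 5: (3, 5)}
BASE_CATEGORY = {"admin": 1, "admin_enhanced": 2, "sensitive": 5, "sealed": 6}

@dataclass
class User:
    name: str
    group: int   # profession group I-V as 1-5
    unit: str    # clinical unit the user works in

@dataclass
class Item:
    patient: str
    kind: str    # "admin", "admin_enhanced", "health", "sensitive", "sealed"
    unit: str    # clinical unit that produced the data
    sealed_grants: set = field(default_factory=set)  # users named individually

AUDIT_LOG = []   # every decision is recorded, allowed or not

def category(user, item):
    if item.kind == "health":   # III for own department, IV for another
        return 3 if item.unit == user.unit else 4
    return BASE_CATEGORY[item.kind]

def request_access(user, item, reason=""):
    cat = category(user, item)
    default_max, extended_max = POLICY[user.group]
    if cat == 6:                # sealed envelope: individual grant only
        allowed = user.name in item.sealed_grants
    elif cat <= default_max:
        allowed = True
    else:                       # extended access needs an explanation
        allowed = cat <= extended_max and bool(reason.strip())
    AUDIT_LOG.append({"user": user.name, "patient": item.patient,
                      "category": cat, "reason": reason, "allowed": allowed})
    return allowed

def patient_audit(patient):
    """Names of everyone whose access to this patient's record was granted."""
    return sorted({e["user"] for e in AUDIT_LOG
                   if e["patient"] == patient and e["allowed"]})

if __name__ == "__main__":  # constructed sample data below
    nurse = User("nurse_b", 4, "cardiology")
    note = Item("patient-0001", "health", "psychiatry")
    print(request_access(nurse, note), request_access(nurse, note, "consult requested"))
    print(patient_audit("patient-0001"))
```

Denied requests are logged as well, so the additional audit on selected groups can review refused attempts and the reasons given for extended access.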