LANDSPÍTALI UNIVERSITY HOSPITAL Riga, 19 April, 2007
Implication of EU Data protection directive and national legislation on hospital administration and IT
at Landspitali University Hospital - Iceland
Torfi Magnússon MD.
www.landspitali.is
[email protected]@landspitali.is

Iceland - Reykjavik
- Member of European Economic Area
- 60% of EU legislation applies to Iceland
- Data protection rules originate from EU

Landspítali University Hospital
- Governmental institution
- 80-85% of hospital services in Iceland

Merger 2000
- Hospital beds 850
- Full time staff 3.850
- Admissions 31.100
2005

Milestones in e-Health at Landspítali
- 1973: First electronic registration of lab results
- 1985: Paper-based record with some computer-generated documents
- 1990: Computer-generated documents made electronically available.
- 2000: Focus on inter-operability of EPR systems.
- 2003: EPR - building a patient-centered record.

Co-operation Agreement 2006
P.Stradiņš University Hospital (Riga, Latvia) and Landspítali University Hospital (Reykjavik, Iceland)
Focus on IT support for medical and administrative work

The project
- e-health support for angio surgery for doctors and nurses
- Specialized Electronic Medical Records system
  – extendable to all surgery
- Application to EEA Grants by P. Stradiņš Hospital in partnership with
  – Landspítali University Hospital and
  – Association of Vascular Surgeons of Latvia

Integrated modular medical record system
Electronic Medical Record
- Overview of patient history regardless of location
- Brings all the modules together
Integration layer
Laboratory, Radiology, Surgery, Other systems
Specialized systems

Goals of project
- To improve quality and efficiency of care in surgery and anaesthesia
- To provide better research and training capabilities
- To improve statistics and analysis of information
- To improve exchange of information within the hospital, as well as with the State
- To develop new joint e-Health solutions that can be used in Baltic, Nordic and other countries.
- To strengthen Baltic-Nordic co-operation

Dr. Edvīns Lietuvietis
Head of Angio Surgery Center
P.Stradiņš University Hospital
- Microsoft technology software
- Ultra mobile PC hardware
- Wireless network
- Training and support

EU vision
The EU "Electronic Health Record" aims at
- compiling existing documentation on medical treatment from different sources
- information on the past and present state of health of an individual "from the cradle to the grave"
- available in electronic form to all authorized health care professionals wherever and whenever this information is needed
Access by unauthorised persons must be virtually impossible

EHR – a promise for a better future
- Increased efficiency within the health care sector
- Better protection of privacy
- Enhanced role of the patient as decision maker in the treatment process

Privacy, confidentiality and security: cornerstones to the EHR.
- Privacy: The state of being free from intrusion into one's private life or affairs - the right to be let alone.
- Confidentiality: To keep secret information told in confidence
- Security: Human, technical, physical and environmental security
EHR needs rigorous protection of patient data

EHR - Legal Framework
- Directive 95/46/EC of the European Parliament and of the Council
- Working Document on the Processing of personal data relating to health in electronic health records (15 February 2007)
- Act on the Protection of Privacy as regards the Processing of Personal Data (2000)
- Icelandic rules and regulations
  – Act on the Rights of Patients
  – Health Record Regulations (Under revision)

Directive 95/46/EC
- Article 8.1: Member states shall prohibit the processing of […] data concerning health […]
- Article 8.3: Paragraph 3 shall not apply where processing of the data is required for purposes of preventive medicine, medical diagnosis, the provision of care or treatment […] and where those data are processed […] under national law or rules
Processing of health data needs sufficient legislative framework in each member country

Categories of data concerning health
EU: All data contained in Electronic Health Records are "sensitive personal data"
- Administrative data, e.g.
  – social security number
  – date of admission to hospital etc.
- Personal data on health
- Particularly sensitive data
  – psychiatric treatment
  – HIV
  – abortion

Aim of the EHR
All necessary patient data is to be available to
- All authorized health care personnel
- Wherever and whenever
- Needed
and
Access by unauthorized persons must be virtually impossible

Unanswered questions
- Are all "personal data on health" equally sensitive?
- How much do different caretakers "need to know"?
- What kind of authorization should different groups of health care professionals have?

Who needs access to EHR?
30 healthcare professions in Iceland
  – Medical doctors
  – Nurses
  – Assistant nurses
  – Secretaries
  – Physiotherapists
  – etc.

Policy on access control
- "Treatment relationship"
- Data category and
- Health care profession

Treatment relationship - basic access
- Health care professionals - working within a clinical unit
- The patient - treated at the clinical unit
Health care professional (Password)
Department of Cardiology
Patient (Social security number)
All authorized health information

LUH policy: Different data category - different access
- Category I: Administrative data
- Category II: Enhanced administrative data
- Category III: Personal data on health - own department
- Category IV: Personal data on health - other departments
- Category V: Particularly sensitive data
- Category VI: Strictly protected data (sealed envelope)

LUH policy: Different health care professions - different access
- Group I: Administrative health care personnel, e.g. booking, billing
- Group II: Specialized administrative health care personnel, e.g. DRG-staff, health economists, analysts
- Group III: Assistant nurses
- Group IV: Registered nurses, Medical secretaries, physiotherapists
- Group V: Medical doctors

Group I: Administrative health care personnel
  – booking, billing
- Category I: Administrative data
  – social security number
  – date of admission to hospital etc.

Group II: Specialized administrative health care personnel
  – DRG staff, analysts, health economists
- Category I: Administrative data
- Category II: Advanced administrative data
  – social security status
  – diagnosis
  – procedure (operation)
  – DRG group

Group III: Assistant nurses
- Category I: Administrative data
- Category II: Advanced administrative data
- Category III: Personal data on health - own department

Group IV: Registered nurses, Medical secretaries, Physiotherapists
- Category I: Administrative data
- Category II: Advanced administrative data
- Category III: Personal data on health - own dept.
- Category IV: Personal data on health - another department
Extended access
Explanation

Group V: Medical doctors
- Category I: Administrative data
- Category II: Advanced administrative data
- Category III: Personal data on health, own dept.
- Category IV: Personal data on health - other departments
- Category V: Particularly sensitive data
  – Psychiatric treatment
  – HIV
  – Abortion
Extended access
Explanation
Extended access
Explanation

Category VI: Strictly protected data (sealed envelope)
- Information from a third party – relatives
- Other highly sensitive information
Access on an individual basis

Audit committee
- Minimum audit: Every staff member's EPR use for one day is audited every year
- Additional audit on selected groups
- Patient audit: Upon request, a patient is given a list of all personnel who have accessed his/her record
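
The group/category policy, the treatment relationship and the patient audit from the slides above, expressed as one access check. This is an added example, not LUH's system or code. Assumptions: all identifiers and sample data are constructed, the "Extended access / Explanation" labels are taken to apply to Categories IV and V, and the treatment-relationship test is applied only to Categories III-V.

```python
from dataclasses import dataclass, field

# Highest data category each staff group may read, as listed on the Group I-V slides.
GROUP_MAX = {"I": 1, "II": 2, "III": 3, "IV": 4, "V": 5}
# Assumption: the "Extended access / Explanation" labels apply to Categories IV and V.
NEEDS_EXPLANATION = {4, 5}
FIXED = {"admin": 1, "admin+": 2, "sensitive": 5, "sealed": 6}

@dataclass(frozen=True)
class Item:                      # one EHR entry (constructed model)
    patient: str
    unit: str                    # department that recorded the entry
    kind: str                    # "admin", "admin+", "health", "sensitive" or "sealed"
    grants: frozenset = frozenset()   # Category VI: staff named individually

@dataclass
class Ehr:
    treated_at: dict             # patient -> set of units treating the patient
    log: list = field(default_factory=list)

    def category(self, staff_unit, item):
        # Health data is Category III in the reader's own department, IV elsewhere.
        if item.kind in FIXED:
            return FIXED[item.kind]
        return 3 if item.unit == staff_unit else 4

    def read(self, staff, group, unit, item, explanation=""):
        cat = self.category(unit, item)
        if cat == 6:
            ok, why = staff in item.grants, "sealed envelope: individual grant only"
        elif cat > GROUP_MAX[group]:
            ok, why = False, "category above group"
        elif cat >= 3 and unit not in self.treated_at.get(item.patient, ()):
            ok, why = False, "no treatment relationship"
        elif cat in NEEDS_EXPLANATION and not explanation.strip():
            ok, why = False, "explanation required"
        else:
            ok, why = True, explanation.strip() or "basic access"
        # Denied attempts are logged too, so the audit committee can review them.
        self.log.append((staff, item.patient, cat, ok, why))
        return ok

    def patient_audit(self, patient):
        # Patient audit: every staff member who actually accessed this patient's record.
        return sorted({s for s, p, _, ok, _ in self.log if p == patient and ok})

def demo():  # constructed sample: patient P1 is treated at cardiology
    ehr, note = Ehr({"P1": {"cardiology"}}), Item("P1", "surgery", "health")
    reads = [ehr.read("nurse_b", "IV", "cardiology", note, e) for e in ("", "pre-op history")]
    return reads, ehr.patient_audit("P1")
```

Because every decision lands in the same log, the yearly one-day review per staff member and the per-patient access list are both queries over it.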
Thank you