presentation ehealth data privacy anastasopoulos - tsolias (1)


Upload: ethemis

Post on 04-Jul-2015


Category:

Health & Medicine



TRANSCRIPT

Page 1: Presentation   ehealth data privacy anastasopoulos - tsolias (1)

Gregory Tsolias

Legal Attorney, Prive law

Dimitris Anastasopoulos

Legal Attorney, President of “e-Themis”

Part 1: eHealth (Dimitris Anastasopoulos)

Part2: data privacy (Gregory Tsolias)

Page 2

«eHealth» is the overarching term for the range of tools based on information and communication technologies used to assist and enhance the:

prevention

diagnosis

treatment

monitoring

management

“The combined use of electronic communication and information technology in the health sector” (World Health Organization)

Page 3

Page 4

1. Clinical information systems

a) Specialised tools for health professionals within care institutions

b) Tools for primary care and/or for outside the care institutions

2. Telemedicine systems and services

3. Regional/national health information networks

including electronic health record systems and associated services

4. Secondary usage / non-clinical systems

a) Systems for medical education, research, public health

b) Health education and health promotion of patients/citizens

Page 5

The global telemedicine market is expected to grow from $9.8 billion in 2010 to $27.3 billion in 2016, a compound annual growth rate (CAGR) of 18.6% over the next years.

The telehospital/clinic market segment was worth $8.1 billion in 2011. This is expected to grow to $17.6 billion in 2016, demonstrating a CAGR of 16.8% between 2011 and 2016.

The telehome segment is growing faster than the telehospital/clinic segment. This market segment was valued at $3.5 billion in 2011, and this revenue is expected to grow at a CAGR of 22.5%, reaching $9.7 billion in 2016.

Page 6

source: www.bccresearch.com

Page 8

electronic health record architecture

online health services

teleconsultation

ePrescribing

eReferral

eReimbursement

European Commission Objectives

Enabling EU citizens to lead healthy, active and independent lives until old age

Improving the sustainability and efficiency of social and health care systems

Developing and deploying innovative solutions, thus fostering competitiveness and market growth

Page 9

Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare (Article 14)

Commission Recommendation of 2 July 2008 on cross-border interoperability of electronic health record systems

eHealth Action Plan 2012 – 2020 – Innovative healthcare for the 21st century

Page 10

Provides cross-border services that support safe, secure and efficient medical treatment for citizens when travelling across Europe

Focuses on services close to the patient:

• Patient Summary for EU Citizens

• Occasional Visitors or Regular Visitors

• ePrescribing for EU Citizens

Medication ePrescription and/or Medication eDispensation

Builds on existing National eHealth Projects

Page 11

what happened in the past

By 2010 every doctor in Greece devoted 85% of his time to managing his clientele

o Result: the patient gets only 3.5 minutes of the doctor's time

o European average: 8 minutes

o Sweden: 12 minutes

OECD: pharmaceutical expenditure in Greece amounted to 2.7% of GNP, while the EU average is below 1.8%.

Page 12

the legislation in Greece

law 3235/2004 on “Primary Health Care”

Article 9 provides for the establishment of “electronic medical records and electronic health card”

law 3892/2010 on “Electronic registration and execution of prescriptions and referral medical examinations”

the implementation

www.e-syntagografisi.gr

www.e-diagnosis.gr

The institution authorised to hold the databases of e-syntagografisi and e-diagnosis is the “Electronic Governance Social Security - IDIKA SA” (www.idika.gr)

Page 13

The mode of operation of e-prescribing under law 3892/2010

Page 14

results and benefits

we saved 1 billion euros from 2010 to date

800 million euros for the next 2 years

about 30 million every month

92% of prescriptions are issued each month through the e-prescribing system

100% of pharmacies

90% of doctors

Page 15

Page 16

Thank you for your attention

Dimitris Anastasopoulos

Legal Attorney, President of “e-Themis”

www.ethemis.gr

Page 17

Part2: Data Privacy

Page 18

injuries

diseases

data on consumption of medical products, alcohol, drugs

genetic data

administrative data (social security number, date of admission to hospital etc)

any data that have a clear and close link with the description of the health status of a person or contained in the medical documentation of the treatment of a patient

Page 19

The definition of personal data contained in Article 2 (a) of Directive 95/46/EC reads as follows:

«'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity»

The definition of special categories of data contained in Article 8 (1) of Directive 95/46/EC reads as follows:

«Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life»

Page 20

Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)

Article 9

Processing of special categories of personal data

«1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.

2. Paragraph 1 shall not apply where:

h) processing of data concerning health is necessary for health purposes and subject to the conditions and safeguards referred to in Article 81»

In Greece there is a similar provision in Article 2 of Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data

Page 21

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Article 8

The processing of special categories of data

“1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.

…

3. Paragraph 1 shall not apply where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.”

Page 22

General Data Protection Regulation

Article 81

Processing of personal data concerning health

1. Within the limits of this Regulation and in accordance with point (h) of Article 9(2), processing of personal data concerning health must be on the basis of Union law or Member State law which shall provide for suitable and specific measures to safeguard the data subject's legitimate interests, and be necessary for:

(a) the purposes of preventive or occupational medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject to the obligation of professional secrecy or another person also subject to an equivalent obligation of confidentiality under Member State law or rules established by national competent bodies; or

(b) reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety, inter alia for medicinal products or medical devices; or

(c) other reasons of public interest in areas such as social protection, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system.

2. Processing of personal data concerning health which is necessary for historical, statistical or scientific research purposes, such as patient registries set up for improving diagnoses and differentiating between similar types of diseases and preparing studies for therapies, is subject to the conditions and safeguards referred to in Article 83.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying other reasons of public interest in the area of public health as referred to in point (b) of paragraph 1, as well as criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1.

Page 23

Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare

Article 14: «The objectives referred to in points (b) and (c) shall be pursued in due observance of the principles of data protection as set out, in particular, in Directives 95/46/EC and 2002/58/EC.»

Commission Recommendation of 2 July 2008 on cross-border interoperability of electronic health record systems. Par. 10:

«Member States should ensure that the fundamental right to protection of personal data is fully and effectively protected in interoperable eHealth systems, in particular in electronic health record systems, in conformity with Community provisions on the protection of personal data, in particular Directives 95/46/EC and 2002/58/EC.»

Page 24

Case of I v. Finland, 17-7-2008 (Application no. 20511/03)

“41. However, the County Administrative Board found that, as regards the hospital in issue, the impugned health records system was such that it was not possible to retroactively clarify the use of patient records as it revealed only the five most recent consultations and that this information was deleted once the file had been returned to the archives. … The Court for its part would also note that it is not in dispute that at the material time the prevailing regime in the hospital allowed for the records to be read also by staff not directly involved in the applicant’s treatment.

44. The Court notes that the applicant lost her civil action because she was unable to prove on the facts a causal connection between the deficiencies in the access security rules and the dissemination of information about her medical condition. However, to place such a burden of proof on the applicant is to overlook the acknowledged deficiencies in the hospital’s record keeping at the material time. It is plain that had the hospital provided a greater control over access to health records by restricting access to health professionals directly involved in the applicant’s treatment or by maintaining a log of all persons who had accessed the applicant’s medical file, the applicant would have been placed in a less disadvantaged position before the domestic courts. For the Court, what is decisive is that the records system in place in the hospital was clearly not in accordance with the legal requirements contained in section 26 of the Personal Files Act, a fact that was not given due weight by the domestic courts.”
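The two controls the Court names in paragraph 44, access limited to staff directly involved in the patient's treatment and a log of everyone who accessed the file, are easy to state and easy to get wrong in the way paragraph 41 describes. The Python sketch below is an added illustration written for this transcript; it is not code from the presentation, the court, or any hospital system. The staff names, patient identifier and record contents are constructed, the CareRelationships directory is a hypothetical stand-in for whatever system records who is treating whom, and the RecentOnlyLog class models the deficient system in paragraph 41 (only the most recent accesses kept, and dropped when the file is archived) so that the difference in what can be reconstructed afterwards is visible.

```python
"""Added example (not from the presentation or any hospital system): a minimal
patient-record access broker built on the two controls named in I v. Finland,
reads restricted to staff directly involved in treatment and a complete,
non-truncating log of every access attempt. All identifiers are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    when: str          # ISO-8601 UTC timestamp
    user: str          # staff identifier (constructed)
    patient_id: str
    allowed: bool
    reason: str


class CareRelationships:
    """Hypothetical directory of which staff are currently treating which patient."""

    def __init__(self) -> None:
        self._treating: Dict[str, Set[str]] = {}

    def assign(self, patient_id: str, user: str) -> None:
        self._treating.setdefault(patient_id, set()).add(user)

    def release(self, patient_id: str, user: str) -> None:
        self._treating.get(patient_id, set()).discard(user)

    def is_treating(self, patient_id: str, user: str) -> bool:
        return user in self._treating.get(patient_id, set())


class FullAuditLog:
    """Append-only log, never truncated and kept apart from the patient file,
    so use of the record can be reconstructed after the file is archived."""

    def __init__(self) -> None:
        self._events: List[AccessEvent] = []

    def record(self, event: AccessEvent) -> None:
        self._events.append(event)

    def on_archive(self, patient_id: str) -> None:
        pass  # archiving the file does not touch the audit trail

    def accesses_to(self, patient_id: str) -> List[AccessEvent]:
        return [e for e in self._events if e.patient_id == patient_id]


class RecentOnlyLog(FullAuditLog):
    """Models the deficient system in paragraph 41: only the last few accesses
    are kept, and they are discarded once the file returns to the archive."""

    def __init__(self, keep: int = 5) -> None:
        super().__init__()
        self._keep = keep

    def record(self, event: AccessEvent) -> None:
        super().record(event)
        self._events = self._events[-self._keep:]

    def on_archive(self, patient_id: str) -> None:
        self._events = [e for e in self._events if e.patient_id != patient_id]


class RecordStore:
    """Mediates every read: authorises on the care relationship, logs the outcome."""

    def __init__(self, relationships: CareRelationships, log: FullAuditLog) -> None:
        self._rel = relationships
        self._log = log
        self._records: Dict[str, str] = {}

    def put(self, patient_id: str, contents: str) -> None:
        self._records[patient_id] = contents

    def read(self, user: str, patient_id: str) -> Tuple[bool, str]:
        allowed = self._rel.is_treating(patient_id, user)
        reason = "directly involved in treatment" if allowed else "no care relationship"
        # Denied attempts are logged as well: they are what a later review needs.
        self._log.record(AccessEvent(
            datetime.now(timezone.utc).isoformat(), user, patient_id, allowed, reason))
        return (True, self._records[patient_id]) if allowed else (False, reason)

    def archive(self, patient_id: str) -> None:
        self._records.pop(patient_id, None)
        self._log.on_archive(patient_id)


def who_read(log: FullAuditLog, patient_id: str) -> List[Tuple[str, bool]]:
    """The question the applicant could not get answered: who touched this file?"""
    return [(e.user, e.allowed) for e in log.accesses_to(patient_id)]


def demo(log: FullAuditLog) -> List[Tuple[str, bool]]:
    """Run one constructed sequence of reads against a given log implementation."""
    rel = CareRelationships()
    store = RecordStore(rel, log)
    store.put("P-1001", "diagnosis: constructed sample entry")
    rel.assign("P-1001", "dr.alpha")  # the one treating physician
    for user in ("dr.alpha", "nurse.beta", "clerk.gamma", "dr.alpha",
                 "admin.delta", "dr.alpha", "clerk.gamma"):
        store.read(user, "P-1001")
    store.archive("P-1001")  # file returned to the archive
    return who_read(log, "P-1001")


if __name__ == "__main__":
    print("full log:", demo(FullAuditLog()))
    print("recent-only log:", demo(RecentOnlyLog()))
```

With the full log, demo() returns all seven attempts with their outcomes, four denied, so a reviewer can answer who tried to read the file and whether the hospital's access rules held. With the recent-only log the same sequence returns an empty list once the file is archived, which is the evidentiary position the Court describes. The point for an EHR design is that the audit trail has to be a separate, append-only store with its own retention rule, not a field inside the record it describes.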

Page 25

Page 26

Page 27

definition: «a comprehensive medical record or similar documentation of the past and present physical and mental state of health of an individual in electronic form and providing for ready availability of these data for medical treatment and other closely related purposes»

Page 28

Use limitation principle (purpose principle)

The retention principle

Data subject’s right to access

Security related obligations

Explicit consent

Article 8 (2) a of Directive 95/46/EC:

«Paragraph 1 shall not apply where: (a) the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject's giving his consent»

Consent must be given freely

Consent must be specific

Consent must be informed

Page 29

Article 8 (3) of Directive 95/46/EC allows for the processing of sensitive personal data under three cumulative conditions:

the processing of sensitive personal data must be “required” and

this processing takes place “for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services” and

the personal data in question “are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy”

Page 30

Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data

Article 7

Processing of sensitive data

“1. The collection and processing of sensitive data is prohibited.

2. Exceptionally, the collection and processing of sensitive data, as well as the establishment and operation of the relevant file, will be permitted by the Authority, when one or more of the following conditions occur: d) Processing relates to health matters and is carried out by a health professional subject to the obligation of professional secrecy or relevant codes of conduct, provided that such processing is necessary for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services.”

Page 31

Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data

Article 7A

Exemption from the obligation to notify and receive a permit

“The Controller is exempted from the obligation of notification, according to article 6, and the obligation to receive a permit, according to article 7 of the present Law in the following cases: d). When the processing involves medical data and is carried out by doctors or other persons rendering medical services, provided that the Controller is bound by medical confidentiality or other obligation of professional secrecy, provided for in Law or code of practice, and data are neither transferred nor disclosed to third parties. In order for this provision to be applied, courts of justice and public authorities are not considered to be third parties, provided that such a transfer or disclosure is imposed by law or judicial decision. Legal entities or organisations rendering health care services, such as clinics, hospitals, medical centres, recovery and detoxication centres, insurance funds and insurance companies, as well as Controllers processing personal data within the framework of programmes of telemedicine or provision of health care services via Internet.”

Page 32

Code of Medical Ethics (law 3418/2005)

Article 14

observance of medical records

“1. Any doctor is required to keep a medical record, in electronic form or otherwise, which contains data that are inextricably or causally linked to the disease or health of his patients. The observance of this file and the data processing is determined by the provisions of Law 2472/1997

2. The medical records shall contain the name, father's name, sex, age, occupation, address of the patient, the dates of the visit, and any other essential element associated with providing care to the patient, including, without limitation and depending on the specialization, the complaints of health and the reason for the visit, the primary and the secondary diagnosis or treatment followed.

3. Clinics and hospitals retain in their medical records the results of all clinical and paraclinical examinations.”

Page 33

Page 34

Thank you for your attention

Gregory Tsolias

Legal Attorney, Prive law

120, Alexandras Av., Athens