Yesterday the European Data Protection Supervisor (EDPS) gave its verdict on the proposal for a Directive on the application of patients’ rights in cross-border healthcare. This proposal seeks to create a Community framework for the provision of cross-border healthcare within the EU when the care patients seek is provided in a Member State other than their own. Such a scheme requires the exchange of personal data relating to the health of patients between authorized organisations and healthcare professionals of different Member States. According to the press release,
“The EDPS welcomes the proposal and supports the initiatives for improving the conditions for cross-border healthcare. He however expresses concerns about the fact that current Community healthcare-related initiatives are not always well co-ordinated with privacy and security considerations — especially with regard to the use of new information and communication technologies, thus hampering the adoption of a universal data protection approach towards healthcare. This is also evident in the current proposal where, although references to data protection can be found, these are mainly of a general nature and fail to specifically address the data protection dimension of cross-border healthcare.
[Said Peter Hustinx …. “I regret that the data protection implications of the initiative are not addressed in concrete terms. References to data protection are too general and do not adequately reflect the specific privacy requirements of cross-border healthcare. A uniform and sound data protection approach throughout the various healthcare Community initiatives is also needed, not only to ensure the citizens’ fundamental rights to the protection of their data, but also to contribute to the further development of cross-border healthcare in the EU.”
Following an analysis of the exchange of health data in the context of cross-border healthcare, the EDPS has defined two main areas of concern with regard to data protection: the different security levels which may be applied by the Member States (in terms of technical and organisational measures) on the one hand, and the integration of privacy in e-health applications on the other. In order to address these elements, the EDPS issues a number of recommendations in the form of five basic steps for amendments:
* the provision of a definition for “health data”, covering any personal data that can have a clear and close link to the description of the health status of a person;
* the introduction of a specific Article on data protection, clearly describing the responsibilities of the Member States and identifying areas for further development, i.e. security harmonization and privacy integration in e-health;
* the adoption of a Community mechanism for the definition of a commonly acceptable security level for health data to be applied by the Member States;
* the incorporation of the notion of “privacy by design” in the proposed Community template for e-Prescription;
* the introduction of a more explicit reference to the specific requirements relating to the subsequent use of data concerning health (Article 8 of Data Protection Directive 95/46/EC).
The opinion is available in full on the EDPS website.