Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "Its not Your Health Record it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Monday, August 04, 2008

The European Union and the Shared EHR

In the last week or so there have been a few reports of a case which was resolved in the European Court of Human Rights on Medical Privacy.

European judgement casts doubts on NHS CRS consent

25 Jul 2008

A GP campaigning against the consent model for the NHS Care Records Service (NCRS) claims a European Court of Human Rights judgement reinforces his view that the NHS database is unlawful.

In a judgement published last week the European Court of Human Rights ruled that a nurse in Finland had her right to privacy breached. The nurse had been attending a clinic for treatment of HIV and at the same time was working in a different department of the same hospital. It became apparent that staff in her work department had looked at her computerised medical record and she was denied subsequent employment.

The European Court of Human Rights ruled that there had been a violation of article eight of the European Convention on Human Rights and awarded the nurse compensation.

More here

http://www.ehiprimarycare.com/news/3993/european_judgement_casts_doubts_on_nhs_crs_consent

The full judgement is available here.

http://cmiskp.echr.coe.int/tkp197/view.asp?item=1&portal=hbkm&action=html&highlight=Finland&sessionid=12272189&skin=hudoc-en

If the URL does not work – here is the case header

CASE OF I v. FINLAND

(Application no. 20511/03)

JUDGMENT

STRASBOURG

17 July 2008

This judgment will become final in the circumstances set out in Article 44 § 2 of the Convention. It may be subject to editorial revision.

In the case of I v. Finland,

The European Court of Human Rights (Fourth Section), sitting as a Chamber composed of:

Nicolas Bratza, President,
Lech Garlicki,
Ljiljana Mijović,
David Thór Björgvinsson,
Ján Šikuta,
Päivi Hirvelä,
Mihai Poalelungi, judges,
and Lawrence Early, Section Registrar,

Having deliberated in private on 24 June 2008,

Delivers the following judgment, which was adopted on that date.

The basic details are outlined here:

European Court fines Finland for data breach

25 Jul 2008

The European Court of Human Rights has ordered the Finnish government to pay out €34,000 because it failed to protect a citizen's personal data, by not adequately securing and protecting a patient’s confidential record.

The case could prove significant by creating a legal precedent, based on the European Convention on Human Rights, linking data security and human rights.

The Court made its ruling based on Article 8 of the Convention, which guarantees every citizen “the right to respect for his private and family life, his home and his correspondence.” It said it was uncontested that the confidentiality of medical records is a vital component of a private life.

It also said Finland had failed to protect the confidentiality of patient information and ordered the state to pay a nurse about €14,000 in damages and €20,000 in costs.

The nurse involved in the case worked in a public hospital between 1989 and 1994 on a series of fixed term contracts. During the period, she paid regular visits to the same hospital’s infectious diseases clinic, having been diagnosed with HIV.

In 1992, it transpired that her colleagues at the hospital’s ophthalmic department had had access to her patient records. Three years later, her contract was not renewed.

The woman began to suspect that news of her disease had spread to other employees and asked for details of who had accessed her medical records and when. The health authorities only kept a note of the last five people to have accessed a record.

According to legal electronic newsletter Out-Law, the Court ruled that public bodies and governments will fall foul of the Convention if they fail to keep data private that should be kept private.

The woman in the case did not have to show a wilful publishing or release of data, it said. A failure to keep it secure was enough to breach the Convention.

The Strasbourg court found unanimously that the district health authority, by failing to establish a system from which the nurse’s confidential patient information could not be accessed by staff who did not treat her, had violated Article 8.

The woman, known in the case as I, sued the district health authority for failing to keep her medical records confidential.

More here:

http://www.e-health-insider.com/news/3992/european_court_fines_finland_for_data_breach

As I read it, what the court is saying is that there is an obligation on the part of record holders to ensure only those with a genuine ‘need to know’ and a genuine role in the patient’s care should be able to access the clinical record and it is up to the organisation holding the record that this is true.

Those, like NEHTA, who propose shared records where many people have access, need to be clear what the expectations of civilised communities are about how their private information is protected. If I had HIV, or another stigmatizing illness, I certainly would want confidence that my privacy would be protected and that I would be entitled to serious redress if this was not the case.

I recognise how challenging this all is but that does not mean we can ignore probably the most authoritative and experienced court on Human Rights the world has.

David.

Posted by Dr David G More MB PhD at Monday, August 04, 2008

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)