Data protection, integrity and digitalisation in healthcare
What are the legal developments regarding digitalisation in healthcare, industry networks and sales channels?
The fact that Swedish healthcare is quite complex and divided between several responsible bodies and stakeholders (at least in relation to the country's size) may be one reason for the many new and ongoing Swedish government initiatives in e-health and in the standardisation of healthcare information.
For example, in March 2016, the Swedish government and Sweden's Municipalities and County Councils published a report entitled "Vision for e-health 2025", which sets out a common vision that by 2025 Sweden will be a world leader in the use of e-health and digitalisation in health and welfare. Since the report was published, extensive work has begun on establishing standards for health data in order to achieve technical and semantic interoperability between different healthcare IT systems, so that available information can be used more easily and health data can be accessed more simply by the various actors in healthcare.
In June 2018, the Swedish Parliament passed a new law (2018:1212) on the national medicines list, introducing a new national medicines register. The National Medicines List Act enters into force in stages between 1 June 2020 and 1 June 2022. According to the bill for the new law, the national medicines list will improve patient safety by improving the transfer of information on prescribed medicines that needs to be shared between healthcare providers, pharmacies and patients.
Provision of digital health services
What law regulates the provision of digital health services, and to what extent can such services be provided?
In recent years, and especially during the covid-19 pandemic, the use of digital health services has increased significantly. There are several, mainly private, players in the Swedish market that offer digital health services, as well as digital platforms offered to care providers that build their own digital health services on them.
There is no specific law that regulates the provision of digital health services. Healthcare organisations, whether conventional clinics and hospitals or providers of digital services and online medical consultations, are all considered healthcare providers, and the same rules generally apply to conventional and digital healthcare alike.
In March 2018, the Swedish government commissioned the National Board of Health and Welfare to issue recommendations on the types of care and treatment that are appropriate to handle through digital healthcare aimed at patients. In summary, the National Board of Health and Welfare identified four principles that must be met for digital healthcare to be appropriate:
- applicable rules or relevant medical experience do not require a physical meeting;
- the digital service is adapted to the individual patient’s needs and ability to use the service;
- the care provider has access to sufficient information about the patient's health and medical history to be able to provide good and safe medical care; and
- necessary follow-up and coordination with other bodies is possible.
Which authorities are responsible for compliance with data protection and privacy, and what is the applicable legislation? Have the authorities issued special guidelines or rules for data protection and privacy in healthcare?
The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY; referred to below as the Privacy Protection Authority) is responsible for supervising compliance with data protection and privacy law. The Privacy Protection Authority has not issued formal guidance or regulations specific to data protection and privacy in healthcare, but it regularly publishes notes, news and its views on best practice on its website.
The healthcare sector is subject to the rules and requirements set out in the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (2018:218), which supplements the GDPR. In addition, care providers and healthcare employees are covered by rules on secrecy and confidentiality (including professional secrecy) as set out in the Public Access and Secrecy Act (2009:400), the Patient Safety Act (2010:659), the Patient Data Act (2008:355), the Health Care Act (2017:30) and the Pharmacy Data Act (2009:367). The Criminal Code (1962:700) contains provisions on penalties for breaches of confidentiality, which also apply to health and medical staff.
What are the basic requirements for care providers when it comes to data protection and privacy? Is there a regular need for qualified staff?
As a starting point, care providers process health data to some extent, and health data is a special category of personal data under the GDPR; some care providers process health data on a large scale. This triggers general obligations under the GDPR, for example the requirement to carry out data protection impact assessments and, in some cases, to appoint a data protection officer. The Patient Data Act (2008:355) provides that the care provider is the controller (personuppgiftsansvarig) for the processing of personal data that it carries out. Within a region or a municipality, each authority that conducts healthcare is the controller for the processing it carries out.
In addition, care providers and healthcare personnel are subject to special rules, including the duty of confidentiality and requirements on record keeping and on restricting access to such records.
What are the most common data protection and privacy breaches committed by healthcare providers?
In 2019, the Privacy Protection Authority opened supervisory cases concerning eight care providers' internal routines and restrictions on access to patients' medical records, including the routines and logs used to prevent and detect unauthorised access. In December 2020, the Privacy Protection Authority announced its decisions. In summary, the authority identified shortcomings that in seven of the eight cases led to administrative fines of up to SEK 30 million. Five care providers appealed the decisions. In one case the administrative court reduced the fine, while it rejected the appeals in the other four cases.
Following the decisions, the Privacy Protection Authority issued written guidance on "Necessity and risk analysis in care" to stress that care providers must ensure that necessity and risk analyses are performed, and to support them in carrying out the analysis required before access to medical records is granted and assigned.
The Privacy Protection Authority has also stated that it is not uncommon for care providers to have insufficient routines and practices for conducting data protection impact assessments under the GDPR in general.