Post on 07-May-2015
An Implementation
Framework for Trust
SALAR, SENA, ATNA, Elga, IZIP, DENA, Gematik, DKNA, ESNA, CATA, ANDA, GIPDMP,
FRNA, LOMBARDY NLNA, NHIC, NHS, PHARMAXIS, Industry
National Contact Points
Legal and regulatory issues
Zoi Kolitsi
epSOS L&R WP Leader
Basic Assumption to be tested
if a Member State (MS) already
provides these eHealth services to
its residents…
then it may also offer these services
to them when they travel abroad to
other epSOS Member States.
In epSOS we shall establish conditions so that
…
epSOS as Pilot
epSOS is a Large Scale Pilot
must be of limited scope but comprehensive, robust
and universally accepted across MS, professions and
cultures.
long-term operation is out of scope of epSOS
But will deliver practical guidance and
recommendations on how to make the transition from
the pilots to normal operation.
L&R Challenges
Main Issues / Legal Certainty
Data Protection and Confidentiality: sufficient (pilot and beyond)
Health Systems: sufficient (pilot)
Professional aspects and social context: sufficient (pilot)
Liability: sufficient (pilot)
Access to standards - IPR issues: sufficient (pilot), insufficient (beyond)
Trust in epSOS - legal approach
Trust is built by
• elaboration of common epSOS “code of
practice” around important issues such as
privacy and confidentiality,
– Privacy and safety by design
– application of common epSOS safeguards by all
actors involved in the pilots
• systematic audit
– MS level (NCP)
– epSOS Level (PSB)
epSOS Trusted Domain
EU level - federating countries
National level - federating organisations
epSOS Practice Standards
National level Agreements
- To establish the NCP
- To establish NCP-pilot partners
relationships
National Agreements
epSOS blue print
Security Policy
Pilot Strategy
Pilot sites - duties &
responsibilities
National Pilot Set-up
and Deployment Guide
FW AGREEMENT
Annexes:
Patient Consent
Information to Patients
and HCPs
A Framework Agreement
for the establishment of an
epSOS NCP
What is the epSOS NCP?
JANUS
Janus is the Roman god of gates and
doors (ianua), beginnings and endings,
and hence represented with a double-
faced head, each looking in opposite
directions.
Janus was represented with two faces,
originally one face was bearded while
the other was not. Later both faces
were bearded.
JANUS and the epSOS NCP
A National Contact Point is…
• an organization delegated by each participating country to act as a
bidirectional technical, organisational and legal interface between
the existing different national functions and infrastructures.
• legally competent to contract with other organisations in order to
provide the necessary services which are needed to fulfil the
business use cases and support services and processes.
• identifiable in both the epSOS domain and in its national domain
as a communication gateway and establishes a Circle of Trust
amongst national Trusted Domains.
• a mediator as far as the legal and regulatory aspects are
concerned.
• an active part of the epSOS environment if, and only if, it is
compliant to normative epSOS interfaces in terms of structure,
behaviour and security policies.
An epSOS NCP shall…
• General - Terms to be embodied in national
contracts
• Duties and responsibilities to other NCPs
• Duties for Patient Consent
• Duties under the epSOS Security Policy
• Relationships between NCP and other pilot
partners
Legal Relationships
Part 2
Patient Consent for
eHealth services across EU borders
Patient Consent in the
epSOS trial
Petra Wilson, Continua Health Alliance
on behalf of the Legal and Regulation Workpackage
Patient Consent :
Policy (I)
Patient consent to the processing of health related data is
a legal requirement in every EU country.
It is defined as:
A freely given specific and informed indication of the
patient’s wishes by which s/he signifies his agreement to
personal data relating to him being processed. (Art 2(h) of the Data Protection Directive 1995/46/EC)
This means:
Patient must be able to withhold consent without fear of getting
less good healthcare.
Patient must be able to withdraw consent previously given.
Patient must know who (or what category) of person will process
the data and why.
Patient must know which data will be
processed and for what purpose.
Patient Consent :
Policy (II)
In addition national transpositions of the EU Directive
have clauses which:
Limit access to patient data to accredited
healthcare professionals and their support staff.
Require that access to data is only in the context of
a care relationship.
Specify that only relevant information may be
collected and stored.
Patient Consent :
Policy (III)
There will also be clauses which
provide some exceptions to allow certain data to
be processed for
running an efficient and effective health service.
and
provide some exceptions to allow treating patients
when it is impossible to obtain consent
(incompetence or incapacity)
Some countries may require additionally that
consent is explicit and given in writing for all or
certain categories of data.
Patient Consent:
epSOS (I)
epSOS does not create new uniform patient consent practices
BUT epSOS must ensure that all European Data Protection
duties are observed.
epSOS patients must be aware of the level of data protection
assured in epSOS and must give informed consent for data
access in that context.
Two modes of epSOS consent for data access are envisaged:
General epSOS consent for data access in any Country B given
in the country of origin and confirmed in a specific Country B at the
time of an encounter.
or
Specific epSOS consent given and documented at the time of the
encounter in Country B.
Patient Consent: epSOS (II)
NOTE: No special epSOS consent is needed for epSOS
data collection in Country A if the epSOS data
are part of data already collected. If a new summary
record is created specifically for epSOS, normal
Country A rules will apply for obtaining consent for
the creation of such a record.
No special epSOS consent is needed for data
collection in Country B: data collection for the purpose of
treatment in Country B is outside the scope of
epSOS, and normal Country B rules will
apply.
Patient Consent:
epSOS (III)
General epSOS consent with local confirmation:
The consent confirmation given at the PoC is
valid for the given treatment episode.
If a further access to the PS or eP is necessary,
the HCP will need to confirm consent again, by
asking the patient again if data may be
accessed and again ticking the box.
Patient Consent:
epSOS (IV)
Specific epSOS consent at PoC
Once the patient has been given epSOS information at the
first time of registering at a PoC, the patient is in the same
position as the patient who has given a general consent in
his/her home country.
Therefore, if a further access to PS or eP is necessary, only the
confirmation box will need to be completed.
Note that this is valid only for the HCO which has
documented the epSOS information and general consent
(an HCO may comprise several PoCs).
If access to PS or eP is needed in
another HCO in the same Country B or
in another Country B, the information will have to be given again.
Patient Consent: process
General + Confirmation
HCP granted access to patient data
Patient obtains epSOS background information in
Country A and provides a generalized prior consent.
Country A stores record of general prior consent.
Patient is identified at PoC in Country B as
epSOS eligible. ID shows prior general
consent exists.
HCP at PoC confirms that patient is still happy
for Country A record to be accessed. Ticks
box in epSOS process to confirm. Patient is
given opportunity to revoke prior consent.
OR
Patient not able to confirm consent, HCP ticks override box.
HCP sends request to local NCP
Some Country A NCPs may not require further confirmation of
consent. In this case the confirmation box may be pre-populated
and a note attached stating that further confirmation is
not required.
Patient Consent: process
consent provided at PoC
HCP granted access to patient data
Country B stores record of consent. This consent
is valid only for the given HCO.
Patient is identified at PoC in Country B as
epSOS eligible. ID shows no prior general
consent exists.
HCP at PoC ticks box in epSOS process to
confirm consent has been provided. Opportunity
to revoke any prior consent.
OR
Patient not able to confirm consent, HCP ticks override box.
HCP sends request to local NCP
HCP at PoC accesses relevant language and format
information for patient, prints copy and asks patient
to sign if s/he consents.
Some Country A NCPs may not require written proof of consent;
in this case a further check box could indicate that
the patient has been shown the information necessary for
informed consent.
Thank you!