Italy: Privacy and data protection considerations for establishing and implementing eHealth databases
Since 2022, the Government of Italy ('the Government') has been working on the establishment of a new eHealth database named 'Health Data Ecosystem' ('Ecosistema Dati Sanitari' or 'EDS'), as well as on strengthening the existing database named 'Electronic Health Record' ('Fascicolo Sanitario Elettronico' or 'FSE'). Cristina Criscuoli, Lawyer at DLA Piper, explores key considerations to keep in mind from a privacy and data protection perspective, in relation to the establishment and implementation of centralised eHealth databases.
The relationship between patients' right to privacy and the need for stakeholders in the healthcare sector to have all the data needed to provide valuable healthcare activities has always been particularly problematic. This relationship is the subject of a delicate balancing test, especially in recent years, which have been characterised by incredible technological developments. New technologies allow more effective treatments, but expose data subjects to higher risks.
The scope and purposes of the FSE and EDS
The FSE was established in 2012 by means of Decree Law No. 179 of 18 October 2012 [1] ('Decree Law No. 179'). However, this database has achieved limited application so far. The Italian legislator had already tried to reinforce the FSE in 2017. Later, the COVID-19 pandemic accelerated existing digital transformation efforts and pushed an overall increase in IT investments in the healthcare field.
Hence, the National Recovery and Resilience Plan set out a €1.38 billion investment aiming at converting the FSE to the sole point of access for Italian citizens to services offered by the National Health Service, as well as providing healthcare professionals with a valuable tool supporting the diagnosis and treatment of their patients.
Consequently, through Law No. 25 of 28 March 2022 [2] converting into law, with amendments, Decree Law No. 4 of 27 January 2022 [3], the Italian legislator changed the nature of the FSE and introduced the EDS by amending Article 12 of Decree Law No. 179. This legal provision preliminarily defines the FSE as 'the set of health and social-health digital data and documents generated by present and past clinical events concerning the patient, also referring to healthcare assistance provided outside the National Health Service'.
The FSE is established by the Italian regions to pursue the following purposes:
- diagnosis, treatment, and rehabilitation;
- healthcare prevention;
- international prophylaxis;
- study and scientific research in medical, biomedical, and epidemiological fields; and
- healthcare planning, quality of care verification, and healthcare evaluation.
Article 12 of Decree Law No. 179 also identifies different stakeholders acting as data controllers to pursue the abovementioned purposes:
- healthcare professionals will pursue the purposes listed under the first point above;
- healthcare professionals will equally pursue the purposes listed under the second point above; nonetheless, healthcare prevention purposes will also be pursued by the offices of the Italian regions and the Ministry of Health in charge of managing healthcare prevention, presumably acting as independent data controllers;
- the Ministry of Health also pursues the purposes listed under the third and fourth points above;
- the purposes of study and scientific research in the medical, biomedical, and epidemiological fields, and of healthcare planning, quality of care verification, and healthcare evaluation, are pursued by the Italian regions, the Ministry of Labour, and the Ministry of Health, each one within the limits of the relevant duties as assigned by law; however, Decree Law No. 179 provides that said public bodies may process only pseudonymised data to pursue these purposes.
According to the original version of Decree Law No. 179, patients' consent was required to record their health data in the FSE. Decree Law No. 34 of 19 May 2020 established that such consent is no longer necessary. Conversely, Article 12 of Decree Law No. 179 now requires healthcare professionals to record, in their patients’ electronic health record, the information concerning each healthcare service delivered to patients, within five days from the delivery. In our view, this provision imposes on healthcare professionals an obligation to feed the FSE, although the Italian data protection authority ('Garante') believes the contrary [4].
In any case, the FSE will include a large amount of information concerning patients' health status, including, but not limited to, the information on drugs and medications taken by patients, the records of hospitalisation and relevant discharge letters, and the so-called 'synthetic health profile' summarising the whole medical history of the patient.
Risks and challenges
The FSE may become an incredibly useful tool to pursue patient care and disease prevention, as well as to improve the efficiency of the whole healthcare system. Nonetheless, new severe risks for patients' privacy arise from its implementation.
However, patients' consent is still necessary for consulting the information available on the FSE. If a patient denies their consent or withdraws it at a later stage, the sole person entitled to access the FSE - except for the patient themself - is the healthcare professional recording the information.
On the other hand, the establishment of the EDS will result in the duplication of information included in the FSE in order to 'ensure IT coordination and guarantee consistent services across the country' (see Article 12(15-quater) of Decree Law No. 179). The EDS will include data submitted by health and social care institutions, National Health Service bodies, and data made available through the Health Card System ('Sistema Tessera Sanitaria'). In other words, the EDS will be the largest eHealth database in Italy.
The Ministry of Health will be the controller of personal data collected by means of the EDS, which will be managed by the National Agency for Regional Health Services ('Agenzia Nazionale per i Servizi Sanitari Regionali' or 'AGENAS') acting in its capacity as processor on behalf of the Ministry of Health.
According to Article 12(7) of Decree Law No. 179, the Ministry of Health, along with the Ministry of Economy and the Ministry for Technological Innovation and Digital Transition, will adopt one or more decrees to further clarify:
- the information to be recorded in the FSE;
- the duties and responsibilities assigned to each stakeholder involved in implementing the FSE;
- the security measures and further guarantees required to ensure adequate protection of personal data uploaded to the FSE;
- access privileges assigned to each stakeholder; and
- applicable pseudonymisation techniques to prevent patients from being identified directly.
The Garante must give its opinion on the draft of these decrees before their formal approval.
Similarly, Article 12(15-quater) of Decree Law No. 179 provides that the Ministry of Health, along with the Ministry of Economy and the Ministry for Technological Innovation and Digital Transition, will adopt a decree to further clarify:
- the information to be included in the EDS;
- how to record the information in the database;
- the persons allowed to access the EDS;
- their privileges as EDS users; and
- security measures required to ensure protection of data subjects' rights.
Again, the Garante must give its opinion on the draft of these decrees before their formal approval. An opinion by the National Cybersecurity Agency is also required.
While the main rules governing the 'refreshed' FSE are set out by Decree Law No. 179, this legislation only includes a few laconic provisions concerning the EDS. Therefore, the adoption of the decree mentioned in Article 12(15-quater) of Decree Law No. 179 by the Ministry of Health will be pivotal to understanding the functions and features of the new EDS. In any case, the establishment of such a database will further increase the risks for patients' privacy, primarily if it should collect uncoded health data. It is no coincidence that cyber attacks on health databases managed by research institutes, regulatory authorities, and hospitals are frequent and incredibly damaging.
The Garante's position on the implementation of the FSE and EDS
On 18 May 2022, the Ministry of Health adopted a decree governing the integration of essential data composing the FSE's documents [5]. Two days later, it also issued its guidelines for the implementation of the FSE [6]. Furthermore, on 15 July 2022, the Ministry of Health transmitted to the Garante a draft of two decrees, respectively governing the FSE and EDS's use. In response, on 22 August 2022, the Garante issued two different opinions [7], both raising several serious concerns from a privacy law standpoint.
In fact, the Garante issued its contrary opinion to adopting the two draft decrees. The Garante highlighted 'structural and substantive deficiencies' of both legal drafts and asked the Ministry of Health to reformulate them. In a nutshell, the two draft decrees fail to address essential aspects of using the FSE and EDS.
One of the main criticalities identified by the Garante concerns the lack of clear legal obligations on the different stakeholders involved in the management and use of the two databases at stake. This aspect is crucial to avoid the possible loss of control over patients' health data, potentially damaging their rights and freedoms.
A desirable outcome would be that the decrees in question unambiguously identify the duties and responsibilities of each data controller processing personal data through the FSE and EDS, outlining the perimeter of their controllership and specifying the set of processing operations that they are allowed to carry out. This is the only way to ensure the full implementation of the accountability principle.
Additionally, the Government should provide for the application of robust technical and organisational security measures to ensure complete control over the data stored in the FSE and EDS. For instance, log files should be tracked to record any access made within these databases, including the identification code of the person accessing the database, date and time of execution, identification code of the workstation used, patient identifier, and the specific operation performed on patients' data. Log files should be periodically checked to identify anomalies and punish abusive access to data.
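The periodic log review described above, as an added example that is not part of the original article and not any official FSE or EDS specification. It checks each access record for the five listed fields, flags consultations of a patient who has denied or withdrawn consent by anyone other than a professional who recorded data for that patient, and flags unusually broad access. The CSV layout, identifiers, consent register and daily threshold are assumptions made for illustration, and access by the patient themself is not modelled.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: one row per access, with the fields the text lists.
SAMPLE_LOG = """timestamp,user_id,workstation_id,patient_id,operation
2022-09-01T09:00:00,DR-ROSSI,WS-01,PAT-001,write
2022-09-01T09:05:00,DR-BIANCHI,WS-02,PAT-001,read
2022-09-01T09:10:00,DR-ROSSI,WS-01,PAT-001,read
2022-09-01T10:00:00,DR-VERDI,WS-03,PAT-002,write
2022-09-01T10:30:00,DR-BIANCHI,WS-02,PAT-002,read
2022-09-01T23:40:00,DR-BIANCHI,WS-09,PAT-003,read
2022-09-01T23:41:00,DR-BIANCHI,WS-09,PAT-004,read
2022-09-01T23:42:00,DR-BIANCHI,WS-09,PAT-005,read
"""
# Constructed consent register: patients who denied or withdrew consent to consultation.
NO_CONSENT = {"PAT-001"}
REQUIRED = ("timestamp", "user_id", "workstation_id", "patient_id", "operation")

def review(log_text, no_consent, max_patients_per_day=3):
    """Return (rule, row) findings; the threshold is an assumed tuning value."""
    findings = []
    recorders = defaultdict(set)  # patient -> professionals who recorded data
    seen = defaultdict(set)       # (user, day) -> distinct patients accessed
    for row in csv.DictReader(io.StringIO(log_text)):
        # A record missing any listed field cannot support accountability.
        if any(not row.get(f) for f in REQUIRED):
            findings.append(("incomplete-record", row))
            continue
        user, patient = row["user_id"], row["patient_id"]
        if row["operation"] == "write":
            recorders[patient].add(user)
        elif patient in no_consent and user not in recorders[patient]:
            # Without consent, only the recording professional may consult.
            findings.append(("read-without-consent", row))
        key = (user, datetime.fromisoformat(row["timestamp"]).date())
        if patient not in seen[key]:
            seen[key].add(patient)
            # Flag once, on the access that first exceeds the daily threshold.
            if len(seen[key]) == max_patients_per_day + 1:
                findings.append(("volume-threshold", row))
    return findings
```

On the constructed sample this reports DR-BIANCHI's consultation of PAT-001 and the fourth distinct patient the same user opened that day; a real review would tune the threshold per role and feed findings into an investigation process.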
The risk of abusive or unlawful access to data is only one of the criticalities that the use of the 'refreshed' FSE and the new EDS may trigger. Other serious risks may arise from using inaccurate, incomplete, or outdated data or possible loss of this data. For instance, such events may divert healthcare professionals' decisions on treatments to be delivered to patients, with a direct and negative impact on patients' health.
Further risks relate to the possible use of data for purposes inconsistent with those for which data was collected, decisions based on automated processing which significantly affect the data subject, re-identification of the data subject caused by interconnections with new systems, and components established by new legal provisions.
We hope that the Government will adequately address the criticalities identified by the Garante in the two opinions at stake through an in-depth risk assessment and by establishing precise regulation governing all significant aspects concerning the implementation of the FSE and EDS.
In our view, the success of these databases will strictly depend on the ability of the stakeholders involved to make these databases safe and reliable. Implementing appropriate security measures to protect patients' health data may make these tools incredibly valuable for the benefit of the community. On the contrary, patients might be induced to withhold their consent to use their data if this data is not protected adequately, with a negative impact on the profitability of the investment made by the Government.
We can quote the same words used by the European Data Protection Board and European Data Protection Supervisor in their EDPB-EDPS Joint Opinion 03/2022 on the Proposal for a Regulation on the European Health Data Space: the FSE and EDS should serve as an example of transparency, effective accountability, and proper balance between the interests of the individuals and the shared interest of society as a whole.
Cristina Criscuoli Lawyer
DLA Piper, Rome
1. Available at: https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legge:2012;179 (only available in Italian)
2. Available at: https://www.normattiva.it/atto/caricaDettaglioAtto?atto.dataPubblicazioneGazzetta=2022-03-28&atto.codiceRedazionale=22G00035&atto.articolo.numero=0&atto.articolo.sottoArticolo=1&atto.articolo.sottoArticolo1=10&qId=2bca69fe-3b82-4cb1-b3fe-13339e6b0775&tabID=0.9980086387810967&title=lbl.dettaglioAtto (only available in Italian)
3. Available at: https://www.normattiva.it/atto/caricaDettaglioAtto?atto.dataPubblicazioneGazzetta=2022-01-27&atto.codiceRedazionale=22G00008&atto.articolo.numero=0&atto.articolo.sottoArticolo=1&atto.articolo.sottoArticolo1=10&qId=9c981849-11cf-4d15-a397-a0e4aa2bc3a2&tabID=0.9980086387810967&title=lbl.dettaglioAtto (only available in Italian)
4. See at: https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9802729 (only available in Italian)
5. Available at: https://www.gazzettaufficiale.it/eli/id/2022/07/11/22A03960/sg (only available in Italian)
6. Available at: https://www.gazzettaufficiale.it/eli/id/2022/07/11/22A03961/sg (only available in Italian)
7. Available at: https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9802729 and https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9802752 (both only available in Italian)