Privacy First comments on draft bill Electronic Data Exchange in Healthcare
How do we digitise the exchange of medical data? That question has been around for about 15 years now. For the first time, the minister has made a pragmatic, thoughtful and comprehensive analysis of what is really needed to achieve this.
On the whole, Privacy First considers this bill the best we have ever seen on this file. In the elaboration, we do still see risks. Its success will depend on the perseverance of the Ministry of Health, Welfare and Sport and the extent to which it is able to get parties in the care field to look beyond their own horizons.
The treatment relationship is central
At the behest of the Patients Federation, Minister Schippers decided at the end of 2015 on 'patient direction' in the medical record.
Privacy First considers 'putting the patient at the centre' a fundamental fallacy. It does too little justice to the added value provided by a healthcare provider and its responsibility in monitoring the quality of care. It is the care process that should be central. Doctor and patient together, in mutual trust, take charge.
To our relief, the Minister is taking a different route with this bill (see draft explanatory memorandum §2.3.4, p.11). The treatment relationship becomes the main basis for data exchange, in line with the healthcare process and the WGBO. This offers huge opportunities for efficient and effective data exchange, with the best possible privacy protection.
Patients are relieved of tracking consents and the importance of copying data to a PBM decreases.
Decentralised data exchange
Privacy First's opposition in recent years has mainly focused on the centralised way in which access to medical data is regulated.
The draft explanatory memorandum states (3.3.2, p.11):
"the standard must not result in the exchange of data being possible only through an electronic exchange system as referred to in the Wabvpz (art 15a, ed.)."
With this law, patients will soon have the choice of a decentralised alternative that makes the exchange of medical data simpler, more efficient, effective, secure and privacy-friendly. Privacy First believes it is crucial that the Minister will support recent initiatives from market players (such as NUTS and Whitebox) for an open and free-to-use standard.
Slow standardisation and certification through NEN
The development of a NEN standard is a heavily protocolised process, usually with a lead time of several years. NEN standard-setting procedures are also not characterised by great openness; for example, how does the process of appointing the various committees mentioned in the bill work?
Moreover, NEN standard-setting processes may become subject to lobbying. Large institutionalised IT suppliers have more influence on this process and will want to maintain their dominant market position. The question is whether every stakeholder organisation (such as civil rights organisations, universities and smaller IT companies) can adequately contribute to the standard-setting processes.
The ministry will have to ensure that standard-setting is an open and transparent process, involving stakeholders across the playing field in the development of technical standards.
In addition, software is developed 'agile'. Short times between different releases allow developers to adapt to new technological developments. Complex, or too detailed, certification requirements can therefore hamper innovation. This should be clarified in the explanatory memorandum.
The 'emergency situation' is missing from the law
Care is usually provided on the basis of a referral: there is a treatment relationship in accordance with the WGBO. The only exception to this rule is the 'emergency situation'. If a patient ends up in the Emergency Department (ED), there is no treatment relationship and therefore no basis for access to medical data.
The minister left this situation out of the bill. His letter dated 20 December 2019 makes clear that he has no alternative to using a centralised system (such as the National Switch Point, LSP), with all its risks. We now see a similar approach with the COVID-19 opt-out (euphemistically called "opt-in" by the ministry), which means that every patient is still included in the LSP by default.
Privacy First finds this situation particularly worrisome, especially as it means for patients that they are still (indirectly) forced to participate in a 'sharing system', as referred to in Art 15a Wabvpz.
An alternative solution using a printed access code is simpler, more secure, cheaper, privacy-friendly and compatible with both decentralised and centralised architecture. Only the patient and the doctor's system know the code, and if lost, a new one can easily be created. Who has access to the emergency record and what it contains can be set in the doctor's system.
At a minimum, this gap in the law should be closed, by explicitly including the 'emergency situation' in the explanatory memorandum (§3.3.2, p.11).
Privacy First's full input on the draft bill is on its website internetconsultation.co.uk.
Update: 22 November 2022
Today, Privacy First delivered input to the VWS committee meeting of the Senate.
Our call to the House: enable decentralised exchange of medical data!
Update: 6 April 2023
Today, Privacy First delivered input to the debate next Tuesday on the relationship between the WEGIZ and the European Health Data Space (EHDS).