Machine translations by Deepl

New EHR law turns patient consent into carte blanche

Minister Schippers' new EHR law lets patients give consent whose consequences they cannot foresee. This violates the right to privacy and medical confidentiality, argues our campaign Specific Consent In a letter to the Senate.

The bill Client rights in electronic data processing (33509) allows medical data to be accessed with a single consent at any healthcare provider with whom the patient has had contact. Indeed, if the patient gives permission at one healthcare provider, data can also be accessed at other healthcare providers on this basis.

The minister calls this 'specified consent' in her proposal, but the article of law in question actually leaves enough room for a carte blanche. A consent with such a scope is unthinkable from the point of view of both the patient's right to privacy and the healthcare provider's professional secrecy, according to Specific Consent.

A broad consent with opaque scope

A patient who gives permission to share data with one healthcare provider does not know what information can then also be accessed from the records of other healthcare providers - from pharmacists and GPs to specialist healthcare providers and hospitals. He is thus not in a position to make an informed decision about data disclosure whose consequences he can oversee.

Such consent may also result in records becoming accessible to the patient's future healthcare providers without the patient's awareness. Sharing records out of the patient's sight can undermine public trust in professional secrecy.

Moreover, a consent of such scope violates the requirements of necessity and proportionality arising from Article 8 of the European Convention on Human Rights (ECHR), the fundamental right to privacy. Similarly, sharing medical data on the basis of consent given elsewhere violates the professional secrecy of the healthcare provider, who is only allowed to share information about his patients for specific, treatment-related purposes and has to obtain the patient's own consent for the broad disclosure of data.

When sharing medical personal data, it must be clear to the patient in advance what data is involved and who can access it for what purpose. This is a fundamental right of the patient and a duty of the doctor. These requirements are not met in Minister Schippers' new law, which allows large-scale access to medical data by basically all healthcare providers connected to the system without a medical necessity being established.

An opt-out on extension of the system

Patients who once consented to data sharing must themselves curtail this consent if the system is expanded and they disagree, the bill also states. Specific Consent points out that a 'silent' extension of consent, relying on implicit patient consent, can never be lawful based on the aforementioned legal and treaty provisions.

Download the full letter to the Senate HERE.

The D66 Group of the Senate asked the government to respond to the letter of Specific Consent; see HERE Senate report published today (pdf, p. 8).