SmartHealth.co.uk, 24 April 2014: 'Can any healthcare provider access all your medical data?'

“Last week saw the launch of the website specifieketoestemming.nl, an initiative by a number of security experts and the Privacy First and Civil Rights Protection Foundations. Patients should retain control over exactly what medical data is shared, and with whom, is the message. This is not possible with current ICT systems, putting privacy at risk, critics say. Moreover, doctors themselves must take responsibility in this. "Basically, it's like everyone has a Random Reader of your account, and you can only see afterwards who has looked into your banking."

The Landelijk Schakelpunt or LSP - the infrastructure for electronic exchange of medical data between, for example, GPs or pharmacies - works on the opt-in principle. As a healthcare consumer, you first give explicit permission for your medical data to be shared.

But the current ICT systems that healthcare providers then use to exchange medical data are unsafe, the initiators of the website specifieketoestemming.nl believe. Why? Because they do not place sufficient limits on access to someone's medical data. Once you have given generic permission to GP or pharmacy to share your data electronically, there is a danger that this will allow many more healthcare providers to look into your private file, say the initiators. That is why the Privacy First Foundation is starting an internet campaign for medical privacy, to return control of those medical data to patients and their GPs, as a kind of patient's fiduciary.

Send a letter

Through the campaign's website, people can send a say letter to their doctor, indicating the conditions that the exchange of their medical data must meet. This allows doctors to call on their interest groups and ICT providers to enable specific consent. Instead of generic consent, specific consent allows a patient to determine which healthcare provider can see which information. Vincent Böhre of Privacy First: "Both patients and doctors no longer have a clear view of who their medical records are accessed by. For example, if you need medical data from a particular doctor, you only want the data relating to that treatment, not your entire medical record. It's none of your physiotherapist's business that you have a mental illness."

But surely the Landelijk Schakelpunt, the system for exchanging information digitally, tests whether there is a treatment relationship? "As far as I know, it does not guarantee whether there is a treatment relationship. As a patient, you have no guarantee that data is only viewed by people you have given permission to. If you have a UZI pass as a healthcare provider - required to use the LSP - you can very easily view records of patients with whom you have no treatment relationship." It is a sturdy claim by specificetoestemming.nl: when a patient has given permission to share medical data, "their data often becomes accessible to many (possibly tens to hundreds of thousands) of healthcare providers".

But according to Alf Zwilling, the perception that consent for data processing via the LSP would be generic and one-off is a "completely incorrect representation of reality". Zwilling is spokesperson for VZVZ - the organisation responsible for data exchange via the LSP healthcare infrastructure. In a statement, VZVZ stresses, for example: permission is requested separately for each healthcare provider (GP, pharmacist); each healthcare provider needs its own permission to make selected data available; and there is only permission for selected necessary data, so no 'files'. VZVZ cannot agree with the website's claims. "There is certainly no generic or one-off consent, but rather targeted and specific consent. Moreover, there is therefore no access by 'countless' healthcare providers but only for named healthcare providers under the set conditions." Zwilling stresses that the actual design of the consent procedure and data processing complies with all legal frameworks.

A Random Reader from your bank account

"I sometimes compare the current LSP to a Random Reader, the box you use to do online banking. It's as if every healthcare provider gets a Random Reader and can use it to look into your banking details. Only afterwards is it logged who can get in. Is that safe? I don't think so." GP Niels Rossen is critical of the LSP. Indeed, he argues that the LSP is incompatible with his duty of confidentiality as a doctor. Patient privacy is seriously compromised with the current system. Rossen: "Let me start by saying that I am in favour of electronic data exchange, but an opponent of the current set-up. In my GP information system, I can indicate 'privacy-sensitive', and thus that data is only visible to me, but a modern solution is desirable. Technically, an adjustment in ICT systems is not that difficult, I feel more like it is a political choice."

GP Rossen notes that the big players in the healthcare ICT software market find the demand for specific permission less urgent. "I am a GP and can't programme it myself. You need a software specialist to look at a customisation like specific consent, but that is not really picked up in that sector right now."

So what do those caregivers see?

What exactly can a GP or healthcare provider see once I have given permission to share my data? Böhre of Privacy First : "That depends on the system being used. With the LSP, it depends on the type of healthcare provider requesting data. The summary of the GP record is mainly for service provision - the GP post - and may normally only be requested by GPs. But we cannot know whether this could become more parties in the future: the consent you give for the LSP does not limit this in advance."

"Medication data - including privacy-sensitive data, think antidepressants or HIV medication - can soon be accessed at the LSP by all specialists, GPs, pharmacists, and their staff. The question is whether this is necessary," says Böhre. "We think this consent is far too much, and far too broad. We want the consent to clearly define what data is exchanged with whom. Not only with the LSP but also with other systems."
(…)

A check afterwards

Guido van 't Noordende is a privacy and security researcher at the University of Amsterdam and regularly publishes about the LSP. "The claim that the LSP does not guarantee that there must be a treatment relationship is not entirely true. The treatment relationship is formally checked. But with the LSP, only the system on the requesting side checks whether there is a treatment relationship," says Van 't Noordende. "There are various ways to do this: it can be checked whether a file already exists, whether there is an appointment in the agenda - but anyone can enter that. The doctor himself can also indicate 'I have a treatment relationship with this patient'. Legally this may be OK, but technically such a system is not secure. If the system is very large, there are too many places where a malicious person can bypass such a test beforehand."

Van 't Noordende adds: "This principle of specific consent is more of a restriction at the source: that's where you decide what you want to share with how many people. And I think that's very good. I think it's important that people decide for themselves what risk they want to take. If you can make agreements with your doctor beforehand, who does and does not have access, and with what delimitations, that offers stronger protection than a check on the treatment relationship."

Public discussion

(...) According to Privacy First's Vincent Böhre, a new discussion is sorely needed, but the profession will have to call on its own ICT suppliers and supporters for improvements in technical systems.

Incidentally, the idea that the medical professions themselves have a responsibility in this is also reflected in the discussion of the bill on client rights in electronic data processing, which is now before the Lower House and awaits plenary discussion. (...) The aim of specificetoestemming.nl to trigger a public discussion is thus in any case well timed: in the coming months, the various groups in the Lower House will have to determine their final verdict on the legislation concerning the sharing of medical records. The LSP plays a prominent role in that discussion, but many experts point out that in many places today older systems are still being used where the patient has not given explicit consent to share data in any way."

Source (full article): http://www.smarthealth.nl/2014/04/24/specifieke-toestemming-lsp-medische-gegevens/, 24 April 2014.