The USA federal regulation of EHR must be measured against the basic constitutional requirements as defined above. It must be understood that the federal regulation is also aimed at harmonizing different state regulations, the variation and lack of uniformity of which hinder.
However, the impact of Federal regulation in harmonizing protections throughout the nation has expanded.
In the time, I have been allowed here I can only give you a general overview, without delving into details.  Therefore, I will mention four key points: consent, data sharing, correction of errors and compensation for breaches of privacy.

a) The consent follows an opt out approach; in other words the patient must not necessarily say an explicit yes, because his silence is equivalent ex lege to a tacit consent, which can subsequently be withdrawn.
b) Data sharing is in principle prohibited without consent, but the exceptions are so many that the existence of an effective general rule may be questioned.
c) Correction: should the patient disagree with his EHR data, he is not entitled to a correction, but only has a right that his disagreement be mentioned in the EHR So too much noise for nothing!
d) Compensation: in case of breach of privacy for any reason – theft of data, illegal sharing or other events – the patient has no direct civil action against the person or body infringing his fundamental right. He can apply to the Department of Health, which has jurisdiction to bring a civil action to enforce the law and to seek penalties for violations. We also have to consider that if the vendor of the software has not invested in the security system of the software, and the weak protection of data opens the door to theft, the vendor is not deemed to be liable. Therefore, there is no incentive that the system be made more secure. This framework has been changing thanks to the increased civil and criminal penalties, and the activism of state attorney generals and of the Department of Health. These are clear signs of a growing political and legal attention, but the goal of promoting a new patients’ confidence in the digitalization of sensitive data has yet to be reached.

At the same time, we still have two different approaches competing: one side sustaining the patient’s rights to give an expressed consent, to be informed, to correct the errors because he should have the total control over his personal health record, to ensure that information he wishes to be kept private is really kept confidential; the other side claiming that “too much patient control could hamper a patient’s health in a medical emergency”.
Therefore, although the basic law, HIPAA, has been amended towards a stronger protection of the privacy, the way is still long.  A bill of rights has been set out: it includes the right to fully access the patient’s health data, the right to accurate information about any disclosure, and legal aid in the event that a breach has caused harm. Up to now, it may appear as wishful thinking.

5 The European Union system
Now it is time to give you a comprehensive view of the European approach to EHR.
First of all, we should point out that the USA and EU legal systems are quite different, especially as far as privacy is concerned. We have already seen that the USA has mostly kept privacy within the narrow limits of an immaterial property right; in the European context privacy is considered a fundamental right, as which inalienable and indispensable. Nevertheless, we find significant similarities between the USA and EU approaches to HER.
We may recall the definition adopted by the Working Group art. 29, European Independent advisory board: “A comprehensive medical record or similar documentation of the past and present physical and mental state of health of an individual in electronic form and providing for ready availability of these data for medical treatment and other closely related purposes.” This formula closely resembles the American experience. Also, there are no doubts that all data contained in medical documentation, in electronic health records should be considered “sensitive personal data”. We find here another point of contact with USA. But, as a consequence, in EU such data are not only subject to all the general rules on the protection of personal data in the Directive, but in addition, subject to the special data protection rules on the processing of sensitive information contained in Article 8 of the Directive.
These two different approaches cause different legal regimes and here I will show how the USA and EU models prove to be different as far as significant profiles are concerned.
a) The issue of consent.
In Europe, the consent must be given, freely, specific and informed, but first of all it must be explicit. Opt-out solutions will not meet the requirement of being ‘explicit’ because it lacks a declaration of intent. I want only to remind you the opposite American solution.
Here the owner of health data must be aware that he is renouncing special protection. Written consent is, however, not required. So in the digital contest it could be enough doing click on the box. We have a lot of criticism against this system that does not offer an adequate protection, but for reason of time I will refer to my paper under publication.
For what concerns the ‘Free’ consent, it means a voluntary decision, by an individual in possession of all of his faculties, taken in the absence of coercion of any kind, be it social, financial, psychological or other. Any consent given under the threat of non-treatment or lower quality treatment in a medical situation cannot be considered as ‘free’. Consent given by a data subject who has not had the opportunity to make a genuine choice or has been presented with a fait accompli cannot be considered to be valid.
b) Data sharing.
From the European point of view, if data are utilized by a doctor different from the first who collected it, must the second obtain a new consent? The answer is in the ‘specific’ consent, as required by the Directive 95/46, it means that it must relate to a well-defined, concrete situation in which the processing of medical data is envisaged. Therefore a ‘general agreement’ of the data subject e.g. to the collection of his medical data for an EHR and to subsequent transfers of these medical data of the past and of the future to health professionals involved in treatment would not constitute consent in the terms of Article 2 (h) of the Directive 95/46. Remember the wide possibility to utilize data by any other health professional different from the first that it has been allowed by the USA system, as explained above.

Pagine: 1 2 3 4