Convenient access to full medical records is an important goal, but it cannot be pursued contrary to the GDPR and the Constitution. Liability for the use of a beneficiary’s data for non-medical purposes should also be regulated.
Recently, there have been media reports on the use of a pregnancy register to implement the ruling of the Constitutional Tribunal limiting the right to abortion in Poland. In social media, Senator Krzysztof Brejza published a document which he sent to the Minister of Health as a senatorial intervention. At issue is a provision in the draft amendment to the regulation on the Medical Information System, which states that as of January 2022, “providers of healthcare services financed with public funds, as well as commercially, will be required to report the fact of a patient’s pregnancy to the Medical Information System.”
In response, the government’s eHealth Centre issued a statement claiming that “the need to report and obtain information about pregnancy is dictated by medical considerations.”
Minister of Health Adam Niedzielski also spoke out. He said, “The standard for keeping patient records is to record information about the patient’s health condition. We have a situation where we are moving from information recorded on paper in a traditional patient record, to IT solutions, digital solutions that record exactly the same information electronically. In this regard, the regulation, which expands the scope of the documentation, says that one of the medical ‘records’ is whether a woman is pregnant, which is obvious because in any patient’s file, this is important information relating for example to the medications that may be used. It is well known that not all medications can be used by pregnant women, so this is key information for medical treatment.”
Assuming for the moment that the goal is really to create a complete medical registry for the benefit of female patients, let us examine what the law says about the planned solution.
Access to data is important…
Undoubtedly, technological progress and digitalization in medicine are needed. Healthcare providers, physicians, patients and their families would like to have medical records at their fingertips at all times, and the role of medical registers, including the patient’s register, has long been acknowledged. But shouldn’t the progress in this area be accompanied by a discussion of the risks and threats? Maybe this is a good time to introduce a legislative solution benefitting all stakeholders?
According to the draft regulation on the detailed scope of data on medical events processed in the information system and the method and time limits for transferring the data to the Medical Information System, healthcare service providers should submit information to the system about medical devices implanted in the patient, allergies, blood group, and pregnancy.
The explanatory memorandum to this draft states that this data is to be provided on an optional basis until 30 June 2022, but then it will be obligatory. What is the purpose? According to a statement from the eHealth Centre, the need to report and obtain information about pregnancy is dictated by medical reasons, including those related to prescribing medications. According to the eHealth Centre, this will help avoid prescribing drugs that are not recommended during pregnancy and will also be important when providing lifesaving services, if this information cannot be obtained from the patient.
The data from the Medical Information System are transferred to the Patient’s Internet Account and can be accessed by a doctor or primary care nurse, presumably at any facility where the patient is sent. Thus, the call for availability of patient data at all necessary times would be fulfilled.
…but such changes are introduced by statute
The key problem is that sensitive patient data would end up in the system, and under an executive regulation, not a statute. Such interference with the right to protection of personal data requires a legal basis in a statute, as indicated in the Polish Constitution (Art. 51(1), (2) and (5)) and in the EU’s General Data Protection Regulation (Art. 9(2)(h)). But here, the proponent decided to introduce changes in an executive regulation, an act of lower rank. As an act of executive power, this encroaches on the sphere of individual rights and freedoms, thus violating the GDPR and constitutional standards.
Also, according to the judgment of the Constitutional Tribunal of 18 December 2014 (case no. K 33/13), the scope of data that can be collected in medical registers must be set by statute. This ruling confirms the constitutional requirement that the issue of encroachment on the sphere of individual rights and freedoms be regulated exclusively by statute. It also confirms the prohibition against regulating the principles and procedures for collection of and access to information concerning a person (including personal and sensitive data) in a normative act other than a statute.
The purpose of processing is also relevant
Under Art. 4(3)(2) of the Healthcare Information System Act, data concerning patients, including individual medical data, are to be processed in the Medical Information System. And under Art. 2(7) of that act, individual medical data are defined as data regarding services and data concerning a patient’s health condition, including health prophylaxis and implementation of health programmes.
But the system in which these data are to be collected is to contain data “necessary to carry out state health policy, and improve the quality and availability of healthcare services and the financing of healthcare tasks.” Therefore, it is necessary to specifically identify the purpose of processing such data, also taking into account that these are data relating to health (i.e. special categories of data under Art. 9(2) GDPR). When drafting the provisions on this category of data, compliance with the GDPR must be ensured.
Additionally, the statutory delegation cited by the eHealth Centre refers to the possibility of addressing in the regulation the detailed scope of data on medical events. But information on pregnancy, allergies or blood group is not data on a medical event; it is data on the service recipient.
Complete data: yes, but in accordance with the law
Undoubtedly, from a data quality perspective, complete patient data, both medical and non-medical data, are invaluable. For example, data about environment, diet and well-being can be useful. Therefore, building a complete patient record is the right direction to pursue. But a flawed legislative tool in the form of an executive regulation, i.e. an act of the executive branch, cannot be used for this purpose without corresponding changes at the level of a statute.
A bill to amend the Healthcare Information System Act in this respect (assuming that the Ministry of Health abandons the idea of amending only the mentioned regulation) should address, in addition to the catalogue of medical data, the following:
- Rules for verifying data provided by the patient (who may be mistaken or deliberately withhold information)
- Liability rules
- Rules for correcting and amending existing data.
Therefore, the draft should specify who enters information about the service recipient, and on what basis. Furthermore, under the GDPR, a patient should be guaranteed the right to lawfully delete data under certain conditions, and the right to object to the processing of such data. Liability for use of data of the service recipient for non-medical purposes should also be regulated.
Małgorzata Sokołowska, attorney-at-law, Life Science & Healthcare Practice, Wardyński & Partners