Norway rethinks law on use of electronic patients' records
2010; Elsevier BV; Volume: 376; Issue: 9738; Language: English
DOI: 10.1016/s0140-6736(10)61170-1
ISSN 1474-547X
Topic(s): Electronic Health Records Systems
Abstract: An investigation into the unauthorised use of electronic patient records in Norway has highlighted the need for clearer laws governing patient confidentiality. Oda Berit Riska reports.

Harnessing the potential of electronic patient records at the same time as protecting patient confidentiality is a challenge in many countries.
In Norway, a case currently under investigation by the Board of Health Supervision draws attention to some of the potential pitfalls of using electronic patient records, after Norway's Data Protection Agency (DPA) found that researchers at the Norwegian University of Science and Technology (NTNU) had used data from 116 000 patients' records without obtaining any form of consent.

The data were originally taken from backups of the electronic patient record system run by the company PROMED AS in several general practitioner (GP) offices in western Norway. The manager of PROMED AS Carl-Fredrik Bassøe was also a researcher at NTNU's Norwegian Centre for Electronic Patient Systems (NSEP). In 2009, NTNU applied to the Ministry of Health and Care Services to be exempted from confidentiality laws to use patient records for research. The application made it clear that the information had already been gathered, and so the DPA stepped in.

“We found that the manager of PROMED AS had used his role to collect data all the way back from 1999, when he'd taken backups of the patient records in 21 GP offices before the transition to 2000. When no problems occurred with the journal systems, he took the backup to NTNU to use for research. He then made sure to keep it regularly updated”, explains Cecilie Rønnevik, who led DPA's investigation. Additionally, a GP in Surnadal Council, Anders Grimsmo, who also worked at NSEP, took an entire server containing 6000 complete patient records to the NTNU when his clinic changed their IT system.

DPA's investigation showed that concerns had been raised as early as 2007 by a PhD student at NSEP, but these were ignored until 2009, when he took his complaint to NTNU's administration. The research had been used in several research projects before anyone applied to the Ministry of Health and Care Services, says Rønnevik. Helge Klungeland from NTNU explains that very little of the data from patients' records were used in the research, since it focused on information technology. “But it would have been an enormous challenge to invent fictitious [patients' records]. It's far more useful to use real records. The error was not asking for permission”, Klungeland told The Lancet.

Although the DPA have concluded their investigation of NTNU, the Board of Health Supervision is still investigating PROMED AS, the 21 GP clinics whose records were used, and Surnadal Council's GP clinic. “It is a complicated case, and several agencies are involved; however, we hope to conclude our inspections during the summer”, says Anne Myhr, at the Board of Health Supervision.

Currently, no national system for electronic patients' records is in place in Norway. But critics fear a proposed law change could effectively allow for patients' records to be shared across individual health enterprises. The proposed changes in the law will be decided on in a hearing in September. For information to be shared between health enterprises, the proposed law stipulates that both health enterprises have to have “technical solutions to limit access to structured clinical information related to the query”, according to the report from the Ministry of Health and Care Services. A new query also has to be made for each patient record.

But the Norwegian Medical Association (NMA) and the DPA are concerned that the law will be passed despite their concerns about a lack of focus on IT security and patient confidentiality. “We've been critical [of] this as we feel that confidentiality is key, and we have to be careful not to create regulations that could weaken confidentiality and trust in the health service over time. And as there isn't adequate control over access to records now, how will we maintain control across health enterprises?”, asks the NMA's Lars Duvaland.

Both the NMA and the DPA would prefer an extension of an electronic messaging system. “If we have a system where information and images can be safely and quickly sent, we could ensure that the person who holds the information has to consider each request, which makes maintaining confidentiality easier than allowing people in to the system”, says Duvaland.

Although most agree that a national system for electronic patients' records could bring many benefits, including quick access to potentially life-saving information, the potential for security breaches could be far greater than with a paper-based system. “If any exceptions are made to confidentiality these have to be regulated. But at NTNU no permissions were in place. In this case the information suddenly ended up in several research projects without anyone having considered it. That's quite scary”, says Monica Fornes, a senior legal adviser to the DPA.