EDPS opinion on patient's rights: specific data protection dimension of cross-border healthcare needs to be addressed in more concrete terms

3 Dec 2008

On 2 December 2008, the European Data Protection Supervisor (EDPS) adopted an opinion on a proposal for a Directive on the application of patients' rights in cross-border healthcare. The proposal aims at establishing a Community framework for the provision of cross-border healthcare within the European Union (EU) for those occasions where the care patients seek is provided in a Member State other than their home country. The implementation of such a scheme requires the exchange of personal data relating to the health of patients between authorized organisations and healthcare professionals of different Member States.

The EDPS welcomes the proposal and supports the initiatives for improving the conditions for cross-border healthcare. He is concerned, however, that current Community healthcare-related initiatives are not always well co-ordinated with privacy and security considerations, especially with regard to the use of new information and communication technologies, and that this hampers the adoption of a universal data protection approach towards healthcare. This is also evident in the current proposal where, although references to data protection can be found, these are mainly of a general nature and fail to specifically address the data protection dimension of cross-border healthcare.

Peter Hustinx, EDPS, says: "I welcome the attempt made in the proposal to show the overall need for data protection and privacy in the context of cross-border healthcare. However, I regret that the data protection implications of the initiative are not addressed in concrete terms. References to data protection are too general and do not adequately reflect the specific privacy requirements of cross-border healthcare. A uniform and sound data protection approach throughout the various healthcare Community initiatives is also needed, not only to ensure the citizens' fundamental rights to the protection of their data, but also to contribute to the further development of cross-border healthcare in the EU."

Following an analysis of the exchange of health data in the context of cross-border healthcare, the EDPS has defined two main areas of concern with regard to data protection: the different security levels which may be applied by the Member States (in terms of technical and organisational measures) on the one hand, and the integration of privacy in e-health applications on the other. In order to address these elements, the EDPS issues a number of recommendations in the form of five basic steps for amendments:

  • the provision of a definition for "health data", covering any personal data that can have a clear and close link to the description of the health status of a person;
  • the introduction of a specific Article on data protection, clearly describing the responsibilities of the Member States and identifying areas for further development, i.e. security harmonization and privacy integration in e-health;  
  • the adoption of a Community mechanism for the definition of a commonly acceptable security level for health data to be applied by the Member States;
  • the incorporation of the notion of "privacy by design" in the proposed Community template for e-Prescription;
  • the introduction of a more explicit reference to the specific requirements relating to the subsequent use of data concerning health (Article 8 of Data Protection Directive 95/46/EC).