 Storage of health data


Collection of health data

In the question list, we asked for the mechanisms for collecting health care related data.  

According to the Article 29 Data Protection Working Party, medical data shall in principle be obtained from the data subject. However, there are many exceptions. First of all, medical data can be collected (and processed) if this is provided for by law for public health reasons or other important public interests. It is also permitted by law for preventive medical purposes, for diagnostic or therapeutic purposes with regard to the data subject or a relative in the genetic line, to safeguard the vital interests of the data subject or a third person, for the fulfilment of specific contractual obligations, or to establish, exercise or defend a legal claim. Also, when consent is given by the data subject (for one or more purposes), the medical data of the data subject can be obtained from other parties, in so far as domestic law does not provide otherwise (Council of Europe, R (97) 5, 1997).

A particular issue in data collection is the quality of the data (correct (valid and reliable), up to date, and specified for the purposes of use of the data). Wrong or incomplete medical information can lead to medical errors, which entail financial losses (Frost and Sullivan, 2004). Especially in a context where databases can be connected through health care networks, vast amounts of health care data can be handled. Moreover, consideration must be given to the usability of the systems for bringing reliable and valid data into the databases: ‘the relevant step forward is that information is gathered during routine patient treatment, not during activities explicitly dedicated to scientific research within universities or research institutes’ (Kell).

Two important topics for the collection of health data receive more attention in this section. These are (1) patient (and healthcare) identifiers and (2) the question of the ownership of health data and health records.

Patient identifiers

Patient identifiers enable medical data to be linked to the citizen and are therefore essential but also privacy-invasive tools of eHealth. Member states of the EU have the duty ‘to determine the conditions under which a national identification number or any other identifier of general application may be processed’ (article 8 (7) Directive). The unique identifier can either be used exclusively for identification and authentication in the domain of health care or can be used in broader contexts (e.g. e-Government). General identification numbers are welcomed ‘to render the management of administration more efficient, to save costs and to reach a good level of accuracy in the identification of the data subject’ (Rouillé-Mirza, Wright, 2004, 158). On the other hand, general identification numbers bear risks because the administration can link various information to one number, which brings about ‘a huge power of identification’ (Rouillé-Mirza, Wright, 2004, 158).

The contributing partners report that most healthcare institutions use their own particular approaches to patient identification. Often patient records have been assigned ad hoc unique numbers at random, because the identification number depends on the particular application/software used. Citizen identifiers or social security numbers could serve as a tool for linking data, an essential element of operational and epidemiological information systems. In Germany control numbers are used in the epidemiological cancer registries ‘to allow record linkage of anonymised records that describe cancer cases and are collected independently from multiple sources’ (Thoben, Appelrath, & Sauer, 1994). But in Germany too, there is strong controversy on ‘identifiers’. It is one of the main stumbling blocks in the development of the national health card project. In the UK as well, the use of patient health cards is debated in the context of public liberty.

In the Netherlands, the Citizen Service Number (BSN) will be used for the EMD and WDH and it will replace the social security number as key identifier in administrative matters. The unique social security number is used in Sweden and Belgium. On several occasions, the Belgian privacy committee has condemned the national practice and called for a ‘unique patient identification number specifically dedicated to the processing of personal information regarding healthcare’ (HEPI – GO final report, 2006). This is already the case in the UK, where a unique national patient number is used. In Switzerland, there is a unique identification number for electronic records, which is currently based on the social security number. The national citizen identifier is used in Norway. In Spain the NHS personal identification code links the various system-specific personal identification codes of citizens: ‘regulation RD 183/2004 which regulates the individual health card: The regulation was approved in order for all NHS beneficiaries to have a unique personal identification code that would provide good service and would permit obtaining the appropriate medical information at every point of the public health system. The assignment of the NHS personal identification code is realised at the moment of the inclusion of the relative data to every citizen in the database protected by the NHS, developed by the Ministry of Health, and acts as the link for the different autonomous personal identification codes that every person may be assigned during his/her life.’

Several states are currently developing new initiatives in the context of patient identification. We already referred to the Dutch Citizen Service Number (BSN). Switzerland will introduce a new social security number (after July 2008). This number will no longer entail sensitive information; it will be a totally random number. Belgium’s HEPI GO project favours the idea of a Health Electronic Patient Identifier (HEPI). The HEPI would be an irreversible transformation of the citizen’s social security number. Interestingly, the project plans two test phases: first a ‘primary HEPI’ which is not 100% anonymous will be implemented, whereas in the second phase a ‘secondary HEPI’ (using pseudonyms and Trusted Third Parties to guarantee the anonymity of the citizen/patient) will be used (HEPI – GO final report, 2006).
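The difference between a ‘primary’ and a ‘secondary’ HEPI, and the record linkage that control numbers in the German cancer registries rely on, can be illustrated in code. The following Python example is added here and is not part of the deliverable or of the HEPI GO project; it assumes a keyed hash as the irreversible transformation and a constructed 4-digit identifier space in place of real social security numbers.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample: a tiny 4-digit identifier space standing in for the
# national social security number, small enough to enumerate in the check.
SAMPLE_SSNS: List[str] = [f"{n:04d}" for n in range(10_000)]


def primary_hepi(ssn: str) -> str:
    """Unkeyed one-way transform: cannot be inverted directly, but whoever can
    enumerate the identifier space can rebuild the whole mapping."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def secondary_hepi(ssn: str, ttp_key: bytes) -> str:
    """Keyed one-way transform: the key is held only by the Trusted Third Party,
    so a registry holding pseudonyms alone cannot recompute or invert them."""
    return hmac.new(ttp_key, ssn.encode(), hashlib.sha256).hexdigest()


def reidentify(pseudonym: str, candidates: Iterable[str],
               transform: Callable[[str], str]) -> Optional[str]:
    """Anonymity check a data controller should run before deployment: does
    recomputing `transform` over the candidate space map the pseudonym back to
    a person? Returns the matching SSN, or None if the design holds."""
    for ssn in candidates:
        if hmac.compare_digest(transform(ssn), pseudonym):
            return ssn
    return None


def link_records(sources: Dict[str, List[Tuple[str, str]]],
                 transform: Callable[[str], str]) -> Dict[str, Dict[str, str]]:
    """Record linkage on pseudonyms: records from independent sources about the
    same citizen meet under one HEPI, and no source needs to share the SSN."""
    linked: Dict[str, Dict[str, str]] = {}
    for source, records in sources.items():
        for ssn, payload in records:
            linked.setdefault(transform(ssn), {})[source] = payload
    return linked


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and kept by the TTP, never by the registry
    print("primary HEPI re-identified:",
          reidentify(primary_hepi("1234"), SAMPLE_SSNS, primary_hepi))
    print("secondary HEPI re-identified without the key:",
          reidentify(secondary_hepi("1234", key), SAMPLE_SSNS, primary_hepi))
```

The check shows why the primary HEPI is ‘not 100% anonymous’: the identifier space of a social security number is small enough to enumerate, so only the TTP-held key stands between the pseudonym and the citizen.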

The identification of healthcare professionals has received new attention because of eHealth applications. This practice can help to guarantee secure access to patients’ records, for example. In the Netherlands, reference can be made to the UZI card and server certificate as means to identify health professionals. In Belgium healthcare providers and some social institutions have a SAM card (secure access module card), distributed by the RIZIV, the federal institute for sickness and invalidity insurance. The code of the SAM card depends on the category of healthcare provider and consists of a logistic number and a serial number (the link between these numbers is protected by the Crossroads Bank for Social Security). In the Andalusian region, health professionals are uniquely identified with a unique user identifier / password and with digital certificates. Health professionals working in the Lombardian SSIS system need to prove their identity with an e-signature. The next generation of Jhospital records will be secured with a PKI infrastructure and certificates. In the UK health professionals as well as managerial/clerical and secretarial staff are uniquely identified with a user number and user name and (varied) password.

According to Hämäläinen, one would assume that in region-driven countries, where ‘the architectural choice for an eHealth service network with interoperable connections is favoured more than an integrated information system’ (Hämäläinen, 2007, 10), patient identification is even more essential. However, the study reports that patient identification and health cards are deployed in all insurance-based systems but ‘in region-driven countries this is not such a strong priority’ (Hämäläinen, 2007, 10). However, the Spanish NHS identification code, ‘the central node which manages information streams between regions’ (Spain – 12) as part of ‘Plan Avanza’, provides a counter-example.

Besides patient and healthcare identification, the ownership of medical data is another crucial topic, closely linked to the collection of health data by means of eHealth tools.

Some countries see the data controller (health care organization) as the owner of the health information (Norway, Sweden). Other countries/regions stipulate that the patient is the owner of the information (Switzerland, Flanders, Andalusian Region). As the rightful owner, the patient decides what happens with his medical data: ‘the authority to decide upon the use of medical data shall remain with the citizens and the principle of voluntarism of medical data retention shall be upheld’ (Germany – 1). In Spain, ‘the doctor is the owner of the ‘Subjective Observations’ (comments made by the doctor), which may not be accessible by the patient, if the doctor indicates so’ (Spain – 9.7). The Dutch answer shows that control over the data (regardless of whether they are owned by the patient or the healthcare organization) is diffuse: ‘(relating, sic) EMD: Sometimes, the healthcare professional is considered to be the owner of the health information. However, the healthcare professional only has certain control over the health information: he is responsible for the storage and quality of the data. The patient also has control over the health information: he has a right of access and a right to delete his own health information. Finally, the healthcare establishment (hospital) has control: the hospital often determines the means of processing the health information and is often the owner of the health information system’ (Netherlands – 9.7). In the answer of the UK, doubts about the ownership of health information on health cards and records are related to the fact that there has been a transition from paper records to digital records (UK – 9.7).

According to the Article 29 Data protection Working Party, ‘in the legal provisions introducing an EHR system, it should be laid down as a rule that entering data into a EHR or accessing such data such be governed by an incremental system of opt-in requirements (especially when processing data, which are potentially extra harmful such as psychiatric data, data about abortion etc.) and opt-out possibilities for less intrusive data’ (Art 29 Data Protection Working Party, 2007).  

The explicit consent of the patient is needed to include personal health related information in records and databases. However, the notion of explicit consent differs across national laws. According to the Norwegian Personal Health Data Filing System act, it is sufficient that ‘consent is asked when the database is first established’ (‘written’ or ‘explicit’ are not mentioned). In the Belgian FLOW project, the explicit consent of the patient, who is in an independent position, is needed to include information in his or her electronic medical file. This written explicit consent can be withdrawn at any moment.

In order to consent to the use of one’s health data, sufficient knowledge about the data processing is essential. However, in practice this is very hard. Maybe, as Dierks (2003, 177) suggests, ‘there is a need for an evaluation of necessary minimum information that is required for informed consent’. A patient does have the right to withdraw his or her consent. But how can this be done, and how can we turn back the clock if we withdraw our consent? This poses a lot of practical difficulties. Actually, the fact that patients must provide consent to collect and use health related data at the time of contact with the healthcare provider is, from the ethical point of view, unjustified, because there is no informed consent without the purpose being specified in advance. Another example of unjustified consent is the way health data is processed in the electronic individual health system in Flanders: in the operational system, ‘there is an automatic input from the regular individual health care file to the electronic version of the file. The consent of the patient regarding the data exchange in the operational information system is assumed but not asked explicitly. This is not in line with the Federal law on patient rights. Explicit consent has to be given by patient.’ (Belgium – 9.6)

