Gregory Tsolias
Legal Attorney, Prive law
Dimitris Anastasopoulos
Legal Attorney, President of “e-Themis”
Part 1: eHealth (Dimitris Anastasopoulos)
Part 2: Data privacy (Gregory Tsolias)
«eHealth» is the overarching term for the range of tools based on
information and communication technologies used to assist and
enhance the:
• prevention
• diagnosis
• treatment
• monitoring
• management
“The combined use of electronic communication and information
technology in the health sector”
(World Health Organization)
1. Clinical information systems
a) Specialised tools for health professionals within care institutions
b) Tools for primary care and/or for outside the care institutions
2. Telemedicine systems and services
3. Regional/national health information networks
including electronic health record systems and associated services
4. Secondary usage / non-clinical systems
a) Systems for medical education, research, public health
b) Health education and health promotion of patients/citizens

The global telemedicine market is expected to grow from $9.8 billion in 2010 to
$27.3 billion in 2016, a compound annual growth rate (CAGR) of 18.6% over the
next years.

The telehospital/clinic market segment was worth $8.1 billion in 2011. This is
expected to grow to $17.6 billion in 2016, demonstrating a CAGR of 16.8%
between 2011 and 2016.

The telehome segment is growing faster than the telehospital/clinic segment. This
market segment was valued at $3.5 billion in 2011, and this revenue is expected to
grow at a CAGR of 22.5%, reaching $9.7 billion in 2016.
source: www.bccresearch.com
HEALTH – EU
Your gateway to trustworthy information on public health
http://ec.europa.eu/health-eu/care_for_me/e-health/index_en.htm

• electronic health record architecture
• online health services
• teleconsultation
• ePrescribing
• eReferral
• eReimbursement
European Commission Objectives
• Enabling EU citizens to lead healthy, active and independent lives until old age
• Improving the sustainability and efficiency of social and health care systems
• Developing and deploying innovative solutions, thus fostering competitiveness and market growth

Directive 2011/24/EU of the European Parliament and of the Council of 9
March 2011 on the application of patients’ rights in cross border healthcare
(Article 14)

Commission Recommendation of 2 July 2008 on cross-border interoperability
of electronic health record systems

eHealth Action Plan 2012 – 2020 – Innovative healthcare for the 21st century

Provides cross border services that support safe, secure and efficient medical
treatment for citizens when travelling across Europe

Focuses on services close to the patient:
• Patient Summary for EU Citizens
• Occasional Visitors or Regular Visitors
• ePrescribing for EU Citizens

Medication ePrescription and /or Medication eDispensation

Builds on existing National eHealth Projects
what happened in the past

By 2010, every doctor in Greece devotes 85% of his time to the management of
his clientele
o Result: the patient has only 3.5 minutes of the doctor's time
o European average: 8 minutes
o Sweden: 12 minutes

OECD: pharmaceutical expenditure in Greece amounted to 2.7% of GNP, when
the EU average is below 1.8%.
the legislation in Greece

law 3235/2004 on “Primary Health Care”
Article 9 provides for the establishment of “electronic medical records and electronic health card”

law 3892/2010 for “Electronic registration and execution of
prescriptions and referral medical examinations”
the implementation
• www.e-syntagografisi.gr
• www.e-diagnosis.gr
The institution authorized to maintain the database of e-syntagografisi + e-diagnosis is the “Electronic Governance
Social Security - IDIKA SA” (www.idika.gr)
The mode of operation of e-prescribing under law 3892/2010
results and benefits
• we saved 1 billion euros from 2010 to date
• 800 million euros for the next 2 years
• about 30 million every month
• 92% of prescriptions are performed each month through the e-prescribing system
• 100% of pharmacies
• 90% of doctors
Thank you for your attention
Dimitris Anastasopoulos
Legal Attorney, President of “e-Themis”
www.ethemis.gr
Part 2: Data Privacy

• injuries
• diseases
• data on consumption of medical products, alcohol, drugs
• genetic data
• administrative data (social security number, date of admission to hospital etc)
• any data that have a clear and close link with the description of
  the health status of a person or contained in the medical
  documentation of the treatment of a patient

The definition of personal data contained in Article 2 (a) of Directive 95/46/EC
reads as follows:
«'personal data' shall mean any information relating to an identified or identifiable natural
person ('data subject'); an identifiable person is one who can be identified, directly or
indirectly, in particular by reference to an identification number or to one or more factors
specific to his physical, physiological, mental, economic, cultural or social identity»

The definition of special categories of data contained in Article 8 (1) of the
Directive 95/46/EC reads as follows:
«Member States shall prohibit the processing of personal data revealing racial or ethnic
origin, political opinions, religious or philosophical beliefs, trade-union membership, and
the processing of data concerning health or sex life»

Proposal for a Regulation of the European Parliament and of the Council on the
protection of individuals with regard to the processing of personal data and on
the free movement of such data (General Data Protection Regulation)
Article 9
Processing of special categories of personal data
«1. The processing of personal data, revealing race or ethnic origin, political opinions,
religion or beliefs, trade-union membership, and the processing of genetic data or data
concerning health or sex life or criminal convictions or related security measures shall
be prohibited.
2. Paragraph 1 shall not apply where:
h) processing of data concerning health is necessary for health purposes and subject to
the conditions and safeguards referred to in Article 81»

In Greece there is a similar provision in Article 2 of Law 2472/1997 on the
Protection of individuals with regard to the Processing of Personal Data
Directive 95/46/EC of the European Parliament and of the Council of 24 October
1995 on the protection of individuals with regard to the processing of personal
data and on the free movement of such data
Article 8
The processing of special categories of data
“1. Member States shall prohibit the processing of personal data revealing racial or ethnic
origin, political opinions, religious or philosophical beliefs, trade-union membership, and
the processing of data concerning health or sex life.
…….
3. Paragraph 1 shall not apply where processing of the data is required for the purposes of
preventive medicine, medical diagnosis, the provision of care or treatment or the
management of health-care services, and where those data are processed by a health
professional subject under national law or rules established by national competent bodies
to the obligation of professional secrecy or by another person also subject to an
equivalent obligation of secrecy.”
General Data Protection Regulation
Article 81
Processing of personal data concerning health
1. Within the limits of this Regulation and in accordance with point (h) of Article 9(2), processing of personal
data concerning health must be on the basis of Union law or Member State law which shall provide for
suitable and specific measures to safeguard the data subject's legitimate interests, and be necessary for:
(a) the purposes of preventive or occupational medicine, medical diagnosis, the provision of care or
treatment or the management of health-care services, and where those data are processed by a health
professional subject to the obligation of professional secrecy or another person also subject to an equivalent
obligation of confidentiality under Member State law or rules established by national competent bodies; or
(b) reasons of public interest in the area of public health, such as protecting against serious cross-border
threats to health or ensuring high standards of quality and safety, inter alia for medicinal products or
medical devices; or
(c) other reasons of public interest in areas such as social protection, especially in order to ensure the quality
and cost-effectiveness of the procedures used for settling claims for benefits and services in the health
insurance system.
2. Processing of personal data concerning health which is necessary for historical, statistical or scientific
research purposes, such as patient registries set up for improving diagnoses and differentiating between
similar types of diseases and preparing studies for therapies, is subject to the conditions and safeguards
referred to in Article 83.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of
further specifying other reasons of public interest in the area of public health as referred to in point (b) of
paragraph 1, as well as criteria and requirements for the safeguards for the processing of personal data for
the purposes referred to in paragraph 1.

Directive 2011/24/EU of the European Parliament and of the Council of 9
March 2011 on the application of patients’ rights in cross-border healthcare
Article 14: «The objectives referred to in points (b) and (c) shall be pursued in due
observance of the principles of data protection as set out, in particular, in Directives
95/46/EC and 2002/58/EC.».

Commission Recommendation of 2 July 2008 on cross-border interoperability
of electronic health record systems. Par.10:
«Member States should ensure that the fundamental right to protection of personal data is
fully and effectively protected in interoperable eHealth systems, in particular in electronic
health record systems, in conformity with Community provisions on the protection
of personal data, in particular Directives 95/46/EC and 2002/58/EC.»
Case of I v. Finland
17-7-2008
(Application no. 20511/03)
“41. However, the County Administrative Board found that, as regards the hospital in issue, the
impugned health records system was such that it was not possible to retroactively clarify the use of
patient records as it revealed only the five most recent consultations and that this information was
deleted once the file had been returned to the archives. ……….The Court for its part would also note that
it is not in dispute that at the material time the prevailing regime in the hospital allowed for the records
to be read also by staff not directly involved in the applicant’s treatment.
44. The Court notes that the applicant lost her civil action because she was unable to prove on the facts
a causal connection between the deficiencies in the access security rules and the dissemination of
information about her medical condition. However, to place such a burden of proof on the applicant is to
overlook the acknowledged deficiencies in the hospital’s record keeping at the material time. It is plain
that had the hospital provided a greater control over access to health records by restricting access to
health professionals directly involved in the applicant’s treatment or by maintaining a log of all persons
who had accessed the applicant’s medical file, the applicant would have been placed in a less
disadvantaged position before the domestic courts. For the Court, what is decisive is that the records
system in place in the hospital was clearly not in accordance with the legal requirements contained in
section 26 of the Personal Files Act, a fact that was not given due weight by the domestic courts.”
definition: «a comprehensive medical record or similar documentation of the
past and present physical and mental state of health of an individual in
electronic form and providing for ready availability of these data for medical
treatment and other closely related purposes»

• Use limitation principle (purpose principle)
• The retention principle
• Data subject’s right to access
• Security related obligations
Explicit consent
Article 8 (2) (a) of Directive 95/46/EC:
«Paragraph 1 shall not apply where: (a) the data subject has given his explicit consent to
the processing of those data, except where the laws of the Member State provide that the
prohibition referred to in paragraph 1 may not be lifted by the data subject's giving his
consent»

• Consent must be given freely
• Consent must be specific
• Consent must be informed

Article 8 (3) of Directive 95/46/EC allows for the processing of
sensitive personal data under three cumulative conditions:

• the processing of sensitive personal data must be “required” and
• this processing takes place “for the purposes of preventive medicine, medical
  diagnosis, the provision of care or treatment or the management of health-care
  services” and
• the personal data in question “are processed by a health professional subject
  under national law or rules established by national competent bodies to the
  obligation of professional secrecy or by another person also subject to an
  equivalent obligation of secrecy”
Law 2472/1997 on the Protection of Individuals with regard to the Processing of
Personal Data
Article 7
Processing of sensitive data
“1. The collection and processing of sensitive data is prohibited.
2. Exceptionally, the collection and processing of sensitive data, as well as the
establishment and operation of the relevant file, will be permitted by the
Authority, when one or more of the following conditions occur: d) Processing
relates to health matters and is carried out by a health professional subject to
the obligation of professional secrecy or relevant codes of conduct, provided that
such processing is necessary for the purposes of preventive medicine, medical
diagnosis, the provision of care or treatment or the management of health-care
services.”
Law 2472/1997 on the Protection of Individuals with regard to the
Processing of Personal Data
Article 7A
Exemption from the obligation to notify and receive a permit
“The Controller is exempted from the obligation of notification, according to
article 6, and the obligation to receive a permit, according to article 7 of the
present Law in the following cases: d). When the processing involves medical
data and is carried out by doctors or other persons rendering medical services,
provided that the Controller is bound by medical confidentiality or other
obligation of professional secrecy, provided for in Law or code of practice, and
data are neither transferred nor disclosed to third parties. In order for this
provision to be applied, courts of justice and public authorities are not
considered to be third parties, provided that such a transfer or disclosure is
imposed by law or judicial decision. Legal entities or organisations rendering
health care services, such as clinics, hospitals, medical centres, recovery and
detoxication centres, insurance funds and insurance companies, as well as
Controllers processing personal data within the framework of programmes of
telemedicine or provision of health care services via Internet.”
Code of Medical Ethics (law 3418/2005)
Article 14
Keeping of medical records
“1. Any doctor is required to keep a medical record, in electronic form or
otherwise, which contains data that are inextricably or causally linked to the
disease or health of his patients. The keeping of this record and the data
processing are governed by the provisions of Law 2472/1997.
2. The medical records shall contain the name, father's name, sex, age,
occupation, address of the patient, the dates of the visit, and any other
essential element associated with providing care to the patient, including,
without limitation and depending on the specialization, the complaints of
health and the reason for the visit, the primary and the secondary diagnosis or
treatment followed.
3. Clinics and hospitals shall also keep in their medical records the results of all
clinical and paraclinical examinations.”
Thank you for your attention
Gregory Tsolias
Legal Attorney, Prive law
120, Alexandras Av., Athens