MEDICINE, LAW & SOCIETY Vol. 8, pp. 35 - 45, October 2015 E-documentation and Crossborder Healthcare MARTA SJENIČIĆ* ABSTRACT E-health is, in many European countries, one of the health care areas that are in the fastest development, due to the endeavor to apply modern information and communication technologies for the purpose of meeting the needs of citizens, patients, health professionals and the health policy creators. E-health potentials are virtually endless and can reach from the delivery of health information and health controle over the internet, through on- line consultations, issuing of drugs through electronic devices, till robotised surgeries or care of elderly population. European Union works actively in this field through different conventions and directives related to the patients’ rights in cross-border healthcare, but also protection of individuals with regard to the processing of personal data. One of the most recent and important documents in this field was Working Document 01/2012 on epSOS (Article 29 Data Protection Working Party), which was enacted January, 2012, and which was the basis for so-called epSOS project that has been impelemented from July 1, 2008 till June 31, 2014. The main objective of epSOS project is to shape, establish and evaluate the infrastructure of services which would enable the crossborder operability between the system of electronic health documentation in Europe. epSOS project aims to develop practical frame for e-health and information-communication infrastructure that would be basis for the safe access to the information on patients' health, in the diferent European health systems. KEYWORDS: • electronic health documentation • electronic medical record • electronic health record • epSOS • national contact point CORRESPONDENCE ADDRESS: Marta Sjeničić, Ph.D., Research Aassociate, Institute of Social Sciences, Kraljice Natalije 45, 11000 Belgrade, Serbia, email: marta.sjenicic@gmail.com. DOI 10.18690/8.35-45(2015) ISSN 2463-7955 Print © 2015 LeXonomica Press Available online at http://journals.lexonomica.press. 36 MEDICINE, LAW & SOCIETY M. Sjeničić: E-documentation and Crossborder Healthcare 1 Introduction E-health is, in many European countries, one of the health care areas that are in the fastest development, due to the endeavor to apply modern information and communication technologies for the purpose of meeting the needs of citizens, patients, health proffesionals and the health policy creators (Rynning, 2007:105). E-health potentials are virtually endless and can reach from the delivery of health information and health control over the internet, thorugh on-line consultations, issuing of drugs through electronic devices, till robotised surgeries or care of elderly population. European Union works actively in this field. In 1981, Convention for the protection of Individuals with regard to automatic processing of personal data (Council of Europe, 1981) was enacted. In 1995, the Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (European Parliament and the Council of the European Union, 1995) was enacted. In February 2007, the Working document on the processing of personal data relating to health in electronic health records (EHR) (Article 29 Data Protection Working Party) was enacted. Beside working in the areas of electronic health documentation, EU has been working also in the area of cross-border healthcare and electronic documentation, especially in the last few years. For example, in 2012, eHealth Action Plan 2012- 2020 - Innovative healthcare for the 21st century (European Commission, 2012) was enacted by the European Commission. Beside that, in 2011 the Directive 2011/24/EU on the application of patients' rights in cross-border healthcare (European Parliament and the Council of the European Union, 2011) and in January 2012, Working Document 01/2012 on epSOS (Article 29 Data Protection Working Party (European Commission, 2012a) were enacted. Action plan is related mostly to the support to the EU members, for the purpose of improvement of the cross-border e-health process, and, so called, mobile health (mHealth). The barriers to deployment of eHealth, according to the Action plan, are the following: lack of awareness of, and confidence in eHealth solutions among patients, citizens and healthcare professionals; lack of interoperability between eHealth solutions; limited large-scale evidence of the cost-effectiveness of eHealth tools and services; lack of legal clarity for health and wellbeing mobile applications and the lack of transparency regarding the utilization of data collected by such applications; inadequate or fragmented legal frameworks including the lack of reimbursement schemes for eHealth services; high start-up costs involved in setting up eHealth systems; regional differences in accessing ICT services, limited access in deprived areas. Several barriers can contribute to one market failure e.g. the important issue of the lack of health data exchange can only be tackled by addressing in a coordinated way fragmented legal frameworks, lack of legal clarity and lack of interoperability. MEDICINE, LAW & SOCIETY M. Sjeničić: E-documentation and Crossborder Healthcare 37 The vision of the Action Plan is to utilize and develop eHealth to address several of the most pressing health and health systems challenges of the first half of the 21st century: to improve chronic disease and multimorbidity (multiple concurrent disease) management and to strengthen effective prevention and health promotion practices; to increase sustainability and efficiency of health systems by unlocking innovation, enhancing patient/citizen-centric care and citizen empowerment and encouraging organizational changes; to foster cross-border healthcare, health security, solidarity, universality and equity; to improve legal and market conditions for developing eHealth products and services. The Action Plan addresses the barriers and the following operational objectives: achieving wider interoperability of eHealth services; supporting research, development and innovation in eHealth and wellbeing to address the lack of availability of user- friendly tools and services; facilitating uptake and ensuring wider deployment; promoting policy dialogue and international cooperation on eHealth at global level. The Action Plan emphasizes cross-border activities, but it should be noted that work done at the EU level has a strong effect at the national level and vice versa. Therefore, the Action Plan encourages national and regional authorities, healthcare and social care professionals, industry, patients, service providers, researchers and EU Institutions to closely work together. Action plan envisaged that from 2013 the Commission would engage in discussions on legal issues affecting eHealth, within the eHealth Network and other fora, such as the European Innovation Partnership on Active and Healthy Ageing (EIP AHA), as well as cross-sectorial legal work linking eHealth to other ICT-led innovation, with the first conclusions foreseen in 2013-2014. Data protection issues, according to Action plan, also need to be addressed in respect to the use of cloud computing infrastructures and services for health and wellbeing data processing. The Commission will closely monitor the implementation of this Action Plan and report on the progress made and the results achieved. One of the results listed in the Action Plan and whose implementation should be monitored is epSOS project (European Commission, 2012). Directive 2011/24/EU on the application of patients’ rights in cross-border healthcare has the objective to improve functioning of the EU inner market and free movement of goods, persons and services. Directive, of course, emphasises that the Member States maintain their responsiblity for providing safe, quality, effective and quantitatively acceptable health cae to their citisens. So, each Member State has the freedom to decide which kind of health care is considered appropriate. On the other side, this Directive aims to establish the rules for easier access to the safe and quality cross-border healthcare in EU and to ensure mobility of the patients and improvement of cooperation in the areas of healthcare between 38 MEDICINE, LAW & SOCIETY M. Sjeničić: E-documentation and Crossborder Healthcare Member States. Directive generally defines which kind of health services are covered with it, i.e. which services are not (transplantation, routin treatment, long- term care, home care, elderly care). It limits the obligation of reimbursment of the cross-border healthcare to the healthcare which the patient is entitled to, according to the legislation of his state of residence. Directive establishes also the other rules for cross-border healthcare. It tackles the eHealth network and the exchange of information among Member States. Commission should, according to the Article 14, adopt necessary measures for establishment, management and transparent functioning of the eHealth network. Working document on epSOS gives the basis for imlementation of the epSOS project (Salar, 2013a). The objective of epSOS project is to formulate, establish and evaluate the infrastructure of services which enable cross-border operability between the electronic health documentation systems in Europe. epSOS project develops the practical frame for e-health and informational-communicational infrastructure which enables the safe access to the information on patients health, in different health systems of Europe. In emergency situations, this information provided to medical professionals can be from vital relevance and can reduce the possiblity of repeating of diagnostic procedures. Before going in details into the possibilities of the epSOS project, it would be useful to have an insight into the main sorts of electronic health documentation. 2 Sorts of electronic health documentation European informatic, medical and legal theory and practice make the difference between electronic medical record (hereinafter: EMR) and electronic health record (hereinafter: EHR). EMR is electronic data base on the patient at the level of one health care provider, while EHR is computer-based collected and mainatined data set of health and other personal data, connected with the unique identification code of the patient. EHR is above EMR, since it collects patients data from all the institutions patient were treated in. These are not all data, but are basic data (minimal data set) on the whole personality of the patient. If one state would consider introducing EHR, it should keep in mind that data within EHR are available to the wider spectrum of persons, since they are not collected only at the level of one institution. In EHR patients personal data and his right to privacy may be more vulnerabile than in EMR. Keeping records about the patient has, in principle, the basis in national law. If the paper documentation is equalised with the electronic health documentation in the national regulation, then keeping of EMR is based on the national law, since in most of the national laws it is stipulated that processing of personal data without of the consent of data subject is allowed in the cases stipulated in the law or for achieving of purposes stipulated in the law. Directive 95/46 reguulates the same. Case when the consent is not needed is regulated by the Paragraph 8, provision 3 MEDICINE, LAW & SOCIETY M. Sjeničić: E-documentation and Crossborder Healthcare 39 of the Directive 95/46/EC: ”Paragraph 1 shall not apply where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy”. Hovewer, when having EHR, it is necessary to obtain the explicit consent of the patient for the collection and processing of personal data within EHR. Working document on the processing of personal data relating to health in electronic health records (EHR) (Article 29 Data Protection Working Party), which was enacted in 2007, by the independent European advisory body on data protection and privacy, defines EHR as: „A comprehensive medical record or similar documentation of the past and present physical and mental state of health of an individual in electronic form and providing for ready availability of these data for medical treatment and other closely related purposes“. Being so comprehensive and proceessing senstive personal data, EHR can be functional only with the prior explicit consent of the patient to data processing. Opt-out solution does not fullfill the request of expliciteness, since it only assumes that the consent exists (in this case patient, that does not agree to the data collection within EHR, would have to express it explicitely). Working document emphasises that the consent has to be „freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed«. It requires explicit consent of the patient, i.e. opt-in solution, since EHR is data collection (minimal data set) obtained from all health care provders that treated the patient, and with wider range of possible accesses to the personal data. This data set does not have the legal basis in most of the national legislations. Therefore, the explicit opt-in consent of the patient, as the legal basis, is required. 3 Differences between EMR and EHR For the purpose of better understanding of the sorts of the abovementioned sorts of electronic health documentation, it is useful to list the criteria for differentiation between EMR and EHR. First criterion for differentiation is the number of data collections. Data collection is the systematised set of personal data (evidences, register, dataset), regardless the form of data and the resources for their maintainance (Sjeničič, 2008:336). In accordance with this, EMR and EHR are both data collections. However, there are as many EMRs as many health institutions which provided health service to the patient, are there. EHR is only one for one patient (Sjeničić, 2008:336). Second criterion for differentiation is the content of the health record. EMR contains the data on health treatment of the patient in one health institution. EHR 40 MEDICINE, LAW & SOCIETY M. Sjeničić: E-documentation and Crossborder Healthcare is the set of most relevant data on the complete patients' health status (Sjeničić, 2008:336). Third criterion is the obligatness of keeping records. EMR should be obligatory, as the alternative to the paper medical record (this is still not the case everywhere). This obligation, of course, exists for the health institutions which have technical preconditions. However, keeping records within EHR is not obligatory, i.e. it is the subject of the explicit consent of the patient. Fourth criterion is the person which imports the data into records. Health institution which keeps EMR imports the data into EMR. According to the opinion and experiences of different countries, data are entered into EHR by different subjects which ae defined by the law, with the consent of the patient. The patient himself can also import the data into EHR (Sjeničić, 2008:336). Fifth criterion for differentiation between EMR and EHR is the possibility to access to the patients' data. The access to these data within EMR is limited to health professionals treating the patient in the health institution keeping EMR. Access to the data within EHR is theoretically possible to all health institutions and other persons defined by the law, under conditions that patient gave his consent. Sixth criterion is the power to dispose with the data collection. Team of health profesionalls within health institution disposes with EMR data collection. Patient has disposal over EHR data collection. The reason for such power of disposal is in the before mentioned criteria: EMR (as well as the paper medical record), would be obligatory (when and if introduced) and would be kept, regardless the patients consent, since it would have the basis in the law. Content of EMR is detailed overview of one problem of the patient and does not give the comprehensive overview into the complete patients personality and health status. Access to the data in EMR is much more limited than to the data in EHR. Therefore, the power of disposal with EHR is in the hands of the patient (Sjeničić, 2008:337). 4 epSOS project epSOS (Smart Open Services for European Patients) focuses on electronic patient record systems. The initial focus is on cross-border access to Patient Summary data sets and ePrescriptions. The technical, legal and organizational concepts developed within the framework of the project are subject to the practical testing phase which will last until the end of the project (June 31, 2014). epSOS tests cross-border e-health services in the following areas: 1) Patient Summary: access to important medical data for patient treatment, and 2) Cross-border use of electronic prescriptions ("ePrescription" - or "eMedication" systems). Participating nations had to choose which projects area they will test: ePrescription or Patient Summary. epSOS has been conceived of as a pilot project designed to take place MEDICINE, LAW & SOCIETY M. Sjeničić: E-documentation and Crossborder Healthcare 41 on a large scale, initially involving 12 EU-Member States, but expanded to 25 Participating Nations (PN) during the course of the project. Some of the Participating Nations left the project so far, but most of them are implementing it. Participating Nations in epSOS project are: Austria (Austrian Federal Ministry of Health, Elga), Belgium (Recip-E Vzw, Integrating the Healthcare Enterprise- Europe Aisbl (Ihe)), Croatia (Hrvatski Zavod za zdravstveno osiguranje (Hrna)), Denmark (Danish National Board of e-Health, Ministeriet for sundhed og forebyggelse, Estonia (Eesti e-Tervise Sihtasutus (Eesti)), Finland (Terveyden Ja Hyvinvoinnin Laitos (Thl), France (French Ministry of Health, Asip Santé (Agence des systèmes d'information partagés de santé)), Germany (German Federal Ministry of Health, Fraunhofergesellschaft zur Förderung der angewandten Forschung (Fraunhofer Isst), Gematik Gesellschaft für Telematikanwendungen der Gesundheitskarte mbH, Empirica Gesellschaft für Kommunikations– und Technologieforschung mbH (Empirica)), Greece (Pharmaxis, Aristotelean University of Thessaloniki), Hungary (Egeszsegugyi Strategiai Kutatointezet (Eski)), Italy (Region of Lombardy, Lombardia Informatica (Lispa)), Luxembourg (Agence eSanté G.I.E. (Luna)), Malta (Ministry for Health (Mtna)), Norway (Helsedirektoratet (Nona)), Poland (Narodowy fundusz zdrowia (Nfz), Instytut logistyki i magazynowania (Ilim), Portugal (Administração Central do Sistema de Saúde, I.P. (Ptna), Serviços Partilhados do Ministério da Saúde, E.P.E. (Spms)), Slovenia (Institut za varovanje zdravja Republike Slovenije (Niphrs)), Slovakia (National Health Information Centre (Nhic)), Spain (Spanish Ministry of Health and Consumer Affairs, Fundació TicSalut Catalonia). Regional Healthcare Service of Andalucia, Regional Healthcare Service of Castilla La Mancha (Sescam), Catalan Agency for Health Information, Assessment and Quality (Aiaqs) Agencia valenciana de salud (Avs), Servei de salut de les illes balears (Bal)), Sweden (Swedish Association of Local Authorities and Regions (Salar), Swedish Ministry of Health and Social Affairs), Switzerland (Les hopitaux universitaires de Geneve (Hug) Federal Office of Public Health (Chna)), The Netherlands (National IT Institute for Healthcare in the Netherlands (Nicitiz), Dutch Ministry of Health, Welfare and Sport), Turkey (Turkiye Cumhuriyeti Saglik Bakanligi (Trna), Srdc yzilim arastirma ve gelistirme ve danismanlikticaret limited sirketi (Srdc)), United Kingdom (Department of Health) (Salar, 2013c). Each country nominated National Contact Point (see below the explanation) for epSOS project and these are listed in brackets. The concept of the epSOS project is in twofold consent. Firstly, patient gives the consent in the country of his residence (Country A). By giving the consent, patient agrees to participate in the epSOS project or its parts. He also agrees that the Patients Summary (or e-Prescription) is formed with the intention that in the future, data from the Summary are available to the health care providers in the Country B (country included in the epSOS project), if necessary and under certain 42 MEDICINE, LAW & SOCIETY M. Sjeničić: E-documentation and Crossborder Healthcare conditions. After that, when being in Country B which is in the network of cross- border e-health care servies and has a need for medical treatment, patient gives the second consent to the processing of his health data, i.e. to the access to his Patient Summary. Patient Summary is, obviously, emphasised by this project as one more sort of electronic documentation at the internatinal level. Patient Summary is a standardized set of basic medical data that includes the most important clinical facts required to ensure safe and secure cross-border healthcare. This summarized version of the patient’s medical data gives health professionals the essential information they need to provide care in the case of an unexpected or unscheduled medical situation (e.g. emergency or accident) of the patient coming from another country (Salar, 2013d, 2013e). EpSOS project is based on the explicit, specified consent. „Specified“ means that the consent is given to the defined, concrete situations, in which the processing of medical data is forseen. Therefore, the general consent of data subject does not have legal effect. Besides, consent should follow after the adequate information on the facts and implications of giving the consent to forming of Patients Summary, and processing of data, afterfwards (European Commission 2012a). So, it has to be informed consent. If and when patients gives the second consent in the Country B, this country will ask Country A to transfer into the neutral epSOS content the data on patient, and this is then translated into the language of the Country B, for the purpose of using data by the health care providers offering the medical treatment in the Country B. So, on the basis of first consent, Country A prepares Patient Summary which has to be available in every moment and Country B requires transfer of the Patients Summary, on the basis of the patients second consent. 4.1 The National Contact Point and the Framework Agreement within epSOS Each Participating Nation is represented in epSOS by a National Contact Point (NCP) mentioned related to Participating Nations. An epSOS NCP is an organization legally mandated by the appropriate authority of each PN (Salar, 2013d) to act as a bidirectional technical, organizational and legal interface between the existing different national functions and infrastructures. The NCP is legally competent to contract with other organizations in order to provide the necessary services. The epSOS NCP is identifiable in both the epSOS domain and in its national domain (Salar, 2013f). The Framework Agreement (FWA) has been localized in the form of national level contracts in the piloting participating nations which are a pre-requisite to engagement in the pilots. The use of a common FWA blue print as guideline for national contracts establishes the epSOS trusted domain amongst NCPs. This domain is considered to be an extension beyond national or regional territories where epSOS services are physically provided. Its function is to ensure that MEDICINE, LAW & SOCIETY M. Sjeničić: E-documentation and Crossborder Healthcare 43 epSOS services can be delivered without limitations to population travelling between countries participating in the epSOS pilot. The FWA is used to establish the NCPs, govern the cooperative model of data exchange and form the documented basis for the trusted relationships between parties exchanging data. It also facilitates transparency to ensure that the legal rights of patients to data privacy can be maintained in a cross-border healthcare setting. At the end of the pilot, the recommendations of the project will hopefully support the process towards more sustainable legal framework for longer-term operational cross-border eHealth services (Salar, 2013f). 5 Challenges when seeking healthcare abroad and benefits of epSOS solutions Besides the obvious language barriers when being abroad, the lack of documented medical history (medical reports, vaccination records, laboratory results, etc.) can be a problem. Health professionals abroad may have difficulties in determining the correct treatment for a foreign patient. This can have a negative effect on the quality of the healthcare treatment. Since epSOS offers cross-border electronic healthcare record system (including Patient Summaries) and electronic Prescriptions (ePrescriptions) such a system allows elimination of these problems and improvement of the quality of healthcare abroad and having the prescriptions dispensed abroad, which could be quite a benefit for the patients travelling to another country. epSOS also offers some advantages to health professionals: access to a Patient Summary and the patient’s currently active prescriptions to improve the decision making process in diagnosis, based on the relevant clinical data from the patient’s home country; ability to identify the patient in the country of origin and consult the essential healthcare data using tools integrated in the work station or via the internet at the epSOS portal; assistance in obtaining patient consent for healthcare services; access to a leading service supported by the European Commission, while using the familiar technical environment or the epSOS portal; access to patient data and eHealth information in own language; better patient care through cross-border healthcare data exchange; improved use of resources when providing healthcare to foreign patients; increase of security by using a paperless electronic patient data system (Salar, 2013b). 6 epSOS in Slovenia Slovenia has chosen to develop Patients Summary, as the epSOS pilot. National Focal Point for Slovenia is National Institute of Public Health. Slovenian Law on data collection in the area of health care (Zakon o zbirkah podatkov s področja zdravstvenega varstva, 2000) lists the data collections that can be processed by the specified entities. So, if this Law does not contain certain data collection (data 44 MEDICINE, LAW & SOCIETY M. Sjeničić: E-documentation and Crossborder Healthcare registry), data cannot be processed, except with the consent of the data subject. Therefore, Slovenia does not have the legal basis for collecting and processing data within the Patients Summary. In coordination between National Institute of Public Health and Information Commissioner of Slovenia, this issue is solved in a manner that during the pilot, data can be collected and processed on the basis of patients consent. 7 Conclusion As already mentioned, at the end of the pilot, project will recommend the support of the more sustainable legal and operational framework for longer-term operational cross-border eHealth services. epSOS is a trial if the cross-border health services could be provided and how. Health issues are in the competence of Member States of European Union. Member States have different health and health insurance systems. In order to have sustainable framework for cross-border health care, all these differences and differently developed operational, IT and legal systems have to be taken in consideration. References Council of Europe (1981) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Strassbourg: Council of Europe), available at: http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm (March 1, 2014). European Commission (2012) eHealth Action Plan 2012-2020 - Innovative healthcare for the 21st century : communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Region (Brussels: European Commission), available at: http://ec.europa.eu/health/ehealth/docs/com_2012_736_en.pdf (March 1, 2014). European Commission (2012a) Working Document 01/2012 on epSOS : article 29 Data Protection Working Party (Brussels: European Commission), available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion- recommendation/files/2012/wp189_en.pdf (March 1, 2014) European Parliament and the Council of the European Union (1995) Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Official Journal of the European Communities, No L 281/31, 23.11.1995), available at: http://ec.europa.eu/justice/policies/privacy/docs/95- 46-ce/dir1995-46_part1_en.pdf (March 1, 2014). European Parliament and the Council of the European Union (2011) Directive 2011/24/EU Of The European Parliament And Of The Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare, available at: http://eur- lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2011:088:0045:0065:en:PDF (March 1, 2014). Rynning, E. (2007) Public Trust and Privacy in Shared Electronic Health Records, European Journal of Health Law, 14(2), 105-112, doi: 10.1163/092902707X211668. Salar (2013a) About epSOS (Stockholm: Salar), available at: http://www.epsos.eu/home/about-epsos.html (October 8, 2015). Salar (2013b) Benefits (Stockholm: Salar), available at: http://www.epsos.eu/for-health- professionals/benefits.html (October 8, 2015). MEDICINE, LAW & SOCIETY M. Sjeničić: E-documentation and Crossborder Healthcare 45 Salar (2013c) epSOS (Stockholm: Salar), available at: http://www.epsos.eu/home.html (October 8, 2015). Salar (2013d) Patient Glossary (Stockholm: Salar), available at: http://www.epsos.eu/faq- glossary/glossary.html?tx_a21glossary%5Buid%5D=542&tx_a21glossary%5Bback%5 D=3438&cHash=c3253fb498 (October 8, 2015). Salar (2013e) Patient Summary (Stockholm: Salar), available at: http://www.epsos.eu/epsos-services/patient-summary.html (October 8, 2014). Salar (2013f) The National Contact Point (NCP) and the Framework Agreement (FWA) (Stockholm: Salar), available at: http://www.epsos.eu/legal-background/the-national- contact-point-and-framework-agreement.html (October 8, 2015). Sjeničić, M. (2008). Pravna pitanja uvođenja elektronske zdravstvene dokumentacije u Srbiji, Zbornik – Pravo i međunarodne integracije, Pravni život, 9, p. 336.