Draft legislation envisages Ireland’s first electronic health information system
The primary objective hers the same as the summary care record – using information technology to enable those providing care to have better access to relevant and necessary patient information. What’s different is that the shared care record involves detailed medical records and intends to work on a decentralised model of storage – essentially a viewing platform hosted by the Health Service Executive to link scattered datasets rather than a centralised database. Clinicians will need patient consent to use the platform to view records stored elsewhere.
It is envisaged that, in time, the shared care record will evolve into an Electronic Health Record (EHR). Instead of patient information being accessible to view in separate records held by individual providers, all records will be held in one central place. Individual providers such as GPs and hospitals will share access and be able to input into the EHR in real time. It is anticipated that these records will initially focus on information held by GPs, hospital, and pharmacies, but in time, expand to a wider range of healthcare providers like opticians, dentists and specialist clinics.
A new ‘duty to share’
Sitting alongside these proposals is a new ‘duty to share’, requiring healthcare providers to share relevant health information with others involved in the care of a particular patient. This new duty addresses the current reality that healthcare providers are generally reluctant to share data for many reasons, but particularly due to perceived data protection concerns.
National Health Information Authority
The General Scheme’s drafting notes emphasise the need for more effective, dedicated national leadership on the use of healthcare information in Ireland. It acknowledges various options for that role, including reliance on existing institutions or the creation of a new statutory body.
For drafting purposes, the General Scheme creates a new body, the National Health Information Authority, but this position is likely to evolve as the legislation progresses and it is likely that some or all of the responsibilities of this new body may be assigned to or become shared across existing institutions.
The Authority will have the power to require healthcare providers to provide health data for “relevant purposes” that promote the goals of the health service, such as:
- policy making and management of health services,
- supporting clinical safety and auditing;
- promoting research and innovation;
- identifying threats to public health; and
- compiling health related statistics.
This is one of the most important powers in the legislation as it facilitates, for the first time, the mandatory collection of health data on a mass scale for ‘secondary’ purposes beyond the care and treatment of individuals.
Third party access to patient data
Built into the Authority’s powers are mechanisms to facilitate information sharing with third parties with legitimate interests – for example, researchers. The provisions have been drafted to align with the proposed EU Regulation on the European Health Data Space, which intends to bring together European health datasets on similar terms.
It is hoped that these functions will facilitate a better understanding of population health and inform better planning and development of health services in Ireland, as well as addressing the information gap in the research sector and aligning our health information system more closely with European standards.
Data protection concerns
Data protection concerns have been at the forefront of the conversation around our health information system and will continue to inform this legislation as it moves through the drafting process. Importantly, health data is “special category” data under the EU General Data Protection Regulation (GDPR), and so afforded a heightened level of protection with more stringent rules.
The collection and storage of health data, particularly in a centralised way, can create considerable risk. The HSE ransomware attack in 2021 – commonly understood to be the largest known cyber attack against a health information system – reminded institutions in Ireland of the possible consequences of failing to meet that risk.
It is clear from the General Scheme that the proposals around the collection, use and sharing of health data have been informed by substantial engagement with the Data Protection Commission, which will likely continue over the coming months. The result is extensive consideration, throughout the General Scheme, of the legal bases for the processing of health data across healthcare providers, state institutions and third parties. Built into the provisions are a wide range of data safeguarding measures including transparency and data minimisation requirements, robust security arrangements, and various restrictions on how data can be used.
A new advisory position, the National Health Information Guardian, will guide the government and industry stakeholders on data confidentiality, security and safeguarding issues going forward.
The role of the patient
Patient autonomy is at the forefront of several proposals. The Bill establishes a legislative basis for processing health data contained in the summary care record based on the public interest rather than consent of the data subjects. This is a population-inclusive approach that facilitates the creation of summary care records without individual patient consent. However, consent will be required for a given provider to access the summary care record, giving patients autonomy over their data and the opportunity to opt-out at the point of care. Practitioners will similarly require patient consent to view an individual’s health information via the EHR and shared care record.
In all circumstances, use of records will only be permitted by the provider who accesses it for the care and treatment of the relevant individual, and not for purposes such as research without explicit consent. Health information made available to the Authority for secondary purposes is subject to pseudonymisation, anonymisation and transparency requirements.
The General Scheme also proposes new measures to ensure that an individual can access their summary care record electronically. In particular, the HSE will be required to put in place measures to enable accessibility where an individual requires assistance, for example due to age or lack of capacity.
Under the current system, gaps in electronic record keeping and variation in approaches taken by different providers create a range of obstacles to access. According to the Health and Information Quality Authority, Ireland is one of just two countries in the EU without a system that provides patient access to electronic records. This proposal is the first step to allowing patients better access to their own medical records, in line with the objectives of Sláintecare and evolving European policy.
Practical obstacles
The glaring question is whether Ireland’s current healthcare infrastructure can adapt to meet the demands of this new framework. Significant infrastructure is required to create and run the centralised database required for the summary care record and the technology necessary to facilitate the shared care record, among the rest of the Bill’s proposals.
Before we get there, most individual providers will need to undergo extensive modernisation. The reality is that many healthcare settings – notably most public hospitals – still rely on paper record keeping and serious initial investment in infrastructure, personnel and training will be required to move to digital ways of working.
This process has already been initiated by various stakeholders and pushed, in particular, by the implementation of Sláintecare. However, change has been criticised as too slow. By putting reforms on a statutory footing with dedicated national leadership, it is hoped that this new legislation will accelerate progress across the board.
Co-written by Charlotte Bowen of Pinsent Masons
link
