August 26, 2011

As Regards Protection Of Health Data, Law Trails Behind Reality

Unai Aberasturi, jurist at the University of the Basque Country, concludes that regulations are incomplete

What happens if the seropositive condition of a patient is leaked? What social and work consequences might this involve? This is just one example that illustrates the importance of regulating health data protection. Mr Unai Aberasturi, a jurist at the University of the Basque Country (UPV/EHU), has made a study of what the Spanish Statute Law on Data Protection (LOPD in its Spanish acronym) says about this, drawing the conclusion that, normally, this is left open to interpretation. He warns of the judicial insecurity in this respect and stresses the need for concrete regulations on health data protection. His thesis is entitled The principles of data protection applied to health care.

The researcher undertook a joint study of health regulations and data protection. With the latter, he focused on the content of the LOPD norms bearing on the health sector, including most of those under its second section (principles of data protection) and third (rights of individuals). Mr Aberasturi pointed out that the LOPD provides special protection for health data (article 7), by which a stricter safeguarding scheme is set out.

Quality and consent

Within this regime, the so-called principles of quality should be respected although, as health data is involved, the thesis explains that compliance therewith has to be studied case by case. The principles of quality are, concretely, the principle of end purpose, of pertinence and of veracity. According to the principle of end purpose, the data cannot be used for a purpose that is different from that of the gathering. Mr Aberasturi explains that, of all the possible motives for data gathering in the health sector (health care, research, statistics, and so on), the purpose for each gathering must be specified. As regards the principle of pertinence, more data than is sufficient and pertinent should not be gathered. When health data is involved, the researcher, when in doubt, thinks it is better to have more than sufficient information rather than to have insufficient, as otherwise this could be harmful to health. Finally, the principle of veracity involves cancelling past data on its being updated. In health, medical records are useful, and so this norm should be flexible.

What is known as informed consent (involving both the right to be informed as well as that of providing consent) is another right that includes special protection provided by the LOPD legislation. Nevertheless, in the field of health, conflicts can occur, because there are cases where the rights of a patient to control what happens to their data (self-control of information) clashes with that of health care and protection.

Although the patient should always receive information when possible, for practical reasons, it is not possible for the doctor to inform about each and every act of health care. Likewise, handling of and access to data involving health care cannot be subjugated to the individual giving consent in each case. In order to protect the health of patients, medical records and documentation must be accessible to health personnel (health regulations require this), as well as be easy to deal with. Thus, Mr Aberasturi believes there to be a sufficient basis in the LOPD to conclude that the right to self-control of information has to cede to that of health care and protection.

Transmission and personal rights

There are other aspects to consider, such as the transmission of data. The out-sourcing of services has not left the health care sector untouched, and so access to health data by third parties is regulated. Nevertheless, Mr Aberasturi explains that problems arise when this transmission occurs at international level, because the LOPD does not always guarantee (depending on its end purpose) that the transfer will be undertaken to a country that is safe as regards data protection. In this case, stricter compliance is argued for and not allowing too wide an interpretation about when information can be transferred without prejudicing the rights of the individual.

Finally, the LOPD also makes reference to the rights of individuals, some of which are in conflict with the health care sector. For example, the right to rectification: health data are not easy for the person in the street to understand, and so the individual should not correct or update them unilaterally. Mr Aberasturi believes, thus, that, while it is a fundamental task, it should be carried out in consultation with health professionals. Also, the right to cancellation clashes with the health legislation obliging the conserving of clinical records over a certain period. As a solution to this, only that data that is strictly necessary should be guaranteed and information should be discarded where possible.


On the Net: