Updated: Sep 23, 98
Confidentiality in Healthcare in Greece
Ethical and Legal Aspects
The consequences of confidentiality breaches in health care are far reaching. Patients may be embarrassed by, or be socially ostracised following disclosure of sensitive information about their general health, mental health, sexually transmitted diseases, adolescent care, drug addiction, genetic fingerprints, etc. Health information systems must therefore be designed, implemented and run in such a way that the potential to harm or embarrass the patient is minimised.
Most professional ethical bodies in Europe give the responsibility for protection of patient records to health care practitioners. If clinicians are to assume this responsibility, however, they must have an appreciation of the major issues affecting the processing of health care records. Furthermore, those involved in design, implementation and management of computerised health record systems must have detailed technical knowledge of information security. According to data protection law in most European countries, the principal purpose of recording health data is to facilitate, or record events relevant to, delivery of health care to an individual or population. It is generally accepted that such data can be used for purposes of administration, audit and performance review but patient identifiers should preferably be removed beforehand.
Even then, care must be taken to ensure that an individual's identity is not revealed by unusual combinations of apparently anonymous data. For instance, the date and time of admission and date of birth may be sufficient to identify an individual from an apparently anonymised list of cases. European Data Protection legislation also requires that informed consent of the patient must be obtained prior to disclosure of personal data to another health care practitioner. It is common practice in health care to assume the implied consent of the patient to share his or her health data with other health care professionals but there is increasing political pressure to require written consent. This would be difficult to manage and unnecessarily burdensome in practice and a practical compromise must be sought. As a minimum, patients should be provided with information about how their records will be used and to whom they may be disclosed without obtaining specific informed consent. Regardless of how they are informed, the patient's own instructions regarding variation in the extent of use and disclosure of their records must be documented and observed where possible. However, it remains to be decided what action can reasonably be taken by the health care facility should a patient refuse consent for disclosure. Few health care information systems, manual or computerised, record the individual patient's wishes regarding confidentiality and control disclosure accordingly.
New mechanisms need to be incorporated into information systems if patients are to have such control over access to their records.
The situation in Greece
In April 1997 the Greek Parliament passed the Data Protection Act. Designed to guarantee a basic level of privacy protection, the Act is in line with EU Data Protection Directive 95/46/EC and the 1981 Convention of the Council of Europe. It establishes a Data Protection Authority together with a set of guidelines, principles and rules relating to the use, processing, storage and export of personal data both in electronic and manual files. It also imposes registration and notification of electronic data processing and defines the licensing requirements which apply to the establishment of databases containing personal data and to the transfer of personal data overseas.
Transborder data transmission from Greece to EU countries is unrestricted. Transmission of data to other countries requires a licence to be granted by the Data Protection Authority on the criterion of reciprocity. Data subjects are entitled to access and correct data relating to them and to claim compensation where loss or damage is suffered as a result of the use or disclosure of such data. Infringement of the legislation entails administrative, civil and penal liability.
However, the new legislation needs to be complemented by sectorial rules (digital networks, ISDN) in view of the liberalisation of all communication services in Greece, scheduled for 1 January 2001, and the competitive provision of liberalised services on alternative networks planned for early 1998.
The introduction of this new law in Greece thus offers the opportunity to comply more closely with the ethical requirement to respect the individual's right to privacy while not impeding the freedom of access to information needed by clinicians involved in the delivery of health care.
Copyright 1998 © EHTO. All rights reserved. This server is the only official EHTO WWW knowledge repository. Mail suggestions to: webmaster@ehto.org