Electronic Patient Record case study
Name of case
National Electronic Patient Record
Short Description
NICTIZ is the abbreviation of the Dutch name for the National IT Institute for Healthcare. It is an impartial and neutral organization in which all parties involved in the healthcare process take part: providers of care (doctors, hospitals, etc.), recipients of care (patients and their organizations), health insurers and the government.
NICTIZ's task is to support the creation of a system which will allow an improved flow of information for and on behalf of the patient/client, making use of the potential of IT, with a view to raising the quality and effectiveness of healthcare. As an impartial and neutral organization, NICTIZ makes it possible for the various parties involved to exchange views and ideas, and it also stimulates initiatives and coordinates them where necessary.
The information system will be based on an Electronic Patient Record (EPR), which will allow healthcare professionals to access medical data on patients from any location and at any time. NICTIZ will be responsible for ensuring that the security of such medical data can be guaranteed. Alongside medical data, it is the intention that the EPR should also facilitate the exchange of logistic and administrative information. All the parties involved are therefore working to create a single standard and to link up the various existing information systems already in use by care professionals.
As a first step, the national roll-out of the e-medication record and the national electronic locum record for general practitioners is expected on 1 January 2007. It was originally scheduled to be introduced on 1 January 2006, but the introduction of a national information infrastructure took more time and questions were raised about the security of patients’ data in the EPR.
Web address
http://www.nictiz.nl/
Type
G-C, G-B, B-C
Communication
Two-way communication
Sector
Health
Confidential data
Yes
Level of Government
National
Date of operation
1 January 2007
Types of integration
Both vertical and horizontal
Types of partnerships
Between public administration (Ministry of Health, Welfare, and Sport), private sector (healthcare providers, health insurance companies, IT industries) and non-profit (patients’ organizations)
Area
Legal framework
Description of specific barriers
Liability for patients’ data can consist of responsibility for the correctness of the data and liability for the misuse of patients’ data. Sufficient security measures must be taken to protect patients’ data against unauthorized use and access. With regard to the EPR, different actors could be held liable: the healthcare provider is liable for the correctness of the patients’ data and for safeguarding medical secrecy; a hospital could be held liable for the proper functioning of the information system and for the security measures that protect the data from unauthorized access.
Within the context of a research project in 2005, a team of information security companies succeeded in getting unauthorized access to three hospital information systems containing the medical data of about 1.2 million patients.
Has the barrier been overcome?
The Ministry of Health, Welfare, and Sport is responsible for the policy on electronic interchange of patients’ data. In answering questions from members of parliament, asked as a result of the hospital hack in 2005, the Dutch Minister of Health, Welfare, and Sport announced that the introduction of the national Electronic Patient Record would be postponed for one year. He also announced the introduction of an Electronic Patient Record Bill. This Bill will prescribe that the security of the EPR should be based on NEN 7510, a technical standard for information security in healthcare from the Dutch standardization organization NEN.
Furthermore, the Citizen Service Number in Healthcare Bill is now pending in the Dutch Parliament. This Bill obliges healthcare organizations to use the Citizen Service Number. This obligation is expected to come into force on 1 January 2007, together with the introduction of the national EPR. The Citizen Service Number should contribute to the unique identification of patients and their medical data, and prevent accidents from happening.
Healthcare providers will also have a unique identifier: the Unique Healthcare providers Identification (UZI: Unieke Zorgverleners Identificatie). The UZI makes it possible to authenticate the healthcare provider who wants access to the EPR. The UZI consists of a smartcard with three certificates. The first certificate encrypts the data. The second one is the authentication itself: checking the healthcare provider’s data in the UZI database, which is connected to the healthcare providers’ registration database (BIG-register). The third certificate is the electronic signature.
Countries involved
Netherlands