Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
An Implementation
         Framework for Trust
SALAR, SENA, ATNA, Elga, IZIP, DENA, Gematik,DKNA,ESNA, CATA,ANDA, GIPDMP,
...
National Contact Points
Legal and regulatory issues
           Zoi Kolitsi
      epSOS L&R WP Leader
Basic Assumption to be tested

   In epSOS we shall establish condition so that
   …

                                    ...
epSOS as Pilot

epSOS is a Large Scale Pilot
  must be of limited scope but comprehensive, robust
  and universally accept...
L&R Challenges
Main Issues                Legal Certainty


Data Protection and        sufficient        Pilot and beyond
...
Trust in epSOS -legal approach

Trust is built by
• elaboration of common epSOS “code of
  practice” around important issu...
epSOS Trusted Domain


        EU level- federating countries




                   National level- federating organisati...
epSOS Trusted Domain


        epSOS Practice Standards




                  National level- federating organisations
epSOS Trusted Domain


        epSOS Practice Standards




                    National level Agreements

               ...
National Agreements
   epSOS blue print

A Framework Agreement                             Security Policy

for the establ...
What is the epSOS NCP?
JANUS

Janus is the Roman god of gates and
doors (ianua), beginnings and endings,
and hence represented with a double-
fac...
JANUS and the epSOS NCP
A National Contact Point is…
• an organization delegated by each participating country to act as a
  bidirectional technic...
An epSOS NCP shall…


• General- Terms to be embodied in national
  contracts
• Duties and responsibilities to other NCPs
...
Legal Relationships
Part 2
        Patient Consent for
eHealth services across EU borders
Patient Consent in the
          epSOS trial
      Petra Wilson, Continua Health Alliance
on behalf of the Legal and Regul...
Patient Consent :
        Policy        (I)
Patient consent to the processing of health related data is
a legal requiremen...
Patient Consent :
   Policy               (II)

In addition national transpositions of the EU Directive
have clauses which...
Patient Consent :
    Policy              (III)
There will also be clauses which
    provide some exceptions to allow cer...
Patient Consent:
    epSOS       (I)
       epSOS does not create new uniform patient consent practices
        BUT epSOS...
Patient Consent:
 epSOS              (II)
NOTE:
  No special epSOS consent is needed for epSOS
   data collection in Coun...
Patient Consent:
epSOS            (III)

General epSOS consent with local confirmation:
   The consent confirmation given...
Patient Consent:
epSOS            (IV)

Specific epSOS consent at PoC
   Once the patient has been given epSOS informatio...
Patient Consent : process
General + Confirmation
Patient obtains epSOS background information in
Country A and provides a ...
Patient Consent : process
 consent provided at PoC
 Patient is identified at PoC in country B as
 epSOS eligible. ID shows...
Thank you!
Upcoming SlideShare
Loading in …5
×

An Implementation Framework for Trust: National Contact Points

1,375 views

Published on

An Implementation Framework for Trust: National Contact Points
Legal and regulatory issues. Wilson P. eHealth week 2010 (Barcelona: CCIB Convention Centre; 2010)

Published in: Health & Medicine
  • Be the first to comment

  • Be the first to like this

An Implementation Framework for Trust: National Contact Points

  1. 1. An Implementation Framework for Trust SALAR, SENA, ATNA, Elga, IZIP, DENA, Gematik,DKNA,ESNA, CATA,ANDA, GIPDMP, FRNA, LOMBARDY NLNA, NHIC, NHS, PHARMAXIS, Industry
  2. 2. National Contact Points Legal and regulatory issues Zoi Kolitsi epSOS L&R WP Leader
  3. 3. Basic Assumption to be tested In epSOS we shall establish condition so that … if a Member State (MS) already provides these ehealth services to its residents….. then it may also offer these services to them when they travel abroad to other epSOS Member States. 3
  4. 4. epSOS as Pilot epSOS is a Large Scale Pilot must be of limited scope but comprehensive, robust and universally accepted across MS, professions and cultures. long-term operation is out of scope of epSOS But will deliver practical guidance and recommendations on how to make the transition from the pilots to normal operation. 4
  5. 5. L&R Challenges Main Issues Legal Certainty Data Protection and sufficient Pilot and beyond Confidentiality Health Systems sufficient pilot Professional aspects and sufficient pilot social context Liability sufficient pilot Access to standards-IPR sufficient Pilot issues insufficient beyond
  6. 6. Trust in epSOS -legal approach Trust is built by • elaboration of common epSOS “code of practice” around important issues such as privacy and confidentiality, – Privacy and safety by design – application of common epSOS safeguards by all actors involved in the pilots • systematic audit – MS level (NCP) – epSOS Level (PSB) 6
  7. 7. epSOS Trusted Domain EU level- federating countries National level- federating organisations
  8. 8. epSOS Trusted Domain epSOS Practice Standards National level- federating organisations
  9. 9. epSOS Trusted Domain epSOS Practice Standards National level Agreements - To establish the NCP - To establish NCP-pilot partners relationships -
  10. 10. National Agreements epSOS blue print A Framework Agreement Security Policy for the establishment of an Pilot Strategy epSOS NCP Pilot sites - duties & responsibilities National Pilot Set-up and Deployment Guide FW AGREEMENT Annexes: Patient Consent Information to Patients and HCPs
  11. 11. What is the epSOS NCP?
  12. 12. JANUS Janus is the Roman god of gates and doors (ianua), beginnings and endings, and hence represented with a double- faced head, each looking in opposite directions. Janus was represented with two faces, originally one face was bearded while the other was not. Later both faces were bearded.
  13. 13. JANUS and the epSOS NCP
  14. 14. A National Contact Point is… • an organization delegated by each participating country to act as a bidirectional technical, organisational and legal interface between the existing different national functions and infrastructures. • legally competent to contract with other organisations in order to provide the necessary services which are needed to fulfil the business use cases and support services and processes. • identifiable in both the epSOS domain and in its national domain as a communication gateway and establishes a Circle of Trust amongst national Trusted Domains. • a mediator as far as the legal and regulatory aspects are concerned. • an active part of the epSOS environment if, and only if, it is compliant to normative epSOS interfaces in terms of structure, behaviour and security policies.
  15. 15. An epSOS NCP shall… • General- Terms to be embodied in national contracts • Duties and responsibilities to other NCPs • Duties for Patient Consent • Duties under the epSOS Security Policy • Relationships between NCP and other pilot partners
  16. 16. Legal Relationships
  17. 17. Part 2 Patient Consent for eHealth services across EU borders
  18. 18. Patient Consent in the epSOS trial Petra Wilson, Continua Health Alliance on behalf of the Legal and Regulation Workpackage
  19. 19. Patient Consent : Policy (I) Patient consent to the processing of health related data is a legal requirement in every EU country. It is defined as:  A Freely given specific and informed indication of the patient’s wishes by which s/he signifies his agreement to personal data relating to him being processed. ( Art 2(h) of the Data Protection Directive 1995/46/EC) This means:  Patient must be able to withhold consent without fear of getting less good healthcare.  Patient must be able to withdraw consent previously given  Patient must know who ( or what category) of person will process the data and why.  Patient must know which data will be processed and for what purpose.
  20. 20. Patient Consent : Policy (II) In addition national transpositions of the EU Directive have clauses which:  Limit access to patient data to accredited healthcare professionals and their support staff.  Require that access to data is only in the context of a care relationship.  Specify that only relevant information may be collected and stored.
  21. 21. Patient Consent : Policy (III) There will also be clauses which  provide some exceptions to allow certain data to be processed for running an efficient and effective health service. and  provide some exceptions to allow treating patients when it is impossible to obtain consent (incompetence or incapacity) Some countries may require additionally that consent is explicit and given in writing for all or certain categories of data . .
  22. 22. Patient Consent: epSOS (I)  epSOS does not create new uniform patient consent practices BUT epSOS must ensure that all European Data Protection duties are observed.  epSOS patients must be aware of the level of data protection assured in epSOS and must give informed consent for data access in that context. Two modes of epSOS consent for data access are envisaged: General epSOS consent for data access in any Country B given in the country of origin and confirmed in a specific Country B at the time of an encounter. or Specific epSOS consent given and documented at the time of the encounter in Country B at the time of the encounter.
  23. 23. Patient Consent: epSOS (II) NOTE:  No special epSOS consent is needed for epSOS data collection in Country A if the epSOS data are part of data already collected. If a new summary record is created specifically for epSOS normal country A rules will apply for obtaining consent for the creation of such a record.  No special epSOS consent is needed for data collection in Country B for the purpose of treatment in country B is outside the scope of epSOS, normal country B rules will apply
  24. 24. Patient Consent: epSOS (III) General epSOS consent with local confirmation:  The consent confirmation given at the PoC is valid for the given treatment eposide.  If a further access to the PS or eP is necessary the HCP will need to confirm consent again, by asking the patient again if data may be accessed and again ticking the box
  25. 25. Patient Consent: epSOS (IV) Specific epSOS consent at PoC  Once the patient has been given epSOS information at the first time of registering at a PoC, the patient is in the same position as the patient who has given a general consent in his/her home country  Therefore if a further access to PS or eP is necessary only the confirmation box will need to be completed  Note that this is valid only for the HCO which has document that epSOS information and general consent has been documented ( HCO may comprise several PoC)  If access to PS or eP is needed in another HCO in the same country B or in another country B the information will have to be given again.
  26. 26. Patient Consent : process General + Confirmation Patient obtains epSOS background information in Country A and provides a generalized prior consent. Country A stores record of general prior consent Patient is identified at PoC in country B as epSOS eligible. ID shows prior general Patient not consent exists able to confirm OR consent, HCP HCP at PoC confirms that patient is still happy ticks override for Country A record dot be accessed. Ticks box box in epSOS process to confirm. Patient is Some Country A given opportunity to revoke prior consent NCPs may not require further confirmation of HCP sends request to local NCP consent. In this case the confirmation box may be pre- poulated and a note attached HCP granted access to patient data stating that further confirmation is not required
  27. 27. Patient Consent : process consent provided at PoC Patient is identified at PoC in country B as epSOS eligible. ID shows no prior general consent exists HCP at PoC accesses relevant language and format information for patient, prints copy and asks patient sign if s/he consents Country B stores record of consent. This consent is valid only to the given HCO Patient not able to confirm Some Country A HCP at PoC ticks box in epSOS process to O consent, HCP confirm consent has been provided. Opportunity ticks override NCPs may not to revoke any prior consent. R box require written proof of consent, in this case a HCP sends request to local NCP further check box could indicate that the patient has been shown the HCP granted access to patient data information necessary for informed consent.
  28. 28. Thank you!

×