Insufficient Security of Electronic Patient Record as a Ground for Compensation
A discussion of the judgment of the European Court of Human Rights, I. versus Finland, 17 July 2008
A Finnish state hospital was sued in Finland by a former female
employee, who was also registered in the hospital as a patient.
From 1989 to 1994 the employee worked in the polyclinic for eye
diseases of the hospital, and was being treated for AIDS in the
polyclinic for infectious diseases of the same hospital. In 1992
there were indications that the colleagues in the polyclinic for
eye diseases had access, or had had access, to her record in the
polyclinic for infectious diseases. The information obtained from
the record appeared to have been a reason for the non-renewal of
the employee's employment contract. The hospital was not able
to investigate and prove who had consulted the data relating to the
employee. Only the five most recent consultations of the patient
file could be reproduced, but only at department level, not at
staff level. Furthermore, this information was always deleted as
soon as the file was returned to the archives.
The former employee claimed non-pecuniary and pecuniary damages
for the failure to keep medical information confidential. This
claim was denied both by the District Court and on appeal. The
appeal to the Supreme Court was also unsuccessful. The case was
then presented to the ECHR.
The ECHR found that the patient records in the hospital were not
adequately secured. This was not only in violation of national
privacy regulations, but also constituted a violation of the
fundamental right to privacy as enshrined in Article 8 of the
European Convention for the Protection of Human Rights. The ECHR
considered that the right to privacy is not just a right to avert
something, but that it may also require active interference by the
public authorities. The failure to implement sufficient security
measures may therefore constitute a violation of Article 8 of the
ECHR. Finland was ordered to pay compensation of €33,771.80.
The importance of this judgment is in the link that is
established between the active obligation to secure medical records
and the violation of the fundamental right to privacy. In this
case, a reliance on Article 8 of the ECHR could succeed because the
hospital was a state hospital.
The Netherlands is on the threshold of introducing the national
electronic patient record (Elektronisch Patiënt Dossier
"EPD"). The Minister of Health assumes that the EPD can
be rolled out in the fall of 2009. However, in the Netherlands too,
the security of patient records is a cause for great concern. In
November 2008 the Dutch Data Protection Authority (College
Bescherming Persoonsgegevens, "CBP") published a
critical research report in cooperation with the Healthcare
Inspectorate (Inspectie voor de Gezondheidszorg,
"IGZ"). All 20 hospitals that were involved in the
research turned out not to have adequate information security.
A comparison with the situation in Finland is therefore
unavoidable. Patient records are often too easily accessible to
staff other than the direct nursing staff. In many cases, a group
account is used, making it impossible to trace which employee has
had access to the record.
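As an added illustration (not code from the original article or from the hospital's system), the following Python models the two audit-trail designs at issue: the deficient one described above, which keeps only the last five consultations at department level and purges them when the file returns to the archive, next to an attributable per-user trail that is retained. The patient and staff identifiers, the access sequence and the shared group account are constructed.

```python
"""Constructed model of two audit-trail designs for patient-record access,
following the facts of I. v. Finland; not the hospital's own code."""
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Access:
    patient: str
    user: str        # individual staff login, or a shared group account
    department: str

class TruncatedDeptLog:
    """Deficient design: last five consultations, department level, purged on archiving."""
    def __init__(self, keep=5):
        self.keep, self.trail = keep, {}  # patient -> deque of department names
    def record(self, a):
        self.trail.setdefault(a.patient, deque(maxlen=self.keep)).append(a.department)
    def return_to_archive(self, patient):
        self.trail.pop(patient, None)  # the whole trail is lost
    def departments(self, patient):
        return list(self.trail.get(patient, []))
    def who_accessed(self, patient, outside=None):
        return []  # user identity was never recorded, so attribution is impossible

class AttributableLog:
    """Append-only, per-user trail that is retained regardless of archiving."""
    def __init__(self):
        self.trail = []
    def record(self, a):
        self.trail.append(a)
    def return_to_archive(self, patient):
        pass  # retention does not depend on the file's archive status
    def who_accessed(self, patient, outside=None):
        # Logins that read the record from outside the treating department.
        # A shared group account is returned as-is and cannot name an employee.
        return sorted({e.user for e in self.trail
                       if e.patient == patient and e.department != outside})

# Constructed sequence: the treating clinic plus two eye-clinic colleagues.
EVENTS = [Access("P1", "doc_a", "infectious"), Access("P1", "nurse_b", "infectious"),
          Access("P1", "eye_1", "eye"), Access("P1", "doc_a", "infectious"),
          Access("P1", "eye_2", "eye"), Access("P1", "nurse_b", "infectious"),
          Access("P1", "eye_1", "eye")]

def replay(log, events=EVENTS):
    """Feed the access sequence into a log and return it for querying."""
    for e in events:
        log.record(e)
    return log
```

Replaying the same seven accesses into both logs shows that the truncated trail can name at most the last five departments and nothing after archiving, while the attributable trail still answers "which logins outside the treating clinic read this record" unless those logins are a shared account.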
On the basis of the report, the CBP and the IGZ require that all
investigated hospitals have a plan of approach in place to bring
their security up to standard before 1 February 2009.
A safe introduction of the national EPD in the Netherlands is
only possible if healthcare providers can guarantee the security of
patient files. As long as the security is not in order, there is a
risk that claims for damages will also be brought in the
Netherlands because of insufficient security of medical data.
In the Netherlands Article 8 of the ECHR has a horizontal
effect. This means that a claim for damages because of violation of
Article 8 of the ECHR also has a chance of success if a private
health care institution does not have its security in order, and a
data subject suffers damage as a result. However, an injured person
may also claim damages for insufficient security of his medical
personal data pursuant to the Personal Data Protection Act. Given
the significant developments and the projected swift introduction
of the EPD, this is an important point to consider.