Mædica. 2024 Jun;19(2):298–302. doi: 10.26574/maedica.2024.19.2.298

Analysis of GDPR Compliance in Utilizing Personal Data for Public Health Purposes in Romania

Iulian NASTASA 1, Florentina-Ligia FURTUNESCU 2, Dana-Galieta MINCA 3
PMCID: PMC11345071  PMID: 39188846

Abstract

Objective:

The General Data Protection Regulation (GDPR), which became effective on May 25, 2016, underscored the significance of confidentiality across various economic and social domains. Within the medical sector, confidentiality of patient health information is meticulously governed by laws, e.g., no. 95/2006 and no. 46/2003. While these laws address numerous privacy aspects within the doctor-patient relationship, it becomes necessary to update them to align with the latest advancements in emerging technologies, particularly in the context of telemedicine.

Material and methods:

Upon reviewing the overview of rules pertaining to health data processing in Romania, as published by the European Data Protection Board (EDPB) in 2021, and comparing it with the current public health and research laws in Romania, it becomes apparent that there is a regulatory gap concerning the secondary use of health data.

Results:

This gap is particularly notable in terms of planning, managing and enhancing the healthcare system, as well as utilizing such data for scientific and historical research purposes, leading to the necessity of developing and regulating the European Health Data Space.

Conclusion:

Although steps have been taken to align the GDPR legislation in Romania, there is still a disproportionality in the regulation of privacy and cyber security with the implementation of new technologies that will collect, process and store sensitive medical data.


Keywords: GDPR, confidentiality, sensitive data, public health, GDPR compliance, medical education.

INTRODUCTION

The origins of confidentiality trace back to November 4, 1950, with the initial signing of the European Convention of Human Rights. The emphasis on privacy gained prominence in Convention 108, known as the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, signed in 1981. This convention was later adopted as Directive 95/46/CE, becoming a mandatory requirement for all European Union (EU) members or prospective members seeking EU accession.

Romania signed the Treaty of Accession to the EU in 2005 and officially became an EU member state in 2007. A crucial condition for membership was the adoption of a national law and the establishment of an agency to oversee all personal data processing activities. Consequently, Romania updated Law No. 677/2001, pertaining to data protection and the freedom of movement, and enacted Law No. 102/2005, which created the National Supervisory Authority for Personal Data Processing. This authority was later repealed by Law 129/2018. Furthermore, Law No. 677/2001 was replaced by (1) Law No. 190/2018, which implemented (2) the General Data Protection Regulation (679/2016) in Romania and introduced specific limitations and derogations. Some of these derogations faced criticism (3) from the President of the European Data Protection Board due to their granting political parties (private organizations) unrestricted access (4) to personal data without explicit consent. Notably, a significant derogation pertained to the freedom to process personal data for academic, research, journalistic, and filing purposes.

The GDPR introduced several enhancements, including technical measures such as pseudonymization, encryption, confidentiality, availability and resilience of processing. Another crucial aspect is the continuous testing, assessment and evaluation of the effectiveness of both technical and organizational measures taken to ensure processing security. Monitoring and testing all measures set forth by the GDPR impose an obligation to report any incidents within 72 hours of awareness, a requirement also stipulated by the NIS Directive, which came into force in December 2018.

MATERIAL AND METHODS

The progression of digitization and the adoption of new technologies have sparked concerns regarding the privacy implications of processing and transferring health data across various devices and servers that house comprehensive information. It is imperative for the Romanian Government to stay abreast of emerging technologies and align its legislation with EU regulations and directives. According to EU studies (5), Romania lags behind in implementing all privacy requirements, necessitating prompt action to address this disparity.

This analysis underscores the necessity for regulations pertaining to the secondary use of health data, particularly in the realms of planning, managing and enhancing the healthcare system, as well as leveraging data for scientific research purposes. Key regulations that require updating or elaboration include the utilization of health data and monitoring devices post-market introduction, the exchange of electronic health data for international medical procedures and the incorporation of all GDPR requirements into national laws. The latter is crucial to avoid confusion during GDPR implementation and to eliminate unnecessary data processing stipulated in outdated national laws.

The research methodology employed involves a documentary review, with the EU overview of regulations governing health data processing in Romania serving as the foundational point for analysis. This comprehensive overview was published by the European Commission on February 22, 2021, and subsequently updated to incorporate additional data processing regulations and laws that became effective until November 2023.

RESULTS

The EU overview identifies three primary purposes (6, 7) for processing health data in Romania: I) providing health and social care services; II) planning, managing and improving the healthcare system; and III) scientific or historical research.

The first purpose is well-regulated (8-12) and aligns with the GDPR standards. However, the secondary use of personal health information, which is crucial for the second and third purposes, presents a regulatory gap.

Upon correlating the existing national regulations and laws applied until November 2023 with the EU overview, three main differences emerged:

1) providing digital health services:

• Law No. 45/2019 (13), which amends Law 95/2006 (establishing the Electronic Health System)

• Government Decision 196/2020, regulating telemedicine (14)

• Order of the Health Minister no. 1584/2023 (15)

2) management and improvement of the healthcare system:

• Government Decision 11/2015, modifying Law 95/2006 (establishing and defining the role of the National Agency for Management and Quality in the Healthcare System)

• Law 185/2017, establishing the management of quality in the healthcare system (16)

• Law No. 134/2019, creating the National Agency for Medicine and Medical Devices in Romania (17)

• Order of the Health Minister No. 1466/2008, defining the control of transmissible diseases (18)

3) scientific research:

• Article 3 of Law No. 190/2018, restricting the use of health data for purposes other than public health.

In reviewing patient rights according to the GDPR, it is evident that legal restrictions exist (19), which limit patients in exercising certain rights.

DISCUSSION

Romania, Cyprus and Belgium stand out as the only EU countries lacking specific legislation addressing the use of health data for the management and enhancement of healthcare quality. While Romania does have a national health quality management agency, it primarily focuses on evaluating and accrediting sanitary units. Notably, this agency also ensures GDPR compliance during its evaluation processes.

The EU overview indicates a widespread absence of regulation in most member states concerning the monitoring of medical device safety and pharmacovigilance. Furthermore (20), there is a significant gap in the regulation of the secondary use of health data for public and third-party research purposes across the EU. This gap is crucial for advancing medical technologies and treatments in the next generation.

In Romania, the monitoring of authorized medical devices in the healthcare system lacks specific regulation. Instead, patient consent, data privacy assessments (DPA) and approvals from ethics committees are relied upon for research purposes. With the introduction of two new rights under the GDPR – the right to erasure ("the right to be forgotten") and the portability right – there is a need for adopting new technical measures and procedures to ensure compliance with these rights.

While almost all EU countries, except Latvia, collect and process health data through automated means, the implementation of the portability right, as outlined in Article 20 of the GDPR, is typically initiated only upon patient request. Across 70% of the EU, the right to erasure faces challenges due to other national laws restricting the deletion of patient data.

In Romania, these challenges are addressed through the Electronic Health Record (DES), although it is not yet fully operational for all citizens. However, it has been designed to anonymize and export data. The portability of patient data is facilitated by the national healthcare system using the national health card, storing comprehensive personal health histories. Unfortunately, the data cannot be exported in an internationally standardized format, hindering a patient's ability to carry their complete digital medical history file when traveling abroad. Some steps were taken in January 2023, when national legislation modification number 21/2023 included a pilot project to identify solutions for mobile and digital transformation. In May 2023, Order of the Health Minister no. 1584/2023 was published (21), benchmarking teleradiology and imposing privacy and security measures for protecting personal health data. At the end of 2023, Law no. 351 stated that health care providers should keep digital documents containing patient data secure.

Considering the global interest in the evolution of health technologies, regulatory frameworks should be established to encourage innovation through public-private research partnerships. The exchange of relevant health information is essential for testing, improving technologies, and developing superior medical devices.

CONCLUSION

This study underscores that while the Romanian healthcare system aligns with the GDPR, considerable strides are imperative to address the regulatory gaps concerning the secondary use of health data for the enhancement of the national medical system and scientific research. Despite the myriad benefits introduced by gadgets and smartphones into our daily lives, their capacity to collect extensive data on our routines and health parameters introduces a potential concern. The regulation of telemedicine and eHealth technologies in Romania is particularly noteworthy, bringing to light issues related to privacy and cybersecurity in the collection, processing, and storage of personal health information.

A significant challenge persisting across the EU is the establishment of an interoperability standard encompassing all member states. A robust health network capable of securely and swiftly transferring data to any healthcare provider is crucial to prevent each patient from becoming a potential cybersecurity target. This emphasizes the necessity for a comprehensive and secure data exchange infrastructure to safeguard patient privacy and data integrity across the European healthcare landscape. These studies highlighted the necessity of developing the European Health Data Space (EHDS) to securely share health data between member states and also support research and innovation (secondary use of data) in healthcare.

Conflicts of interest: none declared.

Financial support: This study was funded by “Carol Davila” University of Medicine and Pharmacy, Bucharest, Romania, through the institutional program “Publish not Perish”.

TABLE 1. EU overview regarding the GDPR compliance of Romanian rules for processing health data

TABLE 2. Patients' rights according to GDPR and national laws

Contributor Information

Iulian NASTASA, Department of Management & Public Health, “Carol Davila” University of Medicine and Pharmacy, Bucharest, Romania.

Florentina-Ligia FURTUNESCU, Department of Management & Public Health, “Carol Davila” University of Medicine and Pharmacy, Bucharest, Romania.

Dana-Galieta MINCA, Department of Management & Public Health, “Carol Davila” University of Medicine and Pharmacy, Bucharest, Romania.

References

  • 1. European Commission. EU Member States’ rules on health data in the light of GDPR. Available from: https://ec.europa.eu/health/sites/default/files/ehealth/docs/ms_rules_health-data_annex_en.pdf, last accessed on 10.05.2023.
  • 2. European Data Protection Board. Orientations and guidance regarding application development for COVID-19 [Internet]. 2020. Available from: https://edpb.europa.eu/sites/default/files/files/file1/edpbletterecadvisecodivappguidance_final_ro.pdf, last accessed on 10.05.2023.
  • 3. European Data Protection Board. General Data Protection Regulation (GDPR) [Internet]. 2016. Available from: https://eur-lex.europa.eu/eli/reg/2016/679/oj, last accessed on 11.05.2023.
  • 4. European Data Protection Board. Guidance for privacy while using application for Covid-19 [Internet]. 2020. Available from: https://eur-lex.europa.eu/legal-content/RO/TXT/PDF/?uri=CELEX:52020XC0417(08)&from=EN, last accessed on 10.05.2023.
  • 5. Romanian Parliament. Law 95/2006 [Internet]. 2015. Available from: https://legislatie.just.ro/Public/DetaliiDocument/71139, last accessed on 10.05.2023.
  • 6. Romanian Parliament. Law 46/2003 [Internet]. 2020. Available from: https://legislatie.just.ro/Public/DetaliiDocument/41483, last accessed on 10.05.2023.
  • 7. Romanian Parliament. Law 487/2002 [Internet]. 2012. Available from: https://legislatie.just.ro/Public/DetaliiDocument/37898, last accessed on 10.05.2023.
  • 8. Romanian Government. Decision 355/2007 [Internet]. 2012. Available from: https://legislatie.just.ro/Public/DetaliiDocument/82130, last accessed on 11.05.2023.
  • 9. Romanian Government. Decision 1/2000 [Internet]. 2014. Available from: https://legislatie.just.ro/Public/DetaliiDocument/20639, last accessed on 11.05.2023.
  • 10. Romanian Parliament. Law 16/1996 [Internet]. 2014. Available from: https://legislatie.just.ro/Public/DetaliiDocument/7937, last accessed on 11.05.2023.
  • 11. Health Minister. Decision no. 1410/2016 [Internet]. 2016. Available from: https://legislatie.just.ro/Public/DetaliiDocument/184664, last accessed on 11.05.2023.
  • 12. Romanian Parliament. Law 45/2019 [Internet]. 2019. Available from: https://legislatie.just.ro/Public/DetaliiDocumentAfis/211755, last accessed on 12.05.2023.
  • 14. Romanian Parliament. Law 185/2017 [Internet]. 2017. Available from: https://legislatie.just.ro/Public/DetaliiDocument/191668, last accessed on 12.05.2003.
  • 15. Romanian Parliament. Law 134/2019 [Internet]. 2019. Available from: https://legislatie.just.ro/Public/DetaliiDocumentAfis/216129, last accessed on 14.05.2023.
  • 16. Romanian Parliament. Law 190/2018 [Internet]. 2018. Available from: https://legislatie.just.ro/Public/DetaliiDocument/203151, last accessed on 14.05.2023.
  • 17. Health Minister. Decision no. 1466/2008 [Internet]. 2008. Available from: https://insp.gov.ro/wpfb-file/ordin-1466-2008-pentru-aprobarea-circuituluiinformational-al-fisei-unice-de-raportarea-bolilor-transmisibile-pdf/, last accessed on 15.05.2023.
  • 18. Romanian Government. Decision 1414/2009 [Internet]. 2009. Available from: https://insp.gov.ro/legislatie/, last accessed on 15.05.2023.
  • 20. Busnatu Ș, Niculescu A-G, Bolocan A, et al. Clinical Applications of Artificial Intelligence—An Updated Overview. J Clin Med. 2022;19:298. doi: 10.3390/jcm11082265.
  • 20. Miller RE, Leary A, Scott CL, et al. Order of the Health Minister no. 1584/2023. Available from: https://legislatie.just.ro/Public/DetaliiDocumentAfis/270243, last accessed on 17.12.2023.

Articles from Mædica are provided here courtesy of Amaltea Medical, Editura Magister
