Electronic access to and copy of medical records: how can the healthcare provider meet its broader obligations under Dutch law as of 1 July 2020?

As of 1 July 2020, new legal provisions have come into force that create obligations for healthcare providers. This concerns the entry into force of a part of the Dutch Additional Provisions for the Processing of Personal Data in Healthcare Act (in Dutch: Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg; “Wabvpz”). With the partial entry into force of these types of provisions, healthcare providers can gradually prepare for the future, in which the electronic patient file is structured in such a way that clients / patients are increasingly in control of their personal data. What exactly is stipulated in the current Articles 15d and 15e Wabvpz? What is new, compared to the General Data Protection Regulation (“GDPR”) and the Medical Treatment Contracts Act (“WGBO”)? And how do you meet these obligations as a healthcare provider?

Electronic access and copy of the medical records

Article 15d Wabvpz (freely translated):

1. If the client requests inspection or a copy of the medical records of the client concerned, or of the data concerning this client that the healthcare provider makes available via an electronic exchange system, the inspection or copy will be provided at the client's request, at reasonable intervals, by the healthcare provider by electronic means.
2. When dispensing medicines by a pharmacist, the pharmacist will, upon request, provide the client with direct electronic access to his/her medication data. At the request of the client, information about the use of self-medication provided by the client will be made available by the pharmacist via the electronic exchange system.
3. The electronic inspection referred to in the first and second paragraphs, and the electronic copies referred to in the first paragraph, will be provided free of charge.

From now on, a client (or: patient) is entitled to free electronic access to and a copy of his (or: her) medical records and data that the healthcare provider makes available to the client via an electronic exchange system. This does not mean that the access and the copy must be made provided online. The law does not impose any requirements on the form of the electronic inspection and the electronic copy. However, this concerns medical data, qualified as being "special personal data", which must be (particularly) well secured. The Decree on electronic data exchange by healthcare providers stipulates that an electronic exchange system must comply with the NEN standards NEN7510 and NEN7512. If the healthcare provider cannot (yet) safely facilitate access and copies via an electronic exchange system, the provider will have to look for other ways. For example, the explanatory note from the Minister of Medical Care Van Rijn and a letter from the Minister of Medical Care Van Rijn mention the provision of a PDF file on a USB stick or a secured e-mail containing a link to a secured website where the information is made available, as an alternative (see also about recent emailing in healthcare in our recent article about this; in Dutch). In addition, paragraph 2 of Article 15d of the Wabvpz includes specific rules regarding the exchange of data for medication and self-medication. For example, at the request of the client, the pharmacist must provide access to the medication data electronically simultaneously with the delivery of the medication. At the request of the client, the pharmacist also makes data on the use of self-medication available via the electronic exchange system. This article also makes it possible for the client to have his data supplemented with information about self-medication if desired. This data becomes available for consultation through an electronic exchange system. The log data (see below re article 15e Wabvpz) makes it clear that this concerns data that has been entered by the pharmacist. It should therefore be clear that this does not concern information about a medicine prescribed by a healthcare provider, according to the Explanatory Memorandum.

“Logging”

Article 15e Wabvpz (freely translated): Without prejudice to the provisions of Article 15 of the General Data Protection Regulation, a copy as referred to in Article 15d, first paragraph, shall contain at the request of the client the following information:

1. who made certain information available through the electronic exchange system and on what date;
2. who has accessed or requested certain information and on what date.

This provision provides that the client can request an overview of who made available, viewed or requested certain information on what date. Keeping such information is also known as “logging”. The aforementioned Decree on electronic data exchange by healthcare providers determines the standard for this logging, namely the standard NEN7513. This standard provides prescriptions for healthcare providers and their system suppliers about what exactly should be “logged” in a patient record. Among other things, this standard obliges healthcare providers to make the logged data available in a form that is understandable to the client.

Wabvpz vs. GDPR and WGBO

The Wabvpz applies in addition to the GDPR and the Dutch Medical Treatment Contracts Act (“WGBO”). If the GDPR or WGBO offers more protection, these take precedence. What about these new provisions? What had already been arranged by the GDPR and WGBO? With regard to Article 15d Wabvpz, Article 15 paragraph 3 GDPR also regulates the right to obtain an electronic copy of processed personal data, but only if the data subject submits the request electronically. Article 15d of the Wabvpz states that the healthcare provider must provide an electronic copy and an electronic inspection, regardless of the form of the client's request. The WGBO also provides for such a right to inspect and copy the file (Article 7: 456 of the Dutch Civil Code; although with possible reasonable compensation for administration costs), but the WGBO does not apply to all healthcare providers, as the Wabvpz does. The second paragraph of Article 15d, about data exchange regarding (self-)medication by pharmacists, was not yet regulated in the GDPR or WGBO. The GDPR and the WGBO also have no explicit provisions on logging. It is true, however, that in many cases logging is (or was) already the most important security method for data processing under the GDPR; especially when it concerns health data.

What should you do as a healthcare provider?

These new articles in the Dutch Wabvpz provide clients (or patients) with additional rights compared to the rights under the GDPR. From now on, electronic access and copies of the medical records and the data made available through an electronic exchange system must be provided to the client free of charge. There is also the right to inspect and exchange data about (self-)medication upon delivery of the medication and the patient can request to include information about self-medication in his or her file. Finally, the healthcare provider must keep track of who made available, viewed or requested certain information and when (logging), and provide this information to the client upon request. As a healthcare provider, it is wise to ask your software supplier how these new obligations can be fulfilled. If it is not immediately possible to provide access and/or copies via an electronic exchange system, you as a healthcare provider are obliged to provide the requested information in another secure manner, such as a secured USB stick or a secured e-mail. Without software that can be of assistance in fulfilling the aforementioned obligations, this can be a time-consuming task. Please also make sure you enter into a sufficient agreement with your software provider, among other things, to guarantee the privacy of clients. Also check whether the software meets the applicable (NEN) standards and how the provider meets the criteria contained therein. We also advise to implement a control mechanism when logging, to verify compliance with regulations by your personnel, among others. It is also prudent to draw up protocols (e.g. regarding granting access to files, dealing with data breaches and unauthorized access, and to arrange the division of tasks and responsibilities within your organization in this regard), and checking (and when necessary: to update) these repeatedly. This also to comply with applicable (privacy) legislation.

Questions?

In case you would have any questions regarding these new provisions, the GDPR, specific legal obligations for healthcare providers or software providers under Dutch law, e.g. the drafting or updating of a data protection policy or a software agreement, you can of course contact our IT & Privacy team. We are always happy to think along with you. We also offer a privacy awareness training for your staff, with which we aim to contribute to continuously drawing attention to privacy aspects in healthcare within your organization. Please do not hesitate to contact us for more information: privacy@ploum.nl.