The most frequent infringements were: processing of data without protection or without a request for consent, omitted or unsuitable information to the interested party, failure to adopt the minimum security measures
Thursday, 09 October 2014 – Doctor33
The Guardia di Finanza is planning inspections, requested by the Privacy Guarantor, in practices of family doctors and paediatricians to verify how sensitive data relating to the health and sex life of patients are managed and archived. In the first half of 2014, by inspecting various health facilities, the yellow flames imposed fines of approximately 2 million euros and sent 24 reports to the judicial authorities. As the September Guarantor's Newsletter indicates, from inspections and disputes, the most frequent infringements were:
• processing of data without protection or without a request for consent: 6-18 month imprisonment but if the fact integrates the communication/dissemination of the data, this rises to 24 months
• omitted or unsuitable information to the data subject (article 161, fine of up to 36,000 euros),
• failure to adopt the minimum security measures due to failure to comply with the rulesannex B of the Privacy Code: article 169 of the Code provides for imprisonment of up to 24 months and the obligation to pay compensation in the event of damage to the patient.
After the departure of the programmatic document on security, suppressed by law decree 5 of 9/2/2012 art 45, annex B has not remained an empty shell. The measures reported by the Dps, relating to the types of data processed in the study, data controllers responsible and persons in charge, risks, training, or aimed at separating sensitive data from personal data, must in any case be taken, as recent guidelines of the Italian Telemedicine Society coordinated by the 'lawyer Chiara Rabbito (currently SIT representative at the European conference on e-Health, organized by the Ministry of Health during the semester of the Italian EU presidency), «to avoid omissions or oversights which could then translate into penalties provided for by law»
In addition to these measures, other rules in the Privacy Code must be observed (legislative decree 196/2003), including: calling assisted persons by arrival number and never by name so that no bystander links a state of health to an identity; no one in the room during the visit except health professionals and collaborators; collection of the patient's consent to the processing of his personal data with annotation of the answer, to be repeated if the single doctor passes into a group and other colleagues can call up the patient's data on the management system. Instead, patient data should no longer be hidden on the prescription because it is no longer done on paper but there is electronic dispatch in the Sogei or regional reception system.
Finally, the procedures for saving sensitive and personal patient data should be activated every week, the password changed every three months (and it must be "strong", i.e. made up of letters and numbers with a composition of at least eight characters) the protection programs antiviruses updated every six months and every year, the functions attributed to those in charge should be verified, with written rules (for example on the conservation of supports, disks, etc. and on what to do in the absence of the collaborator).
Mauro Miserendino
