Out-Law Analysis 8 min. read
29 Sep 2023, 10:38 am
Legislation under consideration by the Irish government would introduce an integrated approach to patient data across healthcare services in Ireland for the first time – with far-reaching consequences for patients, professionals, providers and public health.
Ireland’s current health information system lags behind comparable countries, and reform is pushed both at domestic and EU level. The Health Information Bill 2023 – the General Scheme of which was approved by the government in April – is a crucial turning point for the healthcare sector, giving Ireland a chance to catch up and keep up, in the interests of all patients, clinicians, healthcare institutions and the health of the population as a whole.
This week, the Irish government confirmed the Bill's inclusion on its list of priorities for the Dáil in the coming legislative session, so we can expect publication of a full draft in the coming months. The update also confirmed that pre-legislative scrutiny of the provisions is complete.
There is currently no integrated approach to patient data in Ireland. Individual providers and organisations collect and store their own patient data, and all take different approaches. Most public hospitals still use physical paper records. Clinicians typically have no direct access to key patient information collected in another setting. They are frequently in the dark about medical histories, allergies and recent procedures if that information is stored in another practice or hospital.
This has long presented problems for care delivery, as well as broader purposes like research and health service planning.
Similarly, Ireland has no comprehensive data on population health: how many people are suffering from chronic illnesses; trends in GP visits; reasons for admissions to emergency departments; or types and volumes of medicines prescribed in various healthcare settings. In particular, the explanatory notes to the General Scheme of the Bill identify the private healthcare sector as an information “black hole”. This is having a chilling effect on research, with knock on effects for innovation and improvements to care.
Overall, the disjointed and scattered nature of health data in Ireland is undermining efforts to manage and plan for the population’s changing healthcare needs. Creating a modern health information system is a key tenet of Sláintecare – Ireland’s ten-year action plan to reform its healthcare system – and will be necessary to meet the demands of the new European health data space, an EU wide initiative to link health data sets across member states.
The Bill proposes a new legislative framework for the collection, storage, sharing and use of patient data in all healthcare settings, including:
One of the most important new proposals is the creation of a national register of electronic patient summaries called summary care records. These will contain a digital summary of an individual’s key medical history and current health status including allergies, recent procedures and underlying conditions. This will allow healthcare professionals will be able to access a patient’s most important health information at the point of care.
The creation of accessible electronic health summaries is the first step to linking patient health data across healthcare settings in Ireland, and mirrors systems already implemented across the UK and much of Europe.
The shared care record is a more ambitious proposal that will enable health service providers to share full patient records for the purpose of treatment across different healthcare settings and locations. Unlike the summary care record, shared records will remain the responsibility of the provider who created them, but with a direct mechanism to share them with another provider treating the patient in another setting. In short, each clinician treating the patient maintains their own records but will have read only access – via an electronic platform – to records existing elsewhere, like another GP practice or hospital.
By putting reforms on a statutory footing with dedicated national leadership, it is hoped that this new legislation will accelerate progress [on integrated access to electronic patient health information] across the board
The primary objective hers the same as the summary care record – using information technology to enable those providing care to have better access to relevant and necessary patient information. What’s different is that the shared care record involves detailed medical records and intends to work on a decentralised model of storage – essentially a viewing platform hosted by the Health Service Executive to link scattered datasets rather than a centralised database. Clinicians will need patient consent to use the platform to view records stored elsewhere.
It is envisaged that, in time, the shared care record will evolve into an Electronic Health Record (EHR). Instead of patient information being accessible to view in separate records held by individual providers, all records will be held in one central place. Individual providers such as GPs and hospitals will share access and be able to input into the EHR in real time. It is anticipated that these records will initially focus on information held by GPs, hospital, and pharmacies, but in time, expand to a wider range of healthcare providers like opticians, dentists and specialist clinics.
Sitting alongside these proposals is a new ‘duty to share’, requiring healthcare providers to share relevant health information with others involved in the care of a particular patient. This new duty addresses the current reality that healthcare providers are generally reluctant to share data for many reasons, but particularly due to perceived data protection concerns.
The General Scheme’s drafting notes emphasise the need for more effective, dedicated national leadership on the use of healthcare information in Ireland. It acknowledges various options for that role, including reliance on existing institutions or the creation of a new statutory body.
For drafting purposes, the General Scheme creates a new body, the National Health Information Authority, but this position is likely to evolve as the legislation progresses and it is likely that some or all of the responsibilities of this new body may be assigned to or become shared across existing institutions.
The Authority will have the power to require healthcare providers to provide health data for “relevant purposes” that promote the goals of the health service, such as:
This is one of the most important powers in the legislation as it facilitates, for the first time, the mandatory collection of health data on a mass scale for ‘secondary’ purposes beyond the care and treatment of individuals.
Built into the Authority’s powers are mechanisms to facilitate information sharing with third parties with legitimate interests – for example, researchers. The provisions have been drafted to align with the proposed EU Regulation on the European Health Data Space, which intends to bring together European health datasets on similar terms.
It is hoped that these functions will facilitate a better understanding of population health and inform better planning and development of health services in Ireland, as well as addressing the information gap in the research sector and aligning our health information system more closely with European standards.
Data protection concerns have been at the forefront of the conversation around our health information system and will continue to inform this legislation as it moves through the drafting process. Importantly, health data is “special category” data under the EU General Data Protection Regulation (GDPR), and so afforded a heightened level of protection with more stringent rules.
The collection and storage of health data, particularly in a centralised way, can create considerable risk. The HSE ransomware attack in 2021 – commonly understood to be the largest known cyber attack against a health information system – reminded institutions in Ireland of the possible consequences of failing to meet that risk.
It is clear from the General Scheme that the proposals around the collection, use and sharing of health data have been informed by substantial engagement with the Data Protection Commission, which will likely continue over the coming months. The result is extensive consideration, throughout the General Scheme, of the legal bases for the processing of health data across healthcare providers, state institutions and third parties. Built into the provisions are a wide range of data safeguarding measures including transparency and data minimisation requirements, robust security arrangements, and various restrictions on how data can be used.
A new advisory position, the National Health Information Guardian, will guide the government and industry stakeholders on data confidentiality, security and safeguarding issues going forward.
Patient autonomy is at the forefront of several proposals. The Bill establishes a legislative basis for processing health data contained in the summary care record based on the public interest rather than consent of the data subjects. This is a population-inclusive approach that facilitates the creation of summary care records without individual patient consent. However, consent will be required for a given provider to access the summary care record, giving patients autonomy over their data and the opportunity to opt-out at the point of care. Practitioners will similarly require patient consent to view an individual’s health information via the EHR and shared care record.
In all circumstances, use of records will only be permitted by the provider who accesses it for the care and treatment of the relevant individual, and not for purposes such as research without explicit consent. Health information made available to the Authority for secondary purposes is subject to pseudonymisation, anonymisation and transparency requirements.
The General Scheme also proposes new measures to ensure that an individual can access their summary care record electronically. In particular, the HSE will be required to put in place measures to enable accessibility where an individual requires assistance, for example due to age or lack of capacity.
Under the current system, gaps in electronic record keeping and variation in approaches taken by different providers create a range of obstacles to access. According to the Health and Information Quality Authority, Ireland is one of just two countries in the EU without a system that provides patient access to electronic records. This proposal is the first step to allowing patients better access to their own medical records, in line with the objectives of Sláintecare and evolving European policy.
The glaring question is whether Ireland’s current healthcare infrastructure can adapt to meet the demands of this new framework. Significant infrastructure is required to create and run the centralised database required for the summary care record and the technology necessary to facilitate the shared care record, among the rest of the Bill’s proposals.
Before we get there, most individual providers will need to undergo extensive modernisation. The reality is that many healthcare settings – notably most public hospitals – still rely on paper record keeping and serious initial investment in infrastructure, personnel and training will be required to move to digital ways of working.
This process has already been initiated by various stakeholders and pushed, in particular, by the implementation of Sláintecare. However, change has been criticised as too slow. By putting reforms on a statutory footing with dedicated national leadership, it is hoped that this new legislation will accelerate progress across the board.
Co-written by Charlotte Bowen of Pinsent Masons
30 Sep 2022