In addition to the regulations concerning secrecy and duty of confidentiality in health and medical care that follow from the Public Access to Information and Secrecy Act (2009:400) and the Patient Safety Act (2010:659), the Patient Data Act (2008:355) contains explicit provisions to prevent unauthorised dissemination by electronic means of data relating to patients undergoing treatment. The Swedish Data Protection Authority has in a supervision project scrutinised all county councils and regions with respect to the provisions of the Patient Data Act. Within the framework of the supervision project the Swedish Data Protection Authority both identified good practices and issued decisions on improvement measures. Our experiences from the project are summarised in the following.
Need and risk analysis
A care provider is to limit users' authorisation to what is needed for the user to be able to carry out their tasks in health and medical care and to what is necessary to provide good, safe care. The care provider's decisions concerning assignment of authorisation must be preceded by a need and risk analysis.
The need and risk analysis is of crucial importance for a well-considered assignment of authorisation. If a care provider has not carried out these analyses before assigning authorisation, the care provider risks having a too extensive and coarse-meshed or even inappropriate assignment of authorisation, leading to unauthorised dissemination of patient information.
General provisions concerning security when processing personal data can be found in Article 32 of the General Data Protection Regulation. Chapter 4 of the Patient Data Act contains fundamental provisions concerning so-called inner secrecy and electronic access within care providers' activities. The explicit requirement that the care provider is to assign each user individual authorisation for access to patient data and that this must be preceded by a need and risk analysis can be found in Chapter 4 Section 2 of the National Board of Health and Welfare's regulations and general guidelines concerning patient records and processing of personal data within health and medical care (HSLF-FS 2016:40). Regarding authorisation to read information within health and medical care, it is important to also comply with relevant secrecy regulations in the Public Access to Information and Secrecy Act, but, as stated in the introduction, neither that act nor the Patient Safety Act is taken up further in this context.
Against this background, it is the Swedish Data Protection Authority's opinion that it is not sufficient for a care provider to be satisfied with stating in general terms, for example in different policy documents, that need and risk analyses are to be carried out. The care provider has instead a responsibility to ensure that structured need and risk analyses are actually carried out. As a basis for individual assignment of authorisation the care provider must therefore carry out and decide on a need and risk analysis on the basis of the patient data in the information system as such and not merely be satisfied with basing authorisation on what professional category a certain employee belongs to or that everyone with a certain type of medical licence is to have one and the same authorisation profile in the information system.
One of the care providers examined has described the basics of a need and risk analysis in an excellent way as follows.
[...] It is not permitted to give care staff access to all information in the care information systems but authorisation is to be based on the need that each professional category has within each care unit. The scope of the authorisation is to be based on a need and risk analysis with the care unit's tasks as the point of departure. The results of the need and risk analysis then form the basis for the authorisation profile that is used in the assignment of authorisation for employees at the care unit [...] The need and risk analysis is to [...] identify and list the care unit's tasks, the different professional categories who work at the unit and the tasks that the staff have at the unit. [...] Risks that arise if staff at the unit do not have access to relevant patient information are to be identified and listed in the need and risk analysis and evaluated according to the current risk analysis procedure [...]. Risks related to broad/generous access to care information are also to be identified and listed in the need and risk analysis in the same way as the above-mentioned risks. [...] The need and risk analysis is used to ensure that the authorisation profiles that exist for each area of activity are correct. [...]
A further good practice is a need and risk analysis that is carried out according to an appointment calendar in the main record system. The document in question reports an analysis of the need for and the risks associated with access to the appointment calendar, both within and outside the unit's own area of responsibility. The following section is an example.
[...] The need for access to other units' appointment calendars is judged to be small. Some members of staff may, however, work in countywide activities and need to see the appointment calendar for different areas of medical responsibility for the purposes of coordination and joint booking of appointments. Problems can arise here. This needs to be investigated further. [...]
General comments and recommendations
The Swedish Data Protection Authority has found that there are misconceptions with regard to what a care provider's obligation to limit authorisation to what is needed for the employee to be able to carry out his or her tasks in health and medical care involves. Compliance with rules in other areas does not mean that the care provider can refrain from making such limitations.
That a care provider for example trains the staff in when they may see patient information in accordance with inner secrecy (and perhaps also allows the staff to sign secrecy undertakings), gives them instructions in the form of policy documents, guidelines or other information material, or provides information about and carries out log checks does not mean that the care provider does not need to comply with the requirement that assignment of authorisation is to be preceded by a substantial need and risk analysis. Nor does patients having a statutory right to block access to information relating to them free a care provider from the requirement to conduct a need and risk analysis.
The Swedish Data Protection Authority gives a few examples of considerations that are appropriate for inclusion in a need and risk analysis below.
- The care provider needs to make clear and concretise staff's different assignments in scope and content, taking the following three perspectives into account.
  - Define different categories of staff on the basis of the employee's professional category, specific tasks, work procedures and workplace.
  - The basis for this should be the actual tasks that are carried out or are to be assigned to the employee. If all health and medical care staff are stated to need general access to patient data to be able to carry out their tasks, no individual assignment of authorisation has been made. Nor is basing authorisation on type of medical licence sufficient to satisfy the requirement for individual assignment of authorisation.
  - Establish the need to access patient information in different kinds of care activities on the basis of work methods, scope and assignment.
  - Assess whether there are patient data or patient groups that need special protection on the basis of care/diagnosis, on the basis of the patient him- or herself (for example in the case of protected personal data) and on the basis of care unit or medical specialty.
- Ask: when can the need for patient-related information be satisfied through information that can only indirectly be traced to patients?
The care provider also needs to apply the above considerations with regard to all employees who see patient information, that is to say also those who work with overall follow-ups, preparation of statistics, central financial administration, technical operation and other tasks not primarily related to the care of patients.
In addition to these points, the care provider also needs to analyse what can be required on the basis of the special circumstances of each individual case.
Investigation of unauthorised access in connection with access control
A care provider is to ensure that access to such data relating to patients that is registered partly or entirely by automated means is documented and that it can be checked. The care provider shall also make systematic recurrent checks of whether any person accesses such information without authorisation. The rules in the Patient Data Act concerning checks of access to patient data are made clear in Chapter 4 Section 9 of HSLF-FS 2016:40. The Swedish Data Protection Authority has drawn up a checklist for systematic log follow-ups (dated October 2010) to support care providers. These recommendations complement the checklist.
In the Swedish Data Protection Authority's opinion, log follow-ups are ineffective unless the care provider has issued guidelines to the staff who make assessments in connection with the log checks concerning what may constitute unauthorised electronic access under the regulations on inner secrecy. Should such guidelines not exist, care providers risk inner secrecy being disregarded. The Swedish Data Protection Authority has therefore in the supervision project looked for the care providers' guidelines for supporting the staff who conduct the log checks.
The supervision project showed that most care providers have no or inadequate guidelines for the staff who conduct the log checks but there are also some care providers who have given staff good guidance. There are for example guidance documents that describe different circumstances to which particular attention should be paid during the checks. Below follow points that constitute good practice on the part of care providers.
- Unusual pattern, or a pattern that breaks the normal pattern, frequency or routine (the Swedish Data Protection Authority notes, however, that this presupposes that the care provider has a method or procedure for relating unusual patterns to what the care provider considers to be normal patterns).
- Name or kinship that may indicate a private affinity.
- Persons of media interest.
- Patient with a diagnosis that may attract particular interest.
- Local knowledge of a person that indicates or gives reason to suspect interest in information that extends beyond permitted purposes.
- Has read own, husband's, wife's, or child's/children's records.
- Lex Maria-reports.
- Persons with protected personal data.
Some care providers supplement their guidelines with questions that the person conducting the log check should ask the employee who is the subject of the log check. The following are examples of questions that may be asked.
- Why did the employee seek information about this patient?
- Does the employee know the patient or does he or she have another connection to the patient?
- What information was used and for what purpose?
- Is the employee aware of the regulations laid down in the Patient Data Act?
In the Swedish Data Protection Authority's opinion, the combination of circumstances to pay particular attention to and a number of questions to be answered gives a good basis for a member of staff who is to investigate whether an occurrence of access was unauthorised.
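As an added illustration (not part of the Authority's guidance and not any care provider's system), the following Python example applies the circumstances listed above to a constructed access log: reads of the employee's own record, shared surnames as a kinship indicator, patients with protected personal data or media interest, access to another care unit's patients, and a frequency that exceeds what the care provider has defined as normal for the unit. The log format, the units and the per-unit baseline are all assumptions made up for the example.

```python
from collections import defaultdict

# Constructed sample access log (not real data). Space-separated fields:
# timestamp user user_pnr user_unit user_surname patient_pnr patient_unit patient_surname flags
SAMPLE_LOG = """\
2024-05-02T08:01 u101 700101-0001 unitA Berg 800202-0002 unitA Lund -
2024-05-02T08:05 u101 700101-0001 unitA Berg 800303-0003 unitA Berg -
2024-05-02T08:09 u102 690404-0004 unitB Ek 690404-0004 unitB Ek -
2024-05-02T08:12 u103 710505-0005 unitA Dahl 750606-0006 unitC Sjo protected
2024-05-02T08:20 u104 720707-0007 unitB Ahl 760808-0008 unitB Nyman media
2024-05-02T08:31 u104 720707-0007 unitB Ahl 770909-0009 unitB Holm -
2024-05-02T08:33 u104 720707-0007 unitB Ahl 781010-0010 unitB Wik -
2024-05-02T08:35 u104 720707-0007 unitB Ahl 791111-0011 unitB Lind -
"""

# Constructed baseline: how many distinct patients a user at each unit normally
# opens per day. The care provider must decide this from its own need analysis;
# an unknown unit gets 0, so every access there is flagged for review.
NORMAL_PATIENTS_PER_DAY = {"unitA": 10, "unitB": 2}

def parse(log_text):
    keys = ("ts", "user", "user_pnr", "user_unit", "user_surname",
            "patient_pnr", "patient_unit", "patient_surname", "flags")
    return [dict(zip(keys, line.split())) for line in log_text.splitlines() if line.strip()]

def review(log_text, baseline=NORMAL_PATIENTS_PER_DAY):
    """Return {record index: [reasons]} for accesses the log checker should investigate."""
    records = parse(log_text)
    patients_per_user = defaultdict(set)
    for r in records:
        patients_per_user[r["user"]].add(r["patient_pnr"])
    findings = {}
    for i, r in enumerate(records):
        reasons = []
        if r["user_pnr"] == r["patient_pnr"]:
            reasons.append("own record")
        elif r["user_surname"] == r["patient_surname"]:
            reasons.append("shared surname, possible kinship")
        if r["patient_unit"] != r["user_unit"]:
            reasons.append("patient belongs to another care unit")
        if "protected" in r["flags"]:
            reasons.append("patient has protected personal data")
        if "media" in r["flags"]:
            reasons.append("patient of media interest")
        if len(patients_per_user[r["user"]]) > baseline.get(r["user_unit"], 0):
            reasons.append("more distinct patients than normal for the unit")
        if reasons:
            findings[i] = reasons
    return findings
```

Each flagged record is only a starting point: the questions listed above still have to be put to the employee, and the access judged against the tasks the care provider has actually assigned to that person.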
General comments and recommendations
The care provider should provide clear guidance to members of staff who conduct log checks in order for them to be able to accomplish effective log checks methodically and consistently. The care provider's procedures for checking logs should be able to provide answers to whether the access to patient information under scrutiny was justified or not considering the assignment of the care unit in question, work methods and organisation, and taking into account the tasks that the care provider has assigned to the employee.
The care providers use terms such as for example 'unusual pattern', 'illicit access', 'unauthorised access' and similar expressions to a great extent without explaining them further. The care providers need to be clearer about what such expressions refer to. It is important that members of staff who conduct log checks have common points of departure regarding what constitutes unauthorised access in the eyes of the care provider. The care providers should also be clearer about how investigative work is to be carried out, for example by drawing up a number of questions to be answered during the check as described above. The access also needs to be put in relation to the tasks assigned to the employee by the care provider.
To summarise, the care provider is responsible for ensuring that the log checks are carried out in a systematic fashion regardless of what member of staff performs the log check. Each care provider is responsible for ensuring that consensus exists within the organisation on what is to be checked, how and when this is to be done, and what is to be deemed to be unauthorised accessing of patient data.
If the information in other languages differs from the Swedish version, it is the Swedish version that applies.