
Legal Regulation of Electronic Health Records: A Comparative Analysis of Europe and the US


Abstract

This chapter critically analyses the legal and regulatory framework for electronic health records in Europe and the US. In both parts of the world, the development of electronic health records is evolving quickly. Various approaches have proven to be possible and they have resulted in different electronic health record solutions and regulatory instruments. In Europe governmental bodies have been the driving force behind the development and implementation of electronic health records. Consequently many European countries established a new legal framework simultaneously with the roll-out of government-initiated eHealth structures. In the US the driving force was—up to now—not so much the government, but rather the private sector, in particular insurance companies and healthcare organisations. This resulted in a strong focus on personal health records. In 2009 however, the US government issued the largest stimulus package ever in order to encourage the adoption of electronic health record solutions.


Notes

  1. McCarthy (2010).
  2. European Council (2000), Presidency Conclusions. Lisbon European Council. 23–24 March, 2000.
  3. Communication from the Commission, e-Health—making healthcare better for European citizens: An action plan for a European e-Health Area, 2004 http://ec.europa.eu/information_society/doc/qualif/health/COM_2004_0356_F_EN_ACTE.pdf (last accessed 9 April 2012).
  4. A digital agenda for Europe, 26 August 2010, COM(2010) 245; EUROPE 2020—A strategy for smart, sustainable and inclusive growth, COM (2010) 2020.
  5. For more information on the planned actions, see: http://ec.europa.eu/information_society/digital-agenda/index_en.htm (last accessed 9 April 2012).
  6. The European working group Member States’ Data Protection Authorities.
  7. Working Paper nr 131, 17: with regard to the third alternative, the Art. 29 Working Party refers to the French system.
  8. Nat’l Alliance for Health Info. Tech. (2008) Defining Key Health Information Technology Terms 6 http://healthit.hhs.gov (last accessed 9 April 2012).
  9. Carl (2010).
  10. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996).
  11. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data: http://ec.europa.eu/justice_home/fsj/privacy (last accessed 9 April 2012) and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm (last accessed 9 April 2012); Kuner (2007).
  12. An overview of the status of implementation of the Directive 95/46/EC is available from the European Commission’s website: http://ec.europa.eu/justice_home/fsj/privacy (last accessed 9 April 2012).
  13. Korff (2001); European Commission, First report on the implementation of the Data Protection Directive (95/46/EC), COM(2003)265final, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52003DC0265:EN:NOT (last accessed 9 April 2012); Dumortier (2009).
  14. http://www.notisum.se/rnp/SLS/lag/19980204.HTM (text of the new law in Swedish, last accessed 9 April 2012); A short summary of the governmental proposal is available in English at http://www.sweden.gov.se/content/1/c6/01/55/42/24980a18.pdf (last accessed 9 April 2012).
  15. Article 29 Data Protection Working Party, WP 136, Opinion 4/2007 on the concept of personal data http://ec.europa.eu/justice_home/fsj/privacy (last accessed 9 April 2012).
  16. Example 12 in Opinion 4/2007 on the concept of personal data.
  17. The requirement of a “written” consent (instead of an “explicit” consent as required in Art. 8.2 a) of the European Directive) is probably not compliant with the Directive. In its judgment of 6 November 2003 in Case C-101/01 (Lindqvist), the European Court of Justice, on the question “Can a Member State provide more extensive protection for personal data or give it a wider scope than the directive”, decided “that measures taken by the Member States to ensure the protection of personal data must be consistent both with the provisions of Directive 95/46 and with its objective of maintaining a balance between freedom of movement of personal data and the protection of private life. However, nothing prevents a Member State from extending the scope of the national legislation implementing the provisions of Directive 95/46 to areas not included in the scope thereof provided that no other provision of Community law precludes it”.
  18. Processing of Personal Data Protection of the Person Law of 2001.
  19. See art 1, par 2, n°1 as opposed to n°2 Bundesdatenschutzgesetz I 1977, 201; See also Beier B (1982) Prototype of the realization of data protection measures in the field of medicine. IEEE.
  20. Opinion of the European Data Protection Supervisor on the Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions—“A comprehensive approach on personal data protection in the European Union”, 18 January 2011, available online at: http://www.edps.europa.eu/EDPSWEB/edps/cache/off/EDPS/Publications (last accessed 9 April 2012).
  21. Art 16 Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the European Community, as ratified on 1 December 2009.
  22. Nys and Goffin (2008); Dumortier (2009).
  23. Finnish Act on Status and Rights of the Patients 1992/785.
  24. Law Concerning Medical Treatment, WGBO in Dutch, consisting of artt 7:446-7:468 NBW.
  25. Nys and Goffin (2008); For more details see http://europatientrights.eu/general_overview_patient_rights_legislation.html?LAN=E (last accessed 9 April 2012).
  26. Nys and Goffin (2008).
  27. 381 U.S. 479, 484.
  28. 539 U.S. 558.
  29. 497 U.S. 261.
  30. See Whalen vs Roe, 429 U.S. 589, 599 of 1977 and United States vs Westinghouse Elec. Corp., 638 F.2d 570, 577 (3rd Cir. 1980).
  31. Nationwide Privacy and Security Framework For Electronic Exchange of Individually Identifiable Health Information, Office of the National Coordinator for Health Information Technology, U.S. Department of Health and Human Services, 15 December 2008, 2–3.
  32. Executive director of the World Privacy Forum, a US based nonprofit public interest research group, more information is available on their website: http://www.worldprivacyforum.org/ (last accessed 9 April 2012).
  33. Hobson (2009).
  34. HIPAA of 1996, 42 U.S.C. §1302d; 45 C.F.R. §146.103.
  35. McCarthy (2010).
  36. 45 C.F.R. §160.102.
  37. Beaver and Herold (2004), pp. 50–51.
  38. Philips (2010).
  39. McCarthy (2010).
  40. Caldarella (2010).
  41. Federal Trade Commission, Enforcing Privacy Promises: Section 5 of the FTC Act, 15 U.S.C. §45, 2006.
  42. See for example CVS Caremark Corp., F.T.C. File No. 072-3119, Comp., 18 February 2009.
  43. McCarthy (2010).
  44. Google decided to end the Google Health application in 2011.
  45. Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, Office of the National Coordinator for Health Information Technology, U.S. Department of Health and Human Services, 15 December 2008, preamble.
  46. Law of 21 August 2008 establishing and organizing the eHealth-platform, Moniteur belge (Official Gazette) of 13 October 2008.
  47. Verhenneman (2011); F. Robben, “De extramurale zorgkluis”, presentation at Interministeriële Conferentie Volksgezondheid, 6 juni 2011, available online in Dutch: http://www.law.kuleuven.be/icri/frobben/wp/index.php/presentations (last accessed 9 April 2012).
  48. Robben (2010a).
  49. Empfehlungen zur ärztlichen Schweigepflicht, Datenschutz und Datenverarbeitung in der Arztpraxis, published in 105 Deutsches Ärzteblatt (DtÄBl.) 19, p. A1026 of May, 9th 2008, available at http://www.bundesaerztekammer.de/downloads/Empfehlung_Schweigepflicht_Datenschutz.pdf (last accessed 9 April 2012) and technical attachment Technische Anlage, available at http://www.aerzteblatt.de/v4/plus/down.asp?typ=PDF%26;id=2316 (last accessed 9 April 2012).
  50. Art. 291a SGB V.
  51. http://www.heise.de/newsticker/Elektronische-Gesundheitskarte-Befreites-Dokument-wirft-Fragen-auf--/meldung/81575 (last accessed 9 April 2012).
  52. Article 68 of SGB V.
  53. So does BKK Bertelsmann.
  54. So does KKH.
  55. Client Data Act 2007/159.
  56. More information about the eHealth Foundation can be found at: http://www.e-tervis.ee (last accessed 9 April 2012).
  57. Adopted by the Parliament on 20.12.2007 and entered into force on 01.09.2008.
  58. Healthcare Insurance Act n°2004-810 of 13 August 2004.
  59. Article L. 161-36-1 of the Social Security Code.
  60. The CNIL is the French Data Protection Authority, for the advice see: http://www.cnil.fr/index.php?id=2212; http://www.sante-jeunesse-sports.gouv.fr/IMG//pdf/Rapport_DMP_mission_Gagneux.pdf (last accessed 9 April 2012).
  61. eSanté France, “The DMP: a project that is structuring the development of e-health in France”, http://esante.gouv.fr (last accessed 9 April 2012); CNIL, “La CNIL autorise le déploiement du dossier médical personnel sur l’ensemble du territoire”, http://www.cnil.fr; France2, “Le Dossier médical personnel lancé jeudi”, 15 December 2010, http://info.france2.fr/france/le-dossier-medical-personnel-lance-jeudi-66405648.html (last accessed 9 April 2012); for more information see: http://esante.gouv.fr.
  62. Robben (2010b).
  63. The Citizens Service Number is the unique personal number used by citizens in their contacts with government agencies.
  64. AORTA is the nationwide information system for the safe and reliable electronic exchange of medical data in the Netherlands, see Nictiz, “eHealth in the Netherlands”, available at: http://www.nictiz.nl/page/Home/English (last accessed 9 April 2012).
  65. See for example: Ashish et al. (2009); Halamka et al. (2008); DesRoches et al. (2008); eHealth Initiative, The State of Health Information Exchange in 2010: Connecting the Nation to Achieve Meaningful Use, www.ehealthinitiative.org (last accessed 9 April 2012).
  66. Woodcock (2010).
  67. Treumann (2010).
  68. Woodcock (2010).
  69. Health Information Technology: Initial Set of Standards, Implementation, Specifications and Certification Criteria for Electronic Health Record Technology, Final rule, 2010, available at http://edocket.access.gpo.gov/2010/pdf/2010-17210.pdf (last accessed 9 April 2012).
  70. Woodcock (2010).
  71. American Recovery and Reinvestment Act of 2009, Pub. L. 111-5, 123 Stat. 115, § 13402 (2009).
  72. June 2005.
  73. dd 29 May 2008.
  74. Article 20 of Healthcare Act.
  75. Commission Recommendation on Cross-border interoperability of electronic health record systems, 2 July 2008, COM(2008)3282.
  76. Like CEN, CENELEC, and ETSI.
  77. Mandate M/403, for more details see: http://www.ehealth-interop.nen.nl/publicaties/2860 (last accessed 9 April 2012).
  78. NHS Scotland (2006) Your Emergency Care Summary. Available online at: http://www.scotland.gov.uk/Resource/Doc/143714/0036499.pdf (last accessed 9 April 2012).
  79. Health Information and Self Care Advice for Scotland, www.nhs24.com.
  80. Saluse et al. (2010).
  81. Health Services Organization Act and Associated Acts Amendment Act, 20 December 2007.
  82. Commission Recommendation on Cross-border interoperability of electronic health record systems, 2 July 2008, COM(2008)3282.
  83. Communication from the Commission of the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, “A comprehensive approach on personal data protection in the European Union”, 4 November 2010, COM(2010)609.
  84. Opinion of the European Data Protection Supervisor on the Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions—“A comprehensive approach on personal data protection in the European Union”, 18 January 2011, available online at: http://www.edps.europa.eu/EDPSWEB/edps/cache/off/EDPS/Publications (last accessed 9 April 2012).
  85. www.epsos.eu.
  86. Kroes (2011).
  87. Carl (2010).
  88. Annulis (2009).
  89. American Recovery and Reinvestment Act of 2009, Pub. L. 111-5, §13402 (a) and (b), 123 Stat. 115, 260.
  90. Carl (2010).
  91. McCarthy (2010).
  92. Federal Trade Commission, Health Breach Notification Rule, 16 C.F.R. §318.1, 2009.
  93. Annulis (2009).
  94. ARRA, §13405 (a) (1) (A); 45 C.F.R. § 164.514(e) (2).
  95. A limited data set is a set of protected health information from which personal identifiers are removed.
  96. Carl (2010).
  97. Kaler (2010).
  98. ARRA, § 13405 (d) (1).
  99. Kaler (2010).
  100. Annulis (2009).
  101. Opinion of the European Data Protection Supervisor on the Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions—“A comprehensive approach on personal data protection in the European Union”, 18 January 2011, available online at: http://www.edps.europa.eu/EDPSWEB/edps/cache/off/EDPS/Publications (last accessed 9 April 2012).
  102. Digital Agenda: Commission signs eHealth agreement with US Department of Health, 17 December 2010, IP/10/1744.
  103. Kroes (2011).
  104. Digital Agenda: Commission signs eHealth agreement with US Department of Health, 17 December 2010, IP/10/1744.


Correspondence to Jos Dumortier.


© 2013 Springer-Verlag Berlin Heidelberg


Cite this chapter

Dumortier, J., Verhenneman, G. (2013). Legal Regulation of Electronic Health Records: A Comparative Analysis of Europe and the US. In: George, C., Whitehouse, D., Duquenoy, P. (eds) eHealth: Legal, Ethical and Governance Challenges. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22474-4_2
