On Wednesday the Swedish Data Inspection Board carried out an inspection concerning authorization and access in the medical records system at Karolinska. The authority has begun a major review of how eight health care providers regulate user access to data in their main medical records systems, and Karolinska is one of them.
“We are inspecting access and the documentation in the logs. These are two of the most important building blocks in the medical records system when it comes to protecting individual privacy. It is all about who can see what and why, as well as what is documented in the logs,” says Maria Bergdahl at the Swedish Data Inspection Board, who is leading the review.
of , the so-called internal confidentiality. This means that, under the Patient Data Act, staff may only access the patient data they need to perform their duties. But according to the Swedish Data Inspection Board, audits in recent years show that health care providers often have access to a majority of patients' data without there being a need, and that patients' privacy therefore cannot be guaranteed.
Karolinska is one of the three hospitals included in the audit.
– Large health care providers such as Karolinska handle a lot of medical records. To see whether the handling is correct and whether patient data is adequately protected, the health care provider should carry out a needs and risk analysis before staff are assigned access.
over the Data Protection Regulation, the GDPR, and the Patient Data Act, and shall, among other things, check that the health care providers have done enough to protect sensitive personal data.
Karolinska's board of directors has at the same time launched a comprehensive review of the hospital's handling of patient data, to ensure that the hospital lives up to the GDPR. This comes after DN revealed that the hospital is building a new diagnosis-based database with so-called digital scorecards, where data from patients' medical records is brought together with records from other systems such as the operations database, population registers, and the hospital's accounting system. The scorecard work is performed separately from care, at the hospital's strategic staff unit SSVP, as part of the hospital's work on value-based care. The scorecards are meant to be a measuring tool for making comparisons in real time and measuring the quality of care in relation to costs, and the development work was initially done with consulting help from the Boston Consulting Group, which sold and implemented the care model at Karolinska. Karolinska has 1.6 million patient visits per year, and all patients are recorded in the scorecards without the patients being informed. According to experts, this violates the Data Protection Regulation's requirements on information and transparency to the data subject about how the data is used and processed.
Lawyer Caroline Olstedt Carlström, an expert on the GDPR, has also told DN that it should be investigated whether the scorecards, where patient data is reported by diagnosis at group level, constitute a regional quality register. The hospital first stated that this is not personal data, but then changed its tune and announced that the data is pseudonymized, and that the patients therefore do not need to be informed.
, a member of the board of directors' health care committee, says that greater transparency is a “delicate task”, and that the work that started in January is more extensive than expected. Asplund stresses that the analysis concerns the handling of personal data at the hospital.
“Thanks in part to the media, the work has now picked up speed, with activity after activity and scorecard after scorecard being reviewed. The lawyers are going through this point by point, and I guess they will find some things that may need to be addressed,” says Kjell Asplund, adding that the board has brought the hospital's lawyers into the work.
Previously, the hospital's data protection officer told DN that the design of the scorecards had already been checked with the hospital's lawyers, and that further investigation or documentation was not necessary. No documentation of the legal considerations has been presented.
“If no documentation has been provided, it is because it does not exist,” data protection officer Lisa Gellerhed van Duin has told DN.
a different assessment.
“We have made the assessment that a more in-depth and detailed analysis was needed. It started with the media attention around the scorecards, but now we have tasked the hospital's lawyers with going through all the activities. It is also about the right of patients to get information. It really is incredibly important that we adhere to the laws and regulations of the GDPR,” says Kjell Asplund.
The hospital has denied that this would be a matter of registers. Kjell Asplund, who heads the quality register Riks-Stroke, prefers to leave that unsaid.
“I have my opinion, but I keep it to myself. I don't want to play lawyer,” says Asplund.
At the same time, questions remain about the fact that patient data is now collected centrally at the hospital and managed by officials and consultants separate from the care itself. According to the hospital, authorized personnel at the staff unit have access to medical records and other relevant systems.
The management of patient data at the hospital has also been affected by the fact that the hospital's clinics have been abolished and that the hospital's IT systems and master data do not reflect the new organisation.
Maria Bergdahl says that during its inspection at the hospital last week, the Swedish Data Inspection Board was informed that the hospital had switched to a thematic organization.
“We received the information that it has switched to a thematic organization, but that the management amounted to about the same as before,” says Maria Bergdahl.
The Swedish Data Inspection Board is now compiling a record of the inspection, which the hospital will have the opportunity to comment on before the authority makes a decision.
the Board’s review.
“It is great to have additional legal expertise that we can get help from.”
In addition to Karolinska, Norrland University Hospital, Sahlgrenska, the University Hospital in Linköping, Aleris Healthcare AB, Capio St Göran's Hospital, Praktikertjänst N.Ä.R.A. AB and the online doctor Tee are being reviewed by the Swedish Data Inspection Board.