As DN has reported, patient data at the hospital is merged from the health records with other records, including registers, the personal data register and the hospital’s accounting system. The aim is to build up a diagnosis-based database with the so-called digital scorecards, which are central to the hospital’s new organization with value-based care. The scorecards are to be the measuring tool for making comparisons in real time and measuring the quality of care linked to cost. The hospital has 1.6 million patient visits, and the intention is that all patients should be included in the new register.

The scorecards that DN has examined show that individual data is input from the records every night.

for DN that the hospital does not live up to the EU’s new data protection regulation, GDPR, when patients are not informed about the processing of personal data, the hospital’s board of directors has asked for more information on the management of patient data. The board of directors, which is the data controller, has, in 2018, had a review of the enforcement of the GDPR, but to control cards to the affected.

“We must take it seriously if the experts say that this is not true. We shall, of course, follow both the Patient Data Act and the GDPR,” the chairman of the board, Håkan Sörman, previously said to DN.

Karolinska’s chairman of the board, Håkan Sörman, demands that the board receive more information on how patient data is handled. Photo: Stina Stjernkvist/TT

According to the GDPR, which entered into force in May 2018, the public sector has an obligation to appoint a data protection officer who will defend the data subjects’ right to privacy, in this case the patients’, and ensure that the processing of personal data.

, who is also a lawyer at Karolinska, says that there is legal support for the handling of patient data in the digital scorecards and refers to the Patient Data Act, which provides room for the processing of personal data without consent in connection with development work and record-keeping in health care.

– You can read on our website about how we handle personal information.

The website states, among other things, that the hospital processes personal information in order to provide health care and for record-keeping. Patients can turn to the hospital to get a copy of the personal data processing that has been carried out, and may in some cases have their data deleted. However, it is not clear what processing of personal data takes place in connection with the build-up of the new database with the scorecards.

also of the Swedish Data Inspection Board, Gellerhed van Duin does not think that there is a need for an in-depth investigation.

– My legal assessment is that the hospital has support to develop and secure its operations through the digital scorecards.

Lisa Gellerhed van Duin says that she has no idea of how extensive the processing of personal data in the scorecards is.

– As data protection officer, I cannot possibly have detailed knowledge of any privacy practices that occur in the hospital. In my role I give the operations instructions and guidance in order to comply with the applicable legislation.

expert on the GDPR, has told DN that it should be legally investigated whether the database, in which patient data are reported by diagnosis at group level, constitutes a regional quality register. In that case, it means that patients have the right to object to the processing of personal data.

The model for the work with value-based care, which is marketed by Boston Consulting Group, is the Swedish quality registers, and the consulting company has been hired for the scorecard work.

Lisa Gellerhed van Duin does not believe that this would be a matter of registers.

– My legal analysis is that the scorecards are an IT system to systematically develop the quality of operations.

, which is responsible for the scorecards, has indicated to DN that the purpose in the long term is to be able to compare treatment outcomes with other care providers.

“I can’t answer for the scorecards exactly, because I don’t know the systems,” says Gellerhed van Duin.

– I have been very little involved directly.

a possible investigation and impact assessment – which according to DN’s experts shall be made and be well documented – before any work with the scorecards was started, but has not received any such. In response to the request, the hospital said, in short, that Karolinska follows the GDPR and that the documentation is not necessary.

“If you have not received any documents, it is probably because they do not exist,” says Lisa Gellerhed van Duin.

She points out that the work with the scorecards began long before she took up her post in May 2018 and that she therefore lacks knowledge about the preparatory work.

– I have no documents. But we have a legal basis for it. We have a policy that means that we constantly follow all the laws, regulations, the Patient Data Act and the GDPR.

Karolinska has received a total of five million SEK in research funding from the Stockholm County Council for research on value-based care, to identify patient flows and outcome measures and to measure the development of quality. The hospital has not been able to present any ethical permission.

– If you are pursuing systematic quality work, you do not have ethical review board permission.

DN recently reported that S:t Eriks Eye Hospital and Sahlgrenska University Hospital, according to two investigations, are deemed to have violated the Ethical Review Act, which regulates research on people, since the hospitals participated in a research study and provided patient data to the American company Ichom without ethical permission. Imprisonment is within the scale of penalties. The case has now been turned over to prosecutors.

the data handled in the scorecards were not personal data, and that the GDPR, therefore, was not applicable. Now the hospital states on its website that, on the contrary, it is personal data and, moreover, that the data are not completely anonymised but pseudonymised, so that it is possible to link the data to an individual. The GDPR is very clear in its requirement for information on how personal data is processed.

“From a legal perspective, it’s clearly about personal data and medical records. They are not anonymised, but pseudonymised, since there is a key,” says Lisa Gellerhed van Duin.

in the scorecards is encrypted, and that only a few persons, the hospital’s patient area managers, have access to non-encrypted data.

The database is built up by a central unit separate from the treatment itself. Recently, the hospital has indicated that competent staff in the department have access to medical records and other relevant systems.

– The important thing for us is that we give good and safe care and that we comply with the provisions in the Patient Data Act. Patients can feel confident in that.
