Datainspektionen - DI-2019-3840

From GDPRhub
Revision as of 09:11, 14 December 2020 by Mh (talk | contribs)
Authority: Datainspektionen (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 24 GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Article 58(2) GDPR
Article 83 GDPR
Chapter 4, 2 § of the Patient Data Act
Chapter 6, 7 § of the Patient Data Act
Chapter 4, 2 § of HSLF-FS 2016:40
Chapter 4, 9 § of HSLF-FS 2016:40
Type: Investigation
Outcome: Violation Found
Started:
Decided: 02.12.2020
Published: 03.12.2020
Fine: 3500000 SEK
Parties: Sahlgrenska University Hospital, Board of directors
National Case Number/Name: DI-2019-3840
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Swedish
Original Source: Datainspektionen (in SV)
Initial Contributor: Kave Noori

Swedish DPA (Datainspektionen) imposed a fine of approximately €342000 on a university hospital for providing employees broader access to medical records than they needed to do their job.

English Summary

Facts

In April 2019, the DPA carried out an on-site inspection at Sahlgrenska University Hospital (Sahlgrenska universitetssjukhuset). The hospital is part of the region of Västra Götaland. Four years earlier, the DPA had issued a supervisory decision concluding that the hospital had failed to carry out a necessity and risk analysis in accordance with legal requirements.

The hospital keeps the medical records of about 900 000 patients. There are about 25 000 user accounts with access to the medical records system, although the hospital only has about 18 000 employees. The hospital also cooperates with other branches of the region of Västra Götaland that lie outside the health care system of which it is a part, and assumes that the employees of those divisions have a legitimate need for direct access to the medical records. For the purposes of Chapter 4(1) of the Swedish Patient Data Act, the hospital considers this information to be lawfully shared within the same inner confidentiality zone (inre sekretess zon).

All health care workers, including medical secretaries, have general access to all medical records, including those outside their department. If the patient has restricted access to his or her file, only those who work in that department can view the file. Doctors and nurses have general and emergency access. This means that in a situation where the patient is unable to give consent, they can access restricted medical records outside their department.

The hospital also keeps a log when a medical record is accessed. The log includes the name of the healthcare professional, the part of the record that was accessed, and the date and time of the last access.

Dispute

1. Has the hospital taken appropriate technical and organizational measures to protect personal data in the medical records?

a. Has the hospital conducted a proper necessity and risk analysis?

b. Has the hospital correctly assigned authorizations?

c. Is the hospital a data controller regarding medical records kept by other caregivers?

d. Does the hospital keep adequate records of access?

2. Should a sanction fee be imposed?

Holding

Has the hospital broken the law by not taking sufficient technical and organizational measures?

The DPA considered that the hospital had failed to implement adequate organizational and technical measures to protect medical records.

Lack of risk and necessity analysis

In Sweden, sector-specific legislation consists of the Patient Data Act and the National Board of Health and Welfare's rules and general guidelines on the keeping of medical records and the processing of personal data in the health care system (Socialstyrelsens föreskrifter och allmänna råd om journalföring och behandling av personuppgifter i hälso- och sjukvården, HSLF-FS 2016:40).

Chapter 4(2) HSLF-FS 2016:40 requires that the hospital, as a care institution, carries out a so-called risk and necessity analysis before giving its staff access to different parts of the system for keeping medical records. In addition, Chapter 4(2) of the Patient Data Act stipulates that the hospital (caregiver) must limit employee access to the extent necessary for the performance of their duties. The Patient Data Act also permits the so-called coherent keeping of medical records, which means that a caregiver has direct access to the medical records of another caregiver. Before a caregiver grants its employees access to coherent medical records, it must carry out a risk and necessity analysis.

The DPA considered that the hospital's current risk and necessity analysis was fit for the purpose of IT security with a focus on the employee, which is a different form of risk analysis from that required by HSLF-FS 2016:40. The DPA was looking for a risk analysis that assesses the risks to patients as data subjects, for example whether patients who are famous, have a protected identity or have a particular diagnosis are at risk of harm if access authorization is too relaxed. In addition, the DPA held that the hospital had not properly evaluated how permissions should be defined so that employees only have access to the information they need to do their jobs.

Access rights to medical records were too extensive

The DPA recalled that the risk and necessity analysis should determine how the caregiving institution assigns health care workers permission to access medical records. In this case, about 25 000 people had access to medical records, although the hospital only had about 18 000 employees. The hospital assigned permissions in such a way that health care workers, regardless of which department they worked in, could access the medical records of all departments within the hospital, except one. On this basis, the DPA concluded that the majority of the hospital's employees had access to more medical records than they needed to do their jobs. The DPA did not take a positive view of the fact that the hospital gave direct access to medical records to persons working in other governmental branches of the region of Västra Götaland.

Is the hospital a data controller regarding medical records it retrieves from other caregivers?

The Swedish Patient Data Act states that a caregiver is the data controller for the medical records that it creates. The hospital therefore did not consider itself a data controller of medical records that are retrieved from other caregivers through the coherent medical record system. However, the DPA considered that the hospital is a data controller for the specific data it retrieves in relation to an individual patient from a medical file kept by another caregiver.

Based on this finding, the DPA concluded that the hospital had once again failed to conduct a risk and necessity analysis and had not properly limited the permissions regarding access to the system for coherent medical records.

Access logs

The DPA considered the current level of logging when an employee accesses a medical record to be insufficient. The DPA clarified that the purpose of the logging is not only to check for unauthorized access to the medical record. The log is also used to trace which actions were performed in connection with access to the medical record, such as printing, copying, or deleting personal data.
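As an added example (not from the decision or the hospital's system), the following Python sketch models the controls described in the Facts and ordered by the DPA: per-employee grants instead of hospital-wide access, emergency access limited to doctors and nurses, and a log that keeps every access event together with the action taken rather than only the last access. The names Staff, Record, may_access, log_access and review are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed illustration of the controls the DPA ordered: need-based grants,
# emergency access limited to doctors and nurses, and an access log that records
# the action taken. This is example code, not the hospital's actual system.

@dataclass(frozen=True)
class Staff:
    user_id: str
    role: str                 # e.g. "doctor", "nurse", "secretary"
    departments: frozenset    # departments the employee actually works for

@dataclass(frozen=True)
class Record:
    patient_id: str
    department: str           # department that keeps the record

EMERGENCY_ROLES = {"doctor", "nurse"}
ACTIONS = {"view", "print", "copy", "delete"}

def may_access(staff, record, emergency=False):
    """Grant only what the employee's duties require; outside that grant, only a
    doctor or nurse may open a record, and only in an emergency."""
    if record.department in staff.departments:
        return True
    return emergency and staff.role in EMERGENCY_ROLES

def log_access(log, staff, record, part, action, emergency=False):
    """Evaluate the request and append one entry per event (not just the last
    access), recording the action and whether emergency access was invoked."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    allowed = may_access(staff, record, emergency)
    log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": staff.user_id, "patient": record.patient_id, "part": part,
        "action": action, "emergency": emergency, "allowed": allowed,
    })
    return allowed

def review(log):
    """Entries a log reviewer should examine: denied attempts, emergency use,
    and every print, copy or delete action."""
    return [e for e in log if not e["allowed"] or e["emergency"]
            or e["action"] in {"print", "copy", "delete"}]
```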

Sanction fee

Swedish law provides that public bodies that violate the GDPR can be fined up to SEK 10 million. The DPA imposed a sanction fee of SEK 3.5 million on the hospital, for the following reasons.

Firstly, the hospital processes a large amount of sensitive personal data of many affected patients (approximately 900 000).

Secondly, the hospital did not have a sufficiently granular access control system: health care staff could easily access documents from other departments. Also, the hospital had granted direct access to medical records to a large number of people working in other governmental branches of the region of Västra Götaland (outside the health care system).

Thirdly, the DPA considered that the hospital had not carried out a proper needs and risk analysis, as required by the DPA decision of 27 March 2015. According to the DPA, the hospital had been aware for several years that it was not complying with the law and deliberately decided not to take corrective measures.

Orders for corrective measures

Finally, the DPA instructed the hospital to take the following measures:

  1. Properly analyze the risk to the patients and analyze what access each employee needs.
  2. Assign each employee individual access tailored to what he or she needs to do his or her job.
  3. Extend the logging of access to medical records to include information on what actions an employee has taken in connection with that access.

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.