Legal aspects regarding the use and integration of electronic medical records for epidemiological purposes with focus on the Italian situation

摘要

The "Observational Studies" working group of the Italian Association of Medical Statistics and Clinical Epidemiology (SISMEC) has undertaken to study the impact of recent healthcare sector regulations on the legal and organisational aspects of managing all EMR databases with emphasis on Legislative Decree No. 196/2003 (the Italian Personal Data Protection Law). This paper examines six issues relating to theirs legal implications. The first section, “Confidentiality”, provides definitions and the regulatory context for the terms "confidentiality" and "personal data". In the second, “Nature of data held in electronic medical record archives”, we discuss the problem of sensitive data and procedures to make the identification code anonymous. In “Data ownership” we highlight the difference between the data controller and the database controller. The fourth section, “Conditions for processing”, discusses problems associated with using research data from one study in other investigations. In the fifth, “Patient consent”, we address the problems related to patient consent. Finally in “Penalties” we outline the main civil and criminal liability issues applied in case of non-compliance with the provisions of the Personal Data Protection Code. Where possible, we provide suggestions on how to comply with the legal requirements of managing medical record archives in order to make it easier for researchers to remain in compliance with the relevant provisions.