Legal regulation of the transmission of health-related data: Balance of public interests and individual rights in the context of cross-border health care

At the same time there is quite a long period for giving a response about the possibility or impossibility of familiarization with medical documentation; moreover, in view of the period of sending/receiving a request and response, any rapid transfer of information without the use of electronic means of communication is not possible.

Based on the above, in this case there is a gap in the legislation. As a result, it is necessary to supplement order No. 425нwith provisions about the possibility of sending a request for provision of medical documents for review in electronic form.

The amendments made to part 5 of article 22 of the Law No. 323-FZ clearly show the orientation of the legislator to digitalization of medical documentation. Thus, in particular, it is established that the request for provision of medical documents (copies) and extracts from them, reflecting the patient's state of health, can be sent in electronic form.

However, to date, the procedure and terms for provision of medical documents (copies) and extracts were not approved by the authorized federal executive body of Russia (Part 5 of article 22 of Law No. 323-FZ). It should be noted that the Order of the Ministry of healthcare and social development of Russia of 02.05.2012 No. 441нapproved the procedure for issuing certificates and medical reports.

The Draft Order of the Ministry of healthcare of the Russian Federation “On approval of the procedure and terms for provision of medical documents (copies) and extracts from them” Draft Order of the Ministry of healthcare of the Russian Federation “On approval of the procedure and terms for provision of medical documents (copies) and extracts from them”.. This Draft provides that a request for information may be sent using an amplified qualified electronic signature or a simple electronic signature through the use of a single system of identification and authentication. The deadline for submission of the requested information is 30 calendar days.

The draft regulatory act that submission of copies of medical documents and extracts from them in the form of electronic documents is allowed only under the following conditions: information about the authorized responsible employee of the medical organization (who sends the specified documents with use of the amplified qualified electronic signature) shall be entered into the federal register of medical employees, on the condition of registration of the relevant medical organizations in the federal register of medical organizations of the unified state information system in the field of healthcare Resolution of the Government of the Russian Federation of May 5, 2018 No. 555 “On the unified state information system in the field of healthcare”..

Also, the draft defines a list of medical documents that are not provided in the original to the patient or their legal representative (only their copy or extracts from them), for example, the history of a child's development, the history of childbirth, the medical card of a dental patient, etc. (paragraph 4 of the Project).

Thus, the citizen (their legal representative) has the right to receive duly certified medical documents (both in paper and electronic form), copies of medical documents or extracts from them in the manner prescribed by the law.

Nevertheless, we would like to emphasize the rather long-term process of providing the required information (its request, response to the request and actual receipt); moreover, there are nuances in the transfer of information in electronic form. We would also like to note that the grounds for refusal to provide documents are not defined, thus, the powers of the medical organization are quite broad. For example, a medical organization has the right to refuse to provide medical information if it has doubts on authenticity of the signature of the personal data subject The Ruling on the appeal of the Investigative committee for civil cases of the Krasnoyarsk regional

court of October 1, 2014, case No. 33-9443/2014..

Therefore, we believe that the legal act should establish a specific list of grounds for refusal to provide medical information, since in this case, the medical organization is given an opportunity to make a decision at its discretion.

As already mentioned, in the Russian Federation most medical data is presented in paper form, but there is a trend towards further digitalization of the data. In particular, the Russian Federation has adopted and implemented GOST R 52636-2006 Electronic medical records. General provisions (amended) GOST R 52636-2006 Electronic medical history. General provisions (amended). Accessed June 2, 2019. http://docs.cntd.ru/document/1200048924..

This document defines such concepts as personal medical record, electronic medical history, electronic personal medical record, electronic medical archive.

It defines the life cycle (maintenance and subsequent archiving) of electronic personal health records (further -- EPHR). Regarding the transfer of medical record copies using electronic communication channels, it states that this action is allowed, however the “Security policy” of the medical organization should state the following:

— the procedure for transmission of electronic copies of EPHR to patients, the method of registration of transfer of copies and notification of patients about the rules of confidentiality of personal medical data; the recommendation says that it is necessary to develop a checklist for patients on how to use electronic copies of EPHR;

— the procedure for transfer of electronic copies of EPHR to independent and parent organizations, requests for copies, the method of registration of transfer of copies and documents being the basis for such transfer.

It is established that a cover letter to the document containing EPHR should be instructions on how to access EPHR.

Thus, most of the information that should be stated in the “Security policy” of the medical organization is left to the discretion of the organization. This results in a lack of uniform rules and, in some organizations, a complete lack of them.

In our opinion, the “Standard security policy” of a medical organization should be developed, which should reflect key stages of medical data transmission.

Transition to electronic document management, of course, simplifies the process of personal data processing. However, in practice, there are often difficulties with the transfer of medical data to medical organizations abroad.

Article 12 of Law 152-FZ establishes that cross-border transfer of personal data is possible if:

— the parties are parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Made in Strasbourg on 28.01.1981). 2014. April. Bulletin of international treaties 4: 1-9. -- ratification of this Convention by the parties involved in the personal data processing;

— the state where it is planned to transfer personal data to provides an adequate protection of the rights of personal data subjects, which is carried out in accordance with Law 152-FZ.

What is the difficulty?

First, prior to the transfer of personal data, the operator (the person transferring personal data) must ensure that the rights of personal data subjects are adequately protected in the foreign state to which the transfer of personal data is planned.

The procedure for verification of adequate protection of the rights of personal data subjects remains uncertain.

On the one hand, accession to the Convention on protection of natural persons at the automated processing of personal data essentially means that the state provides data protection from a formal point of view.

On the other hand, the list of foreign states that are not parties to the Convention of the Council of Europe on the protection of individuals in the automated processing of personal data, but which provide adequate protection of the rights of personal data subjects, is approved by the decree of Roskomnadzor dated 15.03.2013 No. 274 Decree of Roskomnadzor (Federal Service for Supervision of Communication, Information Technology and Mass Media) of 15.03.2013 No. 274 “On approval of the list of the foreign states which are not parties to the Convention of the Council of Europe on protection of physical persons at the automated processing of personal data and providing adequate protection of the rights of personal data subjects”..

According to the explanations of Roskomnadzor, for the purpose of inclusion of the state into this list it is necessary to comply with the following conditions in a foreign country: presence of a normative legal act regulating the sphere of personal data, the presence of an authorized body for protection of the rights of personal data subjects and a system of sanctions provided for violation of the legal requirements in this field “Updated list of countries providing adequate protection of the rights of personal data subjects” 2019. Roskomnadzor. Accessed June 8, 2019. https://rkn.gov.ru/news/rsoc/news65616.htm. (In Russian).

Thus, before the transfer of personal data, the operator should make sure that the country to which the transfer of personal data is planned is included in these two lists.

Part 4 of article 12 of Law 152-FZ defines the cases when the transfer of personal data can also be carried out to other persons who do not provide adequate protection of personal data. In particular, such a transfer is possible with the written consent of the personal data subject, performance of the contract to which the personal data subject is a party, as well as for the protection of life, health and other vital interests of personal data subjects, in case of the impossibility of obtaining consent in writing.

Some authors say that there is a problem of insecurity of the rights of the personal data subject when sending their personal data to a state in which there is no adequate protection of personal data, if the subject is a party to the contract (Kucherenko 2009). This is explained by the fact that according to article 430 of the Civil code, the contract can be concluded for a third party (personal data subject).

We would also like to consider such a case of processing of special personal data provided for in paragraph 4 of part 2 of article 10 of Law No. 152-FZ as the processing of personal data for medical and preventive purposes. Data is processed in order to establish a medical diagnosis, the provision of medical and medical and social services, provided that the processing of personal data is carried out by a person professionally engaged in medical activities and obliged in accordance with the legislation of the Russian Federation to maintain medical secrecy.

In this case, special requirements for the person processing personal data are established: professional medical activity and obligation to maintain medical secrecy in accordance with the legislation of the Russian Federation. At the same time, article 12 of

Law No. 323-FZ establishes a fairly wide list of persons who are obliged to keep medical confidentiality: these are the persons, who received the information at training, execution of labor duties, office duties, job duties and other responsibilities. However, Law No. 323- FZ regulates legal relations arising in the sphere of public health protection in the Russian Federation. In the vast majority of countries, persons engaged in professional medical activities are obliged by their national legislation to maintain medical secrecy. We believe that the rules provided for in paragraph 4 of part 2 of article 10 of Law No. 152-FZ apply only to the primary processing of personal data, which is carried out by a Russian medical organization, since the internal legislation of the state operates exclusively in the territory of this state and does not apply to non-residents of the state who are in the territory of another state.

Thus, there are no special restrictions on the cross-border transfer of personal data (including medical data) in Law 152-FZ; in the case of written consent or a contract to which the personal data subject is a party, personal data may be sent to a foreign state that does not provide protection of personal data (there are no advantages and no simplified procedure for transferring data to countries that provide adequate protection of personal data). That is, in fact, the transfer of personal data is allowed to any country of the world.

Second, in any case, the operator is obliged to notify the body authorized for the protection of the rights of personal data subjects (Roskomnadzor) on the cross-border transfer of personal data (Article 22 of Law 152-FZ).

In paragraph 3.1.11 of the Order of Roskomnadzor dated 30.05.2017 No. 94 “On approval of methodological recommendations on notification of the authorized body on the beginning of processing of personal data and on amendments to the previously submitted information”, it is stated that the notification on processing of personal data should indicate the specific state to which the transfer of personal data will be carried out.

In addition to notifying Roskomnadzor, the operator is also required to notify the subject of personal data about such a transfer.

Third, also, in the case of transferring personal data via the Internet, the operator can use only encryption facilities certified by the Russian Federal security service (and data of encryption facilities should only be of domestic production, there are features of the turnover of such means, which do not simplify the process of transferring personal data). The operator is obliged to provide protection to the data transmission channel. That is, for example, the transfer of medical personal data via e-mail without the use of cryptographic protection of information will be a fact of disclosure of personal data and a violation of the requirements for personal data protection.

Fourth, the procedure for cross-border transfer of personal data should also be stated in the local legal acts of the data operator, as mentioned earlier.

The following provision set out in the work entitled “Safety of storage and transfer of medical (personal) data in the multilateral exchange of medical information” for the “International Space Station” program is particularly interesting: “one of the forms of regulation of cross-border transfer of personal data is an existence of a written agreement containing the requirements agreed by the parties for the purpose of protection of personal data at their cross-border transfer” (Shulenin, Skorokhodov, Kantemirova 2012). The presence of such a document would significantly simplify the procedure of cross-border transfer of personal data, but such agreements only seem appropriate in the presence of personalized and permanent participants of cross-border transfer of personal data. In our case, a medical organization often acts as an intermediary between a patient and a foreign medical organization.

Thus, the mechanism of cross-border transfer of personal data is quite complicated, and yet it should protect the transferred personal data from intruders.

In part, this issue was also addressed in a number of other works (Serafimov 2018; Sokolova 2019; Kheifets, Kheifets 2020; Hartley 2014; Horspool, Humphreys, Wells-Greco 2018).

Also, after adoption of the Federal law of 21.07.2014 No. 242-FZ “On amendments to certain legislative acts of the Russian Federation in terms of clarifying the procedure for processing of personal data in information and telecommunication networks” (hereinafter -- Law No. 242-FZ), one of the topical issues was the question of the possibility of cross-border transfer of personal data, since the above-mentioned law establishes the obligation of the data operator to process personal data using databases located on the territory of the Russian Federation (and cross-border data transfer involves the transfer of data to the territory of a foreign state, whose databases are not in Russia).

An answer to this question was provided in the explanations of the Ministry of digital development, communications and mass media of the Russian Federation²¹, which states that the adoption of Law No. 242-FZ in no way affected the cross-border transfer of data, since personal data before the transfer to a foreign person is initially entered into a database located on the territory of Russia (“primary database”), and then transferred to a foreign person for inclusion into a “secondary database”.

As already mentioned, the main international document containing legally binding rules for Russia in the field of cross-border transfer of personal data is the Convention on the protection of individuals in the automated processing of personal data (hereinafter -- the Convention).

Article 14 of the Convention is noteworthy as it states that if a person is a citizen of another state, permanently residing in the territory of a foreign state, they have the right to request the required information through the authorized body in the state in which he lives, from the state of which he is a citizen. The body to which the request for such information is sent must assist in obtaining it (refusal is only possible in the circumstances defined in article 16 of the Convention, for example, if the execution of the request would violate the sovereignty, security of the state). Article 17 stipulates that the forms, procedures and languages used in cross-border transfers shall be determined directly between the states concerned. However, such agreements between the Russian Federation and another state were not found during the analysis. At the same time, the status of persons who temporarily reside in the territory of a foreign state are not defined in the Convention.

It should be noted that there is a tendency to develop international legal acts by participants of various international associations.

The Resolution of the Interparliamentary Assembly of Member Nations of the Commonwealth of Independent States (hereinafter -- CIS) of November 25, 2016 No. 4513 “On the model law `On cross-border information exchange of electronic documents'” (hereinafter -- the model law) serves as the basis for legal support in the cross-border exchange of information by CIS members and the harmonization of national legislation (Part 4 of article 1 of the model law). Part 2 of article 3 of the model law defines that the ^{21 Processing and storage of personal data in the Russian Federation. Amendments since September 2015. Accessed June 9, 2019.} https://digital.gov.ru/ru/personaldata.

CIS Member Nations create an interstate coordinating body, which defines the rules and requirements for documentation in cross-border information exchange. At the same time, part 3 of article 4 of the model law states that the cross-border transfer of personal data is regulated by the national legislation of the states. This document establishes the need to develop a cross-border space of trust (Article 11 of the model law).

Similar rules on the creation of a cross-border space of trust are stated in part 1 of article 23 of the Treaty on Eurasian Economic Union Treaty on Eurasian Economic Union (Signed in Astana on 29.05.2014). Accessed June 9, 2019. https://www.un.org/en/ga/sixth/70/docs/treaty_on_eeu.pdf. -- another international organization.

In its turn, the requirements for creation, development and operation of the crossborder space of trust are determined by the decision of the Council of the Eurasian Economic Commission dated 05.12.2018 No. 96 “On the requirements for creation, development and operation of the cross-border space of trust”.

Thus, there is an active development of the regulatory framework for cross-border data transfer, including the transfer of medical data. However, only basic documents that define the main provisions of cross-border data transmission are being created, while there is no detailed regulation in specific areas of public life.

The experience of another international association -- the European Union -- also seems relevant. In June 2019, the first session of the trans-border transfer of medical data was held, information about this was published on the website of the European Commis- sion “Daily News 21/06/2019”. 2019. European Commission. Accessed June 23, 2019. http://europa.eu/ rapid/press-release_MEX-19-3351_en.htm.. Information provided states that now a doctor from Luxembourg can obtain the electronic medical history of a traveler who came from the Czech Republic, in particular about allergies, surgical operations, etc. This is information that may be needed in case emergency medical care and it is now available in electronic form. Also, in the framework of eHealth there is a system of the electronic exchange of prescriptions, for example, now citizens of the Republic of Finland can get medicines from Croatia that they were prescribed by a Finnish doctor.

In the Russian Federation and partner countries (CIS, Eurasian Union), the specified legal framework is just beginning to be developed. Work on this is of a general nature and not divided into certain areas (which is likely to happen in the future).

In view of the dynamic development of the legal framework of the Russian Federation in terms of digitalization of healthcare, we believe that after the completion of the formation of a state system in the field of healthcare, it will be necessary to amend the decree of the Government of the Russian Federation of May 5, 2018 No. 555 “On the unified state information system in the field of healthcare” in order to regulate the implementation of cross-border transfer of medical data.

The active legal regulation of cross-border data transmission and accompanying development and creation of information systems will allow for inter-state data transmission, fundamentally transform social institutions, simplify many procedures for ordinary citizens, which will provide better health services, and ultimately lead to better lives for many people, regardless of their place of residence and citizenship.

Conclusions

As a result of the analysis, it can be concluded that within the framework of European and Russian legislation at this stage there is comparability in the protection of medical data in the context of digital medicine. Also, there are certain differences in approaches to the regulation of rights of health data subjects in the framework of the national e-health systems. However, these differences are not final as the Russian legal regulation is still in the stage of dynamic formation, and its final form is unknown at the moment. Nevertheless, the Russian legislator has already determined the vector for development of legal regulation, and it is unlikely to change.

In regard to legal regulation of health data transfer to third countries, both the Russian Federation and the European Union have chosen the way of severe restrictive regulation and introduction of a closed list of grounds for overcoming the ban on cross-border transfer. The restrictive approach can be justified both by the public interest and the need to ensure the observance of individual rights of citizens to privacy, while the ratio of individualization of situations where the transfer of medical data is permissible, as a rule, lies in significant public interest that can prevail over individual risks of violation of the rights of data subjects. However, both in the EU and in the Russian Federation data transmission is legally permitted in cases where it is necessary to save the life or health of individuals, as well as in situations where the data subjects themselves give informed consent to their transfer. At this stage the states permitting the transfer decline all responsibility for what happens further, both with respect to the de facto execution of the data exchange procedure and its timing, and with respect to the further handling of the transferred data if the transfer, as such, has taken place.

In this regard, it seems timely and extremely urgent to provide for the possibility of concluding an international agreement on the exchange of medical data in digital format, the participants of which potentially should be, first of all, the EU member states, the EAEU, China, and the countries of the American continent.

The supranational system formed within the framework of this agreement should solve the following tasks:

— ensure compatibility of national and international digital healthcare systems;

— provide legal and technical mechanisms for transmission and protection of health data;

— provide conditions for international cooperation on issues of electronic data security and combating cybercrime.

At the same time, the basis for the obligation to request and provide access to information, respectively, should be the principles of the maximum enforcement of the right to life and health, the right to private life, the principle of individual autonomy, as well as public interests in the field of public health, such as the threat of infectious diseases spreading, etc.

Accordingly, the proposed supranational system should essentially represent a legal and technical basis covering the maximum possible geographical space. In other words, the system should be a permanent mechanism in stand-by mode, whose individual links should be included and interact only on clearly defined grounds:

— threat to the life or health of the data subject or other persons if the consent of the data subject cannot be obtained;

— informed consent of the data subject or its representative;

— public interests in the field of public health in the threat of infectious diseases spreading, mass poisoning and damage;

— international cooperation in the fight against crime;

— additional grounds, in our view, could be included within the framework of bilateral agreements between the states and organizations.

Also, in light of potential expansion of the number of states that accede to the proposed agreement and, as a consequence, the potential for a significant difference in the constitutional structure of the states concerned and in the different approaches to the application of international normative regulation, the proposed agreement on international electronic cooperation in the field of healthcare should provide for provisions binding the signatory and acceding states to implement the provisions of the agreement into national legislation. The agreement should also provide in national systems of law the rules of legal responsibility of natural and legal persons for violation of the provisions of the proposed agreement.

References

1. Cataleta, Anna, Alessandro Longo, Raffaella Natale. 2020. “GDPR, tutto cio che cи da sapere per essere in regola”. Digital 360. Accessed May 26, 2018. https://www.agendadigitale.eu/cittadinanza-digitale/ gdpr-tutto-cio-che-ce-da-sapere-per-essere-preparati.

2. Hartley, Trevor. 2014. The Foundations of European Union Law: An Introduction to the Constitutional and Administrative Law of European Union. New York, Oxford University Press.

3. Horspool, Margot, Matthew Humphreys, Michael Wells-Greco. 2018. European Union Law.10th ed. Oxford, Oxford University Press.

4. Kheifets, Nikolay E., Evgeny N. Kheifets. 2020. “Human rights in the aspect of doctor-patient relations in the era of e-health. Part 1. European practice of legal regulation of relations related to the handling of special personal data”. Voprosy organizatsii i informatizatsii zdravookhraneniia 1 (102): 10-29. (In Russian) Kucherenko, Anna V. 2009. “On guarantees of the rights of subjects at implementation of cross-border transfer of personal data”. Information law 3: 14-17. (In Russian)

5. Serafimov, Victor. 2018. “Extraterritorial application of the EU general DATA protection regulation”. Kutafin University Law Review 5 (2) (10): 469-479. https://doi.org/10.17803/2313-5395.2018.2.10.469-479. Shulenin, Anatoly P., Skorokhodov Anton V., Kantemirova Ekaterina V 2012. “Security storage and transmission of medical (personal) data for the multilateral exchange of medical information in frame of the program `The International Space Station'”. Trudy 14-i Vserossiiskoi nauchnoi konferentsii “Elek- tronnye biblioteki: perspektivnye metody i tekhnologii, elektronnye kollektsii” -- RCDL-2012, Pereslavl'- Zalesskii, Rossiia, 15-18 oktiabria 2012 g. Accessed June 6, 2019. http://ceur-ws.org/Vol-934/paper50. pdf. (In Russian)

6. Sokolova, Marianna E. 2019. “Between business interests and security: American it giants and personal data protection”. Rossiia i Amerika v XXI veke 2: 6. https://doi.org/10.18254/S207054760006015-3. (In Russian)

Размещено на Allbest.ru