Result card

  • LEG5: Do laws/ binding rules require appropriate measures for securing patient data?

Do laws/ binding rules require appropriate measures for securing patient data?

Authors: Ingrid Wilbacher, Valentina Prevolnik Rupel

Internal reviewers: Ingrid Rosian

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Recommendation R (97) 5 of the Committee of Ministers to Member States on the protection of medical data.

Structured telephone support raises a particular data security issue: an ordinary telephone line is usually not privacy protected.

Data networks and data communication between providers of tele-healthcare and patients have to secure and protect data sources according to legal data protection regulations.

There is an existing data protection regulation at EU level {9}, which has already been adapted and integrated in all EU countries, Norway and Switzerland {7}. There are two additional recommendations, one on the protection of medical data {10} and one on the protection of private data within telecommunication services {11}, which have to be taken into account when implementing a telemonitoring service with STS.

There are clear data protection regulations at EU level {9}, which are adapted accordingly in the member states.

  • Directive (2011/24/EU) on Patients' Rights in Cross-border Healthcare states {7}: “(d) patients who seek to receive or do receive cross-border healthcare have remote access to or have at least a copy of their medical records, in conformity with, and subject to, national measures implementing Union provisions on the protection of personal data, in particular Directives 95/46/EC and 2002/58/EC.”



  • Recommendation R (97) 5 of the Committee of Ministers to Member States on the protection of medical data {10}:

“Recalling the general principles on data protection in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (European Treaty Series, No. 108) and in particular its Article 6 which stipulates that personal data concerning health may not be processed automatically unless domestic law provides appropriate safeguards;

Aware of the increasing use of automatic processing of medical data by information systems, not only for medical care, medical research, hospital management and public health but also outside the health-care sector;”

The recommendation gives clear advice on how to understand and act with regard to the protection of medical data.


When structured telephone support is used, it is relatively easy to ask for the patients’ agreement to data transmission and intended use.

  • Recommendation No.R (95) 4 on the protection of personal data in the area of telecommunication services, with particular reference to telephone services {11}:

“2. Respect for privacy

2.1. Telecommunications services, and in particular telephone services which are being developed, should be offered with due respect for the privacy of users, the secrecy of the correspondence and the freedom of communication.

2.2. Network operators, service providers and equipment and software suppliers should exploit information technology for constructing and operating networks, equipment and software, in a way which ensures the privacy of users. Anonymous means of accessing the telecommunications network and services should be made available.

2.3. Unless authorised for technical storage or message transmission or for other legitimate purposes, or for the execution of a service contract with the subscriber, any interference by network operators or service providers with the content of communications should be prohibited. Subject to Principle 4.2 the data pertaining to the content of messages collected during any such interference should not be communicated to third parties.

2.4. Interference by public authorities with the content of a communication, including the use of listening or tapping devices or other means of surveillance or interception of communications, must be carried out only when this is provided for by law and constitutes a necessary measure in a democratic society in the interests of:

a. protecting state security, public safety, the monetary interests of the state or the suppression of criminal offences;

b. protecting the data subject or the rights and freedoms of others”


“4. Communication of data

4.1. Personal data collected and processed by network operators or service providers should not be communicated, unless the subscriber concerned has given in writing his express and informed consent and the information communicated does not make it possible to identify called parties. The subscriber may revoke his consent at any time but without retroactive effect.”


“6.1. Network operators and service providers should take all appropriate technical and organisational measures to ensure the physical and logical security of the network, services and the data which they collect and process, and to prevent unauthorised interference with, or interception of, communications.

6.2. Subscribers to telecommunications services should be informed about network security risks and methods for subscribers to reduce the security risks of their messages.”


“7.20. When providing and operating a mobile telephone service, network operators and service providers should inform subscribers of the risks for secrecy of correspondence which may accompany the use of mobile telephone networks, in particular in the absence of encryption of radiocommunications. Means of offering encryption possibilities or equivalent safeguards to subscribers to mobile telephone networks should be found.”

Theoretically, if no data security is in place, what would be the consequences of unprotected data for the patient?

  • Harm in dignity: probably no. Heart failure is usually not stigmatized.
  • Social harm: probably no. No one else will be directly affected by the heart failure of the patient.
  • Harm as decreased chances on the market: job market - probably not for persons aged 65+. Private (health) insurance market (higher contributions, refusal of contract) - probably not above the age of 65.
  • Potential for misuse by the provider according to civil law (like purchased life annuity)


Theoretically, in the case of too much data security or incompetent use of documented data (no availability of results for other providers, i.e. the patient’s local GP), what are the consequences for the patient?

  • results or suspicions are not available to other health care providers, which could mean double examinations for the patient and/or missed information (i.e. overlooked deterioration)
  • missed advantages of provider-networking

Wilbacher I, Rupel V. Result Card LEG5. In: Wilbacher I, Rupel V. Legal aspects. In: Jefferson T, Cerbo M, Vicari N [eds.]. Structured telephone support (STS) for adult patients with chronic heart failure [Core HTA], Agenas - Agenzia nazionale per i servizi sanitari regionali; 2015. [cited 3 October 2022]. Available from: