12th May 2009

Outstanding issues arise when considering the international health data exchange scenario, the following being a non-exhaustive list: data transfer abroad (relationship between data controller(s) allocated in country A (of affiliation) and in country B (other EU country of treatment); legal competence to access to patient’s medical record by foreign medical staff; security measures to protect personal data at all time of communication; trustworthiness for the updating of a medical record by foreign health professionals; and e) trustworthiness for the authorization of foreign health professionals.

An in-depth analysis of these issues associated with the epSOS use cases was performed by the epSOS legal team in project domain 2. The overarching objective was to reach an understanding of how the existing legal and regulatory systems in the 12 member states involved in epSOS address such issues. An analysis of EU and national situations lead to the determination of potential constraints and hence a set of recommendations on how epSOS should best deal with them.

The main challenge faced by the epSOS legal experts is to explore the interoperability of legal and regulatory systems without attempting to intervene in the existing legal frameworks of the 12 participating countries. As an analogue to the technical domain, a “legal interoperability layer” or a ‘Trust Network’ is suggested at the EU level, incorporating standard legal requirements and audit mechanisms.

The approach to be taken in epSOS is to establish a National Contact Point (NCP) by each participating country. The NCP acts as a bridge between the existing different national IT infrastructures and the common European infrastructure, created in the project. At this phase of the project, it is suggested that the NCP takes care of all external and internal national communication in epSOS and the semantic mapping between information on either side. The NCPs will be furthermore responsible towards all member states that are partners in epSOS for securing that the needed processes are properly implemented at their own networks (typically, points where care is delivered ). It is therefore at this level where the epSOS Trust Framework is envisaged. It is anticipated that requirements for data protection and confidentiality will be largely driven by EU legislation transposed into national laws. This area will be the one of greatest epSOS influence which will later materialize in a set of Standard Contract Terms, to be developed by the legal team at the level of the NCPs network. Health care systems are not to be influenced and the role of the project is understood as work with what is already available, especially in areas where transposition of EU directives has taken place. There are, however, aspects of fundamental legislation issues that are not regulated at the EU level, e.g. regulations on medicines in each country that will need to be dealt with on a case by case basis.

Regarding legislation as a facilitator and based on a robust methodology, the legal team is now entering into the Specification and Implementation phase of the project, where the preconditions for field testing will be further reviewed and detailed, in close cooperation with the other epSOS work packages and important stakeholders represented in the Calliope network.