eHealth: Belgian approach with specific attention to research support 27/05/2014 Frank Robben General manager of the eHealth platform Quai de Willebroeck 38 B-1000 Brussels Website eHealth platform Personal website:

Overview overview of the eHealth platform multidisciplinary data sharing and value-added services in the pharmaceutical sector privacy legislation - processing of health data for research purposes 2 27/05/2014

Overall objectives of the eHealth platform how? – through a well-organised, mutual electronic service and information exchange between all actors in health care – by providing the necessary guarantees with regard to information security, privacy protection and professional secrecy what? – optimisation of health care quality and continuity – optimisation of patient safety – reduction of administrative burden for all actors in health care – thorough support of health care policy and research 27/05/2014 3

eHealth platform In practice The patient consults his doctor Administrative advantages Possibility to register therapeutic relationships and informed consent 4 27/05/2014

Medical advantages eHealth platform In practice Laboratory results Look up medical history through the SumEHR Medication schedule Online advice and guidelines Electronic medical referral form Electronic prescriptions 5 27/05/2014

Adminis- trative advantages eHealth platform In practice Tarification, billing Create and send certificates Update SumEHR, medication schedule,... Send a report to the GMF owner Registrations 6 27/05/2014

Basic services eHealth platform Network Basic architecture 27/05/2014 Patients, health care providers and health care institutions VASVASVAS Suppliers Users Overall objectives of the eHealth platform Overall objectives of the eHealth platform Health portal Health portal AVS Software health care institution Software health care institution AVS MyCareNet AVS Software health care provider Software health care provider AVS Site NIHDI Site NIHDI AVS VASVASVAS 7

10 missions 1.development of a vision and a strategy with regard to eHealth 2.organisation of collaboration between other government agencies charged with coordinating electronic services 3.acting as a key driver for the necessary changes in order to carry out the vision and strategy with regard to eHealth 4.establishing the functional and technical norms, standards and specifications and the basic ICT architecture 5.registration of software for management of electronic patient files 27/05/2014 8

10 missions 6.creation, development and management of a cooperative platform for safe electronic data exchange with the corresponding basic services 7.to agree on task division and quality standards with regard to information storage, and to verify whether these standards are complied with 8.as an independent trusted third party (TTP), being in charge of the coding and anonymisation of personal health data for the benefit of specific agencies, as established by law, in order to support scientific research and policy 9.promoting and coordinating the development of programs and projects 10.managing and coordinating the ICT aspects of data exchange within the framework of electronic patient files and electronic medical prescriptions 27/05/2014 9

10 basic services 27/05/ integrated user and access management 2.orchestration of electronic subprocesses 3.portal environment ( 4.logging management 5.system for end-to-end encryption 6.personal electronic mailbox for each health care provider (eHealthBox) 7.timestamping 8.coding and anonymisation 9.consultation of the National Register and of the Crossroads Bank Registers 10.reference directory (metahub) 10

Value-added services 65 value-added services in production  40 value-added services under study Some general examples of value-added services : registration in and consultation of the Cancer registry, the registry of hip and knee prostheses (Orthopride), the registries of care provided for heart implants (Qermid), the shared electronic arthritis file, including electronic processes for the reimbursement of anti- TNF medication (Safe) PROCARE RX allows radiologists to upload and send anonymous X-rays and information to experts for review or a second opinion reports on MUG interventions Resident Assessment Instrument (BelRAI) electronic medical card for people without documents (eCarmed) consultation of living wills regarding euthanasia electronic registration and consultation of the medical evaluation of disabled people electronic birth registration – eBirth 27/05/

Cornerstone: Multidisciplinary data sharing 1.data transmission – snapshot of the data – sender chooses recipient – sender is responsible for sending the data only to recipients who are entitled to have access to these data 2.data sharing – evolutive data – the source does not know in advance who will consult the data (e.g. on-call GP) – necessity of clarifying which people are entitled to have access to the data 27/05/

Data transfer: eHealthBox: sending of messages to "actors in health care" – based on national Register number NIHDI number CBE number – through web application or integrated into the medical file – with (or without) encryption based on eHealth certificates/ eHealth keys – other functionalities receipt, publication and reading confirmation reply & forward check multiple mailboxes priority level auto delete – an average of 2.4 million messages sent per month to the eHealthBox (multiple recipients) – an average of 2.2 million messages downloaded per month through the eHealthBox 27/05/

eHealthBox: currently 14 27/05/2014

eHealthBox: in future 15 27/05/2014

Multidisciplinary data sharing 1.data from hospitals – sharing of documents between hospitals and doctors – “hubs and metahub system” 2.extramural data – sharing of structured data between first-line health care providers and other extramural health care providers – “extramural vaults” – shared pharmaceutical file 3.coupled and interoperable – standards – informed consent – therapeutic relationship/ health care relationship 27/05/

Hubs & Metahub system: Creation of the "hubs" 5 hubs 3 technical implementations 98 % of Belgian hospitals (have signed the 2012 protocol) 27/05/

Hub-metahub: currently 18 27/05/2014

Hub-metahub: in future A C B 1: Where can we find data? 3. Retrieve data from hub A 3: Retrieve data from hub C 4: All data available 2: In hub A and C 19 27/05/2014

Extramural data 1/2 supporting the development of data exchange platforms for all sorts of extramural health care providers (GPs, dentists, pharmacists, physiotherapists, home nurses, dietitians, psychologists,...) – in cooperation with Communities (first-line health care conference in Flanders, the Intermed initiative in Wallonia) – for the disclosure of data via the hub/metahub system between local information systems of extramural health care providers and between these systems and the information systems of health care/welfare organizations – for the interaction with extramural vaults awaiting development – by reusing the basic services of the eHealth platform and by making use of several achievements of the developed data sharing platform between hospitals and GPs/doctors 27/05/

Extramural data 2/2 A C B Inter- Med 21 27/05/2014

Data sharing Each actor keeps their own file up to date However, they can decide to share parts of the file with other actors Examples: medication schedule SUMEHR parameters journal … 22 27/05/2014

Access for health care providers having a "health care relationship" depending on their role No access for IT administrators, hoster,.. eHealth platform authorities without the active cooperation of the owner of the 2 nd key Vault Governance Archiving Management Vault data Authentication...Authorisation Data quality Encryption Decryption Authentication Vault connector Treshold decryptie Trusted 3rd party Vault core 23 27/05/2014

24 Shared pharmaceutical file

Informed consent & therapeutic relationship content of informed consent – for registration in the reference directory (as required by the eHealth law) – for the electronic exchange of health data between health care providers within the framework of patient health care, as long as the following conditions are met: approval by the Sectoral Committee therapeutic relationship required only relevant data the patient decides, in consultation with the health care provider, which data will be shared health care providers may be excluded by name possibility of a posteriori verification of the granted access consent may be revoked at any given time 27/05/

registration of informed consent – patient is informed about the system – specific procedure approved by the Board of Directors and the Sectoral Committee – consent can be registered through eHealth consent either by the concerned person themselves or by a doctor, a pharmacist, a hospital or a health insurance fund – ligne/ehealthconsent therapeutic relationship – only health care providers who have a therapeutic relationship with the patient (1) can access the information they need to perform their task (2) (1) proof of therapeutic relationship determines which patient the health care provider has access to (2) role determines which type of data the health care provider has access to Informed consent & therapeutic relationship 26 27/05/2014

Value-added services some specific examples of value-added services in the pharmaceutical sector : – simplification of Chapter IV requests: optimized electronic processes to obtain access to reimbursement of certain healthcare costs: complex programme with several stakeholders – system for electronic prescriptions for pharmaceutical products 27 27/05/2014

Chapter IV requests: former paper flow A couple of days After many days Sickness fund medical advisor Prescriber Pharmacy 27/05/

Chapter IV requests: currently A few seconds Prescriber Sickness fund medical advisor A few seconds Pharmacy 27/05/

27/05/ Recip-E: currently

Recip-E: in future 27/05/

27/05/ Privacy Legislation European Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Transposition in Belgium : – Act of 8 December 1992 on the protection of privacy in relation to the processing of personal data (hereafter 'Privacy Act') – Royal Decree of 13 February 2001 implementing the Act of 1992 on the protection of privacy in relation to the processing of personal data

Processing of health data for research purposes qualitative support of health care policy and health care research can only be based on authentic sources complying with quality and availability requirements 33 27/05/2014

Processing of health data for research purposes Article 8 Directive / Article 7 Privacy Act : prohibition to process health-related data exceptions: – explicit (written) consent of the data subject – exemptions of substantial public interest laid down by national law or decision of supervisory authority and subject to provision of suitable safeguards: necessary for the promotion and protection of public health, including medical screening of the population obligation by or by virtue of a law, decree or ordinance for reasons of important public interest necessary for scientific research 34 27/05/2014

Further processing of health data for research purposes proportionality cascade: anonymous data, encoded personal data, non-encoded personal data – encoding can be carried out by: controller (of initial processing) or processor appointed by him independent intermediary organization (compulsory in case data are obtained from multiple controllers) transparency - duty to inform - consent – non-encoded personal (health) data: in principle – duty to inform with regard to data source – explicit consent (opt in) necessary except for: – impossibility or disproportionate effort – data disclosed by data subject 35 27/05/2014

Further processing of health data for research purposes transparency - duty to inform - consent – encoded personal (health) data in principle: – duty to inform with regard to data source – right to object (opt out) except for: – impossibility or disproportionate effort – intermediary organization in charge of encoding is administrative government in charge of encoding by law coding and anonymization (basic service of the eHealth platform) – makes it possible to hide the identity of individuals behind a code, so that the useful data of these individuals can be used without infringing on their privacy – makes it possible to anonymize data by replacing patients’ detailed characteristics with generalised characteristics. These encoded or anonymised data preserve their usefulness, but without allowing the direct or indirect identification of the person 36 27/05/2014

Trusted Third Party (TTP) Use Case : A university wants to study the impact of a medical treatment on patients by crossing medical informations from multiple sources (hospitals, cancer registry, insurance, …)  Most of these medical information is confidential and highly sensitive  Warranty must be provided that privacy, professional secrecy and patient rights are not violated when medical data are communicated 27/05/

Trusted Third Party (TTP) Solution : – eHealth platform assumes the role of « trusted third party » (go-between organization) between instances identified by the law – eHealth platform, by coding patient ID’s such as SSIN (Social Security Inscription Number), ensures that a patient cannot be identified directly or indirectly and thus that privacy, medical secret and patient rights are well respected – this role is executed under the supervision of a Sectoral Committee 27/05/

In practice eHealth platform doesn’t perform consolidation or small cell risk analysis > this role must be assigned to a Data Manager 27/05/ By this way only eHealth platform can relate patientID’s with the code and separation between data sources and researchers is guaranteed reidentification of a patient can thus only be performed via eHealth platform medical data (=MD) must normally be encrypted by the source > by this way eHealth platform has only access to the patientID in most cases, this process can be automated by using the eHealthBox Researcher

Useful links all information concerning eHealth platform TTP service is available at the eHealth portal (FR) (NL) information requests can be submitted by mail at the address: 27/05/

THANK YOU! /05/2014