PRIVACY REGULATIONS FOR THE BRUSSELS HEALTH NETWORK REGARDING THE EXCHANGE OF DATA BETWEEN HEALTH PROVIDERS
1. Some definitions
- Brussels Health Network: the medical data-sharing network established by the Association Bruxelloise de Télématique Médicale [Brussels Association for Medical Telematics] (Abrumet asbl, a non-profit association).
- EPR or electronic patient record: computerised file containing all of the data regarding the management of the patient. The EPR is composed of the medical notes and record, nursing care record and the administrative file .
- Treatment relationship: the care relationship entered into between a professional practitioner and a patient.
- Care-related relationship: link established between a care provider and a patient.
- GDPR: General Data Protection Regulation on the processing of personal data and the free movement of such data.
- Patient Rights Act: Act of 22 August 2002 relative to patient rights.
- Healthcare providers: the care dispensers (doctors, nurses, physiotherapists, etc.) and care institutions where they work.
- Care provider: any person or party providing care to a patient.
- Medical profile: medical field in which the care provider works (surgery, general medicine, physiotherapy, etc.).
- Item of data: any information relative to the patient. An item of data may also consist of a whole document.
- Publication: viewing via the Brussels Health Network of an item of data.
- Legal representative: person designated pursuant to an applicable piece of legislation for the purpose of representing and defending the interests of the patient. The legal representative acts in the name and on behalf of the patient.
- Unique identifier: unique sector-specific personal identification number in the health field stated in article 7, §3 of the decree relative to the platform for exchanging health data.
- Health data: item of data processed in the context of the care dispensed.
- Data safe: a service for hosting the details of health providers without an appropriate IT infrastructure, in the aim of enabling them to participate in the health data-sharing system 24/7.
2. What is the Brussels Health Network?
Managed by the non-profit association Abrumet asbl, the Brussels Health Network is a network for sharing medical data. It links all Brussels and Belgian hospitals with care providers registered on the Brussels Health Network and makes it possible to list patient data (examination results, medical reports, letters, etc.) shared by healthcare providers.
The network’s main mission is to strengthen communication between healthcare providers with the constant aim of improving the quality of care dispensed to patients.
Participating in the Brussels Health Network is voluntary. As a result, the Brussels Health Network can never guarantee the exhaustive nature of the patient’s data. Publication of the Sumehr (Summarised Emergency File) by the general practitioner is desirable, but not mandatory.
3. Is access to your data protected?
We apply a strict data access policy and only healthcare providers have access to said data under 3 conditions:
- The patient must have consented to the electronic sharing of his or her data for the continuity of care.
- The healthcare provider has to access the patient’s data in order to provide care or advise the patient (he or she therefore does not have the right to access said data for occupational medicine purposes, for instance).
- The healthcare provider must have a treatment or care relationship with the patient who consents thereto. The notion of treatment or care relationship encompasses any healthcare provider who is involved in the continuity of a patient’s care, including medical analysis or imaging specialists.
Any action carried out on data in the Brussels Health Network is traced:
- Overall trace of accesses: This is the list of care providers who have accessed the patient’s data. For each of them, the Brussels Health Network has a record of the days on which access was recorded.
- Detailed trace of accesses: This is the detailed list of all accesses to all data for a patient. For each access, the Brussels Health Network has details of the identity of the person connecting, the exact time the data were viewed, the institution from which the call came, and the identification of the document viewed.
4. Who is the controller of the processing of your health data?
The healthcare providers remain responsible for the processing of the patient’s data.
The Brussels Health Network is a subcontractor of the healthcare providers in the sense of the GDPR in terms of the exchange of personal health data via the network.
It acts both as a network and as a data safe:
- As a network, it allows access to data that continue to be hosted in connected medical institutions.
- As a data safe, it hosts securely the data of private practitioners.
The Brussels Health Network is responsible for the processing which consists of creating the unique patient identifier necessary for exchanging health data within the network.
5. What are the limits of liability?
The website and the “private space” or “personal health portal” contain hyperlinks to other websites as well as references to other sources of information such as other health networks in the country. These are placed at the user’s disposal for information only. The Brussels Health Network declines all liability for any damage that may result from viewing information contained on other sources of information in general, to which the user is redirected by the “private space” application.
6. Which data are processed by the Brussels Health Network?
The Brussels Health Network processes the data required for its proper operation and which are used to validate requests for action, both from patients and healthcare providers.
These data consist of:
- Identification of patients,
- Memorisation of their informed consent for sharing health data in the context of continuity of care,
- Memorisation of their membership,
- The references to decentralised medical records,
- Access logs,
Concerning healthcare providers:
- Identification of healthcare providers,
- Memorisation of their membership,
- References to decentralised medical data,
- Access logs,
- Number of consultations per GP,
- Number of Sumehrs published per GP,
- Number of patients registered per GP,
- Number of Sumehrs linked to the number of patients,
- E-mail address to be used for all communication in the event of a security breach
7. Where are your data hosted?
Your health data published by healthcare providers are hosted and stored on the servers of said healthcare providers (hospitals and medical laboratories) or in the secure data safe provided by Abrumet.
8. Who has access to which document on the Brussels Healthcare Network?
8.1 Conditions of access by a care provider
The aim is to define whether a care provider has permission (i.e. may or may not) carry out an action (e.g. to view) on an item of data for a specific patient, based on a particular context (attending physician or on-call doctor, for example).
For permission to be granted:
- The patient must have consented explicitly to the sharing of his or her data (= informed consent)
- The care provider must have explicitly agreed to these regulations, which imply consent to the connection contract of the Brussels Health Network.
- The healthcare provider must have declared the item of data to be relevant for an exchange.
- This declaration must not be accompanied by a general or specific exclusion of the care provider.
- The care provider must have the right to carry out the action (view) for this type of data. Specific rights are required to enable different types of care provider to access different categories of health data. It should be remembered that these are “default” access rules and that there are also access variation mechanisms at the level of each document. Cf. access matrix, page 6 of the General Privacy Regulations.
- The care provider must have declared a care-related or treatment relationship with the patient (attending physician or on-call doctor, for example). When a care professional refers his or her patient to another care professional, he or she can declare a treatment relationship between his or her patient and this other health professional with the informed consent of his or her patient or at his or her patient’s request.
8.2 Conditions of access by a patient
Patients registered with the Brussels Health Network can manage their access rights through their “private space” as set out in Article 9 below.
9. What are your rights as a patient and how can you exercise them?
9.1 How can you participate in this sharing of data by and between healthcare providers?
Health data in the Brussels Health Network may not be shared without the prior, explicit and informed consent of the patient.
The patient’s informed consent for the sharing of his or her health data can be declared either by the patient or his or her legal representative, or by a healthcare provider, a pharmacist or mutual insurance company.
Consent given by the patient for the sharing of data within the Health Network also applies for the federal portal at http://masante.belgique.be. To be clear, the data published on the Brussels Health Network will also be accessible via the federal portal at http://masante.belgique.be in compliance with the rules set out in these regulations.
Registration of consent can be made via various channels, including the federal portal at http://masante.belgique.be or through one of the Belgian health networks (hub). As a hub, the Brussels Health Network is part of the policy of national consent registrations, using the means set out in the next point.
9.2 How to become an active user of the Brussels Health Network
The patient becomes an active user of the Brussels Health Network when he/she registers with one of the hubs on the (federal) e-Health platform. This registration process includes the recording of the consent mentioned above, if it has not been given elsewhere.
The patient must be 16 or older to register with the Brussels Health Network and be able to access his or her shared health file. Patients under 16 have to be registered by their legal representative.
This registration allows access to the private space on the Brussels Health Network website through authentication with the user’s electronic identity card or “itsme” app.
Registration can be made:
- Directly by the patient on the website using his or her Belgian eID or ITSME
- By the Brussels Health Network administrative office, based on written requests from patients, accompanied by a front/back copy of the patient’s identity card. In the case of legal representation, the request must be accompanied by a front/back copy of the legal representative’s identity card, as well as a document proving the identity of the patient represented and the status of the representative.
9.3 How to cancel a reference to an item of data / delete a medical document?
Deleting a medical document in your health file is also referred to as dereferencing or deleting the reference of this health document.
Data or their reference can be deactivated in the event of an error or at the request of the patient by the professional who published this information.
9.4 How to withdraw your consent to the electronic sharing of your data
If you withdraw your consent, neither you nor any doctor will have access to documents shared via the health network. Please note that your GP can still receive your medical documents through other communication channels (post office, secure e-mail box, etc.).
You can withdraw your consent at any time in the same way that you granted it, i.e.:
- Directly via your “private space” on the Brussels Health Network website; or
- Via the attending physician; or
- Via the hospital; or
- By sending a signed revocation request to the Data Protection Officer of the Brussels Health Network (email@example.com). This request must be accompanied by a front/back copy of the identity card of the person making the request. Revocation only becomes effective when it has been processed by the Brussels Health Network.
The system will soon enable the patient’s death to be registered, which will modify access to his/her records, in accordance with the applicable legislation, including the Act of 22.08.2002 to patient rights and the GDPR.
9.5 How to manage the data access rights
The way in which access rights are opened to care providers is set by these regulations
Via his or her “private space” on the Brussels Health Network website, the patient can access the list of care providers who have accessed the patient’s records. Patients can also obtain this list, or more detailed information from the Data Protection Officer at the Brussels Health Network (firstname.lastname@example.org) by sending a signed written request or electronically signed e-mail, accompanied by a front/back copy of the patient’s identity card or, if the patient is declared represented on the Brussels Health Network, his her representative’s identity card.
The patient can block access to his or her data for one or more care providers, either directly via his or her “private space” on the Brussels Health Network website, or by sending a signed written request or electronically signed e-mail, accompanied by a front/back copy of the patient’s identity card or, if the patient is declared represented on the Brussels Health Network, his or her representative’s identity card to the Data Protection Officer (email@example.com) of the Brussels Health Network. This action can also be taken, although only by the patient, using the federal eHealthConsent (https://www.ehealth.fgov.be/idp/Authn/Profile) app. Exclusions of providers made at a federal level and at the level of the Brussels Health Network are valid everywhere in Belgium.
In the same way, the patient can block the publication of one or more items of data relating to him/her by contacting the author of the document directly.
9.6 How can the patient access health data?
9.6.1 Private space
The Brussels Health Network gives the registered patient access to its “private space” application via its website. By using the “private space” application of the Brussels Health Network, the user fully and unconditionally accepts the privacy regulations and undertakes to comply with them. If the user refuses, he/she will be required to refrain from using the “private space” application of the Brussels Health Network.
9.6.2 Children under 16
The legal representative has access to the shared file of a child under 12 registered with the Brussels Health Network, provided that he or she is declared as the representative of this child.
For children aged 12 to 16 years, only healthcare providers with a treatment relationship with the child have access to his or her computerised health file to the exclusion of any other person, including the legal representative, who may always exercise the rights of the minor via the healthcare provider in accordance with the Patient Rights Act 22 of August 2020.
9.6.3 Accessible functions
Via his or her private space, the patient has access to the following functions detailed in the regulations:
- Revocation of the patient’s registration; (9.4)
- Rules for accessing data via the Brussels Health Network; (9.4,9.5)
- Exclusion of a professional practitioner from accessing shared data; (9.5)
- Control of access to shared documents; (8.1, and 8.2)
- Access to the contents of shared data by the patient; (9.5)
- Registration of a person of trust and a representative; (9.7. and 9.8 )
9.6.4 What documents do you have access to?
Subject to the exceptions stated in the applicable legislation, including the Act of 22.08.2002 relative to patient rights and the special terms set by the health providers in the best interests of patients, the patient can access the contents of health data shared once it has been posted on the Brussels Health Network by the care providers who are the authors of the data.
Any care provider who is the author of the information can decide not to make all or part of the health data accessible to the patient, albeit while complying with the applicable legislation, including the Act of 22.08.2002 relative to patient rights and the GDPR. If the patient does not have access to his or her data via the health portal, he or she must ask the author of the document or the institution in which the latter works (hospital or laboratory, for example).
9.7 Can the patient designate a person of trust?
Yes, the patient can designate a person of trust of his or her choice, who will guide him or her and take his or her place for consulting the patient’s data shared via the Brussels Health Network. The identity of this person can be recorded in the Brussels Health Network (an area is provided for this purpose in the patient’s “profile”).
A person of trust can be registered with the Brussels Health Service
- Either by the patient, by entering the details of the person of trust’s identity via the secure portal of the Brussels Health Network;
- Or via a care institution or through the administrative manager based on a form signed by the patient and the person of trust. This request must be accompanied by a front/back copy of the identity card of the patient and of the patient’s person of trust.
9.8 What happens if the patient is not able to exercise his or her rights? (legal representative and minors)
When a patient is not able to exercise his or her rights (as in the case of an underage person (minor) who is unable to fully understand his or her interests, or an adult who is unable to express what he or she wants, etc.), his or her representative (legal representative, representative designated by the patient, or representative designated pursuant to the Patient Rights Act, administrator acting for the person) will exercise his/her rights in accordance with articles 12 to 14 of the Patient Rights Act.
This representative, called the “Legal trustee”, can be registered in the patient’s details in the Brussels Health Network. Any request for information must be made in the exclusive interests of the patient. The professional practitioner can refuse access to the patient’s data pursuant to protection of the patient’s privacy under article 15 of the Patient Rights Act.
Registration of the legal trustee with the Brussels Health Network can be carried out:
- either via a hospital, or
- by the administrative manager at Abrumet, based on the form signed by the legal trustee and the supporting documents confirming this role.
9.9 How can you assert your rights laid down by the GDPR (right of access, right of correction, etc.)
Any request relating to the exercise of the data subject’s rights set by the GDPR (right of access, right of correction, etc.) must be addressed to the controller, i.e. the healthcare provider. For these rights to be exercised effectively, however, the request may be addressed to the Data Protection Officer of the Brussels Health Network (firstname.lastname@example.org) who will forward it to the competent controller as soon as possible for appropriate action.
Subject to what is stated in these regulations, any request relative to the exercise of the rights of the person in question, as set by the GDPR, must be sent to the data controller, i.e. the health provider. To enable the effective exercise of these rights, the request can also be sent to the Data Protection Officer of the Brussels Health Network (email@example.com), who will pass the request on as soon as possible to the relevant data controller to follow up.
10. Who is responsible for the quality of information?
The data available via the “private space” of the Brussels Health Network is deemed correct at the time of its publication by care providers or hospitals, although it may have become inaccurate or out of date at the time the data is viewed. As a result, no guarantee can be given regarding the quality, accuracy or exhaustive nature of each item of information viewed in the “private space” application via the Brussels Health Network website.
The contents of the Brussels Health Network website and the “private space” application (including links) may be adjusted, modified or added to at any time without notice or communication.
11. Who is responsible for the use of the data?
The Brussels Health Network declines all liability for damage that may result from the use of information obtained through the “private space” application. This includes, without limitation, all indirect damage, losses, interruption to work, damage to programs or data on the IT system, hardware, software, etc. of the patient. It is the responsibility of the patient to take all precautions to ensure that what he or she selects for his or her use is free of any virus, worm, Trojan horse and other elements that may damage the patient’s data or hardware.
As a result, the patient is entirely responsible for any use that he/she makes of the information obtained via the “private space” application.
12. Who to contact with a complaint
A Data Protection Officer (DP) has been designated by the Brussels Health Network, in line with articles 37 and following of the GDPR.
The DPO may be contacted for all questions or complaints relating to these regulations (firstname.lastname@example.org).
However, for all requests that do not come under its remit, such as requests linked to the exercise of a right granted by the Patient Rights Act, the DPO may pass on the question or complaint to the data controller, which is the only party able to follow it up.
You can also file a request for mediation or lodge a complaint with the Data Protection Authority (https://autoriteprotectiondonnees.be/citoyen)