Information on patients’ health disclosed remotely
The law in Poland is quite precise about who can be given information about a family member’s health, and in what situations. But when contacted by a family member by phone, how can the healthcare provider verify the caller’s identity? And can a hospital in principle refuse to provide information by phone?
In connection with the epidemic and the accompanying limitations on exercise of patients’ rights to information, alternatives for providing information about patients’ health to authorised persons are coming to the fore. Under a cooperation agreement between the Patients’ Rights Advocate and the President of the Personal Data Protection Office signed on 21 July 2020, the guidelines for exercise of the right to information by authorised persons at a distance cover how to do this in practice. The guidelines contain recommended solutions enabling authorised persons to obtain information about a patient’s health remotely, taking into account the patient’s rights as well as data protection rules.
No provisions of the Act on Patient Rights and the Patients’ Rights Advocate prohibit remote communication. However, health data is a category requiring special care and safeguards appropriate to the remote form. The guidelines address the rules for remote contact with a person authorised by a conscious patient, and also with a family member whom the patient, due to his or her health condition, was unable to authorise to obtain information about his or her health.
Legally, a family member (literally a “close person”) means:
- Relatives up to the second degree (the patient’s parents, grandparents, children and grandchildren)
- Relatives by affinity up to the second degree in a direct line (spouse, parents-in-law)
- Cohabiting persons
- Persons authorised by the patient.
Under the guidelines, healthcare entities should create appropriate technical and organisational conditions so that patients can easily communicate. However, a data protection risk analysis of this communication is also necessary. It is only through this analysis that detailed rules of conduct can be defined. The guidelines provide recommendations that will allow facilities to implement patients’ right to information in compliance with privacy laws, both during and after the COVID-19 epidemic.
Special care must be taken when providing data remotely, as it is very easy to make a mistake which may result in data being disclosed to an unauthorised person. Therefore, the guidelines recommend drafting internal procedures and interview scripts to allow for proper verification and to prevent excessive data capture. They also point to the need to provide conditions allowing for confidentiality and security of connections.
Obtaining information about a family member’s health condition in practice
From the point of view of a family member, even learning where the patient is hospitalised can be problematic. According to the current provisions, if a patient is isolated in a hospital or if there is a ban on visits to a facility, a doctor may provide information about the patient’s health condition to a family member by phone, provided that the family member has previously been authorised and the doctor verifies the person’s identity over the phone.
But what if no such authorisation exists?
The problem is that the issue of informing third parties of the health condition of a hospitalised patient over the phone is not regulated by law.
Pursuant to Art. 31(2) of the Medical Profession Act, a doctor may provide information on a patient’s health condition to others with the consent of the patient or the patient’s statutory representative. Such a person is indicated by the patient by providing the person’s details and usually a telephone number. However, if the patient is under age 16 or is unconscious or unable to understand the information, then, regardless, the doctor has a duty to provide information about the patient’s health condition to a family member of the patient. This also follows from the Medical Profession Act.
Additionally, Art. 28(2) of the Medical Activity Act states: “At the request of the police, an entity running medical activity shall provide information that a missing person has been admitted.” Thus the law does not expressly require the doctor to provide information about the patient’s health condition over the phone, but this possibility has not been ruled out.
Certainly, it is unacceptable to proceed on the basis of a flat refusal to provide information on the patient’s health condition, including his or her stay at a medical facility, without any attempt to consider the request individually and verify the caller. If the caller states that they are a legal representative of the patient, or has otherwise verified their identity (for example, by providing their PESEL number, date of birth or middle name), the healthcare facility should share information with the caller on whether the family member is in the hospital and what his or her condition is. If hospital calls are recorded, such verification provides sufficient assurance that the healthcare provider has exercised due diligence in verifying the caller. If calls are not recorded, a hospital staff member should prepare a staff memo documenting the call.
Family members yes, police no
While a doctor may provide information over the phone to a person authorised by the patient (subject to verification), the same information cannot be shared with a police officer. Information on the fact that a patient has been hospitalised may only be given by a person authorised to speak on behalf of the healthcare provider.
A doctor who provides such information could be liable for breach of the General Data Protection Regulation, medical confidentiality, or the patient’s right to medical data confidentiality. The potential sanctions could be severe.
Małgorzata Sokołowska, attorney-at-law, Life Science & Healthcare Practice, Wardyński & Partners