Health Professional Information Notice (HPIN) about MyHealth@EU services

From NCPeH CY
Revision as of 13:55, 10 October 2024 by Mchris44 (talk | contribs)
Jump to navigation Jump to search

(I) General information about MyHealth@EU

What is MyHealth@EU?

MyHealth@EU, also called the eHealth Digital Service Infrastructure (eHDSI) enables the safe processing of your personal data, related to your role as a healthcare professional involved in the treatment of patients and the provision of medicines. This is done by electronic means through secure gateways provided by National Contact Points for eHealth (NCPeH) designated by each country. Each country identifies which organization assumes the responsibility as a data controller for the processing of your data, as this is subject to the country's legislation. See the last page for information specific to this country.

Which categories of your data are exchanged?

1) Patient summary – the most important information about your health is collected from the country where it is stored, such as your home country, in order to use it for treatment in another country. The patient summary includes relevant information needed for identifying the health professional that is treating the patient:

  • Name of the health professional - Name of the Health Professional that has been treating or taking responsibility for the patient,
  • Role of the health professional - The health professional's role in the organisation (i.e., healthcare provider),
  • Health professional's organisation - Name of the health professional's organisation (i.e., healthcare provider),
  • Telephone no. - telephone number of the health professional at the organisation (i.e., healthcare provider),
  • Email - Email of the health professional or organisation (i.e., healthcare provider),
  • Network affiliation - the health professional's organization that is affiliated with a European network, e.g., the European Reference Networks (ERN),
  • Related with - Identification of the entry or entries of this Patient Summary for which the health professional is the preferred contact.

2) Electronic prescription and dispensation - the patient can get a prescription for medicine from a healthcare provider in one country and receive medication through a pharmacy in another EU country. The electronic prescription contains essentially the same information as a regular paper prescription, i.e. identification of the prescriber, the patient and the medicine prescribed. The electronic dispensation includes information about the medicine dispensed. This information will be sent by the pharmacy back to the country that issued the prescription. ePrescribing is defined as prescribing medicines through the support of software by a health professional who is legally authorised to do so, so that the medicine can be dispensed by a pharmacy, and eDispensation (eDispensing) is defined as the act of electronically retrieving a prescription and reporting on the dispensation of the medicine to the patient as indicated in the corresponding ePrescription. Hence, the following information is included: a) data used to identify the health professional who is entitled (according to national law) to prescribe medicinal products, and b) data used to identify the health professionals/health care providers who are entitled (according to national law) to dispense medicinal products.

To identify the prescribing health professional, the following information is processed:

  • Family name - The family name/surname/last name of the prescriber. This enables the prescriber to be traced in the event of questions or emergencies,
  • Given name - The given name/first name of the prescriber. This enables the prescriber to be traced in the event of questions or emergencies,
  • Professional qualifications - The professional title of the prescribing health professional, which may be used to prove the authority of the prescriber,
  • Details for direct contact - Details for direct contact could be an email address and/or phone/fax number of the prescriber in order for the dispenser and/or patient to contact the prescriber. This might be necessary if problems arise with dosage, allergies, reimbursement etc.,
  • Work address - This is the address of the hospital or the practice, etc. where the health professional normally works, meets patients and prescribes medication. Minimally, the country is specified,
  • Signature - Digital signature or token as proof of the authenticity of the prescriber,
  • Health care provider identifier - A unique number or code issued for the purpose of identifying a health care provider [ISO/TS 27527:2010]; this may be a license or registration number which can be used to trace the prescriber and to check whether a medicinal product was prescribed by the right person according to the law of the prescribing country.

3) Original clinical documents – documents containing your health information, such as laboratory results, hospital discharge letters, and medical images. This personal data is available in so far as it is already recorded in electronic form in your home country. The source(s) of this data varies from country to country. See the last page for information specific to this country.

What is the legal basis for the use of your personal data?

The MyHealth@EU services will become available for you depending on the conditions set individually by each country. When the patient receives treatment or medicine abroad, your data will be recorded in the country of treatment (or medicine dispensation) according to the EU General Data Protection Regulation, the national legislation of that country and the internal rules of the particular healthcare provider. Emergency situations may justify the use of your data for the treatment of the patient without the patient’s consent. See the last page for information specific to this country.

What is the purpose of the processing?

The primary purpose for processing your data is the medical treatment of your patient or the provision of medicine. However, due to the national legislation of each Member State, there may be additional purposes. See the last page to check if such additional purposes are applicable to this country.

Who processes and has access to this data? (recipients of personal data)

Your personal data will be accessible by the National Contact Points for eHealth, i.e., entities that process your data to ensure its secure transmission to and from the specific healthcare organization or pharmacy, logging, or other related activities. The list of data processors is indicated on the last page.

Where and for how long is the personal data stored?

The collected personal data may be stored in the information systems of the health institutions both in your home country and the country of treatment or dispensation of medicine. The data shall be stored for no longer than is necessary for the purpose for which your personal data is processed. The storage period(s) in this Member State is indicated on the last page.

What are your rights and how to exercise them?

You have the right to access your personal data. Apart from that, you can exercise the rights of rectification, erasure, restriction of the processing and data portability. In order to exercise your rights, you may contact us. Contact details are available on the last page. Also, you have the right to lodge a complaint before the supervisory data protection authority.
The list of the national supervisory authorities can be found at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

(II Summary of Member State-specific information)

Member State CYPRUS
Service(s) provided by country
  • Patient Summary.
  • Electronic prescription and dispensation.
Data that is exchanged Patient Summary:
  • Identification of the patient/subject (National healthcare patient ID, Family name/surname, Given name, Date of birth, gender, Country of affiliation),
  • Contact information (Patient address),
  • Preferred HP to contact,
  • Contact person/ Legal guardian,
  • Insurance information,
  • Document data,
  • Author and Organisation (Author organisation, Legal authenticator),
  • Additional information / Knowledge resources (External reference, Related with),
  • Allergy, Medical alert information, Medical history (Vaccination/ Prophylaxis information, Resolved, closed or inactive problems, Medical history),
  • Medical problems (Current problems, Medical devices and implants, Procedures, Functional status),
  • Medication summary (Current and relevant past medicines),
  • Social history,
  • Pregnancy history (Current pregnancy status, History of previous pregnancies),
  • Patient provided data,
  • Results,
  • Plan of Care.

Electronic prescription and dispensation:

  • Patient administrative data (Family name/surname, Given name, Date of birth, Personal identifier, gender, Native language),
  • Authentication of the prescription (Identifier of the Prescription, Issue date),
  • Identification of the prescribing health professional (Family name, Given name, Professional qualifications, Details for direct contact, Work address, signature, Health care provider identifier),
  • Identification of the prescribed product (Name of the medicinal product, Identifier of the medicinal product, Identifier(s) of the pharmaceutical product, Identifier(s) of the packaged medicinal product, Marketing authorisation holder, Active substance(s), Strength of the active substance(s), Product classification, Pharmaceutical dose form(s), Unit of presentation(s), Package type, Pack size),
  • Prescription information (Quantity of prescribed product, Dose regimen, Number of units per intake, Frequency of intakes, Route of administration, Duration of treatment, Starting date of therapy, Directions for use, Prescription expiry date, Repeats, Reason for prescription, Substitution),
  • Dispensation information (Identifier of the dispenser, Family name of the dispenser, Given name of the dispenser, Identifier of the pharmacy, Address of the pharmacy, Details of direct contact, Identifier of the prescription, Medicinal product, Dispensed quantity, Dispensation date, Substitution).
Role of the Country in the data exchange
  • Accessing personal data from your home country.

(in case of electronic prescription, will also send dispensation details back to your home country).

  • Providing access to your data to other health professionals in other countries.
Legal basis
  • Your consent is needed before the service can be provided to you.
  • In case of an emergency to the patient, access to your data may be available also without the consent of the patient.

Applicable law(s):

Ο περί Ηλεκτρονικής Υγείας Νόμος του 2019 (neha.org.cy)

Ο περί Εφαρμογής των Δικαιωμάτων των Ασθενών στο πλαίσιο της Διασυνοριακής Υγειονομικής Περίθαλψης Νόμος του 2013 (cylaw.org)

Ο Περί Επεξεργασίας Δεδομένων Προσωπικού Χαρακτήρα (Προστασία του Ατόμου) Νόμος του 2001 - 138(I)/2001 (cylaw.org)

Restriction of access to specific data
  • You may restrict access to specific data.

Narcotic Drugs and Psychotropic Substances Regulations (Regulation 12).
More information about the restrictions you may set:

Cross-border prescriptions | Pharmaceutical Services | (moh.gov.cy)

Purpose of use
  • Treatment purposes.
  • Dispensation of medicinal products.
  • Research, policy-making, and other secondary uses.

https://www.neha.org.cy/en/national-contact-point/

Storage of data Your data will be stored for:

1) PSA data will be stored for 15 years from the last reviewing. 2) PSB data will not be stored. 3) Log data will be stored forever.

  • Data will be stored also for additional purposes.

Purpose: secondary use (anonymized databases).
Storage period: will be deleted upon the receipt of patient’s request.
Any restrictions that apply to the storage period: for secondary use all the data must be anonymized, all the data (for primary & secondary use) are stored encrypted.
Conditions under which the data can be erased ("right to be forgotten"), e.g., the right only applies to data held at the time the request is received. It does not apply to data that may be created in the future. The right is not absolute and only applies in certain circumstances.

Data Controller(s)

(You may need to contact the data controller for example in order to exercise your data protection rights)

Name: Rafael Michael
Address: 67Α Limassol Avenue, Aglantzia, 2121, Nicosia, Cyprus
Email: rafael.michael@neha.org.cy
Phone: +357 22436004

Data Processor(s)

Name: Vanthia Toumpouri
Address: 67Α Limassol Avenue, Aglantzia, 2121, Nicosia, Cyprus
Email: vanthia.toumpouri@neha.org.cy
Phone: +357 22436031

Data Protection Officer

(You may need to contact the data protection officer for example in order to lodge a complaint)

Name: Office of the Commissioner for Personal Data Protection.
Address: 15, Kypranoros Street, 1061 Nicosia, P.O. Box. 23378, 1682, Nicosia.
Email: commissioner@dataprotection.gov.cy
Phone: +357 22818456