# GDPR and openEHR

**Category:** [Technical (archive)](https://discourse.openehr.org/c/technical-archive/156)
**Created:** 2018-09-01 13:52 UTC
**Views:** 9
**Replies:** 28
**URL:** https://discourse.openehr.org/t/gdpr-and-openehr/15711

---

## Post #1 by @system

openEHR does not really allow deleting data, only logical deletion (marking as deleted), but GDPR demands the patient's right to be forgotten. Is some change expected in the specs for compliance with GDPR, or has this already been implemented?

We had this discussion, slightly differently, about ten months ago, but no conclusion, if I recall well. Sorry if I missed a message about this.

Thanks
Bert Verhees

---

## Post #2 by @system

Hi Bert,

There are certainly some implementations that allow for hard deletes of compositions and EHRs. This is a complex area, as GDPR does not confer an absolute right for medical info to be forgotten (as I understand it). It does allow for copies of the record to be retained for medico-legal purposes.

However, in our cloud-provider setting, we absolutely need to be able to hard-delete EHRs, as people may simply want to switch CDR providers. As a data processor, we have no right to keep the record, as long as it is available via another provider.

Ian

---

## Post #3 by @Karsten_Hilbert

The latter reason for retention would have a hard limit of 30 years in Germany.

Karsten

---

## Post #4 by @yampeku

If a patient uses a private health provider, then he has the right to take all that information and move to another provider. In that case he will want a hard delete of the data. And I hope private health providers are also able to use openEHR ;D

I think we should also review the "consent" mechanisms we have, as they probably should also be tweaked to comply with GDPR.

---

## Post #5 by @Karsten_Hilbert

Indeed they will want that, but there is no absolute right to a hard delete (not that I personally like that fact).
As I said, in Germany that right currently only takes effect after 30 years (that absolute right). In the meantime, however, there is a right to sealing against access.

Karsten

---

## Post #6 by @system

I continue to wonder what will happen when a cancer patient (perhaps in a moment of depression or disaffection with care) asks for the hard delete, gets better, then has a recurrence a few years later. What does the health system do when *all the notes are really gone*?

I think a better solution is to create a digital locked room where such EHRs are put, one-way encrypted with a giant key provided by the patient. Then, when they have regrets, they can ask - nicely - for their record to come out of cold storage.

Another argument against total deletion is that a) the state has invested in helping sick patients and b) other citizens have a potential interest in health records belonging to those in the same major disease cohort, i.e. diabetes, cystic fibrosis, BRCA1 cancer etc. Numerous deletions are certainly going to compromise research that looks at longitudinal Dx vs treatments vs outcomes.

Perhaps permanent anonymisation is a better solution in this case, with the original patient being given the new EHR id.

I think GDPR has some way to go yet in healthcare...
- thomas

---

## Post #7 by @yampeku

There is in fact that right, the "right to be forgotten": [https://gdpr-info.eu/art-17-gdpr/](https://gdpr-info.eu/art-17-gdpr/)

The requirement you mention about Germany is backed by sections 3 (b) and (c). These exceptions do not apply to private providers, so we have the legal need to support that kind of delete operation to allow openEHR systems to be GDPR compliant.

---

## Post #8 by @yampeku

Supporting hard delete doesn't mean mandating hard delete :)

---

## Post #9 by @Karsten_Hilbert

Whether we like it or not (I do not like it, personally, as a patient, but do like it, professionally, as a GP): in Germany there is the right to keep a record "as long as there is suspicion you might be sued, such that you can exercise your right to defend yourself". 30 years is the latest you can be sued in Germany. So that's when a hard delete can be requested (arguably it even becomes mandatory). Period.

However, the provider is legally bound to make sure the record is not used after the patient requests that (there are other time limits for other things, but that's the most a patient can *request* after those other deadlines have passed and before the 30 years are over).

It doesn't matter what anyone thinks. That is the legal situation ATM.

Karsten

---

## Post #10 by @yampeku

Permanent anonymisation is allowed under some prerequisites (see the other reply, point 3 of art. 17). This is a patient right to be exercised with all consequences. Data will never be lost, as the patient has the right to obtain a copy of all the information a provider has about him in an electronic standard, when available. Luckily we can provide that as well.

---

## Post #11 by @yampeku

And as I said, this is covered by the exemptions to hard delete in that law article; no need for German providers to delete anything their national law doesn't allow for.

---

## Post #12 by @Karsten_Hilbert

Indeed. I agree with that.
Karsten

---

## Post #13 by @system

There are good arguments in the discussion. I take this message to reply to because it is the last on this subject at the moment.

I am thinking of the following situation. This week, Microsoft, Google, Amazon and IBM agreed that there must be a health data platform which exposes itself via FHIR and an API. Apple will certainly connect too. What will run below is not specified. It could well be openEHR. There might also be smaller parties which will be health data providers.

The idea is that the patient (or better, consumer) becomes the owner of the data. A connected PHR. He gives the healthcare providers access to his data. The healthcare data company is a tech company, and the consumer chooses it like he chooses his telephone provider. Maybe it is a combined service.

GDPR supports this new market idea. But when the user switches provider, he must be sure that all his data are removed from the old provider. This is the intention of the tech companies, and it is a good intention. Of course the Googles of this earth will be leading, but it is an open market, so small parties can also enter and compete on price or special features in the context of mhealth or sport support or support for special conditions.

Anyway, I read about this this week in a journal, and it seems very promising. That was my thought behind asking.

I am now writing this from my phone, but tomorrow, after 1200 km of driving, I can come back to this.

Best regards
Bert

---

## Post #14 by @system

I promised to come back to some contributions.

So, on the medico-legal purposes that Ian and Karsten and maybe others referred to: a patient, if he maintains his own PHR and he likes to delete it, can never sue a clinician, because he himself destroyed important evidence.
For that reason, it is not necessary for a clinician to maintain data copies from the patient (besides, this should not be allowed either), because the patient has an external service which takes care of that. It is no longer a clinician's business.

If it comes to a medico-legal procedure, the clinician, or his lawyer, should have access to all evidence which is important in the context of this procedure. This does not differ from other legal procedures.

If the clinician needs access to the data, for example to prepare for a visit the next day, he can ask the patient to allow access to the PHR the day before the visit, but these are all infrastructural details for which solutions can be found.

Bert

---

## Post #15 by @system

It would be a bad thing to let all patients be restricted in their rights because one patient, suffering in the past from depression and having a recurring cancer, can get into problems. Some people are emotionally unstable; they need protection. I don't know the best way, but I would think of something like the digital locked room (mentioned below), but this should not happen by default for all patients. It is, btw, also possible to switch digital locked rooms when switching data to a new PHR provider, so that all data remain maintained at the company the patient chooses.

For research purposes, there must also be solutions. People can allow voluntary access to their data by researchers; this is how it works now. So in the PHR situation, researchers go to the PHR providers instead of the clinicians. Not many people will delete all their data without transporting them to a new PHR provider (if someone wants to do so, you can build a net of safety measures, confirmation time, etc.), and for those two or three who still destroy all, researchers will not have data.
Bert

---

## Post #16 by @Jan-Marc_Verlinden

I think the GDPR already provides many answers... :-), see [https://gdpr-info.eu/art-17-gdpr/](https://gdpr-info.eu/art-17-gdpr/)

In the case of a person ("data subject") not being able to take control, normally another person is appointed to do so on behalf of the "data subject". So the same law applies.

Cheers, Jan-Marc

---

## Post #17 by @Karsten_Hilbert

> So, on medico-legal purposes as Ian and Karsten and maybe others referred to, a patient, if he maintains his own PHR, and he likes to delete it, he can never sue a clinician, because, he, himself, destroyed important evidence.

That is certainly not true, and also not what I intended to say.

> For that reason, it is for a clinician not necessary to maintain data-copies from the patient

What? Even sub-legal practice law mandates keeping a record :-)

I am sure I misunderstand what you are saying.

> If the clinician needs access to the data, for example, to prepare for a visit next day, he can ask the patient to allow access to the PHR the day before the visit, but these are all infrastructural details, for which solutions can be found.

Not in the real world today.

Karsten

---

## Post #18 by @Jan-Marc_Verlinden

Normal process in healthcare:

- The patient comes in and signs an informed consent. This is the place where the hospital states it has to keep the records for a zillion years. Check [https://gdpr-info.eu/art-6-gdpr/](https://gdpr-info.eu/art-6-gdpr/)
- Then after a while the patient thinks "let's delete my data at the hospital" :-), so the next chapter pops in at [https://gdpr-info.eu/art-17-gdpr/](https://gdpr-info.eu/art-17-gdpr/)

Now the hospital says: look, dear "data subject", you have signed the informed consent and we have the law that states we have to keep the data.
Check Art 6 bullet 3: "Paragraphs 1 and 2 shall not apply to the extent that processing is necessary", therefore check [https://gdpr-info.eu/art-9-gdpr/](https://gdpr-info.eu/art-9-gdpr/).

I think it's all there.. :-)

---

## Post #19 by @system

Dear colleagues,

GDPR, as I understand it and apply it in the Netherlands, gives consumers/patients several rights: to inspect, to change, to be forgotten. Another important topic is the goal binding of data: only the data absolutely necessary to execute a specified task can be collected.

With respect to the discussion: the EHR serves several purposes: documentation of the actions of the author/health care provider, documentation of the state of (un-)health of the patient, input for billing and input for other processing such as research.

The right to be forgotten does NOT imply that all the data needs to be removed. Removing is an impossibility when data is archived on, for instance, a DVD/CD. In my opinion, when the patient asks to be forgotten, this applies to the clinical/health context only. In all other contexts the patient can never be forgotten or deleted. Any legal transaction is subject to archiving laws. For tax purposes the time period is 5 years in the Netherlands, I think. Only after these periods, as defined by law, can/must the transactions be deleted.

In the case of the EHR (13606 / openEHR) there is a need to 'obscure' the patient in the clinical context, but allow the patient to be found for medico-legal purposes, research, etc. This functionality is executed in the Patient-Index Service and NOT in the Patient Health Record.

All my reasoning is true in the local and iCloud way of processing/storing data.

Gerard Freriks
+31 620347088
[gfrer@luna.nl](mailto:gfrer@luna.nl)
Kattensingel 20
2801 CA Gouda
the Netherlands

---

## Post #20 by @system

Karsten, you are right: a clinician, in most countries, is obliged to keep an EHR. But the law mostly does not say he must keep it at his own office.
So if it is kept at Google or Microsoft, or some smaller PHR provider, I think this is fine according to the law, but still some law changes may be needed.

The fact that the five largest companies in the world agreed to a common interface/message format and defined dataset must have a good reason. The reason will be that they want to offer a PHR service, and that in compliance with GDPR, because 500 million people live in the jurisdiction of GDPR. The tech companies are getting their part of the multi-billion market, and they are right, according to their capabilities. This agreement is not made to be the next EPIC in line, begging at hospital doors to implement their software. This service is meant to be transmural in many ways.

That in some countries there will be laws to have copies available to clinicians can be true; what I wanted to indicate was that it is not necessary for good healthcare, and also not for medico-legal procedures. But reality changes more slowly than possible, and that may be a good thing too. I think there will not be a PHR service usable by clinicians for the coming five years, but the pressure is high.

It is, in my opinion, the most optimal solution for worldwide interoperability with regard to efficiency, safety and privacy. And it breaks open a new market for appliances which use data from several sources; it empowers the patients (ehhh.... healthcare consumers). It really brings healthcare to a new level. GDPR is restrictive but also gives chances; it makes more possible than was possible before, but in another way.

Bert

---

## Post #21 by @Karsten_Hilbert

I think we agree.

Karsten

---

## Post #22 by @system

> In all other contexts the patient can never be forgotten or deleted. Any legal transaction is subject to archiving laws. For tax purposes the time period is 5 years in the Netherlands, I think. Only after these periods as defined by law the transactions can/must be deleted.
It is true that there are laws which make it necessary to keep certain data; a good example is taxes. A business owner must keep a record of all financial transactions. I think the GDPR excludes this from its effect, because laws may not contradict each other.

Thanks for this remark
Bert

---

## Post #23 by @system

Dear all,

I recently published an attempt to "systematise" the relation between openEHR and GDPR. Hope it is useful to you.

Link: [http://ebooks.iospress.nl/publication/48760](http://ebooks.iospress.nl/publication/48760)

Regards,

---

## Post #24 by @yampeku

Really useful resource Ricardo!

---

## Post #25 by @system

Thanks very much for sharing. I am sure that the chapter on openEHR and GDPR is not yet to be closed; there is quite some work to do. Although I have difficulties estimating the consequences, because of the concise wording, I hope that the community shall find its way. openEHR must be able to run under the jurisdiction of the GDPR, and of course also many other jurisdictions.

Bert

---

## Post #26 by @system

In my view, GDPR is a huge opportunity for openEHR. Issues like versioning of templates and compositions allow security aligned with GDPR.

---

## Post #27 by @system

Thomas,

The record can stay where it was. Only the connection between identifying patient data and the Record-ID needs to be encrypted. Decryption can take place using a key owned and provided by a notary public. All must be handled by the Patient-ID server and an official functionary that is equipped to manage keys in a trusted way.

Gerard Freriks

---

## Post #28 by @system

I don't think that is enough, Gerard, if the record contains DNA material, or other identifying material.

---

## Post #29 by @system

Let's be clear. Each record of a patient is a unique traversal of the health and care system over time and therefore very much identifies the patient.
What we talk about is: the right to be forgotten and the circumstance that after a legal period the medical data must be destroyed in some countries. The EHR 13606 is designed based on a set of medico-legal requirements. I'm of the opinion that that set does not need an update because of the new privacy law. When I'm mistaken, I would like to be pointed at those missing requirements.

Gerard Freriks
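As an added illustration of the arrangement discussed in this thread (Gerard's sealed identity-to-Record-ID link in Post #27 and the patient-keyed "digital locked room" in Post #6), here is a small Python model of a patient-index service. It is not openEHR code and not from any of the posters: the `PatientIndex` class, the `seal`/`unseal` helpers, the escrow key and the sample patient are all constructed for the example. "Forgetting" a patient removes the plaintext link between identity and EHR id and keeps only a copy encrypted under a key held by a separate escrow party, so the record itself stays where it is (reachable by EHR id for the retention and research purposes discussed above) but can no longer be found from the identity without that key. The cipher is an HMAC-SHA256 keystream with an HMAC tag, used only so the example runs on the standard library; a real service would use an authenticated cipher such as AES-GCM. As Post #28 points out, this only covers the index link: record content that is itself identifying (genomic data, the unique care history in Post #29) is not addressed by sealing the index.

```python
"""Pseudonymised patient index with an escrowed re-identification key (constructed example)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream as HMAC-SHA256(key, nonce || counter) blocks.
    Stand-in for a real stream/AEAD cipher so the example needs no third-party package."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt. Raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("escrow key or sealed blob invalid")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class PatientIndex:
    """Hypothetical Patient-Index Service: active identity->EHR-id links plus sealed ones."""
    links: dict = field(default_factory=dict)   # canonical identity JSON -> ehr_id
    sealed: dict = field(default_factory=dict)  # ehr_id -> identity sealed under the escrow key

    @staticmethod
    def _canon(identity: dict) -> str:
        return json.dumps(identity, sort_keys=True)

    def register(self, identity: dict, ehr_id: str) -> None:
        self.links[self._canon(identity)] = ehr_id

    def lookup(self, identity: dict) -> Optional[str]:
        """Clinical-context lookup; returns None once the patient has been 'forgotten'."""
        return self.links.get(self._canon(identity))

    def forget(self, identity: dict, escrow_key: bytes) -> str:
        """Right to be forgotten: drop the plaintext link, keep it only under the escrow key.
        The EHR content is untouched and still addressable by ehr_id."""
        key = self._canon(identity)
        ehr_id = self.links.pop(key)
        self.sealed[ehr_id] = seal(escrow_key, key.encode())
        return ehr_id

    def reidentify(self, ehr_id: str, escrow_key: bytes) -> dict:
        """Escrow path (the notary, or the patient asking for the record back): restore the link.
        A wrong key raises before any state is changed."""
        identity = json.loads(unseal(escrow_key, self.sealed[ehr_id]).decode())
        self.links[self._canon(identity)] = ehr_id
        del self.sealed[ehr_id]
        return identity


def demo() -> dict:
    """Constructed sample run; returns the observable outcomes so they can be checked."""
    idx = PatientIndex()
    patient = {"name": "A. Example", "dob": "1970-01-01"}  # constructed sample identity
    idx.register(patient, "ehr-0001")
    escrow_key = secrets.token_bytes(32)                    # held by the escrow party only
    forgotten_ehr = idx.forget(patient, escrow_key)
    after_forget = idx.lookup(patient)                      # None: not findable clinically
    wrong_key_fails = False
    try:
        idx.reidentify("ehr-0001", secrets.token_bytes(32))  # attempt without the escrow key
    except ValueError:
        wrong_key_fails = True
    restored = idx.reidentify("ehr-0001", escrow_key)
    return {
        "forgotten_ehr": forgotten_ehr,
        "after_forget": after_forget,
        "wrong_key_fails": wrong_key_fails,
        "restored": restored,
        "after_restore": idx.lookup(patient),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module shows the link disappearing from clinical lookup after `forget`, a re-identification attempt with the wrong key being rejected by the tag check, and the link returning only when the escrow key is presented. Separating the escrow key from the index operator is what gives the "notary" role its meaning: whoever runs the index cannot re-link a forgotten patient on their own.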