
A review of EHR authorisations in Dutch hospitals after the introduction of the GDPR


Academic year: 2021


Maikel Sing, BSc.¹

¹ Master Medical Informatics, Amsterdam University Medical Centers, location AMC, University of Amsterdam

Master Thesis

A review of EHR authorisations in Dutch hospitals after the introduction of the GDPR

Author

M.L.C. Sing (Maikel), BSc.

Department Medical Informatics, University of Amsterdam Meibergdreef 9, 1105 AZ Amsterdam

Supervisor

Dr. D. Sent (Danielle)

Department Medical Informatics, University of Amsterdam, Meibergdreef 9, 1105 AZ Amsterdam

Mentor

R. Piening (Remco), MSc.

Furore, Bos en Lommerplein 280, 1055 RW Amsterdam

SRP Duration: December 2018 – June 2019

SRP Location: Furore, Bos en Lommerplein 280, 1055 RW Amsterdam

Contents

Preface
Abstract
Summary (Samenvatting)
1 General Introduction
    1.1 Research aim
    1.2 Thesis outline
2 The GDPR: where are we now?
    2.1 Introduction
    2.2 Background - GDPR
        2.2.1 The GDPR and Other Legislations and Standards
        2.2.2 GDPR: Introduction of new rights and definitions
        2.2.3 Technical Safety Measures
    2.3 Methods
        2.3.1 Literature Research
        2.3.2 Questionnaire
        2.3.3 Other Sources
    2.4 Results
        2.4.1 Results Literature Research
        2.4.2 Results Questionnaires auditors
        2.4.3 Other Sources
    2.5 Discussion
    2.6 Conclusion
3 An evaluation of the authorisations in a Dutch EHR: identifying discrepancies relative to the GDPR
    3.1 Introduction
    3.2 Background
    3.3 Methods
        3.3.1 The AuthorisationScan
        3.3.2 Finding discrepancies between the implemented authorisations and (European) legislations
        3.3.3 Interviews
        3.3.4 Participants
        3.3.5 Socio-technical Factors
    3.4 Results
        3.4.1 Authorisation problems found
        3.4.2 Results interviews
        3.4.3 Underlying socio-technical factors
        3.4.4 The effect of the adjusted authorisations on the daily practice of a healthcare professional
    3.5 Discussion
    3.6 Conclusion
4 Flowchart for access control management and authorisation improvement
    4.1 Introduction
    4.2 Methods
    4.3 Results
    4.4 Discussion
5 Overall Discussion and Conclusion
    5.1 Principal findings of the study
    5.2 Recommendations
    5.3 Strengths and Limitations
    5.4 Future research
    5.5 Overall conclusion
References
Appendices
    A Definitions GDPR
    B Search queries
    C Questionnaire Audit
    D Explanation of the authorisation subjects

Preface

This thesis is my final assignment for the Master Medical Informatics at the University of Amsterdam. I worked on my thesis at Furore in Amsterdam and at the Amsterdam University Medical Center (location Amsterdam Medical Center). The scientific research project on which this thesis is based was a fantastic and educational journey. I developed not only scientific but also practical skills that could help me in my future work in the field of medical informatics.

I would like to thank everybody who made it possible that I can say: “I am graduated”. I would like to sincerely thank my supervisor Danielle Sent for her support throughout this scientific research project. She was a fantastic supervisor who was always available to answer my questions and provide guidance through the primeval forest that we call science.

Second, I would like to especially thank Remco Piening for his support and feedback. He encouraged me to think critically and helped me to develop my professional skills. Furthermore, I would like to thank Kenneth Davids, who was my project leader throughout this period. I would like to thank him for his confidence and enthusiasm. I would like to thank Laura Keemink as well for her help in transcribing and coding the interviews as second coder. Finally, I would like to thank everybody at Furore. Everybody was willing to help and I had a fantastic time working with you. Besides, I would like to thank everybody who actively participated in this research by filling in questionnaires, providing me with feedback, listening to my lament or being willing to contribute to the interviews.

Of course I would like to thank my family for their support and interest in my research. Finally, I would especially like to thank my girlfriend Maartje for her inexhaustible support and positivity.

Abstract

Introduction:

After the introduction of the General Data Protection Regulation (GDPR) on the 25th of May 2016, the emphasis on privacy has increased. Natural persons get more rights to protect their own privacy. The GDPR is also applicable in healthcare and it is expected that the GDPR will influence the policies in the hospital and the authorisation settings of electronic health records. It is already known that authorisations could be a problem area in electronic patient records. This research evaluates the current state of the GDPR in healthcare and also focuses on the implemented authorisations in the electronic health record.

Methods:

First, a literature research was executed to find previous studies that investigated the impact of the GDPR in healthcare. Second, different problem areas concerning authorisations were investigated using a developed tool. The underlying factors of these problems will be found using interviews based on Grounded Theory. Finally, a flowchart will be developed in order to present a more optimal workflow. The flowcharts should solve the majority of the problems and their underlying factors.

Results:

There are few to no scientific studies that investigate the impact of the GDPR on healthcare. The developed scan shows that the two included hospitals both have authorisation problems that could cause potential problems. The underlying factors differ between the hospitals, although there are underlying factors which are present in both hospitals. Two flowcharts could be developed to decrease the number of authorisation problems.

Discussion:

Problems concerning authorisations occur frequently and should be solved. However, it is hard to determine if the found problems are contrary to the GDPR. The GDPR is not unambiguous about how the settings of a system should be implemented. To solve all the problems concerning the authorisations, not only technical, but also organisational and behavioural changes are unavoidable. These factors could complicate altering authorisations.

Summary (Samenvatting):

Introduction:

Due to the introduction of the General Data Protection Regulation (GDPR; in Dutch: Algemene verordening gegevensbescherming, AVG) on 25 May 2016, more emphasis has been placed on privacy, and persons have more rights to safeguard their privacy. The GDPR also applies in healthcare and is expected to influence hospital policy and the settings in the electronic patient record. It is already known that authorisations in the electronic patient record can be a problem area. This research focuses on taking stock of the current status of the GDPR in healthcare and of the authorisations configured in the electronic patient record.

Methods:

First, a literature study was used to look at earlier research into the influence of the GDPR on healthcare. Next, various known problem areas concerning authorisations were mapped using a developed tool. The underlying causes of these problems were investigated by means of interviews based on Grounded Theory. Finally, flowcharts were made of an optimised way of working that should solve the largest problems.

Results:

Little to no scientific research has been done into the current influence of the GDPR on healthcare. The authorisation scan shows that, in the two hospitals that could be included, the authorisations cause problems. The underlying reasons differ between the two hospitals, but also have points in common. Two flowcharts were developed that can reduce the authorisation problems.

Discussion:

Problems with authorisations are common and will have to be solved. However, it is not easy to determine whether the problems found conflict with the GDPR. The GDPR gives no unambiguous guidance about specific settings in the system. Solving the problems requires not only technical, but also organisational and behavioural changes. This can make improving the authorisations more difficult.

Patients should share a variety of personal (health) data with their healthcare professional to receive correct diagnoses and care [1]. This systematic processing of data, information and knowledge is relevant for increasing the quality and efficiency of healthcare [2]. The information that should be shared is not only related to the current visit. Patients have to share information about previous appointments, even if these appointments were with other healthcare professionals. Personal information, such as addictions, is often shared as well [1]. All this personal data is very sensitive and should be handled with care. It is important that the privacy of this data is respected.

In 1928 privacy was described by Louis Brandeis, a United States Supreme Court Justice, as “the most comprehensive of rights and the right most valued by civilized men” [3]. In healthcare, privacy is indispensable, due to the growing amount of data. Privacy can be seen as a key principle in the relationship between patients and healthcare professionals [1]. The trustworthiness of this relationship is, together with the trustworthiness of the relationship amongst healthcare professionals, a basic requirement in healthcare [4].

We are facing a dilemma: patients’ privacy should be guaranteed by implementing security measures in the system. However, the system should not impede healthcare professionals in providing patient care. In order to protect patients’ privacy, healthcare organisations should invest in different security systems in order to protect patient data [1]. These systems should not only contain technical solutions such as access control systems; policies and personnel should also be taken into account [1].

Although legislation with regard to the privacy (of a patient) is evident, it unfortunately appears that this legislation is not always applied correctly. One of its most important provisions is that a patient’s health data should only be accessed by healthcare professionals that provide care to that specific patient. This is the so-called treatment relationship and this is the most important reason to give a healthcare professional access to health data. However, on the fifth of April 2018, the Dutch Haga hospital in The Hague published that an internal investigation had shown that healthcare professionals without a treatment relationship had consulted the electronic health record (EHR) of a patient [5]. This resulted in a national debate about the safety and privacy of personal health information [6,7]. The minister for Medical Care was forced to explain how this situation could have occurred [7]. Different (national) legislations state that in general only healthcare professionals with a treatment relationship with the patient are allowed to access and process this personal health data [8,9,10,11]. The Haga hospital informed the Dutch Data Protection Authority (Dutch DPA), an independent governing body in the Netherlands that monitors the safety of personal data processing [12,5], as required by the legislation concerning reporting data breaches [13]. Later that month, the Haga hospital and the Dutch DPA published more details concerning this data breach. They concluded that 85 employees consulted the patient’s EHR unlawfully [14,15]. Consequently, all employees received an official warning [14,15]. If any of these employees makes this mistake again, he or she will be fired immediately [14,15]. Besides this, the Haga hospital took additional measures in order to secure patient safety and extended their authorisation policies [14,15].

One month after the incident, on the 25th of May 2018, the General Data Protection Regulation (GDPR) became applicable. The GDPR is a European legislation that provides rules in order to protect natural persons with regard to processing personal data [8]. The GDPR replaces the Data Protection Directive 95/46/EC (DPD) from 1995 [16,17,18]. In the Netherlands, the GDPR replaces the Dutch law on protection of personal data (Wet Bescherming Persoonsgegevens, WBP) [19]. The GDPR forces healthcare professionals to be more meticulous in how patient data is used [20].

The GDPR increases the privacy rights of a person, in this case the patient [21]. Persons have received more opportunities to protect themselves and their personal data [21]. This was needed, since both research and the case mentioned earlier show that unauthorised access to patient data is a problem in healthcare [22]. The data breach in the Haga hospital is not the only incident with unauthorised access to patient data. In the United States, McCoy et al. investigated all health data breaches that were reported under the Health Insurance Portability and Accountability Act (HIPAA) from 2010 till 2017 [22]. This research shows that unauthorised access or disclosure is the second most frequently reported health data breach. Only hacking or IT incidents are reported more often as a breach [22]. In total, 7.8 million patient records are affected by unauthorised access or disclosure [22]. Bloomrosen et al. summarised the best papers that were published in the field of Health Information Management in 2017 [23]. Some of those articles addressed problems and potential solutions for authentication processes. One of the mentioned solutions is the development of an authentication protocol in order to assure that only authorised persons can access personal information [24,25]. These kinds of protocols should prevent incidents like the data breach in the Haga hospital.

In research, potential solutions are de-identification and pseudonymisation of personal data. De-identification is the process of removing identifiers from personal (health) information [26]. This health data can now be used without violating the patient’s privacy [27]. However, de-identification alone is not sufficient to protect the patient’s privacy. Research shows that even if the data is anonymised in a correct way, the risk of re-identification is not zero [28]. Personal data can also be pseudonymised. Pseudonymised data is data which is processed in such a way that the personal data can no longer identify subjects without using additional information. This additional information should therefore be stored separately [29,30]. If data have only undergone pseudonymisation, additional security measures are obligatory, due to the fact that the GDPR considers pseudonymised data as personal data [31]. Bloomrosen et al. conclude that, based on these articles, the development and implementation of new authentication protocols will become more important [23]. The need for new authorisation approaches is caused by the concerns about cybersecurity and the growing amount of patient data [23].
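The difference between de-identification and pseudonymisation described above, as an added example that is not part of the thesis. It assumes a keyed HMAC-SHA-256 token as the pseudonym, hypothetical field names (`patient_id`, `postcode4`, and so on) and constructed sample records; counting records that are unique on their remaining attributes is a common way to show why the re-identification risk is not zero, and goes slightly beyond what the text states.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Assumption: which fields identify a person directly, and which remaining
# fields could single a person out in combination (quasi-identifiers).
DIRECT_IDENTIFIERS = ("patient_id", "name")
QUASI_IDENTIFIERS = ("birth_year", "postcode4", "sex")

# Constructed sample records, not real patient data.
RECORDS = [
    {"patient_id": "P-1001", "name": "Patient One", "birth_year": 1950,
     "postcode4": "1105", "sex": "F", "diagnosis": "hypertension"},
    {"patient_id": "P-1002", "name": "Patient Two", "birth_year": 1950,
     "postcode4": "1105", "sex": "F", "diagnosis": "asthma"},
    {"patient_id": "P-1003", "name": "Patient Three", "birth_year": 1982,
     "postcode4": "1055", "sex": "M", "diagnosis": "fracture"},
    {"patient_id": "P-1004", "name": "Patient Four", "birth_year": 1982,
     "postcode4": "1055", "sex": "M", "diagnosis": "diabetes"},
    {"patient_id": "P-1005", "name": "Patient Five", "birth_year": 1931,
     "postcode4": "1105", "sex": "M", "diagnosis": "addiction"},
]


def new_key():
    """The 'additional information': generate once, store away from the data."""
    return secrets.token_bytes(32)


def deidentify(record):
    """De-identification: drop the direct identifiers, keep everything else."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def pseudonym(patient_id, key):
    """Keyed token: stable for one key, not recomputable without that key."""
    digest = hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:20]


def pseudonymise(record, key):
    """Pseudonymisation: replace the direct identifiers by a keyed token."""
    out = deidentify(record)
    out["pseudonym"] = pseudonym(record["patient_id"], key)
    return out


def reidentify(pseudonymised, key, known_ids):
    """Whoever holds the key can link back, so the data stays personal data."""
    lookup = {pseudonym(pid, key): pid for pid in known_ids}
    return lookup.get(pseudonymised["pseudonym"])


def singled_out(records):
    """Records whose quasi-identifier combination occurs exactly once."""
    def combo(record):
        return tuple(record[q] for q in QUASI_IDENTIFIERS)

    counts = Counter(combo(r) for r in records)
    return [r for r in records if counts[combo(r)] == 1]


if __name__ == "__main__":
    key = new_key()
    ids = [r["patient_id"] for r in RECORDS]
    for rec in RECORDS:
        p = pseudonymise(rec, key)
        print(p["pseudonym"], "->", reidentify(p, key, ids))
    for rec in singled_out([deidentify(r) for r in RECORDS]):
        print("unique on quasi-identifiers:", rec)
```

The fifth constructed record is unique on birth year, postcode and sex even after its name and patient number are removed, which is the residual risk the paragraph refers to.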

Authorisation problems are not limited to one hospital and are not solved with the introduction of the GDPR. Eight months after the GDPR became applicable (February 2019), another Dutch hospital admitted that a significant data breach had occurred. The OLVG (the abbreviation of “Onze Lieve Vrouwen-Gasthuis” in Amsterdam, The Netherlands) confirmed that students with a side job in the hospital could access health data from patients who visited the hospital in the past 15 years [32]. The authorisations for these students were not implemented correctly. The accounts of students should be able to switch quickly between different departments. However, the authorisations were implemented in such a manner that student accounts had access to all patients from all specialisms [32]. The OLVG claims that the data breach was solved immediately after it was discovered [32]. Theo Hooghiemstra, expert on personal data security in healthcare, states that authorisations have no urgency in healthcare, despite the different reports of the Dutch DPA [33].
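A sketch of the two checks these incidents call for, added here as an example and not taken from the thesis or its authorisation tool: flagging roles whose scope covers every specialism, and flagging logged EHR accesses for which no treatment relationship existed on that day. The role names, log fields, relationship periods and all sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed configuration: role -> specialisms whose patients it may open.
# "*" is an assumed wildcard meaning "every specialism".
ALL_SPECIALISMS = {"cardiology", "oncology", "surgery", "psychiatry"}
ROLE_SCOPES = {
    "cardiology_nurse": {"cardiology"},
    "surgeon": {"surgery"},
    "student_flex": {"*"},
    "records_admin": {"cardiology", "oncology", "surgery", "psychiatry"},
}

# Constructed treatment relationships: (staff, patient) -> (first day, last day).
TREATMENT = {
    ("nurse01", "pat-A"): (date(2019, 1, 2), date(2019, 1, 20)),
    ("surg07", "pat-B"): (date(2019, 1, 5), date(2019, 2, 1)),
}

# Constructed access log, one entry per opened record.
ACCESS_LOG = [
    {"day": date(2019, 1, 3), "user": "nurse01", "role": "cardiology_nurse", "patient": "pat-A"},
    {"day": date(2019, 1, 25), "user": "nurse01", "role": "cardiology_nurse", "patient": "pat-A"},
    {"day": date(2019, 1, 6), "user": "surg07", "role": "surgeon", "patient": "pat-B"},
    {"day": date(2019, 1, 6), "user": "stud11", "role": "student_flex", "patient": "pat-B"},
    {"day": date(2019, 1, 7), "user": "stud12", "role": "student_flex", "patient": "pat-B"},
    {"day": date(2019, 1, 7), "user": "stud11", "role": "student_flex", "patient": "pat-A"},
]


def over_broad_roles(role_scopes, all_specialisms):
    """Roles that can open patients of every specialism (the OLVG pattern)."""
    return [
        role
        for role, scope in sorted(role_scopes.items())
        if "*" in scope or scope >= all_specialisms
    ]


def has_treatment_relationship(entry, treatment):
    """True if the user treated this patient on the day of the access."""
    period = treatment.get((entry["user"], entry["patient"]))
    if period is None:
        return False
    start, end = period
    return start <= entry["day"] <= end


def accesses_without_relationship(log, treatment):
    """Log entries that cannot be justified by a treatment relationship."""
    return [e for e in log if not has_treatment_relationship(e, treatment)]


def unrelated_viewers_per_patient(flagged):
    """Patient -> users who opened the record without a relationship."""
    viewers = defaultdict(set)
    for entry in flagged:
        viewers[entry["patient"]].add(entry["user"])
    return dict(viewers)


def review_queue(log, treatment, role_scopes, all_specialisms):
    """Flagged accesses with the reason, ordered for a privacy officer."""
    broad = set(over_broad_roles(role_scopes, all_specialisms))
    queue = []
    for entry in accesses_without_relationship(log, treatment):
        reason = "no treatment relationship"
        if entry["role"] in broad:
            reason += "; role spans all specialisms"
        queue.append((entry["day"], entry["user"], entry["patient"], reason))
    return sorted(queue)


if __name__ == "__main__":
    print("over-broad roles:", over_broad_roles(ROLE_SCOPES, ALL_SPECIALISMS))
    for row in review_queue(ACCESS_LOG, TREATMENT, ROLE_SCOPES, ALL_SPECIALISMS):
        print(*row, sep=" | ")
```

A flagged entry is a candidate for review, not proof of unlawful access: the second `nurse01` entry is flagged only because the constructed relationship had ended five days earlier.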

The problems in the Haga hospital and the OLVG, and the conclusion that new authorisation protocols are needed, are not as unexpected as one may think. In 2013, the Dutch DPA published a report about the access security of personal health data in healthcare [34]. They concluded that the investigated institutions did not have appropriate safety measures to ensure that only authorised persons could access the patient data [34]. Too many unauthorised persons could access patient data [34]. In 2016, the Dutch DPA sent an open letter to the Boards of Directors of health institutions in the Netherlands to draw attention to the security of personal health data [35]. Despite the amount of evidence about the importance of well-implemented authorisation protocols and the reports of the Dutch DPA, the authorisations in EHRs are not always in accordance with the current legislation. It is important to understand why this discrepancy exists. This can be accomplished by using qualitative research. In healthcare, qualitative studies are used to gain insight into how social practices and patterns are created [36]. Furthermore, it also provides insight into the opinions of the healthcare professionals and patients on these practices in different contexts and situations [36].

1.1 Research aim

After the introduction of the GDPR, the authorisations were not always adapted accordingly. This study aims to gain insight into the current state of the authorisations in Dutch hospitals. Authorisations will be examined and afterwards interviews will be conducted to find the underlying reasons for the discrepancies found between the implemented authorisations and the GDPR and other regulations. An authorisation tool is developed to help with the examination of the implemented authorisations.

1.2 Thesis outline

The study described in this thesis is partly performed in three hospitals in The Netherlands that participated as pilot hospitals to investigate the current state of the authorisations. The overall aim of this thesis is to identify the consequences of the GDPR on the daily workflow of actors in the healthcare environment. The main research question that will be answered in this thesis is therefore:

“What consequences has the GDPR on the daily workflow of actors in the healthcare environment?”

In order to answer the main research question, this thesis is divided into three subdomains. In Chapter 2, the current state of the GDPR in The Netherlands will be assessed. In this part, one sub-question will be answered. This sub-question aims to investigate to what extent the GDPR is applied to Dutch EHRs. This question will be answered based on relevant literature.

The third chapter describes interviews in order to provide insight into why discrepancies between implemented authorisations and legislation could occur. The discrepancies are found using the previously described authorisation tool. Three sub-questions are answered in order to address the reason behind the discrepancies found and the current regulations. First, we will look at the most frequently discovered discrepancies and the opinion of different actors concerning these discrepancies. After the discrepancies are found, the (socio-technical) factors that are causing the discrepancy between the implemented authorisation rights and the authorisation protocol according to the GDPR will be investigated. Finally, the impact of changing the authorisations in an EHR according to the GDPR on the daily workflow of a healthcare professional will be examined.

In the fourth chapter, the impact of the regulation on the daily practice is examined. The question that will be answered in this chapter will be: “In what way can a guideline help healthcare professionals in order to adjust the authorisations according to the advice of the authorisation tool in an EHR?” In the final chapter overall conclusions will be made, overall recommendations are given and future research will be discussed.


Abstract

Introduction: The General Data Protection Regulation (GDPR) is a European regulation that provides rules in order to protect natural persons with regard to processing personal data [8]. This chapter focusses on gaining insight into the current state of the GDPR in healthcare and how Dutch citizens think about their privacy in general.

Methods: Literature research and (non-)scientific reports are used. Furthermore, questionnaires with IT-auditors in healthcare are executed.

Results: Sixteen articles were included for reading the abstract. Eight articles were included for a full text review. None of the articles gave information about the current state of the GDPR in healthcare. The questionnaire showed that there is no generic GDPR audit. One IT company hands out a GDPR compliant certificate, while they are aware that such a certificate is not approved yet. Other reports show that parts of the GDPR are implemented (e.g. the appointment of a data protection officer). However, people are still concerned about the privacy of their personal data.

Discussion: Almost one year after the introduction of the GDPR, no scientific studies about the consequences in healthcare are performed or published. Also, the outcomes of the questionnaires show that there is currently no general agreement about how a hospital or EHR should be implemented to be GDPR compliant. Furthermore, Dutch citizens are concerned about the security of their personal data in healthcare.

2.1 Introduction

The General Data Protection Regulation (GDPR) is a European regulation that provides rules in order to protect natural persons with regard to processing personal data [8]. The previous legislation before the GDPR required organisations to have a legal basis to process personal data [16]. However, this legislation needed modernisation, because of changes in the security landscape, such as increased interconnectivity between technologies and the increased processing power of systems [17]. Moreover, the privacy requirements prescribed by the DPD were also outdated and needed to be updated as well [17]. With the GDPR, new rights and procedures for individuals were introduced [29].

All organisations that collect and process personal data from individuals of the EU must be compliant with this legislation [37]. When an organisation is not compliant with the GDPR, legal and financial punishments up to a maximum of 20 Million Euros or 4% of the annual global turnover can follow [8,19,38]. The GDPR replaces the Dutch law on protection of personal data and is therefore also applicable in healthcare [19].

It is important that the quality of the security techniques used is high, because healthcare professionals are responsible for ensuring that only authorised persons have access to the patient’s record or to certain information in the record [39]. After the GDPR became applicable, the authorisations in EHRs were not always adapted. This is remarkable, since technical and social measures to improve the protection of personal health data become more important due to the changed regulations and potential financial penalties. Since the introduction of the GDPR, patients have more and stronger rights to protect themselves and their personal data [21,29,40]. Because of this, the Dutch DPA provided considerations about how a system should be implemented in order to be compliant with the law itself.

In healthcare, various technologies are used for protecting the security and privacy of personal data [41]. Authentication and access control are examples of techniques that are widely adopted in order to secure personal data [41]. Authentication protocols determine or confirm if the claims that are being made by a user are correct and genuine [41]. The usage of an authentication system with strong authenticators is strongly advised in order to meet the requirements of the GDPR [42]. However, it has been clearly shown that challenges occur in developing appropriate tools and policies for the security of patient related information in EHRs [43]. Access control systems are an essential part of the security of patient data in EHRs. Information security is often divided into three main categories: confidentiality, integrity and availability [44]. Access control systems provide confidentiality, because they check if the user has the required rights before the user gets access to the requested information [44]. It can be seen as the ability to process or collect patient related information when this is needed [43]. When these access control systems are implemented, new challenges that are no issue in other industries can occur [45]. Healthcare professionals understand that the security of patient data is important, but it is not as important as the convenience of the system [44,45].

After a person has gained access to the system via an access control system, the presence of high quality authorisations is important. Authorisations can be described as granting rights to specific individuals [43,46]. These rights determine what personal health data and patient information can be consulted by the healthcare professional after accessing the EHR [43].

Finally, authentication is a commonly used technique in order to secure patient health information in healthcare [41]. Authentication methods check if the claims that are made by the user are true or not [41]. An example of a commonly used authentication method is endpoint authentication. Endpoint authentication is specifically used in order to prevent man-in-the-middle attacks [41,47].

This chapter focusses on gaining insight on the current state of the GDPR in healthcare. Furthermore, this chapter will reflect on how Dutch citizens think about their privacy. Finally, this chapter reflects on (financial) sanctions from previous case laws in the Netherlands and other European countries. These outcomes will be used to predict potential sanctions for Dutch hospitals if they are not compliant with the GDPR.

2.2 Background - GDPR

In this section, the GDPR and the changes relative to the WBP will be discussed. The most important subjects and their consequences for hospitals and healthcare professionals will be explained. Thereafter, the importance of authorisations in an EHR will be discussed. The GDPR introduces some definitions that are essential for understanding the GDPR and are used in the descriptions below. Extended explanation about the most important definitions can be found in Appendix A.

2.2.1 The GDPR and Other Legislations and Standards

As discussed before, the GDPR has replaced the WBP. However, other legislations and laws will still be applicable besides the GDPR [20]. In this section, we will discuss the other Dutch legislations in healthcare. As a result of the GDPR, the current rules concerning privacy will be secured and sometimes be sharpened [20]. The legislations that are still applicable are [20]:

• Law on the Medical Treatment Contracts (Wet op de Geneeskundige Behandelingsovereenkomst, WGBO);
• Law on quality, complaints and disputes in healthcare (Wet kwaliteit, klachten en geschillen zorg, Wkkgz);
• Healthcare Professionals Act (Wet BIG);
• Health Insurance Law (Zorgverzekeringswet, Zvw);
• Healthcare Market Regulation Act (Wet marktordening gezondheidszorg, Wmg);
• Law on auxiliary conditions for personal data processing in health care (Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg, ACPDP) [48];
• Law on clients’ rights concerning electronic data processing (Regelgeving voor elektronische gegevensverwerking door zorgaanbieders, CLEDP).

How these legislations interact can be found in Figure 1.

The medical professional secrecy will also still be applicable [20]. Besides the legislation, several Dutch standards should be addressed: the NEN7510 (which consists of two parts, the NEN7510-1 and NEN7510-2), the NEN7512 and the NEN7513 [49]. The NEN7510 describes measures to protect the availability, integrity and confidentiality of personal health data [49]. The measures also describe how access to this information could be checked and justified [49]. The NEN7512 is a supplement to the NEN7510 and describes the completion of the measures in more detail [50]. The NEN7513 describes how the access to patient data should be logged. This is not extensively mentioned in the NEN7510 [51]. The GDPR describes that the controller and processor should implement appropriate technical and organizational measures to secure patient data [52]. By implementing the different measures mentioned in the standards, the healthcare institution will meet the requirements concerning technical safety measures [49].

However, there are some important changes for healthcare organisations that should be taken into account. The most important change due to the GDPR is that natural persons will have more and stronger privacy rights to protect themselves against collection of personal data [21]. This is needed, because their data is available for different actors in the healthcare environment. The GDPR has consequences not only for patients, but also for controllers and processors. A controller is a natural or legal person, agency or other body that determines the purposes and resources of the personal data processing, for example the Board of Directors of the hospital [53]. The processor is someone or something (a natural or legal person, public authority, agency or other body) that processes the available personal data [53]. A more extensive explanation of these two definitions can be found in Appendix A. The GDPR gives the controller the responsibility to demonstrate that they meet the privacy requirements [54]. The GDPR describes this as “accountability” [55]. The controllers do not need to inform the Dutch DPA about data processing [56]. Figure 2 is a simplified representation of the most important actors with access to patient data.

2.2.2 GDPR: Introduction of new rights and definitions

The GDPR expands the existing rights of natural persons (e.g. patients) to protect their own privacy. Furthermore, two new privacy rights in order to increase privacy rights of natural persons are introduced. The new rights are “the right to erasure (Article 17)” and “the right to data portability (Article 20)” [57,

58]. The GDPR also expands the definition of (special) personal data [8,59]. The right to erasure

The right to erasure (“the right to be forgotten”) ensures that natural persons can demand an organisation to erase their personal data [60, 61]. The GDPR describes six situations in which organisations should erase personal data if a natural person uses this right [60,61]. These situations are [60,61]:

• The personal data is no longer needed to the purpose for which the personal data was initially collected.

• A data subject withdraws its consent to process the personal data • A data subject objects against the processing of personal data • The personal data is processed unlawfully

• The legal retention period has expired

• The data subject is 16 years or younger and the personal data is collected by the use of an information society service (for example websites or mobile applications).

There are exceptions to the right to erasure. For example, if the data is processed because it is legally required or needed for public health, this right cannot be applied [60,61].

The right to data portability

The right to data portability implies that data subjects, in this case the patients, have the right to receive personal data in a structured, commonly used and machine-readable format [62,63]. The patient has the right to transfer the data to another healthcare professional. The patient can use this right if he or she wants a second opinion of a different healthcare professional.

More (special) personal data

With the introduction of the GDPR, more data is seen as (special) personal data [8,59]. Instances of special personal data are information about a natural person's race, religion and political preferences [19,64]. Examples of special personal data in healthcare are genetic data, biometric data and data concerning personal health [19]. After the application of the GDPR more information is categorised as special personal data, such as DNA and fingerprints [59]. Hospitals should use stricter protection standards if special personal data is processed [65]. Special personal data should only be processed for health-related purposes if it is necessary for a natural person or society [65]. The GDPR also states that pseudonymised data should still be considered as personal data [31]. This means that additional security measures should be taken.

As shown earlier in Figure 2, different processors could access the personal health data of patients. Examples of these processors are healthcare professionals and general practitioners. These processors access the patient data by using EHRs or other information systems. Since hospital information systems and systems of general practitioners process special categories of personal data on a large scale, additional requirements to ensure the safety of personal health data are mandatory [8,66,67]. The GDPR states that a Data Protection Officer (DPO) should be assigned by the controller or processor if large-scale data are processed [68]. Therefore, the controller (the Board of Directors of the hospital) should designate a DPO [66]. However, even if data processing in hospitals was not considered as large-scale, a DPO would still be mandatory due to the fact that hospitals process genetic data, biometric data and data concerning health [68]. A DPO can help an organisation with establishing the right GDPR standards [66]. According to the GDPR the DPO should also inform and advise the controller and processor concerning the data being processed and which risks these processes have [69].

Another consequence of large-scale processing is that controllers (healthcare organisations) should execute a Data Protection Impact Assessment (DPIA) in certain situations [70]. Some types of processing (for example if new technologies are used) are likely to have high risks [70]. These risks can affect the freedom and rights of natural persons [70]. In order to examine these risks, a DPIA should be performed [70]. The Dutch government made a list with criteria to examine if a type of processing has potential high risks [71]. Individual healthcare professionals are not obligated to perform a DPIA, because processing data by an individual is not large-scale data processing [72].


2.2.3 Technical Safety Measures

The GDPR introduced additional patient rights and expanded already existing definitions. Furthermore, the GDPR introduced new requirements for safety measures that were not mentioned in the WBP, nor in previous European legislation [38,73]. In order to protect the patient data appropriately, changes in the EHRs are unavoidable. The WBP did describe that suitable measures should be implemented in order to protect information of natural persons [73]. However, the GDPR explicitly describes that safety measures should be included in the technical design of the system [8,73]. Two safety measures that should ensure data security are described in article 25 of the GDPR: privacy by design and privacy by default [8]. These safety measures are implemented in the EHR and will protect the patient’s safety with respect to the processors and third parties described in Figure 2. The concepts of privacy by design and privacy by default are not new. At the end of the 90s, the Information and Privacy Commissioner of Ontario (Canada), Dr. Cavoukian, developed a new framework that addressed privacy by design [74,75,76]. According to Cavoukian, the current privacy legislations and regulations were no longer sufficient in order to protect the rights and freedoms of individuals [76]. The technology evolved rapidly and therefore the experience and expectations of privacy evolved as well [75]. In order to secure privacy, Cavoukian concluded that seven principles were needed. The seven principles are [76]:

1. Proactive not Reactive: Preventative not Remedial: the organisation should anticipate and prevent events that influence privacy aspects before they happen.

2. Privacy as the Default: if an individual will do nothing, his or her privacy is still guaranteed. Privacy is part of the used system.

3. Privacy Embedded into Design: the system does not need patching afterwards. Privacy should be implemented immediately.

4. Full Functionality—Positive Sum, Not Zero-Sum: privacy should always be a positive-sum (“win-win”). Privacy should not be a trade-off in order to avoid false dichotomies (e.g. privacy or security).

5. End-to-End Lifecycle Protection: the accountable organization should include privacy into every process during the full lifecycle of a product.

6. Visibility and Transparency: organisations should ensure that they are open and honest to all individuals.

7. Respect for User Privacy: the user is the centre of the process. Information of a user should always be treated with respect and functions should be user-friendly.

Preferably these principles should be used directly in the design specifications and architecture of new systems and processes [75]. These seven principles make it possible to identify potential problems for protecting data [77]. The discovered problems can be addressed before patches are needed while the system is already operational [77]. When privacy is embedded into the design of the system, users are not obliged to perform additional tasks in order to secure their personal data [73].

Meanwhile, the privacy by design framework is a widely used standard. In October 2010, privacy by design was adopted by the 32nd International Conference of Data Protection and Privacy Commissioners as an international privacy standard [74]. In healthcare, various techniques of privacy by design are used in order to protect the security and privacy of personal data [41]. Two of the most used techniques are authentication and access control [41]. Authentication ensures that the claims that are made by or about the subject are true and authentic [41]. Access control is important after a person is authenticated. Access control ensures that after a person is authenticated only certain information in the system can be accessed. Which information can be accessed is based on privileges and rights, which are laid down in the access control policy [41]. The GDPR describes the need for appropriate security measures in order to protect personal data [55]. Authorisations and access control can help achieve this. According to the GDPR “consultation” of personal data is already seen as processing [53]. This means that if an unauthorised person has access to certain data, the organisation is not in line with the GDPR.

A second important strategy in order to achieve privacy by design is data minimisation [37, 39, 78,79]. Data minimisation is also mentioned in the GDPR as one of the principles relating to processing personal data [55]. To achieve data minimisation, a clear and unambiguous understanding of the context is needed [78]. If data minimisation is implemented correctly, it will restrict the amount of personal data that is processed [79]. Systems should still be operational for data processing, even without using personal data or using as little personal data as possible [77].

The other technique that is mentioned by the GDPR is privacy by default. The GDPR states that privacy by default means implementing appropriate technical and organisational measures which should assure that only relevant personal data is processed [8]. Privacy by default links to the principle of data minimisation [38]. However, it is not enforced by the design of the software and more information than is needed for a process could be processed. A data specification is therefore needed before the data is processed [38]. Moreover, the individuals must be informed in an appropriate way and explicitly give consent to the use of their data [8,38].

It is also important to notice that the definition of privacy by default in the GDPR is not the same as the second principle mentioned by Cavoukian. According to Cavoukian, privacy as the default means that privacy is always guaranteed, even if an individual does nothing about his or her own privacy [75,76]. However, this is more in line with the definition of privacy by design according to the Dutch Government [73].

2.3 Methods

Relevant literature about the GDPR (in healthcare) was assessed. Secondly, additional sources (reports and law cases) are included to give information about privacy in the Netherlands. Finally, a questionnaire was sent to companies which performed (IT-)audits.

2.3.1 Literature Research

PubMed was used in order to obtain relevant articles about the GDPR in healthcare. Search information can be found in Appendix B.

2.3.2 Questionnaire

In the Netherlands, the Dutch DPA monitors the safety of personal data processing and can give a company legal and financial punishments. In order to prevent these penalties, hospitals could assign IT-auditors to give an indication of the current status of the authorisations in relation to the GDPR. Beforehand, little was known about how these IT-auditors worked, which parts of the GDPR are seen as the most important and which parts are checked the most extensively. Evaluating their work method could help to evaluate which parts of the GDPR should necessarily be implemented. Therefore, a questionnaire was composed. This questionnaire contained ten open questions about how IT-audit companies perform the GDPR-audits. The questionnaire can be found in Appendix C. The questionnaire was sent to eight IT-audit companies and five IT-audit companies replied.

2.3.3 Other Sources

In order to find information about the GDPR relative to the Dutch healthcare (system), not only scientific resources were used. The resources that were used were:

• Reports of the AP

2.4 Results

The results are based on relevant literature and on the outcomes of surveys executed by the Dutch DPA and other research institutions. In addition, relevant case law and the answers to the questionnaire are discussed.

2.4.1 Results Literature Research

Since the GDPR is relatively new, not many articles were available to review the current state extensively. After the search on PubMed only 55 articles were found. The search query was executed multiple times during the research, in order to check for newly published relevant articles. These 55 articles were screened by the author. Sixteen articles were included based on the title. From all sixteen articles, the abstract was read. Eight articles were included for a full text review [29,80,81,82,83,84,85,86]. None of the articles gave information about the current state of the GDPR in healthcare. The papers gave information about potential changes or the impact of the GDPR, or they gave advice about changes that should be taken into account after the GDPR became applicable. One paper had no full text available [81]. The other articles were all excluded because of the content.

2.4.2 Results Questionnaires auditors

The results of the questionnaires show different important points that provide a broader insight of the integration of the GDPR in healthcare in the Netherlands. The results show how strictly the GDPR is used in the current situation.

The most important finding is that there is no generic GDPR audit that could be executed by every company. Two companies offer an audit (or internal investigation) that is fully focussed on the GDPR. One company uses the NOREA framework [87] and the other company developed its own framework to investigate if a hospital is GDPR compliant. All the companies declared that some aspects of the GDPR were covered in other audits (ISO checks or financial statement checks at the end of the year). Sometimes, the NOREA framework is (partly) used. Two companies gave the absence of an approved certificate as the reason why they do not offer a GDPR-audit. However, one of the companies does provide a certificate that claims that the investigated hospital (or other company) is compliant with the GDPR if the NOREA framework does not reveal major privacy issues. As discussed before, such a certificate is not approved by the Dutch DPA yet. The company reacted to this as follows:

“We do certify a company as GDPR compliant. It is true that the Dutch DPA has not officially approved such a certificate. However, authorities in other countries do accept this certificate.”

A second important finding is that none of the companies have one specific audit that is executed to answer a certain question. The duration, scope and type (for example interviews or a more technical check) of the audits can differ. Furthermore, audits are only executed on request of the hospitals. Therefore, the hospitals decide which parts of the EHR are examined and which not.

The only resemblance between four of the five companies is that they use the NOREA privacy control framework as a guide to determine the gaps between the current state of the privacy implementation of the EHR and the GDPR [87]. However, none of the audit companies used the full framework. They used the parts that were relevant for the found GDPR problems that were discovered in other audits.

2.4.3 Other Sources

Findings of the Dutch DPA

In June 2018, the Dutch DPA warned against institutions that claimed that they could provide a quality mark concerning the GDPR [88,89,90]. The quality mark would demonstrate that a company is compliant with the GDPR [88,89]. Such a quality mark does not currently exist. The Dutch DPA did not approve any quality marks until now [88,89]. The Dutch DPA is involved in the accreditation of different companies that could provide a GDPR-certificate [88,89]. A certificate can be requested by the board of accreditation [88]. This certificate shows that a company is compliant with certain specific requirements of the GDPR [88,89]. However, no company has such an accreditation yet, so no companies could provide approved certificates [88].

An important new requirement that was introduced by the GDPR is that every hospital should assign a DPO and that their contact information should be published. In October 2018, the Dutch DPA published a report concerning these assignments. The Dutch DPA checked if the included institutions had appointed a DPO and if the (direct) contact information of the DPO was easily accessible. All 91 hospitals and 33 health insurance companies had appointed a DPO and in all cases a direct phone number or mail address was available [91,90].


In January 2019, the Dutch DPA and the ministry of healthcare, welfare and sports concluded that new guidelines concerning how long log files should be stored were needed [67]. The current rule of thumb is that the log files should be stored as long as necessary for the interests of the patient [67]. At this moment, the retention period differs from two until fifteen years [67]. The retention time of a medical record is at least 15 years. The Dutch DPA proposed that this should also be applied to the log files; however, the ministry sees practical objections if all log files should be stored for 15 years [67].

Later that month, the Dutch DPA published a report concerning the number of data breaches that were reported in 2018 [92,93]. In 2018, 20,881 data breaches were reported. This number is doubled (109% more) relative to 2017 [92,93]. After the introduction of the GDPR on the 25th of May, the number of reported data breaches increased [92,93]. This report also showed that healthcare was the sector with most reported data breaches (29% of the total data breaches) [92,93]. From this fraction, 24% of the data breaches were related to hospitals [92]. In total 6,526 data breaches concerning medical data were reported to the Dutch DPA [92].

Privacy report Dutch DPA

At the end of January 2019 (the European day of Privacy), the Dutch DPA published the results of a survey about the privacy concerns of Dutch citizens. The survey was executed in the period from the 12th until the 17th of January 2019. In this survey 1002 Dutch citizens with an age between 18 and 75 were included [94]. This survey showed that despite the introduction of the GDPR, patients have big concerns related to the safety of their personal health data. According to the survey, 98% of the participants are concerned about the security of their personal medical data [94]. Around 65% of the participants have big concerns about the security of their medical data [94]. Participants are still afraid of abuse of their personal data, or that unauthorised people could access their data [94]. The survey also showed that new rights introduced by the GDPR are not as widely known. Only 51% of the participants were familiar with the right to data portability. Moreover, only 43% of the participants were aware of the right to human intervention for decisions based merely on automated processing [94].

Findings by other institutions or persons

A report of the Erasmus School of Health Policy & Management (ESHPM) about the application of big data in healthcare was published in January 2019 [95,96]. ESHPM interviewed 160 experts from eight different European countries and reviewed relevant documents to address all questions [96]. ESHPM concludes that privacy has a big role in the application of big data in healthcare [95]. In the Netherlands, people are more careful if it concerns their personal data [95]. Prof. Antoinette de Bont states that people are afraid that unauthorised persons could access their data or that their data could be abused, even though they are aware of the importance of sharing medical data [95]. The ESHPM concluded that the second world war is an important factor that makes people in the Netherlands more aware of the registration of their personal data [95].

Case Laws

At the end of October 2018, the first significantly high financial penalty for a violation of the GDPR in healthcare was given [97,98,99]. The Centro Hospitalar Barreiro Montijo hospital was fined 400,000 Euros [97,98,99]. According to the Portuguese Data Protection Authority CNPD (the Portuguese equivalent of the Dutch AP), the security measures were not compliant with the GDPR [97,98,99]. First, at least nine non-medical professionals had access to patient related data in the hospital’s system [98]. Moreover, the biggest violation was related to the authorisations in the EHR. The CNPD stated that 985 users were assigned physician roles and rights in the system. However, only 296 physicians work in the hospital [98,99]. In the Netherlands, the Dutch DPA has already announced that it will check hospitals for having a registration of data processing [97]. The Dutch DPA published a letter to the ministry of healthcare, welfare and sports concerning patient authentication in digital information exchange [97]. The Dutch DPA states that hospitals should implement appropriate technical and organisational measures to protect personal data [97]. The GDPR does not give concrete solutions for the protection of personal data. As a result of this, concrete norms like the NEN7510 should be used to implement information security measures [97].
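The two CNPD findings described above (far more accounts with physician rights than physicians, and non-medical staff with access to patient data) are discrepancies that a periodic authorisation review can surface by reconciling EHR role assignments with the HR staff register. The following Python code is an added example, not part of the thesis or of any tool it describes; the data model, role names, policy table and sample records are constructed assumptions.

```python
"""Authorisation review: reconcile EHR role assignments with the HR staff register.

All names, roles and records below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Assumption: which HR job functions justify holding which EHR role.
# A role that is absent from this policy is never justified (deny by default).
ROLE_JUSTIFIED_BY = {
    "physician": {"physician"},
    "nurse": {"nurse"},
    "billing": {"administration"},
}


@dataclass(frozen=True)
class Staff:
    staff_id: str
    function: str  # job function according to HR
    active: bool   # False once the employment has ended


@dataclass(frozen=True)
class Assignment:
    account: str
    staff_id: Optional[str]  # None: account is not linked to a person
    role: str


@dataclass(frozen=True)
class Finding:
    account: str
    role: str
    reason: str


def review_assignments(assignments, staff_register):
    """Return a Finding for every role assignment that HR data does not justify."""
    by_id = {s.staff_id: s for s in staff_register}
    findings = []
    for a in assignments:
        allowed = ROLE_JUSTIFIED_BY.get(a.role)
        person = by_id.get(a.staff_id) if a.staff_id is not None else None
        if allowed is None:
            reason = "role_not_in_policy"
        elif person is None:
            reason = "no_staff_record"      # shared, test or orphaned account
        elif not person.active:
            reason = "staff_inactive"       # rights were not revoked on departure
        elif person.function not in allowed:
            reason = "function_mismatch"    # e.g. non-medical staff with clinical rights
        else:
            continue                        # assignment is justified
        findings.append(Finding(a.account, a.role, reason))
    return findings


def role_headcount_gap(assignments, staff_register, role):
    """Return (accounts holding `role`, active staff whose function justifies it)."""
    accounts = {a.account for a in assignments if a.role == role}
    functions = ROLE_JUSTIFIED_BY.get(role, set())
    people = {s.staff_id for s in staff_register
              if s.active and s.function in functions}
    return len(accounts), len(people)


# Constructed sample data.
SAMPLE_STAFF = [
    Staff("S1", "physician", True),
    Staff("S2", "physician", True),
    Staff("S3", "nurse", True),
    Staff("S4", "administration", True),
    Staff("S5", "physician", False),
    Staff("S6", "technician", True),
]
SAMPLE_ASSIGNMENTS = [
    Assignment("acc_a", "S1", "physician"),
    Assignment("acc_b", "S2", "physician"),
    Assignment("acc_c", "S3", "nurse"),
    Assignment("acc_d", "S4", "physician"),
    Assignment("acc_e", "S5", "physician"),
    Assignment("acc_f", None, "physician"),
    Assignment("acc_g", "S4", "billing"),
    Assignment("acc_h", "S6", "physician"),
]

if __name__ == "__main__":
    accounts, people = role_headcount_gap(SAMPLE_ASSIGNMENTS, SAMPLE_STAFF, "physician")
    print(f"physician role: {accounts} accounts for {people} active physicians")
    for f in review_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_STAFF):
        print(f"{f.account}: role={f.role} reason={f.reason}")
```

The headcount comparison gives the same kind of signal the CNPD reported, while the per-account findings tell the reviewer which assignments to revoke or justify.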

2.5 Discussion

In this first chapter, insight was provided into the current state of the GDPR in healthcare as well as about the sense of privacy in the Netherlands. Results of the first study show that there are no scientific studies that examined the current state of the GDPR in the Netherlands or another European country yet. The eight articles that were fully read and reviewed did not discuss the current state. Further research should aim to indicate if the GDPR influences the authorisations in EHRs.

The questionnaire filled in by IT-auditors showed that there is no generic GDPR audit. One company does give certificates, while they are aware that this certificate is not approved by the AP. It seems to be an important next step that a certificate is developed in order to check the current state of the privacy settings in relation to the GDPR. We think that this will result in more clarity for the hospitals and that potential privacy issues are discovered more easily. Moreover, this change is also needed, because now hospitals have no guarantee that they are GDPR compliant after the audit is executed. The questionnaire also identifies that the audits differ in duration, scope and what data is used. This can lead to different outcomes and missed problems. Finally, the audits are always initiated by the hospitals. This can give a distorted idea about the current state of the hospital’s authorisations, because some parts are checked while other parts are not. Moreover, the hospital can choose to conceal potential hazards. Therefore, we advise the start of more unexpected GDPR related audits in order to examine the current state in a more objective manner.

Although scientific evidence was absent, a general overview of privacy legislation in the Netherlands was provided. Six years after the first report, the authorisations and access control security measures are still not implemented correctly. The report about the number of hospitals that assigned a DPO is until now the only report concerning the compliance of hospitals to the GDPR [91,90]. All other reports were not specifically aimed at the GDPR. The Dutch DPA published several reports about privacy and privacy perception. They also reported about the number of data breaches in 2018 in the Netherlands. All these reports showed that privacy in healthcare still is a big problem.

The outcomes of the survey about privacy rights were in line with a report of the ESHPM about the application of big data in healthcare that was published in January 2019 [95,96]. The results of both articles show that rightly implemented authorisations are essential in order to help reduce the concerns about the collection of personal medical data. If the authorisations are reliable and the hospitals are transparent about their policies, it is likely that the concerns will decrease. For example, hospitals could publish their (authorisation) policy on the website so every patient has access to this information.

The fear that unauthorised persons have access to personal patient data is the second most important reason for the concerns about the security of personal data [94]. This is also one of the conclusions Prof. De Bont makes in the report of the ESHPM. According to Mr. Hooghiemstra, an expert on personal data, a lack of trust could influence healthcare [32]. After the incidents in the OLVG and the Haga hospital, it seems that the patients have well-founded reasons to be sceptical about the safety of their personal data. It is alarming that six years after the first reports concerning the safety of personal (health) data no adequate measures are implemented. The urgency to adapt these authorisations is high, not only for hospitals to protect themselves against financial penalties, but also in order to maintain the trust of patients in healthcare institutions and healthcare professionals.

In order to decrease the privacy concerns, the proposal to extend the retention time of log files can fulfil an important role. If the log files are stored longer, patients have the opportunity to see if unauthorised persons have accessed their data and therefore the transparency of the system will grow. Research shows that transparency reduces the concerns of data subjects [100]. The identity and especially the intention of the data collector are important factors in order to decrease the level of concerns [100]. If the log files are stored longer, these factors will be addressed. However, for a patient it is hard to determine if a certain healthcare professional is authorised to see their personal data or not. Further research should investigate if increasing the transparency of the system will decrease the privacy concerns and how these adjustments should be implemented.

The high number of data breaches reported after the introduction of the GDPR may be caused by the increased (media) attention [92]. This does not necessarily mean that more data breaches have occurred in 2018. However, it seems that the GDPR raises the awareness concerning (the chance of) data breaches. The increasing awareness will not only lead to more data breaches being reported, but it can also affect the security measures used. Further research should observe the number of data breaches in the upcoming years. Furthermore, research should investigate if organisations have adjusted their security measures in order to decrease the chance of data breaches.

It is important that Dutch hospitals are aware of law cases from other countries, because it gives an indication of potential financial penalties that could be given in the Netherlands. Authorisations and access control are important factors and they will probably be investigated in future GDPR compliance checks by the AP. Therefore, hospitals should investigate and potentially update their authorisations in order to prevent these kinds of financial penalties. However, for hospitals it can be difficult to revise privacy measures, because the GDPR does not give technological or organisational specifications about these measures. Therefore, hospitals need proper guidance to become GDPR compliant [97]. In the next chapters, this study will investigate the compliance of current authorisations in EHRs concerning the GDPR and other national legislations. Interviews are used to gain information about how the authorisations are implemented and how healthcare professionals think about them. Finally, we investigate if it is possible to come up with a protocol to give hospitals more guidance concerning authorisations. These outcomes can be found in the final chapter.

The literature research that was performed had several limitations. First, limited scientific evidence was available in order to investigate the current state of the implementation of the GDPR in healthcare. The advice in the articles was often aimed at researchers in healthcare and not at healthcare organisations, healthcare professionals or systems like an EHR. It is a possibility that this study was executed too shortly after the introduction of the GDPR. It could be the case that the changes that should be made by healthcare organisations and healthcare professionals are not implemented yet. Another possibility is that the studies are not finalised and have not yet been published. It is therefore important to follow the developments on this topic.

A second limitation is that only questionnaires were sent to the IT-auditors. No DPO of a hospital was consulted due to time constraints. However, the knowledge of a DPO could have been useful in order to gain more insight in what kind of precautionary measures a hospital has made to be compliant to the GDPR. On the other hand, when a DPO is consulted a potential bias could occur. DPOs can never be objective, because they have to judge their own work and employers.

2.6 Conclusion

Almost one year after the introduction of the GDPR, no scientific studies about the consequences in healthcare have been performed or published. Also, the outcomes of the questionnaires show that there is currently no general agreement about how a hospital or EHR should be implemented to be GDPR compliant.

The authorisations in hospitals are still not implemented correctly, although several reports address these problems. The incident at the OLVG shows the consequences of wrongly implemented authorisations. Furthermore, Dutch citizens are concerned about the security of their personal data in healthcare. Dutch hospitals should alter the organisation and implementation of authorisations in their EHR to be compliant with the GDPR and to decrease the concerns around patient privacy. Authorisations can contribute to achieving this by letting only authorised persons access relevant data. In the next chapters, authorisations in the EHR will be investigated more extensively.

3 An evaluation of the authorisations in a Dutch EHR: identifying discrepancies relative to the GDPR

Abstract

Introduction: The EHR has become one of the most important sources for patient data and it helps the healthcare professional with providing care [101]. It is important to understand how healthcare professionals interact with the EHR. Due to the fact that interaction with an EHR is needed, EHRs are classified as socio-technical systems. Socio-technical evaluations are used to provide insights and explain why certain settings are implemented in socio-technical systems. This chapter aims to identify problems in authorisations in hospitals and the underlying reasons of how these problems could occur.

Methods: To identify the authorisation problems, a tool that evaluates the authorisation settings in the EHR was developed. Two hospitals agreed to participate in this study. After the problems were identified, interviews based on the grounded theory were executed. The findings are placed in a framework that described different dimensions of socio-technical factors.

Results: The authorisation tool successfully identified authorisation problems based on the database. The interviews based on grounded theory identified 90 different codes after the open coding phase. The intercoder reliability was 78% and the intercoder agreement was 94%. Finally three core components could be distinguished as underlying factors for the discovered problems: authorisations have a low priority; end users have the most important role and there is a lack of communication between the different stakeholders. It was also possible to map these core components to the socio-technical model for studying health information technology in complex adaptive healthcare systems (STM-HIT model). All problems could be related to the fifth (workflow and communication) and sixth (Internal organisational policies, procedures and culture) dimension.

Conclusion: The coded interviews and the mapping to the STM-HIT model showed that the most important problems are caused by bad communication, a sub-optimal workflow or that the internal procedures in the hospital is not in line with the implemented authorisations. A behavioural change is needed to prioritise authorisations and solve the found problems.

(26)

3.1

Introduction

As discussed before, healthcare professionals need patient data to be able to provide the patient the cor-rect diagnoses and care [1]. This information is often stored in an Electronic Health Records (EHRs) and healthcare professionals should interact with the EHR to complete their daily tasks [37].The EHR has become one of the most important sources for patient data and it helps the healthcare professional with providing care [101]. Healthcare professionals in the primary care spend 52% of their time (5.9 hours on a 11.4 hour workday) with interacting with an EHR [102].

EHRs have many advantages over paper patient records for healthcare professionals, patients and health outcomes in general [103, 104, 105]. One advantage is that patient data can be stored in a safer way [103, 104, 105]. Another advantage of EHRs is that they can increase the efficiency and effectiveness of healthcare [103, 104, 105]. It is important to increase the effectiveness of healthcare, because studies show that the majority of healthcare professionals (64%) experience their workload as too heavy [106]. Burnout is a major organizational and personal problem among healthcare personnel [107]. Therefore, an EHR should reduce the workload and support healthcare professionals with their tasks [108].

On the other hand, EHRs also have several barriers and potential drawbacks. One of these drawbacks is the risk of privacy violations of a patient's personal health data, due to the increased amount of available data [104, 109, 110]. In order to decrease the concerns about this topic, safety and privacy measures should be taken to protect personal health data [104]. However, these privacy measures could also act as barriers to the usage of an EHR [44]. In healthcare environments, the use of systems that control who can access patient data is necessary. These so-called access control systems are commonly implemented and studied. In healthcare, many different healthcare professionals (doctors, nurses, administrative personnel, etcetera) should have access to sensitive information [101]. Therefore, the access control systems in the EHR are very complex and are difficult to develop and implement [101]. Nevertheless, studies show that no potential end users (neither patients nor healthcare professionals) are consulted during the integration period of the system [44, 101]. The participation of end users in the development process could increase the effectiveness of healthcare and can lead to better healthcare [44]. This idea is in line with the conclusion of Bloomrosen et al. that new authorisation approaches are needed to protect the increasing amount of personal health data [23].

Another big problem related to EHRs is that healthcare professionals often have to adapt their workflow in order to use the EHR and the corresponding access control systems [44, 101, 111]. The problems occur if the design of the system is not in line with the workflow. The healthcare professional is then forced to adapt his current workflow to provide patient care [44, 101, 111]. These adaptations could influence the satisfaction of the user, the quality of care and the safety of the patient [111]. Implementation of access control systems and authorisations could lead to disrupted workflows. Disrupted workflows are the most important reason for the occurrence of suboptimal outcomes or adverse events [111]. Adverse events will influence the security of the personal health data of the patient.

It is important to understand how healthcare professionals interact with the EHR. Healthcare professionals interact with the EHR to complete healthcare-related tasks. Interaction is the most important characteristic of socio-technical systems [37]. Because interaction with an EHR is needed, EHRs are classified as socio-technical systems [37]. The settings of socio-technical systems can also be adjusted depending on the organisational environment they are implemented in [112]. This means that EHRs and their settings depend on the organisational environment as well [112]. Socio-technical evaluations focus on the relationship between technology and the environment around it [113]. In this way, socio-technical evaluations can provide insight into why certain settings are implemented. This means that an EHR can be used in a socio-technical analysis [112]. Such an analysis tries to identify the dynamic between the technology (the EHR) and those relationships [114]. The evaluation can help to understand why certain choices are made during the implementation process.

The authorisation problems in the OLVG and Haga are examples of problems in the access control systems of an EHR. It is important to understand why these authorisation problems occur in order to prevent them from happening in the future. In this chapter, discrepancies between the implemented authorisations and how the authorisations should be implemented are examined and evaluated. The outcomes of the scan will be presented to different stakeholders in the hospitals where these discrepancies were found. With interviews, this study aims to clarify why the problems with authorisations could occur. Thereafter, this study aims to identify the socio-technical factors that cause these discrepancies. If these underlying factors could be found, it could clarify whether the authorisations disrupt the workflow of the healthcare professionals. Finally, this chapter also reflects on the workflow consequences for healthcare professionals if the authorisations are implemented in the strictest way in relation to the GDPR and other national legislations.


3.2 Background

A frequently used qualitative research method is Grounded Theory (GT). GT defines a collection of techniques and procedures which can be used by researchers. These techniques and procedures help to identify concepts and are used to develop theories based on the qualitative data found [115]. The most used GT method is the qualitative interview [36]. The most commonly used interview set-ups are unstructured or semi-structured [36]. In an unstructured interview, no questions are prepared beforehand [36]. This method is preferable if the topic of the interview is not clear or not properly understood [36]. Due to this openness, it is more likely that all important aspects of the topic are found [36]. On the other hand, open-ended interviews also have some disadvantages. The most important disadvantage is that a participant can talk about irrelevant issues that do not contribute to answering the questions and finding underlying problems [116]. These disadvantages could lead to outcomes that are hard to code and analyse [116]. In a semi-structured interview, the interviewer composes an interview guide with a list of themes, problems, and questions that should be discussed during the interview [116]. Every participant will be asked about the same themes with the same open-ended questions [36, 116]. With this predefined list of themes and questions, the interview is structured [36]. However, there is still room to adjust the order of the questions and themes if this is necessary for the continuation of the interview [116]. Moreover, additional questions that were not included in the interview guide could be asked if they arise during the interview [116]. With these additional questions it is possible to gain more in-depth knowledge [116]. In this way, it is possible to identify views and opinions of the participants [116].

After an interview based on grounded theory has taken place, the outcomes should be coded. The coding is performed using three consecutive methods: open, axial, and selective coding [36, 117, 118]. First, open coding is applied to the data. During this phase, similarities and differences in the answers of the participants are identified [36]. As a result, parts of the data are summarised with a label [118]. It is important that potential biases and subjectivity are discarded during this phase [117]. The next step is axial coding. In this phase, subcategories and (temporary) relationships between the labels of the open coding session are identified [36, 117, 118]. The final phase is the selective coding phase. In this phase, the core categories or variables of all relationships that were found in the second phase are identified [36, 118]. The core categories represent the underlying reasons for the given answers, relations and subcategories [117]. The process of open, axial, and selective coding and the relation between those types of code is systematically shown in Figure 3.
