On May 19, 2021, the Italian Supervisory Authority (“Garante”) fined a physician €5,000 for publishing a patient’s medical records without obtaining that patient’s specific consent to do so.  As background, the physician downloaded medical records about a patient she treated at a local hospital from the hospital’s online archive system, including images taken during surgery.  The physician used these records for a presentation at a medical conference, and also included them as documentation supporting a scientific research paper she submitted for a competition hosted by a surgeons’ association.  The physician’s paper was ultimately selected as the winner of that competition, resulting in the publication of her work on the association’s website.

In its decision, the Garante concluded that the physician’s disclosure of patient data violated Articles 5(1)(a), 5(1)(c), 6 and 9 of the GDPR.  In particular, the Garante held the following:

  • Lack of valid consent. The patient did not consent to the processing of his health data for the specific purposes engaged in by the physician.  The Garante said that while the patient consented to the use of his data for “epidemiological investigation and scientific research” purposes, that consent did not encompass use of the data for other “scientific information” purposes.  The Garante’s narrow distinction here seems subtle and somewhat surprising, as the dissemination of research results (such as a presentation given at a medical conference) is considered by many to be an essential component of the research process.
  • Lack of authorization. The patient consented to “epidemiological investigation and scientific research” conducted by the hospital, not by the physician in question.  The Garante said the physician therefore should have requested authorization from the hospital to use the patient’s data for purposes other than medical treatment.  Instead, the physician independently acquired a copy of the records and images later used for the conference presentation and research paper.  The Garante’s decision thus underscores the importance of ensuring appropriate internal controls on access to data.
  • Failure to effectively anonymize the data. According to the Garante, the physician did not properly anonymize the patient’s data from the report she presented at the medical congress.  In particular, the published documents contained the following information: the patient’s initials, age, details of hospitalizations, medical history, and several images from the patient’s surgery (although the decision does not specify what the images reveal).  According to the Garante, all of this information – taken together – made the patient identifiable.
  • Prohibition on the open dissemination of health data under the Italian Privacy Code. The Garante further recalled that Article 2-septies, paragraph 8 and Article 166, paragraph 2, of the Italian Privacy Code expressly prohibit the open dissemination of data which may reveal the health status of an individual.  Accordingly, the 2014 Code of Medical Ethics of the National Federation of Surgeons and Dentists provides that physicians who wish to disclose data for scientific information purposes must ensure that their scientific publications or any disclosures of clinical data and studies do not reveal the identity of any of the patients concerned (e.g., are anonymized).