Access the health records and safeguards in the processing of health data


Authors: Chiara Zampaglione, Andrea Strippoli, Miriam Andrea Fadda


With regard to access to and consultation of the Electronic Health File (EHF), the Italian Data Protection Authority recently issued a ruling on 22 February 2024 [1] imposing a fine of EUR 75,000 to the Azienda Sanitaria dell’Alto Adige (ASL) for failing to correctly and securely configure the relevant access procedures.

This decision is particularly important in light of the implications that may arise in processing activities involving special categories of personal data pursuant to Article 9 of the GDPR [2], which include health-related data. The EHF constitutes, in fact, the set of personal data generated by present and past clinical events concerning a data subject, shared by the health professionals who assisted him/her, in order to record his/her medical history and provide a quality care process. This tool is set up in a healthcare organisation (such as a hospital or a private clinic), which assumes the role of sole data controller, within which several professionals operate [3].


The case

The initiation of the sanction proceeding was initiated on the basis of two claims and two notifications of personal data breaches concerning unauthorised access to the EHFs of three data subjects.

Specifically, in the first of the two claims, the data subject reported frequent accesses to his file that did not correspond with the dates on which he had been hospitalised. In the second complaint, instead, the patient reported five inappropriate accesses to his EHF by healthcare staff who had not been involved in his treatment process. In the context of the second complaint, the ASL had also decided to notify, pursuant to Article 33 GDPR, the personal data breach that had occurred as a result of the unauthorised accesses to that file and also to issue a data breach communication to the data subject pursuant to Article 34 GDPR. In addition, the ASL had proceeded to submit a second data breach notification following further access by a healthcare professional to her husband’s health file. The data subject involved, at the time of the events, was a patient at the structure, but not under the care of the professional accused of the violation, who, therefore, was not entitled to access that file. By means of such access, the professional had been able to view laboratory tests and investigations relating to her husband outside of his course of treatment and, above all, without his knowledge.


The main violations

The investigation carried out by the Italian DPA showed several profiles of non-compliance with data protection regulations. In particular, in relation to:

      • Profiles of authorisation for access to the EHF: firstly, the configuration of the health file adopted by the ASL made it possible for its professionals to have unrestricted access to the EHFs of patients who were not – at the time of access – being treated by the professionals in force, in violation of the principles of lawfulness, fairness and transparency and of the Authority’s orders already issued on the subject [4].
      • Systems for controlling access to the EHF: the ASL had not monitored the security of access to the EHF with the activation of specific alerts capable of identifying anomalous or risky behaviour, relating to the operations performed by the persons authorised to process the data (for example, by setting alerts relating to the number of accesses performed, the type or the time frame), in violation of the principles of integrity and confidentiality as well as the security of processing.
      • Purposes for access to the EHF: the ASL had also allowed medical personnel access to the EHF for the pursuit of several purposes, in addition to those of treatment, prevention, diagnosis and rehabilitation of the patient. Among these, there was the possibility of accessing the files for regulatory/organisational purposes and for consulting the Cancer Registry. On this matter, the Italian DPA recognised, first of all, the violation of the provisions contained in the Guidelines related to the Health File [5] on the basis of which “the data controller is required to identify, in relation to the different functions to which the staff is assigned, specific profiles for access to the file”, thus restricting the cases of access to those essential to patient care and prevention, diagnosis and rehabilitation. Moreover, with reference to the Cancer Registry, the Italian DPA has, on the other hand, observed that the procedures for consulting this Registry are regulated by the sector regulations and that they do not allow the use of the health dossier for consultation [6].



The decision in question shows a constant need of protection in processing activities involving data relating to health, as represented by the Italian DPA in the aforementioned Guidelines. For the data controllers involved, such as Local Health Authorities, hospitals, private clinics, etc., the adoption of such measures requires the implementation of adequate technical and organisational measures to guarantee the security of the personal data processed, in order to prevent the risk of

  • access to the information processed through the health file by unauthorised persons; and
  • communication of the data contained in the health file to third parties not authorised to receive such information.


#healthlaw #electronichealthfile #italiandataprotectionautohor

[[1]] Italian Data Protection Authority, Decision of 22 February 2024, [web doc. no. 10001279],

[[2]] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

[[3]] Italian Data Protection Authority, Guidelines on electronic health record (EHR) and health file of 16 July 2009, [web doc. no. 1634116],

[[4]] The Italian Data Protection Authority had already ruled on the processing of the data in question with its ruling of 3 July 2014 [web doc. no. 3325808], in which the ASL was ordered to put in force specific measures that would allow only the health professionals currently treating the patient to access his or her health file for the time during which the treatment process is taking place. These measures had to be adopted by the ASL by 31 October 2014 as provided for in the Deferral Order of 11 September 2014, [web doc. no. 3494478],

[[5]] Italian Data Protection Authority, Guidelines on Health File of 4 June 2015, [web doc. no. 4084632],

[[6]] On this topic, the Italian Data Protection Authority issued its opinion on a draft decree pursuant to Article 12, paragraph 13 of Law Decree No. 179 of 18 October 2012, converted with amendments into Law No. 221 of 17 December 2012, for the creation of the National Cancer Registry – 7 April 2022, web doc. no. 9773977,