Skip to content

Deficiencies in how healthcare providers control staff access to patient journal data

Published: 3 December 2020
Swedish Authority for Privacy Protection has audited eight health care providers in how they govern and restrict personnel’s access to the main systems for electronic health records. The DPA has discovered insufficiencies that in seven of the eight cases lead to administrative fines of up to SEK 30 million.

Swedish Authority for Privacy Protection has now concluded a review of eight health care providers. What has been examined primarily is whether the health care providers have conducted the needs' and risk analysis required in order to assign an adequate access authorisation for personal data in the electronic health records.

— Health care providers must carry out a thorough analysis and assessment of the personnel's need to access information in the health records and the risks that accessing patient data includes, according to the Swedish Patient Data Act that is complementary to the GDPR. Without such analysis, health care providers cannot assign the personnel a correct level of authorisation, which in turn means that the organisations cannot guarantee patients' right to privacy protection," says Magnus Bergström, coordinator of the eight audits.

Swedish Authority for Privacy Protection notes that seven of the health care providers have not carried out a needs' and risk analysis, while one care provider has carried out an analysis that, however, includes some shortcomings.

The authority concludes that seven of the health care providers do not limit the users' access authorisation to the respective patient journal system to what is strictly necessary for the performance of their tasks.

— This means that the seven health care providers have not taken appropriate measures to ensure and be able to demonstrate a sufficient level of security for the personal data in the electronic health record systems.

The deficiencies of seven healthcare providers are so serious that they result in administrative fines of between SEK 2.5 to 30 million. The calculation of the amount of the fine differs significantly depending on whether it is a private company or a public authority. For companies, the maximum fine is EUR 20 million or four percent of the company's global annual turnover, whichever highest. For authorities, in Sweden the maximum fine is SEK 10 million.

Swedish Authority for Privacy Protection has developed guidelines that summarises the conclusions from the audits with regards to the obligation to conduct needs' and risk analyses.

— This guidance points to the importance of health care providers ensuring that needs' and risk analyses are carried out. The aim is to help care providers in conducting such analyses, which need to be carried out before any access authorisation is assigned in a health record system. Our hope is now that all the healthcare providers in the country use this guidance in their work to ensure that authorisation is correctly done, in order to guarantee patients the privacy protection they are entitled to, says Magnus Bergström.

For more information, please contact

Coordinator Magnus Bergström, telephone +46-8-657 61 30

Press office, telephone +46-8-515 15 415

Latest update: 7 May 2021
Latest update: 7 May 2021