Can the person issuing an e-prescription provide the patient with a 4-digit access code by phone?
Healthcare facilities are sending the Personal Data Protection Office questions about situations in which patients request, by phone, the access code needed to execute an e-prescription. Healthcare facilities have doubts as to whether they can make such information available by telephone. These requests often result from the fact that the patient has lost the access code, which was provided to him or her in the form of a printout.
In accordance with Article 96b of the Pharmaceutical Law, the prescriber shall provide the patient with information on the issued e-prescription containing a 4-digit access code. This information may be sent to the patient’s e-mail address indicated by him or her in the health information system or by SMS to the phone number. The patient may also receive a prescription in the form of a printout in three cases: 1. failure to indicate an email address, 2. failure to indicate a telephone number, as well as 3. at the patient’s request or in any other agreed form containing at least the access code to the prescription or the prescription package or the access code and the name of the medicinal product, in case of provision of a healthcare service at the place of request or examination by means of ICT systems or communication systems, and the impossibility to provide information in the form of a printout (para. 2 point 3).
Thus, on the basis of the applicable legal provisions, this information is provided to the patient, in addition to a printout, also at his or her request or in any other agreed form in specific situations, i.e. when the healthcare service is provided at the place of request or examination by means of ICT systems or means of communication (telemedicine).
In any other case, the patient may request a reprint at the place where the prescription was issued.
In accordance with Article 96b (3), this information shall be provided only by the person who issued the prescription, regardless of the method of its provision. Thus, if the prescription for a particular patient has been issued by a doctor, it is only that doctor who is authorised to provide the patient with the information containing, inter alia, a 4-digit access code contained in the prescription.
When healthcare services are provided by telemedicine, correct identification of the patient is crucial from the point of view of personal data protection. Incorrect identification of the patient may lead to information being made available to an unauthorised person who, if he or she additionally had the patient’s personal identification number (PESEL), could fill the prescription by impersonating the patient. The confirmation of the interlocutor’s identity should be carried out in accordance with the rules that have been put in place to ensure the maximum level of personal data protection, so that the information is provided only to the person entitled to obtain such information.
Although the binding legal provisions do not indicate that the healthcare facility has the right to inform the patient of the 4-digit code during a telephone call, in exceptional situations, after having verified the identity of the caller, the prescriber could provide the 4-digit access code to the patient. In such cases, the correct authentication of the patient with whom the phone call is conducted (e.g. by the patient’s PESEL number, the reason for the medical visit, the date and time of the visit, etc.) is vital.
This does not mean, however, that providing this information in the form indicated above should become a common practice under which healthcare facilities make patients’ personal data available each time. In case of doubt as to the identity of the person calling in order to obtain information about the patient, the provision of the information should, in usual situations, be refused.
Filling the e-prescription
When filling an e-prescription, pharmacists should also take into account the principles of personal data processing (inter alia the principle of data minimisation), bearing in mind that, for that purpose, it is not necessary to present or to copy (scan) the patient’s identity card. In accordance with the provisions of the Pharmaceutical Law, it is sufficient, for that purpose, that the patient presents the information printout or gives specific data contained in the prescription, e.g. a 4-digit access code (contained either in the information printout or in the received SMS) and the PESEL number. Copying an ID card, by contrast, would lead to the pharmacy collecting data that go beyond the scope provided for by the relevant legislation as necessary for the execution of the prescription, for example the patient’s image, which would not comply with the principles of purpose limitation and data minimisation referred to in Article 5 (1) (b) and (c) of the GDPR.
It is worth stressing that pharmacies cannot store information printouts made available by patients. Therefore, after reading from such a printout the data required to execute the prescription, the pharmacist should return it to the patient. In this respect, it must be borne in mind that the printouts cannot be treated in the same way as the e-prescription stored in the IT system, to which the retention period of such documents indicated in the applicable legislation will apply.