Information on the protection of personal data 

This information is provided, in compliance with Articles 13 and 14 of the European Privacy Regulation no. 679/2016 (hereinafter the “Regulation”), to users (hereinafter referred to as: “Users”) of the website in both desktop and mobile versions (hereinafter referred to as: “Site”) and of any mobile application relating to the service (hereinafter referred to as: “App”) owned by Punto Exe Srl, with registered office in Campobasso at Via Altobello, 3 and with VAT number IT00900060708, which is the legal entity responsible for the processing of personal data (hereinafter referred to as: “Controller”), and is intended to describe the methods of management of the Website and App with reference to the processing of personal data, as well as to allow Users of the Website and App to understand the purposes and methods of processing of personal data by the Data Controller in the event of their provision. 

Punto Exe Srl places the protection of personal data as its top priority. Therefore, to adequately care for those who rely on us, it is necessary to acquire and exchange certain personal information during use of the service. This information must be managed with the highest levels of security and in compliance with current regulations. For this reason, Punto Exe Srl has created a service that complies with the rules imposed by the new European General Data Protection Regulation (also known as GDPR) and has adopted the latest technologies for data storage and encryption. The company has implemented the following measures to achieve this: 

  1. Masking and encryption of health data: data relating to the patient’s health status are visible only to the doctor carrying out the consultation with the patient.
  2. Masking personal data through de-identification, i.e., the use of alphanumeric codes in place of the first and last name. This technology allows us to separate patient identities from their associated information, thus ensuring their privacy at all times.
  3. Data is encrypted and stored on servers owned by Microsoft, which provides them through the Azure service. These servers are located exclusively within the European Union and comply with the highest international standards (e.g., ISO 27001, ISO 27017, ISO 27018, etc.). Technically, the algorithms used are AES 256-bit.

 

Transparency on consent given and on the methods of processing sensitive data 

– Double consent to the processing of personal data for all users during registration and use of the service (as recommended by the Ministry of Health). Users can also request at any time both the withdrawal of consent to data processing and the deletion of all personal data. 

– Publication of information on the processing of personal data on the website 

– At any time, the user (both patient and professional) can ask for further clarification regarding the data processing, or for the immediate cancellation of his/her data, simply by writing to supporto@psycare.it

 

The sessions were organized in accordance with the guidelines of the Ministry of Health and the directives of the National Order of Psychologists. The stakeholders involved are described below. 

 

ACTORS INVOLVED 

The actors involved within the Psycare.it portal are: 

 

Users 

Those who use a telemedicine service. These may include: 

– a patient, possibly assisted by a caregiver, or a group of patients 

– a doctor in the absence of the patient (teleconsultation) 

– a doctor or other healthcare professional in the presence of the patient 

The user transmits health information (data, signals, images, etc.) and receives service results (diagnosis, treatment recommendations); it is also possible to exchange (in any direction) documents such as questionnaires, assessments, tests, etc. 

 

Service Center 

A Service Center is a structure responsible for managing and maintaining an information system through which the Provider Center provides telemedicine services, installs and maintains equipment at remote sites (the patient’s home or specially designated sites), provides, manages, and maintains communication channels (including alert management) between patients and doctors or other healthcare providers, and trains patients and family members in the use of the equipment. For example, the Service Center manages the health information generated by the User that must be sent to the Provider Center, and the service results that must be transmitted from the Provider Center to the User. 

The Psycare.it portal is therefore a technological center that provides IT support for the provision of services, including healthcare. 

 

RELEVANT ASPECTS FOR THE USE OF TELEMEDICINE IN THE NHS 

In accordance with the relational organizational model described above, it is possible to identify some relevant aspects for the purposes of systematization and widespread use of Telemedicine in the National Health Service:

  a) Information and Training Aspects. Information aspects concern the User, who must be appropriately informed about the methods of telemedicine delivery of the service, and doctors or other healthcare professionals, in order to increase acceptance of telemedicine methods. Training aspects concern the User, Service Center, and Provider Center, in order to ensure adequate quality of service. See a more in-depth discussion of these aspects in the next chapter.
  b) Procedures for integrating Telemedicine into the National Health Service. These include: i) the criteria for Authorization and Accreditation of the Providing Center for the provision of Telemedicine services privately and/or on behalf of the National Health Service; ii) contractual agreements with the National Health Service.
  c) Ethical aspects, processing of personal data with electronic means, and professional liability.

 

 

INFORMATION 

The Ministry of Health indicates that it is desirable, if not necessary, to provide correct information to patients and doctors/other healthcare workers. 

 

INFORMATION FOR PATIENTS 

Healthcare procedures requiring telemedicine must comply with the rights and obligations inherent in any healthcare procedure, but must also take into account the specific requirements associated with such procedures, including patient information. Patients must be informed of the appropriateness and scope of the procedure, as well as the means used and the methods of data storage and processing, in compliance with applicable legislation (for this purpose, please refer to the information on personal data protection available on the Psycare.it portal). The wider diffusion of telemedicine services raises new ethical concerns, especially due to the changing relationships between patients and doctors. Therefore, to ensure acceptance of these innovative service modalities, it is essential that the relationship between providers and recipients of healthcare be defined to take into account the needs of patients who require human warmth and comprehensible, accurate, and reassuring information. In the relationship between healthcare professionals and patients, it is important to ensure that the questions asked and the answers given by the healthcare professional are comprehensible to the patient. To address user concerns and strengthen their confidence, information programs must be implemented to familiarize patients with these new methods and tools, especially since they often involve older people. Such information programs could be developed with the support of the European Commission and the involvement of representative patient, consumer, and healthcare professional organizations, as well as voluntary organizations. 

 

INFORMATION FOR DOCTORS AND OTHER HEALTHCARE PROFESSIONALS 

Many doctors and other healthcare professionals still suspect that telemedicine could hinder or impact their relationships with their patients. It is therefore necessary to provide doctors with more information about telemedicine, which is seen as a system for simplifying and improving healthcare procedures, especially those aimed at monitoring chronic conditions and making patients’ lives easier, without detracting from the medical process or the doctor-patient relationship. 

 

HEALTH INFORMATION 

The health information and results transmitted can be of different types: 

  • Texts: which usually accompany any other type of data in the form of the patient’s medical history, personal data, etc.
  • Images: both digitized from analog sources and directly digital
  • Video and audio: images and sounds related to videoconferencing in patient consultations

 

Information can be static, which does not change over time (text, images, etc.), or dynamic, which changes over time (audio, video, etc.). The quality of the information transmitted and received must be guaranteed to ensure the quality of services provided through telemedicine compared to those provided through conventional methods. 

 

ETHICAL AND REGULATORY ASPECTS 

Ethical Aspects 

Telemedicine has significant implications in the delicate ethical sphere, as this different approach to managing interaction and communication between patient and doctor (or, more generally, the healthcare professionals involved) impacts a particular situation for citizens in need of healthcare, the way they establish a relationship with the doctor, and the perception of safeguarding the patient’s dignity. It therefore seems necessary to ensure that the doctor-patient bond of trust can also develop in this new context, including by dedicating the necessary time to meeting the patient’s information needs, well beyond informed consent, which today is sometimes interpreted as defensive rather than engaging in dialogue and sharing with the patient. From the perspective of telemedicine, this trend might seem the opposite, as telemedicine tends to “bring” doctor and patient closer together, even if it appears—at first glance—to “distance” the two main centers of interest (doctor and patient). In truth, the reality is much more complex, and this must also be taken into account when applying mediation to telemedicine practices, given that there are many more than two centers of interest, including the healthcare facility and the insurance company, which often have different interests than both the doctor and the patient. Finally, interesting prospects arise from the so-called “ethical certification” of the quality and professionalism of doctors and healthcare facilities (both public and private). 

 

PROCESSING OF PERSONAL DATA AND CLINICAL DATA WITH ELECTRONIC TOOLS 

 

The operations on citizens’ personal and health data required for the provision of Telemedicine services fall within the scope of sensitive data processing carried out using electronic means, which are regulated by the provisions of Legislative Decree 196/2003. The methods and solutions required to ensure data confidentiality, integrity, and availability must, therefore, in any case be adopted in accordance with the security measures expressly provided for in Legislative Decree no. 196/2003 and the related Annex B (Technical Specifications for Minimum Security Measures). 

In terms of obligations towards patients, the following aspects are particularly important, also in line with the ethical aspects highlighted above: 

 

  1. Information on treatments (examinations, remote transmission, use, etc.) and their purposes/guarantees, as well as, in the case of specific diagnostic-therapeutic pathways, on protocols. It is necessary to develop precise and as uniform (in content) as possible information templates at the national level, as remote services may also be performed in different regions and, potentially, at the European level.
  2. Patient Informed Consent: Patients must be clearly informed of the information needed to make an informed decision. In the specific case of remote services, it is necessary to assess whether or not repeating consent is necessary for each service, and whether the risks involved should be specifically explained (such as the risks associated with the lack of physical contact and the doctor’s clinical gaze, the impossibility of a complete examination, and the impossibility of immediate intervention in emergencies).
  3. Patient Rights Over Their Personal Data. It is essential to develop increasingly clear and simple methods to respect and guarantee the rights to personal data, especially in the context of telemedicine, which by its very nature involves greater technological complexity and the potential interaction of multiple data processing entities. Furthermore, it is particularly important to analyze and design healthcare processes so as to accurately define responsibilities, tasks, and functions, in accordance with current legislation, and identify appropriate organizational and technological solutions that allow for accountability and access to information only to those authorized to use it.

About PSYCare and GDPR 

Pursuant to Regulation (EU) 2016/679 (GDPR), the data controller is Punto Exe Srl, with registered office at Via Altobello 3, 86100 Campobasso (CB), VAT number IT00900060708 (hereinafter “Company”). For any information or to exercise your rights, you can write to: supporto@psycare.it

  1. Type of data processed

The Company collects and processes the following user data: 

  • Identification data (name, surname, email, telephone number, tax code); 
  • User account login and registration data; 
  • Payment data (only limited to the data required for the transaction); 
  • Health data and data relating to psychological well-being entered in the medical record or communicated during consultations; 
  • Technical data on platform usage (log, IP, timestamp); 
  • Any recordings of the sessions, as per the specific section. 
  1. Purpose of processing and legal basis

The data is processed for the following purposes: 

  • User account creation and management; 
  • Provision of services offered by the Portal (consultations, chat, prescriptions, medical records); 
  • Contractual obligations and legal obligations; 
  • Service improvement and technical monitoring; 
  • Payment management through integrated platforms; 
  • Recording of sessions, exclusively with the user’s prior consent. 

Legal basis: Processing is necessary for the performance of the contract (Article 6.1.b GDPR), for the fulfillment of legal obligations (Article 6.1.c), for the pursuit of legitimate interests (Article 6.1.f), and, for special (health) data and recordings, only with explicit consent (Article 9.2.a).

  1. Recording of video sessions

The user may, with explicit consent, authorize the professional to record the video session. In this case: 

  • Recording can only be activated by the professional and managed via tools integrated into the platform; 
  • The recordings are encrypted, non-downloadable, and accessible only by the professional; 
  • The Company does not access the recorded contents in any way; 
  • Consent may be revoked at any time, without prejudice to the lawfulness of processing until revocation. 
  1. Data retention

The data is retained for the entire duration of the subscription to the service and, subsequently, for the time necessary to comply with legal obligations or for legal protection. 

  1. Data recipients

The data may be processed by: 

  • Independent healthcare professionals who are data controllers; 
  • Authorized Company personnel and technical suppliers (e.g., hosting, technical support); 
  • Public bodies or judicial authorities in cases provided for by law; 
  • Stripe or other payment operators integrated into the platform. 
  1. Non-EU transfers

Data is not transferred to countries outside the EU. If cloud providers with servers outside the EU are used, appropriate safeguards (e.g., standard contractual clauses) will be implemented. 

  1. Data subject rights

The user can exercise the following rights: 

  • Access to personal data; 
  • Rectification and updating; 
  • Erasure (right to be forgotten); 
  • Restriction of processing; 
  • Objection to processing; 
  • Data portability; 
  • Revocation of consent (without prejudice to the lawfulness of the processing already carried out); 
  • Complaint to the Italian Data Protection Authority. 
  1. Mandatory nature of the provision

Providing your data is necessary to use the Portal’s services. Failure to provide it will make it impossible to provide the requested services. 

  1. Changes to this Policy

Any changes will be communicated via email or notifications on the Portal. Users are encouraged to regularly review the updated version of the policy. 

  11. Protection

Personal data protection and full compliance with the new European General Data Protection Regulation (GDPR) are PsyCare’s top priorities. To adequately care for those who rely on us, it is necessary to acquire and exchange certain personal information during use of the service. This information must be managed with the highest levels of security and in compliance with current regulations. To achieve this goal, PsyCare has enlisted the support of professionals and invested in creating a service that complies with the new European General Data Protection Regulation (GDPR). It has also adopted the latest technologies for data storage and encryption. Some of the key actions undertaken by the PsyCare team include the following: 

 

Data masking and encryption – health data is visible only to the doctor conducting the consultation with the patient. 

– Masking personal data through the use of alphanumeric codes. This technique allows separating patient identities from related information, thus ensuring their privacy at all times. This process is known in medical jargon as “de-identification.”

 

Data is encrypted and stored on servers located within the European Union and compliant with the highest international standards (e.g., ISO 27001, ISO 27017, ISO 27018, etc.). Technically, the algorithms used are AES 256-bit.

 

Maximum transparency on consent given and how sensitive data is processed. 

The Ministry of Health recommends obtaining double consent for the processing of personal data for all users upon registration and use of the service. This recommendation has been fully met. Furthermore, users can request at any time both the withdrawal of consent to data processing and the deletion of all personal data, as well as, of course, its modification. 

 

Publication of information on the processing of personal data on the website 

At any time the user can ask for further clarifications regarding the processing of data simply by writing to supporto@psycare.it  

PsyCare follows the Ministry of Health’s national guidelines (2012), identifying itself as a “Technological Support Services Center.” Below are excerpts from the national guidelines, with a view to user training on telemedicine. 

 

ACTORS INVOLVED IN TELEMEDICINE 

The actors involved in a healthcare act performed via Telemedicine are: 

 

Users 

 

Those who use a telemedicine service. These may include: 

– a patient/caregiver (televisit, telehealth) 

– a doctor in the absence of the patient (teleconsultation) 

– a doctor or other healthcare professional in the presence of the patient (televisit, telehealth cooperation) 

The user transmits health information (video, audio, data, signals, images, etc.) and receives the service results (diagnosis, treatment recommendations). 

 

Health care provider 

It could be: 

– National Health Service facilities, authorized or accredited, public or private, 

– NHS workers such as psychologists or psychotherapists who provide healthcare services through a telecommunications network. 

The Provider Center receives health information from the user and transmits the results of the service to the user. 

 

Technology Support Services Center 

A Service Center is a structure that manages and maintains an information system, through which the Provider Center carries out Telemedicine services, installs and maintains equipment in remote locations (the patient’s home or specially designated sites), and supplies, manages, and maintains communication between patients and doctors or other healthcare professionals. 

 

PsyCare is therefore a technological center that allows timely and easy access to health services. 

 

RELEVANT ASPECTS FOR THE USE OF TELEMEDICINE IN THE NHS 

In accordance with the relational organizational model described above, it is possible to identify some relevant aspects for the purposes of systematization and widespread use of Telemedicine in the National Health Service:

  a) Information and Training Aspects. Information aspects concern the User, who must be appropriately informed about the methods of telemedicine delivery of the service, and doctors or other healthcare professionals, in order to increase acceptance of telemedicine methods. Training aspects concern the User, Service Center, and Provider Center, in order to ensure adequate quality of the service. See a more in-depth discussion of these aspects in the following Chapter 4.
  b) Procedures for integrating Telemedicine into the National Health Service. These include: i) the criteria for Authorization and Accreditation of the Providing Center for the provision of Telemedicine services privately and/or on behalf of the National Health Service; ii) contractual agreements with the National Health Service.
  c) Ethical aspects, processing of personal data with electronic means, and professional liability.

 

INFORMATION 

With a view to engaging users participating in the PsyCare portal, the information that the Ministry of Health indicates as necessary for patients and doctors/other healthcare professionals is also explained. 

 

INFORMATION FOR PATIENTS 

Healthcare procedures requiring telemedicine must comply with the rights and obligations inherent in any healthcare procedure, but must also take into account the specific requirements associated with them, including patient information. Patients must be informed of the appropriateness and scope of the procedure, as well as the means used and the methods of data storage and processing, in compliance with current legislation (see the information on the processing of personal data on the PsyCare website). The wider diffusion of telemedicine services, and telemonitoring in particular, raises new ethical concerns, especially due to the changing relationships between patients and doctors. Therefore, to ensure acceptance of these innovative service modalities, it is essential that the relationship between providers and recipients of healthcare be defined to take into account the needs of patients who require human warmth and comprehensible, accurate, and reassuring information. In the relationship between healthcare professionals and patients, it is important to ensure that the questions asked and the answers given by the healthcare professional are comprehensible to the patient. To address user concerns and strengthen their confidence, information programs must be implemented to familiarize patients with these new methods and tools, especially since they often involve older people. Such information programs could be developed with the support of the European Commission and the involvement of representative patient, consumer, and healthcare professional organizations, as well as voluntary organizations. 

 

INFORMATION FOR DOCTORS AND OTHER HEALTHCARE PROFESSIONALS 

Among physicians and other healthcare professionals (especially doctors), many still suspect that telemedicine could hinder or impact their relationships with their patients. It is therefore necessary to provide physicians with more information about telemedicine, which is seen as a system for simplifying and improving healthcare procedures, especially those aimed at monitoring chronic conditions and making patients’ lives easier, without detracting from the medical process or the doctor-patient relationship. 

 

HEALTH INFORMATION 

The health information and results transmitted can be of different types: 

  • Texts: which usually accompany any other type of data in the form of the patient’s medical history, personal data, etc.
  • Images: both digitized from analog sources and directly digital; they concern many disciplines (radiology, dermatology, pathological anatomy, etc.)
  • Other one-dimensional data: ECG signals and other signals from physiological parameter monitoring
  • Video and audio: images from endoscopy, ultrasound, and videoconferencing during patient consultations.

 

Information can be static, which does not change over time (text, images, etc.), or dynamic, which changes over time (audio, video, etc.). The quality of the information transmitted and received must be guaranteed to ensure the quality of services provided through telemedicine compared to those provided through conventional methods. 

 

ETHICAL AND REGULATORY ASPECTS 

Ethical Aspects 

Telemedicine has significant implications in the delicate ethical sphere, as this different approach to managing interaction and communication between patient and doctor (or, more generally, the healthcare professionals involved) impacts a particular situation for citizens in need of healthcare, the way they establish a relationship with the doctor, and the perception of safeguarding the patient’s dignity. It therefore appears necessary to ensure that the doctor-patient bond of trust can also develop in this new context, including by dedicating the necessary time to meeting the patient’s information needs, well beyond informed consent, which today is sometimes interpreted as defensive rather than engaging in dialogue and sharing with the patient (for example, according to research by the Journal of the American Medical Record Association, if visits last less than 15 minutes, litigation levels are at a certain level, based on the ratio of visit duration to number of cases, while if they last more than 18 minutes, litigation declines dramatically). From the perspective of Telemedicine, this trend might seem the opposite, as Telemedicine tends to “bring” doctors and patients closer together, even if it appears—at first glance—to “distance” the two main centers of interest (doctor and patient). In truth, the reality is much more complex, and this must also be taken into account when applying mediation to Telemedicine practices, given that there are many more centers of interest and that they also include the healthcare facility and the insurance company, which often have different interests from both the doctor and the patient. Finally, interesting prospects open up from the perspective of the so-called “ethical certification” of the quality and professionalism of doctors and healthcare facilities (public and private). 
This project is still in its infancy but lends itself to application, especially in Telemedicine, to provide the greatest possible guarantees of reliability to those who, using a remote service, may have greater difficulty ascertaining the professionalism of the provider. 

 

PROCESSING OF PERSONAL DATA AND CLINICAL DATA WITH ELECTRONIC TOOLS 

 

The operations on citizens’ personal and health data required for the provision of Telemedicine services fall within the scope of sensitive data processing carried out using electronic means, which are regulated by the provisions of Legislative Decree 196/2003. The methods and solutions required to ensure data confidentiality, integrity, and availability must, therefore, in any case be adopted in accordance with the security measures expressly provided for in Legislative Decree no. 196/2003 and the related Annex B (Technical Specifications for Minimum Security Measures). 

In terms of obligations towards patients, the following aspects are particularly important, also in line with the ethical aspects highlighted above: 

 

  1. Information on treatments (examinations, remote transmission, use, etc.) and their purposes/guarantees, as well as, in the case of specific diagnostic-therapeutic pathways, on protocols. It is necessary to develop precise and as uniform (in content) as possible information templates at the national level, as remote services may also be performed in different regions and, potentially, at the European level.
  2. Patient Informed Consent: Patients must be clearly informed of the information needed to make an informed decision. In the specific case of remote services, it is necessary to assess whether or not repeating consent is necessary for each service, and whether the risks involved should be specifically explained (such as the risks associated with the lack of physical contact and the doctor’s clinical gaze, the impossibility of a complete examination, and the impossibility of immediate intervention in emergencies).
  3. Patient Rights Over Their Personal Data. It is essential to develop increasingly clear and simple methods to respect and guarantee the rights to personal data, especially in the context of telemedicine, which by its very nature involves greater technological complexity and the potential interaction of multiple data processing entities. Furthermore, it is particularly important to analyze and design healthcare processes so as to accurately define responsibilities, tasks, and functions, in accordance with current legislation, and identify appropriate organizational and technological solutions that allow for accountability and access to information only to those authorized to use it.