
Innovation in patient identity confirmation in Poland: Health ID application and its importance.

Publication date: February 05, 2025

The ongoing digitalization of the healthcare sector in Poland brings new opportunities, but also challenges related to personal data protection and improving process efficiency. One of the latest achievements in this area is the introduction of the Health ID application, which aims to simplify and secure the process of confirming patients’ identity when e-prescriptions are filled. The new application, developed as part of the Potential Project, is an innovative solution that changes the approach to patient identification, while responding to the needs of modern data security standards [1].

  • Current methods of confirming patient identity

Correctly establishing the patient’s identity is a legal obligation of the entity providing medical services. Determining the identity of a given person and their entitlement to health care services is required in connection with the implementation of the Personal Data Protection Act of 10 May 2018 (GDPR). Verification is a key stage that should take place before the patient’s personal data is recorded. The previous procedure for confirming the identity of patients in Poland is regulated by the Act of 27 August 2004 on health care services financed from public funds and was based on traditional identity documents, such as an identity card, passport or driving license, which the patient had to show to an authorized person in order to verify their identity. Since the COVID-19 pandemic, new forms of contact with a doctor, such as teleconsultations, have come into use and remain in use in the post-pandemic era. When providing teleconsultations, doctors verified the patient’s identity in accordance with the organizational standard of teleconsultation within primary health care (Journal of Laws 2022.1194). In practice, the patient’s identity was confirmed on the basis of the patient’s data contained in the medical records provided by him/her via IT systems, by showing an identity document during a video call, or by using the patient’s electronic account created as a result of confirming his/her identity.

With the development of digital technologies, the mObywatel application was introduced, which allows data to be presented in digital form. In accordance with Article 50 of the Act of 27 August 2004 on healthcare services financed from public funds, the beneficiary can confirm their identity not only with a classic ID card, but also using a document in the mObywatel application[2]. These changes came into force on 14 July 2023. Since then, the electronic document has been equivalent to physical documents confirming identity.

  • What is Project Potential[3]

The Project Potential (full name: PilOTs for EuropeaN digiTal Identity wALlet) is an initiative supported by the European Commission, aimed at piloting and testing the European Digital Identity Wallet (EUDI). The aim of the project is to enable citizens to securely identify themselves and use a range of public and private services in the European Union. The project is being implemented by a consortium consisting of over 140 public and private entities from 19 EU Member States and Ukraine. Participation in the project will allow Poland to prepare for changes resulting from Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation). This regulation introduces a new tool – the European Digital Identity Wallet.

The European Digital Identity Wallet is a tool in the form of a mobile application to be used in public and private services throughout the European Union. Thanks to it, users will be able to digitally confirm their identity, store and share documents such as driving licenses, diplomas or prescriptions, as well as sign electronically. Users will have full control over their data, deciding what information they share and with whom. Using the wallet is to be voluntary and free of charge, without the need to give up traditional documents. The introduction of the European Digital Identity Wallet is intended to simplify many everyday activities, including filling e-prescriptions. The Digital Identity Wallet is to be recognized in all Member States, which means that users will be able to handle formalities not only in their own country, but also abroad, within the EU.

As part of Poland’s participation in the pilot program for the implementation of the European Digital Identity Wallet, the E-Health Center is introducing the Health ID application, which is part of the Project Potential.

  • Health ID: A New Solution for Identity Confirmation[4]

The Health ID application, developed by the e-Health Center, is a key element in the development of digital services in the healthcare sector. It is a modern tool that allows patients to safely and conveniently confirm their identity in electronic form when filling prescriptions, as well as in other situations requiring verification of personal data. In an era of increasing digitalization and automation of medical processes, Health ID is in line with global trends of simplifying administrative procedures and increasing security in the healthcare sector.

The application’s functionality is based on generating unique digital credentials that can be securely transferred to pharmacies, clinics and hospitals. This process eliminates the need to use traditional identity documents, which not only increases user convenience but also minimizes the risk of loss, falsification or misuse of personal data. Additionally, thanks to the use of modern encryption algorithms, the application provides comprehensive protection of transmitted information, preventing its interception or unauthorized access.

One of the key assumptions of Health ID is to raise the standards of personal data protection and patient privacy. Implementation of the application not only streamlines patient identification processes, but also allows medical facilities to manage data more effectively in a manner consistent with applicable legal regulations, such as GDPR. Thanks to automatic user authorization, the system reduces the risk of administrative errors, which translates into better organization of work in medical facilities and improvement of the quality of patient service.

An additional advantage of Health ID is its ease of use and integration with existing e-health systems, which makes the application user-friendly for both individual users and medical personnel. This solution is part of a long-term strategy for digitalizing healthcare, the goal of which is not only to increase patient comfort, but also to optimize administrative processes and increase the level of security in the entire healthcare system.

  • Goals of introducing the application and its benefits[5]

Health ID, which is part of the developing “European digital identity portfolio”, is an innovative tool which, as assured by the e-Health Centre (CeZ), will bring a number of tangible benefits to both patients and the entire healthcare system, including pharmacy systems.

The advantages of introducing this technology include:

  • Fast and hassle-free e-prescription fulfillment – Health ID will significantly reduce the time needed to fulfill a prescription at a pharmacy. Thanks to digital identity verification, the patient will not have to use physical identity documents or remember access codes, which will eliminate the risk of errors and delays.
  • Increased security of medical data – In the era of digital medical data, protecting patient information is a priority. Health ID uses advanced encryption algorithms that minimize the risk of leakage or unauthorized access to data.
  • Easier access to healthcare services – The digital ID wallet will allow patients to have easier access to healthcare services, such as medical consultations, receiving e-prescriptions or accessing their medical history.
  • Standardization of e-health processes – The introduction of the Health ID application is another step towards standardization of procedures within the Polish e-health system. By harmonizing identification tools with European standards, the healthcare system in Poland will gain in consistency, which will translate into better cooperation with international partners and improvement of the quality of services provided to patients.

Communication in the application is carried out in accordance with the principles contained in the ISO/IEC 18013-5 standard. This is an international standard defining specifications for mobile driving licenses (mDL) and their application in digital identity verification. Countries that have adopted the ISO 18013-5 standard have reduced the number of cases of identity fraud and increased the overall trust in digital identities. The ISO 18013-5 standard is also used in the private sector. Thanks to mDLs compliant with this standard, the procedures for verifying people's identity have been significantly accelerated, which affects the quality of the services provided. The ISO/IEC 18013-5 standard is also beneficial for users, because they gain more control over their personal data, which provides them with more thorough privacy protection. Thanks to mDLs standardized by ISO 18013-5, users can provide only the necessary information during identity verification, which reduces the risk of unnecessary disclosure of data[6].

The Health ID application generates a special mdoc certificate, which is used to confirm the patient’s identity. Documents in the mdoc format are based on the ISO/IEC 18013-5 standard. These are digital identity documents intended for storage on the holder’s mobile device and can be verified in person or remotely (online). Documents in the mdoc format are particularly important when used for identity certificates, as they offer additional protection against forgery, cloning, eavesdropping and impersonation of a specific person[7]. The application will connect via Bluetooth technology with the pharmacy system, which will enable e-prescriptions to be filled without the need to reach for documents in the classic form. It will be possible to fill prescriptions not only in Poland, but also in other European Union member states on the basis of a prescription obtained in Poland.

  • Personal data protection[8]

The protection of personal data in the context of the introduction of the European Identity Wallet is regulated by Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation). In April 2024, this Regulation was amended by the subsequent Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024 amending Regulation (EU) No 910/2014 as regards the establishment of a European digital identity framework. The key passages relating to data protection in Regulation No 910/2014 are:

  • Article 45h – Providers may not combine personal data related to these services with other data that is stored or used for other purposes. Personal data must be logically separated from other data in the provider’s systems. The services implemented must be functionally separated from other services provided by this provider.
  • Article 46 – Provides for cooperation between supervisory authorities designated under eIDAS and data protection authorities under the GDPR, obliges providers to eliminate data protection violations, and allows for the imposition of sanctions in the event of non-compliance.
  • Article 5a – Technologies that enable tracking of users without their explicit consent are prohibited and the use of privacy-protecting techniques such as anonymity is promoted where there is no need to fully identify the user.

The issue of patient data protection in mobile applications has also been raised in the EU forum by initiating work on a privacy code for mobile health applications, aimed at promoting trust among users and providing a competitive advantage for application developers who comply with its principles. The code was developed by an editorial team consisting of representatives of the technology industry, including companies such as Apple, Google, Microsoft and Samsung, with the support of the European Commission. Its aim was to create practical guidance for application developers on data protection principles, compliant with the General Data Protection Regulation (GDPR). In particular, the code emphasized the importance of obtaining the user’s explicit and informed consent to the processing of personal data and the need to delete this data in the event of withdrawal of consent. Despite intensive work, in 2018 it was found that the code did not yet fully meet the requirements of the GDPR, which prevented its formal approval. Further work is currently underway to adapt the code to the applicable regulations so that it can be submitted to the European Data Protection Board for formal approval[9].

Health apps currently operating in Poland and their privacy policies

In Poland, there are mobile applications that are classified as health applications. These include “mojeIKP” and “Medicover online”. By using Medicover online, the patient can contact a doctor who can issue an e-prescription or e-sick leave. By creating an account in the Medicover Online application, the patient’s data is processed by the data controller, which, according to the regulations, is Medicover sp. z o. o. The data of patients using the Medicover Online application are subject to special protection and used in accordance with applicable legal regulations, including Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR). This data is collected and processed solely for purposes related to the provision of medical services, including diagnostics, treatment and maintaining medical records. Only authorized persons, such as doctors and medical personnel, have access to them, to the extent necessary to provide health services. Patients have the right to access their data, rectify it, limit its processing, and in certain cases also delete it in accordance with applicable legal regulations[10].

The mojeIKP (Internetowe Konto Pacjenta) application is the official mobile application of the Ministry of Health, enabling patients to quickly and securely access their medical data and digital services related to healthcare in Poland. Its main functions include the ability to check, process and share prescriptions and referrals, view medical records, including hospital discharge notes, medical recommendations or test results, and grant access to medical data to people close to the patient, e.g. family members. Personal data of patients processed within the e-health system (P1), including in applications such as Internetowe Konto Pacjenta (IKP) and mojeIKP, are subject to special protection and processed in accordance with applicable legal regulations, including Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and the Personal Data Protection Act. The data administrator is the Minister of Health, who ensures their processing in a legal, reliable and transparent manner, in accordance with the principle of minimization: data is collected only for specific, legally justified purposes and is not stored longer than necessary to provide health services and to meet obligations arising from legal provisions. In terms of security, the e-Health Center meets the requirements of the ISO 27001:2017 standard, which ensures the integrity, confidentiality and security of data, protecting them against unauthorized access, modification, loss or destruction. Patients using medical applications have the right to access their data, rectify it, limit its processing, and in certain cases also to delete it. In addition, in the event of doubts as to the compliance of data processing with applicable regulations, they have the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO)[11].

Summary

Health ID is an example of modern technology that can significantly improve the quality of services in the healthcare sector. Thanks to advanced digital solutions, the application not only makes it easier for patients to fill prescriptions, but also ensures a high level of protection of their personal data by using the latest security standards. By implementing the European Digital Identity Wallet program, filling prescriptions will be easier for users who are abroad and want to fill a prescription issued in Poland, which is another argument proving the improvement in the quality of services in the medical sector.


[1] Identity will be confirmed by Health ID. New application of e-Health Center is launched [in] https://www.rynekzdrowia.pl/E-zdrowie/Tozsamosc-potwierdzi-Health-ID-Rusza-nowa-aplikacja-Centrum-e-Zdrowia,267386,7.html?mp=promo

[2] Act of 27 August 2004 on health care services financed from public funds (Journal of Laws 2004 No. 210 item 2135).

[3] Project Potential [in] https://www.gov.pl/web/rozwoj-technologia/projekt-potential3

[4] Identity will be confirmed by Health ID. New application of e-Health Center is launched [in] https://www.rynekzdrowia.pl/E-zdrowie/Tozsamosc-potwierdzi-Health-ID-Rusza-nowa-aplikacja-Centrum-e-Zdrowia,267386,7.html?mp=promo

[5] ibidem

[6] https://www.dock.io/post/iso-18013-5

[7] https://learn.mattr.global/docs/mdocs

[8] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.

[9] https://digital-strategy.ec.europa.eu/pl/policies/privacy-mobile-health-apps

[10] https://www.medicover.pl/polityka-prywatnosci/

[11] https://pacjent.gov.pl/polityka-prywatnosci
