key: cord-0753487-pbp0330f
authors: Stipa, G.; Gabbrielli, F.; Rabbito, C.; Di Lazzaro, V.; Amantini, A.; Grippo, A.; Carrai, R.; Pasqui, R.; Barloscio, D.; Olivi, D.; Lori, S.
title: The Italian technical/administrative recommendations for telemedicine in clinical neurophysiology
date: 2020-09-24
journal: Neurol Sci
DOI: 10.1007/s10072-020-04732-8
sha: 9959eb1767c12cd6b453048b211143529e76a4d7
doc_id: 753487
cord_uid: pbp0330f

Recent advances in technology, information technology, Internet networks, and, more recently, fiber optics in industrialized countries allow the exchange of a huge amount of data, in real time, across the globe. The acquisition of increasingly sophisticated technologies has made it possible to develop telemedicine, by which the specialist's evaluation can be carried out on the patient even remotely. In Italy, this very useful tool, although possible from a technological and information technology point of view, has not been developed because of the lack of clear and univocal rules and of major administrative obstacles related to the Italian Public Health System. To promote telemedicine implementation in Italy, the Italian Society of Clinical Neurophysiology and the Italian Society of Telemedicine together with the National Centre for Telemedicine and New Assistive Technologies of the Italian Higher Institute of Health prepared these inter-society recommendations. Because of the potential forensic value of these recommendations, they were prepared considering the current regulations and the General Data Protection Regulation and will provide the basis for a Consensus Conference planned to discuss and prepare National Telemedicine Guidelines.

Telemedicine "in the Internet age" has found increasing use and can be applied in various medical sectors, especially in times of health emergency, such as the one we are experiencing during the COVID-19 pandemic.
A recent paper [1] reported that the World Health Organization (WHO) and the Centers for Disease Control and Prevention (USA) have recommended the use of telemedicine during the current pandemic. With an acute shortage of neurologists and neurosurgeons, it becomes more difficult to provide neurological care to those who need it the most, particularly with travel restrictions. Recently, the episodes of lockdown caused by the COVID-19 pandemic have strongly accelerated telemedicine implementation in neurology, and scientific societies have promptly provided recommendations for the management of neurological disorders [2, 3]. The social restrictions caused by the COVID-19 pandemic impacted heavily on medical care for different neurological disorders such as epilepsy; indeed, it has been shown that in Italy there has been a reduction of more than 70% in electroencephalogram recordings [4]. This had a profound impact on care, and most of the patients with this condition experienced clinical worsening [5]. Thus, the development of an efficient telemedicine system is urgently needed for the care of neurological disorders. The use of telemedicine can benefit not only healthcare professionals but also patients, for a better management of medical care and diagnoses, for the simplification of procedures, and for the reduction of hospitalization duration. Through telemedicine, it is possible to remotely control the terminal of medical devices, allowing remote viewing, and to access medical records, personal data of patients, and clinical images. Clinical neurophysiology lends itself very well to telemedicine and benefits from increasing the quality of the decisions of doctors and technical staff by making the patient's information available to them in a simple and fast way.
Teleneurophysiology extends the concept of working on the terminals by offering to healthcare professionals the possibility to carry out medical consultations, monitor patients, and create exam reports from a PC, tablet, or smartphone, even outside the hospitals. The purpose of these recommendations is to provide precise indications to clinical neurophysiologists and neurophysiology technologists for the use of telemedicine, in full compliance with the current regulation, also in light of the recent European Regulation on the protection of personal data, which went into effect in May 2018 [6] . The present recommendations set the basis for the development of Italian National Guidelines for clinical teleneurophysiology. Future guidelines will be defined through a sharing process with all the members of the Italian Society of Clinical Neurophysiology (SINC) and with the Italian Society of Telemedicine (SIT), for which a dedicated inter-society study group (SG) has been created, using first of all a special discussion forum, already present on the SINC website, and, subsequently, through a specific Consensus Conference. The final text thus obtained will then be submitted for examination by the Institute of Health according to current procedures. The history of telemedicine can be divided into three main periods: analogue telecommunication era, digital era, and internet era. In the 1970s, there were the first attempts of teleconsultation and telemonitoring of complex systems, based on the use of TV technology to convey remote information. At this stage, the audio and video data were not integrated. Thanks to digital technology, communication capabilities reached a turning point in the 1980s. In this phase, characterized by the integration of communication with computers, technology offered the possibility to transmit relatively large amounts of data. 
Thanks to ISDN (Integrated Services Digital Network), it was possible to simultaneously transmit voice, video, and biometric data. The first networks were created with sophisticated systems of telephone lines, which allowed point-to-point, point-to-multipoint, and multipoint-to-multipoint communications. Finally, from the 1990s and thanks to the Internet, large amounts of data, images, and audio could be sent for consultation or shared over long distances and at a very low cost compared with the previous eras. This is the era from which it has been truly possible to start experimenting more effectively with teleconsultation and telemonitoring in real time. There have been various attempts in Italy and in other countries to build remote control systems for medical devices, to allow teleworking, medical teleconsultations, and remote reporting. The methodologies for telemedicine applied to different medical branches include the "Telemedicine for cardiovascular disease continuum" [7], the "ANMCO/SIT Consensus Document: Telemedicine for cardiovascular emergency networks" [8], the European project "HEALTH OPTIMUM (Health OPTIMization throUgh Telemedicine)" of the Veneto Italian region for neurosurgical teleconsultations, and the Telelaboratory, the Neurological Teleconsultation for the management of ischemic stroke and the management of oral anticoagulant therapy [9], and also the digitization projects for electronic health records of patients (ESF) of the Tuscany [10] and Emilia Romagna Italian Regions [11]. Historically, we have seen the earliest attempts of teleconsultation in clinical neurophysiology already with the advent of Microsoft Windows 95, where with modem connections and via the SLIP (Serial Line IP) protocol, a dedicated network with point-to-point interchange of exam files was created. This protocol made it possible to share information, but response and decision times were not immediate, unlike telemonitoring today.
From the end of Windows 95 support, and with the introduction of Windows 98 and Windows XP, we started sharing, also through modems and Integrated Services Digital Network (ISDN) communication systems, exam reports and text files by emails, thus allowing medical teleconsultation. With the release of Windows XP, in the early 2000s, a remote control of personal computers (PCs) was made possible. This was a big step forward for teleconsultation and telemonitoring. Thanks to software tools like Microsoft NetMeeting and UltraVNC, it was possible to review neurophysiological recordings remotely, directly from the recording station, and also to follow online the execution of the exam [12] [13] [14] , with real-time interventions and much faster decision-making times than in the past. With the advent of asymmetric digital subscriber line (ADSL) communications, and Wide Area Network (WAN) adaptations, the Italian hospitals had the opportunity to acquire the equipment for secure connections through virtual private networks (VPN) [15] , Secure Socket Tunneling Protocols, and Microsoft Windows Terminal Server (or equivalents such as Citrix). Teleconsultation indicates the diagnosis and/or choice of a treatment by a physician without the physical presence of the patient. This is a remote consultancy activity that allows a physician to seek the opinion of one or more colleagues (second opinion), on the basis of specific training and skills, and on the basis of medical information related to the patient management. Tele-reporting consists in processing the medical report remotely. An official digital report can be created with the authentication of the document through a remote digital signature, in accordance with the current legislation. 
Tele-monitoring offers support to the physician and to the patient, allowing the constant monitoring of the physiological parameters of the patient at home (useful for chronically ill, elderly, and disabled patients), in disadvantaged geographical areas (health facilities located in the mountains, islands, isolated communities, etc.), or in intensive care units (ICU).

The method recommended by the SINC-SIT inter-society Telemedicine Working Group consists in the use of both intra-hospital (Intranet) and inter-hospital and extra-hospital (Internet) computer networks, using a secure VPN connection and "Remote Desktop" software. This method complies with all current privacy legislation. Furthermore, it is "freeware," since it is not necessary to purchase any software license. The term VPN is a generic term that defines the concept and not a brand or a standard; in particular, VPN has already been integrated into the operating systems of common PCs, tablets, and smartphones. However, there are some widely recognized and independent companies, such as ICSA Labs, which certify the interoperability (the ability of a system or an IT product to cooperate and exchange information) and the security of IT systems [16]. For example, a device or software product that bears the ICSA Labs brand for IPsec VPNs has passed a series of objective and replicable tests, which guarantee the compatibility with all the other certified implementations, with an adequate level of security. It is now widely believed that a properly designed VPN has a comparable, if not greater, degree of security than a dedicated network. The term "Remote Desktop" indicates software that, through a graphic interface, displays on the monitor of a "client" PC the content displayed on the monitor of a "server" PC. This function was introduced through a teleconferencing software called "Net Meeting" in Windows 95.
Net Meeting is now discontinued, and its function is now incorporated in the latest generation operating systems, under the name RDP (Remote Desktop Protocol) or RDS (Remote Desktop Services) [17]. RDP is a proprietary network protocol developed by Microsoft, which allows a remote connection from one computer to another in a graphical manner. By default, the protocol uses TCP and UDP port 3389. There are other software tools dedicated to remote desktop sharing, freely downloadable from the Internet, such as Ultra VNC, a software tool that offers the same functionality as Microsoft Remote Desktop, but which requires an additional level of user authentication, in addition to that already required by the VPN access. The use of a remote desktop sharing program brings the following advantages:

1. There is no exchange of sensitive data: the only information that travels on the network is the exchange of digital data concerning the graphic interface. This also has the advantage of not overloading the line used: a minimum throughput of 4 Mbit/sec is sufficient.
2. It is not necessary to install electromedical software on the PC used by the medical consultant (client), since the software, with the relative licenses, is located on the PC (server) whose desktop is used by the client.
3. After the disconnection from the client PC, no residual information remains on the server PC.

The use of an Internet connection, a VPN connection to the company server, and "remote desktop" software allows the neurophysiologist and the neurophysiology technologists to remotely take control of any electromedical equipment with an operating system (electroencephalograms, EEG monitoring in resuscitation unit-intensive care, etc.) [18, 19]. This method also allows remote reporting, with the help of modern electronic digital signature techniques [20].
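Advantage 1 above depends on the session carrying nothing but the graphical interface; in RDP, clipboard, drive, and printer redirection are the client settings that would move text or files across the connection. The following added example (not code from the paper or from the societies) audits an .rdp connection profile for those settings, for strict server authentication, and for a target inside a VPN-only subnet. The sample profiles, the subnet 10.20.30.0/24, and the finding names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample profile for illustration; not taken from the paper.
SAMPLE_RDP = """\
full address:s:10.20.30.15:3389
authentication level:i:2
redirectclipboard:i:1
drivestoredirect:s:*
redirectprinters:i:0
"""

# Same target with redirection off and strict server authentication.
HARDENED_RDP = """\
full address:s:10.20.30.15:3389
authentication level:i:1
redirectclipboard:i:0
drivestoredirect:s:
redirectprinters:i:0
"""

# Assumption: the recording stations sit in a subnet reachable only via the VPN.
VPN_SUBNET = ipaddress.ip_network("10.20.30.0/24")

# Integer-valued redirection channels that carry more than the screen image.
INT_REDIRECTS = ("redirectclipboard", "redirectprinters")


def parse_rdp(text):
    """Parse the 'name:type:value' lines of an .rdp file into {name: value}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            raise ValueError(f"malformed .rdp line: {raw!r}")
        name, kind, value = parts
        settings[name.lower()] = int(value) if kind == "i" else value
    return settings


def target_host(address):
    """Return the host part of 'host[:port]' (IPv4 literal or hostname)."""
    host, sep, _port = address.rpartition(":")
    return host if sep else address


def audit_profile(text, vpn_subnet=VPN_SUBNET):
    """Return a sorted list of finding codes; an empty list means compliant."""
    cfg = parse_rdp(text)
    findings = []

    try:
        host = target_host(cfg.get("full address", ""))
        if ipaddress.ip_address(host) not in vpn_subnet:
            findings.append("target-outside-vpn-subnet")
    except ValueError:
        # A hostname or a missing address cannot be tied to the VPN subnet.
        findings.append("target-not-verifiable")

    # A key left out of the file is reported too, because the client's own
    # default then decides whether the channel is open.
    for key in INT_REDIRECTS:
        if cfg.get(key) != 0:
            findings.append(f"{key}-not-disabled")
    if cfg.get("drivestoredirect") != "":
        findings.append("drivestoredirect-not-empty")

    # authentication level 1 = refuse to connect if server authentication fails.
    if cfg.get("authentication level") != 1:
        findings.append("server-authentication-not-enforced")

    return sorted(findings)


if __name__ == "__main__":
    for label, profile in (("sample", SAMPLE_RDP), ("hardened", HARDENED_RDP)):
        print(label, audit_profile(profile))
```
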
This method integrates well with the IT services already made available by the various healthcare companies, as described in the privacy chapter of these recommendations.

The neurophysiological diagnostic techniques most commonly used in the clinic are the following:

Neurophysiological techniques are suitable for remote consultation. However, some tests listed above necessarily require the presence of the clinical neurophysiologist:

a. EMG: the presence of the clinical neurophysiologist is required for the insertion of the needle electrode, the quantification of the traces, the qualitative evaluation of the motor unit activity, and the identification and classification of spontaneous activity at rest.
b. Intraoperative neurophysiology: telemedicine allows remote monitoring of single patients and possibly of multiple interventions simultaneously. Based on the complexity of the cases and the characteristics of the telemedicine system, the person responsible for the intraoperative monitoring decides on the presence of the clinical neurophysiologist in the operating room during some crucial phases of the intervention [21].
c. Assessment of brain death: telemedicine can be applied only for the preliminary evaluation of the standard EEG recording before the beginning of the procedures required for brain death certification. All members of the commission must be physically present in the unit where the procedure of brain death determination takes place.

In the cases described above, always in the presence of a specialist, it is however possible to make use of "experts" connected remotely, in order to be able to request a further specialist evaluation aimed at a "second opinion."

The application of the general data protection regulation (GDPR) to health IT-telematic systems

1) is more simply referred to as "GDPR," or General Data Protection Regulation. The GDPR regulates personal data processing within the European Union. The previous regulation was part of the Directive 95/46/CE [22].
The new instrument chosen by the European legislator (the "regulation" instead of a "directive") has completely different characteristics compared with the aforementioned directive. A directive is a legislative act of the European Union that sets the principles and the results to be achieved by the individual Member States. How those results will be achieved is a responsibility of individual states. The legislator of each EU Member State decides how to apply those directives through transposition rules (in Italy, EU directives are usually transposed into local laws through legislative decrees) [23] . A regulation is instead directly applicable within the legal system of each Member State: "The regulation has general scope. It is mandatory in all its elements and directly applicable in each of the Member States" [24] . The EU regulations, therefore, unlike the directives, do not require any legislative act of transposition or implementation. They are therefore defined as "self-executing." The reorganization of the legislation on personal data processing started on January 25, 2012, when the European Commission, acknowledging that the technological progress and globalization have profoundly changed the way data is collected, used, and accessed, proposed a comprehensive reformation of the data protection rules that were contained in the EU Directive of 1995, with the aim of strengthening the rights of the "online" privacy and promoting the development of the European digital economy. According to the commission, a legislative act was necessary for all the European States, in order to eliminate the regulatory fragmentation caused by the transposition of the previous directive in ways that differ from State to State. 
The application of Regulation 2016/679 to the health sector, especially in consideration of the ever-increasing use of IT-telematic resources, has already had and will continue to have a far-reaching impact and will cause the rethinking, reorganization, and rationalization of procedures of transmission of data and health information. It is an effort but at the same time a great opportunity to achieve transparency and effectiveness in personal data processing. Based on the indications of the GDPR, a health facility must conform to the following requirements [25]:

case where:

(a) the processing is carried out by a public authority or body;
(b) the core activities of the Controller or the Processor consist in data processing operations which, by their nature, scope and/or purposes, require regular and systematic monitoring of the subjects of data on a large scale; or
(c) the core activities of the Controller or the Processor consist of processing on a large scale of special data categories, including sensitive data and data with a health content.

The Data Protection Officer shall have at least the following tasks:

(a) to inform and advise the Controller or the Processor and the Employees who carry out the data processing about their obligations;
(b) to monitor the compliance with the regulations, with the data protection provisions of other Union or Member States and with the policies of the Controller or Processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(c) to provide advice where requested regarding the Data Protection Impact Assessment (DPIA) and monitor its performance;
(d) to cooperate with the supervisory Authority;
(e) to act as the contact point for the supervisory Authority on issues relating to processing, and to consult, where appropriate, for any other matter.

In the case of design and implementation of e-Health systems aimed at integrating into or interacting with a healthcare facility, the primary contact person for consultations regarding the correct processing of data will therefore be the DPO.

The health facility, as controller, will have to draw up a fundamental document, called the "record of processing activities." The record of processing activities must be prepared by each controller who processes specific categories of data, including sensitive data and data with a health content. The Record of Processing Activities must contain:

(a) the name and contact details of the Controller and, where applicable, of the joint Controller, and the Data Protection Officer;
(b) the purposes of data processing;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
(e) where applicable, transfers of personal data to a third Country or an international organization, including the identification of that third Country or international organization;
(f) where possible, the envisaged time limits for erasure of the different categories of data;
(g) where possible, a general description of the technical and organizational security measures.

The record of processing activities allows a mapping of the data processing by the health facility, which is fundamental to the purposes of data protection, because the purposes, data subjects, and recipients as well as the security measures applied will be known for each treatment. From what has been said, it is easy to understand how essential it is that this mapping also takes into account the treatments carried out through e-Health systems.

The regulation reaffirms the importance of providing adequate information to the data subject (the patient in the case of healthcare facilities).
In particular, the European Legislation requires that the information is clear, is free of excessive legal formalism, and is comprehensible. Drafting simple and clear information forms regarding the treatments carried out through digital healthcare systems must be one of the main objectives of the controller, who, however, must not prepare different forms for each project or digital healthcare system, but should draw up documents that are as unitary and comprehensive as possible, according to the objectives of clarity and simplification of the European legislator. It should also be remembered that it is the intent of the European legislator, in compliance with the "right to be forgotten," that the right to obtain data erasure is provided and strictly regulated. It follows that for each new e-Health system installed, not only the start-up and ramp-up phases but also the phase of system dismissal must be carefully considered. The "abandonment" of databases containing information of such relevance as that relating to the health of citizens would have a very negative impact on the overall evaluation of the health system in terms of data processing.

With regard to the patient's consent, after the entry into force of the GDPR [26], the Italian Data Protection Authority has provided clarifications for physicians: the healthcare professional (such as the physician) no longer has to request consent for the processing of data necessary for the treatment activities. The reason is that physicians and other healthcare professionals are already subject to professional secrecy when dealing with patients' care. Therefore, consent to data processing is not considered necessary in that case. Consent is instead necessary in some cases indicated by the data protection authority:

1. Processing of health data through the use of medical "apps"
2. Data processing for customer loyalty programs (such as those practiced by pharmacies)
3. Data processing for promotional or commercial purposes

In these cases, since the purpose is not strictly a treatment, the patient's consent to the processing of his/her data must be collected.

5. Appointment of data processor

A correct mapping of data treatments will allow a rapid identification of the information flows towards the outside, for the purpose of an exact and precise identification of the subjects who will have to be appointed as processors with a specific legal act. This legal act will have to clarify which data treatments the processor will have to handle, how they will be carried out, and what security measures the processor will have to adopt. In the case of e-Health systems, the presence of suppliers (e.g., software companies) that have to be appointed as processor is very frequent. It should be stressed that processors frequently use other sub-suppliers (e.g., providers, cloud services managers). In such cases, the regulation requires that the data holder (i.e., the health facility) verifies the choice of sub-suppliers and authorizes the appointment of further processors (called sub-processors). In order to avoid the long times and bureaucratic burdens of individual authorizations, the health facility, if there is a fiduciary relationship with the data processor, can use a general authorization for all the sub-processors.

For a correct use of a computer-telematic system by the user, it is necessary to configure the authentication tools and to profile the authorizations, based on the tasks entrusted to the user. This fulfillment, already foreseen in the privacy code, is maintained in the new regulation, since it is an essential requirement for the correct data processing by the users. Persons who, under the direct authority of the controller, are authorized to process personal data must be appointed with a specific legal act.
In this act, the security measures they must comply with and the methods of accessing and using the information and communication technology (ICT) system must be indicated. This legal act is a fundamental document to guarantee the correct and lawful processing of data by the users of the e-Health systems. Since the technological evolution of healthcare facilities has caused an ever wider use of IT-telematic resources, for each authorized user, only one deed of appointment is needed that takes into account all the ICT systems that this user accesses.

7. Data protection impact assessment or DPIA

Article 35 of the Regulation, entitled "Data Protection Impact Assessment," states [27]: "Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks." The e-Health systems are ICT systems that perform data processing through new technologies and that involve high risk to the rights of patients. Therefore, the Data Protection Impact Assessment must certainly be carried out in healthcare facilities, in particular regarding telemedical applications.

Furthermore, with reference to the creation and implementation of an e-Health system, the following indications of the GDPR must be taken into consideration:

The regulation assigns to the controller a role of effective responsibility, not a purely formal one. The controller is responsible for the choices and decisions regarding all the data processing that takes place under his control. We recall that in the case examined here the owners are health organizations, hospitals, and private clinics.
For the GDPR, this is a real "taking charge" (accountability principle) of data processing. The owner's decisions must protect the data and be motivated.

The design of the IT-telematic systems must be based on the principle of privacy by design [28]. "Privacy by design" is a concept developed in the nineties of the last century in the Canadian context, by the Information and Privacy Commissioner for the Canadian province of Ontario and then adopted throughout Canada and in the USA. In 2010 the principle of privacy by design was accepted as essential by the 32nd International Conference of Data Protection and Privacy Commissioners. The application of this principle means that each IT-telematic system must be designed from the outset so that the data is processed by the system in a lawful and correct manner. This means that those who make this system (including e-Health systems) will have to consider the correctness of personal data processing as a design requirement and as an evolution requirement. The data protection requirement must not be considered a peripheral element or an accessory, to be added to the finished system. The principle of privacy by default is closely associated with privacy by design and establishes that personal data are automatically protected, privacy being built into any given IT system by default. No action is required from the individual to protect their privacy. In case of doubt, the correct behavior of the owner will be that of utmost prudence: personal data must be processed only in case of strict necessity.

The controller must adopt adequate security measures, according to the nature of the data, the purposes of the processing, and the context in which the processing takes place. Taking into account the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures.
These measures shall be reviewed and updated where necessary. The e-Health systems are characterized by high complexity at scientific and technical level. Therefore, the controller and the manager of an e-Health system must be very careful in choosing the appropriate technical safety measures. Furthermore, not only technical but also organizational and procedural security measures must be applied. User policies, possibly subject to certification, are fundamental to guarantee fair data processing. In fact, even if an ICT system is designed correctly in terms of data processing, any effort of correctness and lawfulness can be nullified by its incorrect use. It is therefore important not only that the ICT system is designed correctly but also that it is used correctly. This is particularly true for e-Health systems, since they process large amounts of very sensitive data, the patient is a vulnerable subject, and the system is characterized by great technical and scientific complexity.

IV. The right to be forgotten

One of the principles on which the new GDPR is based is the strengthening of "the right to be forgotten": the interested party can always ask for the deletion of their data if there is no legitimate reason for their conservation. This also applies to e-Health systems: the patient can always ask to be "forgotten," that is, to be deleted from the web or from the database, when the treatment is no longer justified. This is a requirement that must be observed starting from the design of the ICT system, and that must not be overlooked when archiving it (locally or remotely). These archives cannot be left to an uncertain and undetermined fate. The patient must always be given the possibility to access his/her data and to request their deletion, and also to delete single data or to perform time-based deletions (e.g., 10 years after the closure of the patient's medical record).
Since the data management is frequently carried out by an external supplier, the data processing agreement must be carefully stipulated, as it will have to take into account:

1. The patient's right to access his/her personal data
2. The patient's right to have his/her personal data erased
3. Data deletion requests
4. Data transfer policies

Telemedicine in Italy has suffered a considerable delay compared with other countries, both European and non-European, due to the organization of the Italian Public Health System, in which the state must not only guarantee health to all citizens but must also protect the legal rights of the individual, including in the field of privacy. Other reasons for this delay are the healthcare autonomy of the Italian regions, consequent to the reform of the 5th title of the Italian constitution [29], and the regulations on telemedicine which, at the present moment, are generic and not always clear [30] [31] [32] [33] [34] [35] [36] [37] [38] [39] [40] [41]. For all these reasons, it was necessary to draw up the present recommendations, in order to be able to regulate the telemedicine applied to clinical neurophysiology: the "teleneurophysiology." The SINC, the SIT, and the National Centre for Telemedicine and New Assistive Technologies of the Italian Higher Institute of Health are about to hold, together with other Scientific Societies, a Consensus Conference, which has the purpose not only of developing teleneurophysiology guidelines from these recommendations but also of creating a solid basis for the application of telemedicine to other medical branches. The need to regulate and standardize telemedicine in Italy is currently of fundamental importance, also in view of the recent global COVID-19 emergency, which has pushed worldwide telemedicine and smart working to the forefront in all disciplines, both medical and administrative.
Telemedicine and neurological practice in the COVID-19
Digital technologies, web and social media study group of the Italian Society of Neurology
AAN) for implementing a telemedicine service
Electroencephalography at the time of Covid-19 pandemic in Italy
Epilepsy Care in the Time of COVID-19 Pandemic in Italy: risk factors for seizure worsening
/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
Telemedicine for cardiovascular disease continuum: a position paper from the Italian Society of Cardiology Working Group on Telecardiology and Informatics
ANMCO/SIT Consensus Document: telemedicine for cardiovascular emergency networks
Progetto HEALTH OPTIMUM (Health OPTIMization throUgh teleMedicine
Monitoraggio neurofisiologico in Terapia Intensiva: sviluppo di un modulo di stimolazione-acquisizione e trasmissione dati mediante tecnologia wire-less. Riunione annuale della sezione Tosco-Umbra della SIN
Monitoraggio neurofisiologico in terapia intensiva: sviluppo di un modulo di stimolazione acquisizione e trasmissione dati mediante tecnologia wire-less
Telemedicine a new frontier of neurophysiology: the "Add-on role" of neurophysiological technologist
Telemedicina presso la struttura di Neurofisiopatologia dell'AOS S. Maria di Terni: una proposta di applicazione innovativa
Telemedicine application in neurophysiology: The pros and cons in Italy
New telemedicine protocol and patented remote-EEG system from Terni S. Maria Hospital Neurophysiology Division: experimental assessment and pathway towards large scale service
Yingling CD, membership of the ASNM (2019) Practice guidelines for the supervising professional: intraoperative neurophysiological monitoring
DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Codice in materia di protezione dei dati personali
288 of TFEU - TREATY ON THE FUNCTIONING OF THE EUROPEAN UNION - Consolidated versions of Treaty on European Union and the Treaty on the
37 General Data Protection Regulation - REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
Disposizioni per l'adeguamento della normativa nazionale alle disposizioni del regolamento (UE) 2016/679 del Parlamento europeo e del Consiglio, del 27 aprile 2016, relativo alla protezione delle persone fisiche con riguardo al trattamento dei dati personali, nonché alla libera circolazione di tali dati e che abroga la direttiva 95/46/CE
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
25 of GDPR. REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Legislative Decree n. 502/1002. Riordino della disciplina in materia sanitaria, a norma dell'articolo 1 della legge 23 ottobre 1992
Istituzione del Sistema Tessera sanitaria e la ricetta elettronica
32. Decree Law n. 158/2012, converted into Law n. 189/2012. Disposizioni urgenti per promuovere lo sviluppo del Paese mediante un più alto livello di tutela della salute
221/2012: article 12. Fascicolo sanitario elettronico e sistemi di sorveglianza nel settore sanitario; article 13 Prescrizione medica e cartella clinica digitale and article 13-bis Ricetta medica
lettera d), numeri 1) e 2) del decreto-legge 13 maggio 2011, n.70, convertito, con modificazioni, dalla legge 12 luglio 2011, n. 106, recante «Semestre europeo - prime disposizioni urgenti per l'economia»
35. Telemedicina. Linee di indirizzo nazionali. Intesa ai sensi dell'articolo 8, comma 6, della legge 5 giugno 2003, Intesa tra il Governo, le Regioni e le Province autonome di Trento e Bolzano
36. Patto per la salute per gli anni 2014-2016. Intesa ai sensi dell'articolo 8, comma 6, della legge 5 giugno (2003) Intesa tra il Governo, le Regioni e le Province autonome di Trento e Bolzano
37. Ministerial Decree 2 April 2015 n. 70. Regolamento recante definizione degli standard qualitativi, strutturali, tecnologici e quantitativi relativi all'assistenza ospedaliera
38. Decree of the President of the Council of Ministers Definizione e aggiornamento dei livelli essenziali di assistenza, di cui all'articolo 1, comma 7, del Decreto Legislativo 30 dicembre 1992

Publisher's note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations