1. Introduction
The Italian federated Electronic Health Record, called the Fascicolo Sanitario Elettronico (hereafter FSE), is a pillar within the initiatives relevant to the accomplishment of Digital Health [
1]. It provides a consistent information base that is useful for the entire healthcare pathway to improve the cooperation among different healthcare professionals. Patients also have the possibility to access, trace, and consult their healthcare history and to share it, anytime and anywhere all over the country, with healthcare professionals, who have constant access to a clear and complete view of the patient’s health conditions and can, therefore, ensure an effective and efficient care service, especially in emergency situations.
The first Italian regulations for the FSE were the guidelines issued by the Italian Data Protection Authority in 2009 [
2], which mainly addressed the management of patient data privacy. Subsequently, in 2012, the Legislative Decree n. 179 urged Italian regions and autonomous provinces to establish and implement regional FSE systems, highlighting the need to ensure interregional interoperability services. In 2015, the Prime Minister Decree n. 178 intervened specifically on the matter by regulating the FSE legislation with an annex focused on the technical requirements, i.e., document formats, clinical coding systems usage, etc. Recently, the Decree Law n. 34/2020 [
3] enhanced the FSE functions and scope, in relation to the clinical data and document types and the plethora of healthcare subjects who can feed it, as well as introducing the patient’s explicit consensus for FSE activation and indexing of medical records produced before the Decree itself.
In this context, the Agency for Digital Italy (AgID) and the Italian National Research Council (CNR), cooperating with expertise from the Ministry of Health and the Ministry of Economics and Finance, defined a series of technical specification documents to address interoperability services [
4].
The national federated and interoperable infrastructure applied to FSE [
5,
6,
7], as mentioned, aims to facilitate access to healthcare data and documents for both healthcare providers and patients and so to improve diagnostic and therapeutic care pathways. It is built to allow the management and sharing of clinical documents among the different regional FSE systems through the National Infrastructure for the regional FSE Interoperability (INI). Its architecture is based on a network of registries, one per region, and repositories, which can be centralized or distributed within a region (e.g., located in the healthcare facilities or hospitals). FSE registries index metadata of the clinical documents in order to be an assured reference for finding and retrieving them; FSE repositories physically collect documents that are available for access and consultation.
All the advantages that FSE offers are feasible if the documents, and the information they contain, are updated, accessible and available over time. Moreover, it is fundamental for the FSE system to ensure access to legally valid, reliable documents, which are also enforceable towards third parties, guaranteed by the application of the reference legislation. Within the Italian normative framework, all these requirements can be achieved if the document is inserted in a long-term preservation system, arranged by document producers in compliance with the principles of the Italian national guidelines for the creation, management and preservation of digital documents, edited by AgID (hereafter Guidelines) [
8]. The producers ensure that no modifications have been made to the original document during the custodianship, and for them digital preservation is both a practical necessity and a legal obligation [
9]. Long-term preservation represents the final step of the document management process and it is closely influenced by the accuracy of the prior steps regarding document creation and management. The document migration, in a preservation system according to the Guidelines, ensures its immutability and integrity by means of specific metadata as well as its authenticity, reliability, readability and availability, regardless of how it was created. Metadata is the key element to achieve these objectives, describing the document and its content and supporting interoperability between document management and preservation systems.
The FSE gathers copies and/or duplicates with different probative value against the original documents, which are instead preserved by healthcare facilities that produce them [
10]. Considering this, it is necessary to organize processes and implement strategies for maintaining long-term access to legally valid FSE documents and timely information retrieval.
The goal is to underline the importance of reinforcing the use of metadata to improve document description. Its main task regards document formal correctness and consistency, guarantee of authenticity, together with efficient information retrieval. In this way, documents provided by producers will be compliant to the Integrating Healthcare Enterprise (IHE) recommendations and to the national regulatory framework. Therefore, this work proposes a method to ensure the long-term preservation of and access to the FSE and its documents which mainly focuses on the enhanced use of the current metadata schema provided by the Affinity Domain (AD) Italy [
11], in order to maintain the validity of FSE documents throughout their lifecycle.
The paper is organized as follows.
Section 2 provides a background on the FSE infrastructure and describes the literature related to clinical document long-term preservation.
Section 3 reports materials and methods of the work, firstly highlighting the importance of metadata for document management and long-term preservation throughout the workflow processes along the document lifecycle, analyzing the Italian normative framework and the specific needs to address the issue of long-term preservation of FSE; subsequently, proposing the enhanced use of metadata schema for FSE document long-term preservation and access, paying particular attention to registry preservation; finally, particular attention is paid to registry preservation. The results are presented in
Section 4 by evidencing how proper use of metadata schema has positive implications on the long-term preservation of and access to legally valid FSE documents. Finally, in
Section 5, discussions and conclusions are provided, highlighting the advantages and weaknesses deriving from the application of proposed method, and explaining a working hypothesis about future research directions.
3. Materials and Methods
Management and preservation systems’ functionalities rely on metadata to work and to be achieved [
24]. The high-quality use of metadata allows for meeting this need and can ensure long-term preservation of and access [
25] over time to the FSE documents, by fostering communication between the regional FSE and producers’ management and preservation systems. The systematic metadata registration during the entire document lifecycle, together with the correct workflow execution, guarantees that documents maintain integrity and authenticity [
20], since it ensures the content is not corrupted over time. Therefore, information management and preservation systems are built and founded on metadata, whose correct use is critical to maintain and preserve electronic healthcare records [
26]. Different metadata types support different aspects of digital preservation and allow for performing many repository tasks that are considered key functions of trusted repositories (e.g., document integrity and authenticity tasks, preservation tasks, etc.). Each task relates to a particular repository function supported by more than one kind of metadata.
Analyzing the current framework for long-term preservation of and access to the FSE document and stakeholders’ roles in document management and preservation allows one to focus on the main issues of the entire process and so to propose a method to enhance the use of the FSE document metadata. Particular attention is paid to registry preservation, whereby a specific reflection is dedicated to this topic in the last part of this section.
3.1. Framework for Long-Term Preservation of and Access to the FSE Documents
Regardless of the type of FSE architectural model chosen among those possible [
27], the document producer is expected to send the document high-level metadata to the FSE system of the RDA, in order to facilitate their indexing in the regional registry and their subsequent retrieval in the repositories where documents are stored. The registry is able to give the view of the document aggregation given by the FSE and is, therefore, a key element as it contains the metadata associated with all the indexed documents, regardless of where they are stored (RDA; region in which the patient receives health services—RDE; region which contains the patient’s clinical document—RCD). Metadata include information about where the document can be retrieved and the attributes that allow its classification and application of filter rules during the document search. This process is also valid in the scenario in which the regions are in a subsidiarity regime [
28] (pp. 10–12).
Considering the articulated distribution of roles and responsibilities within the architectural model of the FSE, it is necessary to think about its preservation, given the need to keep the data and documents therein indexed accessible and visible over time.
As mentioned, original documents are created and stored by the health facility that produced them, in accordance with law provisions, while their duplicates, which are considered “working copies” [
29] (p. 4), are sent to the FSE repository of the RDA or RDE, depending, respectively, on whether the health facility is located in the patient’s region of assistance or in another region, where they are available for consultation and retrieval via INI [
30]. This means that the FSE system has as a reference for its duplicates the original documents preserved according to law, guaranteeing all the mentioned characteristics of authenticity, integrity, reliability, readability, and availability [
30]. Nonetheless, it also implies that this interdependence is subjected to the selection and discard policies applied by the producer, which retains the responsibility for its document long-term preservation [
27]. In this context, the FSE is likewise responsible for keeping track of the patient’s clinical history for the entire duration of his or her life and for a specific post-mortem period, not yet defined by regulations. So the availability of both the original documents and their duplicates should be ensured in accordance with the FSE activity period. This perspective makes the FSE case more specific than the general long-term preservation of administrative documents as defined by the CAD [
30]. Therefore, specific guidelines are needed in order to regulate the metadata usage and the operational procedures for long-term preservation from both sides, document producers and the FSE repositories, because of their interdependence, aiming at ensuring quality, consistency and protection of the document probative value. In this regard, Rothenberg [
31] discusses and states the importance of considering authenticity as a prerequisite to define what it is called “meaningful preservation”, which implies the usability of the preserved resource, arising from the maintenance of its authenticity and validity, since the aim of preservation is realized if it continues to allow retrieval of and access to authentic and valid digital materials. Without maintaining these characteristics, it means a resource has not been preserved at all. As mentioned, preserving authentic information is also the exigency related to the access to the FSE documents, discussed in this paper, since authenticity impacts on preservation in terms of their usability, intended as the capability to serve the same purpose as the original. Therefore, the focus is not only on the possibility to preserve and access to FSE’s documents over time, but also on the capability to consent the access to documents whose authenticity and reliability are ensured by their faithful correspondence to an original digitally preserved by producers in their own preservation systems. Several works address the issue of authenticity management in long-time preservation of information systems, evaluating and proposing solutions in different environments and fields of application [
22,
32,
33].
3.2. Enhanced Use of Metadata Schema for FSE Document Long-Term Preservation and Access
In this subsection, a conceptual and methodological description of the enhanced use of metadata to support the FSE long-term preservation process is presented, by highlighting its interaction with the FSE document management phase, since the two moments cannot be subordinated to each other. Regarding this, Xie et al. state that “digital preservation needs to be ongoing with activities integrated into all phases of creating, managing, and storing information” and “digital objects are inherently more vulnerable than analog materials and require immediate attention from the point of creation” [
34].
Currently, each clinical document indexed in the FSE is furnished with a set of metadata, both mandatory and optional, as required by the aforementioned Guidelines (e.g., IdDoc, Document Type, Object, Role, FormatID, DocVersion, Preservation Time, etc.). In this context, metadata plays a fundamental role as it can give evidence of the link between the duplicated document indexed in the FSE and its original preserved by the healthcare facility who produced it. Because of this, the original document needs to be persistent thus guaranteeing its visibility and accessibility, as well as its probative value, over the FSE active period (and for a certain number of years after the patient’s death). This means it cannot undergo the conventional discard policies established by the health facility’s long-term preservation service, but it needs to be in some way connected to the FSE validity. The information about the document indexing in the FSE registry is reported through a specific indexing metadata provided by the AD Italy [
11], which is the unique identifier of the document instance within the RDA registry and which must be assigned by the RDA during the document indexing. Therefore, in this process, the healthcare facility establishes, on one hand, which of its documents, in relation to their function, can be discarded over time, in compliance with the legislation that protects cultural heritage, and, on the other hand, which of them require unlimited preservation. The documents which have their duplicate indexed in the FSE need to be flagged as such, through the use of a specific metadata, and preserved as long as the patient’s FSE is active. Correspondingly, when the duplicate is sent to the FSE repository, the preservation metadata [
11] should be assigned, in order to certify that the duplicate corresponds to an original document preserved according to the law by the healthcare facility that produced it. From this point of view, to assign a value to this metadata is of fundamental importance as it allows us to consider the document indexed in the FSE legally valid even if the validity of the digital signature certificates have expired, since the existence of the original document in the producer’s long-term preservation system also guarantees the validity of its duplicate [
28]. The value assignment of this metadata should take place after the original document submission to the long-term preservation system, to ensure an accurate and consistent transmission and/or updating of the indexing metadata. The use of the preservation metadata is crucial to face the long-term preservation of and access to FSE documents. It is already part of the metadata schema defined in the AD Italy, but in fact its usage is infrequent and consequently its importance is largely underestimated, since it contributes to guarantee the original document preservation; the authenticity of digital resources over time; the document relationships between original documents and duplicates; and the decision-making in the preservation process [
35] (e.g., decisions about the time of preservation of each document).
The processes of assigning a value to metadata, concerning document indexing in RDA registry and document submission to healthcare facility long-term preservation systems, fall within the scope of the metadata communication flows envisaged by the FSE infrastructure [
28]. They refer to the communication flows of new metadata, in the case of creation of a new document, and of document updating, in the case of updating metadata of an already indexed document. In
Section 4, the flow charts describing these processes are presented as results.
3.3. Registry Preservation
Since the registry plays a central role within the FSE system, as it constitutes evidence of the virtual document aggregation, its preservation is fundamental to certifying the content of the patient’s FSE and the RDA is responsible for it. As regards the preservation, it could be assimilated for analogous purposes to the protocol register, which is sent daily to the preservation system, in accordance with the Guidelines [
8] (p. 21).
However, in order to not make this process too burdensome for the RDA, we assume that the registry could be transmitted to the preservation system periodically with a frequency to be defined on the basis of assessments of its sustainability. This solution aims to mediate between the need for economic and infrastructural sustainability and the exigency to preserve this key element of the FSE in compliance with all legal requirements, benefiting from all the resulting guarantees. Regarding the format in which the registry can be preserved, since it is a dynamic object, it is possible to evaluate solutions such as the eXtensible Markup Language (XML) format rendered in human-readable format (e.g., PDF) or the creation of CSV packages of atomic data, in accordance with the indications set out in Annex 2 of the Guidelines, “File formats and transfer”.
In the scenario in which the regions make use of the subsidiarity services provided by INI, similarly to what happens in Italy for the management of vaccinations against SARS-CoV-2 through the national platform, the region or autonomous province, as the controller of the FSE management and preservation processes, maintain the ownership, while INI, managing all the functions of the FSE registry and repository as well as the security measures, is the Data Processor pursuant to art. 28 of Regulation (EU) 2016/679. Therefore, INI, in carrying out functions in place of the region in subsidiarity, should also be responsible for the long-term preservation of the registry and any documents produced at the FSE regional level. Nonetheless, if a scenario in which INI is demanded to centralize the long-term preservation were to be created, it would imply that INI would have both the role of controller and processor of this task.
4. Results
The main result of the present study coincides with the formalization of the efficient and enhanced use of the indexing and preservation metadata in the FSE registry, which allows for guaranteeing the correct document workflows and long-term access to reliable resources, even if different stakeholders are involved. The two proposed flows relate to the metadata communication: (i) in case of creation of a new document, and (ii) in case of metadata updating of an already indexed document. They can further differ depending on whether the document is about a patient in its RDA or in RDE. These flow charts, regarding the description and modeling of activities and related areas of expertise, are a simplified version of the metadata communication flows, which are part of the services offered by the INI [
28].
In the following flow charts, the process step in which the registration of indexing and preservation metadata should be performed to correctly play its role is highlighted. In particular, the metadata communication process regarding the creation of a new document for a patient of the RDA (
Figure 2), involves the RDA, the INI and the National Register of Assisted (hereafter ANA), and it starts with the request by a health professional, through the regional system, sent to INI, which carries out the validation of the patient. In this case, in addition to the indexing metadata, the preservation metadata can also be registered during the metadata communication about a new document task, if the document submission to the preservation system of the healthcare facility and its indexing in the FSE registry are contextually performed, whereas if the submission of the document to the preservation system is subsequent to its indexing in the FSE, the preservation metadata registration should be performed within the metadata communication regarding document updating for the patients in the RDA (
Figure 3).
In the case of a patient in the RDE, within the metadata communication process on the creation of a new document, the RDE communicates to the RDA, through the INI, the metadata to index the document in the RDA registry (
Figure 4). It starts with a request sent by the RDE to the INI, which requests the ANA to validate the patient and to identify his/her RDA. The INI communicates the new document metadata to be included in the registry to the RDA. Finally, the RDA returns to the INI the outcome of the insertion of the metadata of the new document in the FSE of the patient, which is notified to the RDE.
As in the process in the RDA, in the metadata communication process regarding a new document for a patient of the RDE, in addition to the indexing metadata, the preservation metadata is registered during the metadata communication regarding the new document task, if the document submission to the preservation system of the healthcare facility and its indexing in the FSE registry are performed in the same step. Conversely, if the document submission to the preservation system is performed after its indexing in the FSE, the preservation metadata is registered during the metadata communication regarding document updating for a patient in the RDE process (
Figure 5).
The flows could be further integrated or revised after a survey with the stakeholders, which will be the next step of the study.
At the current stage of the research, the following outcomes can be highlighted: (i) the possibility of guaranteeing authenticity, integrity, reliability, readability, availability of the FSE documents over time, as required by the Guidelines; (ii) a non-impacting solution on the current FSE regional systems. This also means avoiding an additional effort for the regions in terms of investment of professional and economic resources.
5. Discussion and Conclusions
Within the present study, the methodological approach to long-term preservation provided by the Guidelines is maintained. They, in fact, have a legally binding nature and erga omnes validity, they provide the strategy for developing the management and preservation framework and, at the same time, they allow for making an enriched and enhanced use of metadata. The Guidelines clearly identify which are the requirements to be satisfied for guaranteeing the effective preservation process, in order to be sustainable for the National Health System and for all the actors involved in the entire document management process, from the creation to the long-term preservation.
This study intends to bridge the gap between the substantial legislation on digital preservation and the lack of operational guidance showing a proper use of metadata. As seen, it allows for achieving long-term preservation for and access to the FSE, guaranteeing the coherent and consistent information retrieval of reliable documents which are part of the FSE.
The proper use of the analyzed metadata, for expressing if the document belongs to a specific FSE and for attesting its storage in a long-term preservation system, can guarantee: (i) the persistence of the accessibility of the FSE; (ii) the maintenance of the probative value of the documents accessible through the FSE systems, thanks to the long-term preservation of the corresponding original documents; (iii) the validity of the document accessible through the FSE systems beyond the time limits of validity of the digital signature, since its storage in the producer’s long-term preservation systems and the presence of the related metadata within the registry, ensure that the duplicate accessible via FSE continues to be a valid document; and (iv) the improvement of interoperability between FSE repositories and producer preservation systems. Regarding the latter, it is well recognized that the use of standards, in general (and the standard metadata application), are an opportunity to specifically ensure the semantic interoperability accomplishment.
Finally, the added value of the proposed solution is to (i) ensure the access to legally valid, reliable and as well as enforceable towards third parties documents; (ii) exploit the existing metadata schema, by not involving further technical and economic efforts for the FSE systems; and (iii) not require the duplication of the long-term preservation of the FSE documents, in compliance with the current regulation on the subject, which states that the FSE must be established by preferring solutions that do not generate a duplication of health information in a new database [
2].
An interesting subject to address in the future concerns the analysis of possible solutions about what happens to the FSE preservation and access after the patient’s death, for which a normative reference is still under discussion. In this case, it is possible to fundamentally hypothesize three implementation scenarios for the management and preservation of the FSE registry and repository:
Patient’s data and documents remain online in both registry and repository: this solution allows them to be accessed promptly, even if the need for emergency access is no longer necessary. In the long-term this solution becomes onerous for FSE systems;
Only the patient’s data in the registry remain online: this allows us to promptly identify the documents of interest, but it will take time for the recovery of the document stored by the producer. This solution is less burdensome for the FSE system, which can remove the duplicated documents of the deceased patient from the regional FSE repository/ies, as the main reference becomes the original document preserved by the healthcare facility that produced it;
Patient’s data and documents are no longer available online: this means that in order to identify the documents of interest, one can consult the latest version preserved in the registry before the patient’s death, in order to recover the document references necessary for its retrieval in the producer’s preservation system.
Regardless of what the law will establish regarding the scenario after the patient’s death, the access policies to FSE should remain the same as defined through the consent.
A further topic which deserves a separate discussion is properly referable to documents expressing the patient’s consent to consult and access their documents. In fact, with regard to these documents, the responsibility of their preservation lies with INI, which manages these data and documents in the FSE and their storage. Therefore, INI should have the responsibility for the long-term preservation of consent and opposition documents, following the same.
The proposed method follows a top-down approach. This aspect is a strength of the study, since it is based on a consistent regulatory framework and technical specifications, which intend to harmonize the heterogeneous realities of implementation and use of the FSE in Italy. However, the results of the survey that will be carried out with the stakeholders may require changes and/or updates to the proposed method.