HCP Permission & Consent

Membership in an ERN comes with responsibilities, one of which is provision of cross-border care for rare disease patients. This is achievable via CPMS, soon CPMS 2.0, and therefore the member Healthcare Provider (HCP) is expected to engage with the efforts to permit smooth and easy access to this resource for their medical experts. The Data Protection Officer (DPO) or office of each hospital has been contacted by DG Sante on this matter.  Before using the CPMS 2.0 to consult on your patients, you must confirm with your DPO that you may do so, and how consent is gathered for this.  

Some questions in the FAQ document address this topic in more detail and the answers provide additional information.  

Steps to use CPMS 2.0 in your hospital

If your hospital is a member of Endo-ERN or any ERN, first confirm with your HCP representative/DPO/ rare disease office if permission to use CPMS 2.0 has already been granted.   

If your hospital does NOT yet have permission to use CPMS or your DPO has not been contacted by DG Sante,  please contact the CPMS helpdesk for further support.  

Please note: If your hospital is a member any/more than one ERN this does not require any additional action as your Data Protection Officer (DPO) only has to assess the need for a new Data Privacy Impact Assessment (DPIA) once. 

Key responsibilities of HCPs / Hospitals  

  • Each hospital must create a GDPR-compliant CPMS 2.0 patient consent form or procedure. This is their responsibility, and they are accountable to their national data privacy authorities. 
  • To minimize errors when enrolling a patient in CPMS 2.0, the patient consent form/ text should be aligned with CPMS 2.0’s mandatory consent for care 
  • Patient consent templates are available in all 24 official EU languages which are GDPR compliant and well aligned with CPMS 2.0. However, each hospital is free to decide on the template to use. 
  • Each hospital must assess the need to carry out a Data Privacy Impact Assessment (DPIA).  This can be based on if your HCP has used CPMS previously.               

Members and affiliated partners that ALREADY USE CPMS may choose to update an existing DPIA performed by their hospital, according to the guidelines of their respective national data privacy authorities. If this applies to your hospital, you will need to assess if a revision to that DPIA is needed. In most cases it is not, as the processing activities in the hospital did not change, however, it is up to the hospital to assess and decide. 

Members and affiliated partners that NEVER used CPMS must assess the need of carrying out a DPIA on their activities related to the use of CPMS, according to the guidelines of their respective national data privacy authorities and, if considered necessary, carry out the DPIA.   

Information video for patients and healthcare professionals

Type and Press “enter” to Search

Search