Medical History and Data Protection
We all know that when receiving health care, a document called “Medical History” is generated.
Law 41/2002, of November 14, 2002, the basic law regulating patient autonomy and the rights and obligations regarding clinical information and documentation, defines it as the set of documents containing data, assessments and information of any kind on the situation and clinical evolution of a patient throughout the care process.
Therefore, the medical record contains special category data, since it deals with personal data related to the health of patients. This is very sensitive information, to which extraordinary security measures must be applied, beyond those required for the processing of personal data that does not need such a high level of security.
Who can access the medical record?
Of course, the patient himself or herself, as the owner of the data.
Also the Doctors who treat the patient, but only if the access is in the exercise of their functions of a healthcare nature, subject to the duty of confidentiality and to their code of ethics.
The Healthcare Professionals will also be able to access the clinical history to know the health status of the patients they treat.
The Research Staff will be able to access the dissociated data, with the additional guarantees of Additional Provision 17.2 of the LOPDGDD.
The Administrative Staff of a health or social/health center, under the duty of secrecy and will only have access to the necessary information about the patient’s/user’s health condition.
Student Interns: students will have limited access to health data and will respect the duty of confidentiality. It is always suggested to apply pseudonymization or data dissociation techniques (separation of identifying data from clinical data).
Health Inspectors: they will be able to access the medical records to check the quality of health care.
Public Administration: in the case of procedures such as benefits, pensions, etc., as well as Authorities for judicial purposes, and Legal Professionals such as lawyers and solicitors, for the presentation of a claim for health reasons, being able to access the data necessary for the trial, as established by the judge.
Companies Providing Services to Patients: they will only know the data strictly necessary and must follow the indications of the data controller.
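The dissociation technique recommended above for student interns and research staff (separating identifying data from clinical data) can be illustrated with a small worked example. The following Python code is an added example, not code from the original post or from Business Adapter®; the patient records are constructed sample data, and the `dissociate` / `reidentify` helper names are assumptions. It keeps identifiers in one table and clinical data in another, joined only by a keyed pseudonym, so that whoever holds the clinical table without the key cannot link it back to a person.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictitious patients, not real data).
RECORDS = [
    {"name": "Ana Garcia", "dni": "12345678A", "dob": "1980-05-02",
     "diagnosis": "Type 2 diabetes", "visit": "2024-03-01"},
    {"name": "Luis Perez", "dni": "87654321B", "dob": "1975-11-20",
     "diagnosis": "Hypertension", "visit": "2024-03-02"},
]

# Fields that identify the person and must not appear in the clinical table.
IDENTIFYING_FIELDS = ("name", "dni", "dob")


def new_key() -> bytes:
    """Secret key held by the data controller, never handed out with the clinical table."""
    return secrets.token_bytes(32)


def pseudonym(dni: str, key: bytes) -> str:
    # A keyed HMAC rather than a plain hash: the DNI space is small enough to
    # enumerate, so an unkeyed hash could be reversed by trying every value.
    # With the key, the same DNI always maps to the same pseudonym (consistent
    # across visits) but nobody without the key can recompute the link.
    return hmac.new(key, dni.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def dissociate(records, key: bytes):
    """Split records into an identity table and a clinical table.

    The two tables share only the pseudonym; the identity table stays with the
    controller, the clinical table is what interns or researchers receive.
    """
    identity = {}
    clinical = []
    for r in records:
        p = pseudonym(r["dni"], key)
        identity[p] = {f: r[f] for f in IDENTIFYING_FIELDS}
        clinical.append({"pseudonym": p,
                         **{k: v for k, v in r.items() if k not in IDENTIFYING_FIELDS}})
    return identity, clinical


def reidentify(clinical_row, identity):
    """Only possible for whoever holds the identity table (i.e. the controller)."""
    return identity.get(clinical_row["pseudonym"])


def contains_identifiers(clinical) -> bool:
    """Check to run before releasing a clinical table: no identifying field may remain."""
    return any(f in row for row in clinical for f in IDENTIFYING_FIELDS)


if __name__ == "__main__":
    key = new_key()
    identity, clinical = dissociate(RECORDS, key)
    print("clinical table safe to release:", not contains_identifiers(clinical))
    print("re-identified first row:", reidentify(clinical[0], identity))
```

The check in `contains_identifiers` is the kind of control a data protection officer would want before a dissociated extract leaves the center; the pseudonym is deliberately keyed so that losing the clinical table alone does not reveal who the patients are.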
What happens if my medical records are consulted without justification?
If the clinical history is consulted without justification by healthcare personnel, administrative, disciplinary, civil and even criminal liabilities may arise.
This unjustified consultation is considered in most codes of ethics as serious or very serious, and is a crime, according to the Penal Code, for discovery and disclosure of secrets.
On the other hand, civil liabilities may also be derived through the imposition of a fine determined by the corresponding judge.
Can I know who has consulted my medical records?
The patient may contact the healthcare center and exercise his or her right of access and, within it, request information about the accesses made to his or her medical record. However, the center is only obliged to provide information such as how many accesses have been made to the medical record and the purpose of those accesses.
The AEPD has pointed out that neither the Spanish data protection regulations nor the healthcare regulations require the center to provide the patient with the identification, by name and surname, of the persons who have accessed the clinical history of a given patient. There are, however, some autonomous communities (Navarra and Extremadura) that do recognize the possibility of the patient knowing the identity of the persons who have accessed it, as part of the exercise of the right of access.
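The distinction above (the patient receives the number and purpose of accesses, while the identity of who accessed is disclosed only where the regional rules allow it) maps directly onto how a center's access log should be kept and reported. The following Python code is an added example, not code from the original post or from Business Adapter®; the log entries are constructed sample data and the function names are assumptions. It records every access with the professional's role and the justification given, produces the patient-facing summary without names, and separately lists accesses with no recorded purpose for the center's own review.

```python
from collections import Counter
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    patient_id: str
    user_id: str      # internal identifier of the professional who accessed
    role: str         # e.g. "physician", "admin", "inspector"
    purpose: str      # justification recorded at the moment of access


# Constructed sample log (fictitious identifiers, not real data).
LOG = [
    AccessEvent("2024-03-01T09:12:00", "P-001", "u17", "physician", "care"),
    AccessEvent("2024-03-01T09:40:00", "P-001", "u42", "admin", "billing"),
    AccessEvent("2024-03-02T11:05:00", "P-002", "u17", "physician", "care"),
    AccessEvent("2024-03-03T16:20:00", "P-001", "u99", "physician", ""),  # no purpose given
]


def patient_access_summary(log, patient_id: str) -> dict:
    """Answer to a right-of-access request: how many accesses and for what purpose.

    No user identifiers are included, matching the general rule the AEPD describes.
    """
    events = [e for e in log if e.patient_id == patient_id]
    return {
        "total_accesses": len(events),
        "by_purpose": dict(Counter(e.purpose or "unspecified" for e in events)),
        "by_role": dict(Counter(e.role for e in events)),
    }


def patient_access_detail(log, patient_id: str, identity_disclosure_allowed: bool) -> list:
    """Per-access detail; the user identifier is only released where the applicable
    regional rules (e.g. Navarra, Extremadura per the text) allow it."""
    rows = []
    for e in log:
        if e.patient_id != patient_id:
            continue
        row = asdict(e)
        if not identity_disclosure_allowed:
            del row["user_id"]
        rows.append(row)
    return rows


def unjustified_accesses(log) -> list:
    """Internal review list for the center: accesses with no recorded purpose.

    These are the events that may give rise to the liabilities described later
    on the page and should be investigated, not silently kept.
    """
    return [e for e in log if not e.purpose]


if __name__ == "__main__":
    print(patient_access_summary(LOG, "P-001"))
    print(patient_access_detail(LOG, "P-001", identity_disclosure_allowed=False))
    print([e.user_id for e in unjustified_accesses(LOG)])
```

Recording the purpose at access time is what makes the later summary meaningful; a log that only stores who opened a record cannot answer the patient's question about why it was opened, nor single out accesses that lacked any justification.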
Patient’s rights over medical records
The patient’s rights with respect to his or her medical records are as follows:
Right of Access:
Data protection regulations understand this right as the possibility of the patient, in this case, to know whether or not the health center is processing his or her personal data and to request a copy of the data processed. In health regulations, this right with respect to the medical record implies access to the data contained therein.
Right of Rectification:
Inaccurate data may be changed or updated. With respect to health data, the health professional will determine whether or not the rectification requested by the patient is appropriate according to health criteria.
Right of Suppression:
This right is limited with regard to the medical record, since it is necessary to prioritize proper patient care. Therefore, it will be up to the healthcare professional to analyze the request and evaluate whether or not to proceed according to the impact on the medical record.
Make a Claim:
Patients can complain to the AEPD, through the citizen assistance channel, if any of their aforementioned rights have been disregarded or for those cases in which their rights have been violated, for example, when exercising the right of access to a copy of a medical record belonging to another person.
What are the data protection obligations of a healthcare facility?
Article 2.1 a) of Royal Decree 1277/2003 defines the Health Center as “an organized set of technical means and facilities in which trained professionals, by virtue of their official qualifications or professional authorization, basically carry out health care activities with the aim of improving people’s health. Health centers may be made up of one or more health services, which constitute their health care offer.”
Therefore, what is stated in this post would affect, for example, any clinic regardless of its specialty.
As we have already said, the medical record deals with special category data, so the obligations required by the RGPD and the LOPD-GDD apply, such as, for example:
Prepare the corresponding Impact Assessment (EIPD).
Have the corresponding Treatment Activities Register (RAT), both in physical and electronic format.
Designate a Data Protection Officer (DPO).
Have a Security Breach Management Policy where the steps to be taken in case of a breach of personal data security are clearly and concisely explained.
Implement security policies based on technical and organizational measures that guarantee patient privacy and the confidentiality, integrity and availability of their medical records.
How should healthcare facilities protect patient privacy?
We have commented on the obligation of any healthcare center to implement technical and organizational measures to guarantee patient privacy, as there are cases in which it is easy to commit an infringement. For example:
Calling patients
A common situation that generates many queries to Business Adapter®, is the way in which patients in waiting rooms should be called.
Obviously, the health center is obliged to ensure the patient’s privacy and the confidentiality of his personal data and calling him by voice with his name and surname goes against his privacy.
The right thing to do in these cases is to use alternative technical and organizational measures to avoid disclosing personal patient information.
Send clinical results electronically
There are situations where the patient requests or it is the policy of the healthcare center to send clinical results electronically. In this regard, it is necessary to know the security measures that must be applied to the documents sent and which technologies must be used for sending them.
Business Adapter® at your service
If you have a clinic and you want to know which are the technical and organizational measures that you must apply and fully comply with the European and Spanish data protection regulations(RGPD + LOPD) to which any clinic or medical professional is obliged, contact us by email: info@businessadapter.es, you can also call 96 131 88 04, or leave your message in this form:
Contact us, we will be pleased to help you: https://businessadapter.es/contacto