Patient health data. Who, who and under what conditions provides this information?

  • The guidelines on the principles of access to information on the patient’s state of health have been drawn up jointly by the Patient Ombudsman and the Office for the Protection of Personal Data.
  • According to the General Data Protection Regulation in the European Union (GDPR), health information is a special category of personal data.
  • – This is one of the reasons why they require the use of adequate safeguards to prevent their disclosure to unauthorized persons – experts point out

How to improve the treatment of prostate cancer in the country?  The Federation will prepare a document

Niedzielski about the project

What information can the patient, his relative or his legal representative obtain?

Agnieszka Wernik from the Office of the Patient Ombudsman points out that from the perspective of the MPC, the protection of personal data and patient and health information includes:

  • Patient’s right to information
  • Patient’s right to privacy
  • Patient’s right to medical records *

The expert recalls that pursuant to art. 9 of the Patients’ Rights Act and the Patients’ Rights Ombudsman:

  • A patient, including a minor who has reached the age of 16, or his legal representative, has the right to obtain from a healthcare professional:
    affordable patient health information
    – proposed and possible diagnostic and therapeutic methods
    – predictable consequences of the application of these methods or their omissions
    treatment results and prognosis (as part of the health services provided by a given person exercising a medical profession and in accordance with his authorizations).
  • The patient or his legal representative have the right to consent to the provision of the above information to others
  • The patient also has the right to ask a health professional she did not give him this information.

Scheduled hospital checks: it would be weird if it didn't go well.  Temporary only for important reasons

Who is eligible for health information

The persons authorized to receive health information are:

  • Patient
  • The person authorized by the patient
  • A person who does not have the patient’s permission, but who is close to him (in special situations)

– In accordance with the Patients’ Rights Act and the Patients’ Rights Ombudsman for a close person he is considered: a spouse; a second-degree relative or a second-degree relative in a straight line; legal representative ; a person living together or a person indicated by the patient – lists Agnieszka Wernik.

He also recalls that guidelines on the rules and scope of access to patient health information were published in December 2020 in cooperation with the Ombudsman for Patients’ Rights and the President of the Office for Protection of personal data.

The expert points out that health data is a special category of personal data – according to Art. 9 sec. 1 of the General Regulation on the Protection of Personal Data in the European Union (RGPD), they therefore require the application of adequate safeguards to prevent their disclosure to unauthorized persons.

– What is very important, the guidelines drawn up by the MPC and the Personal Data Protection Office (UODO) contain only the recommended solutions that will allow the implementation of the right of the authorized person to information on the health of the patient, taking into account the principles resulting from the regulation of the protection of personal data in the entities providing health services – explains the representative of the MPC Office.

Stanisław Karczewski: I work hard to relieve my medical colleagues

The ease is to create the conditions ensuring the confidentiality of the data provided

Agnieszka Wernik emphasizes that, in accordance with the above recommendations, appropriate procedures should be prepared in a medical institution, including organizational and technical solutions on the appropriate measures to allow interviews while respecting the confidentiality of the patient’s health data.

– It is recommended that medical entities have a dedicated mailbox, to the address of which authorized persons can send a copy of the authorization granted by the patient to obtain information about his state of health or the content of this authorization – the expert emphasizes.

It also adds that “the caller must be informed of the technical requirements that must be met by the file or the email sent to the entity”.

According to the recommendations of the MPC / UODO, in the event of the use of programs dedicated to the processing or recording of calls (telephone or video calls), the health entity must pay particular attention to the security of transmission of these calls, so that compliance with the principle of confidentiality of personal data processed in the course of conducting interviews. The preferred area for data storage is European Economic Area.

– In addition, medical entities are recommended to have dedicated systems for reading the data contained in the Internet Patient Account (IKP) and concerning the persons authorized by the patient to obtain information on his state of health – informs Agnieszka Wernik .

The doctor is on leave and the clinic refuses to see him.  The MPC advises what to do

Remote contact with an authorized person

The recommended procedures also include recommendations for hospitals and other healthcare facilities regarding rules for remote contact with a person authorized by the patient to provide him with information on his state of health. Below are the most important recommendations in this regard.

  • When admitting the patient, the patient should be asked to indicate the persons who authorize him to obtain information about his health remotely, as well as to transmit the established contact codes to the authorized persons.
  • The patient should be informed that more than one authorized person may be indicated
  • You can also ask the patient caller ID verification or indicate the possibility of direct contact with the patient (when there is no doubt about the patient’s state of consciousness).
  • Prior to providing information, medical facility personnel should remotely contact an authorized person make the identity of the contact person plausiblefor example by:
    – Control questions for the caller, aimed at proving that he is a person close to the patient or authorized to obtain information on the patient’s state of health
    – Presentation of a document confirming the identity (in the case of a video call).

Limited hospital visits.  The MPC threatens with a penalty and recalls the rules

When the patient’s condition does not allow him to indicate an authorized person

The recommendations also relate to the procedure related to obtaining from a close person information on the patient’s state of health in a situation where the patient – precisely because of his state of health – could not present the appropriate authorization to provide this information upon admission to the facility.

  • The staff of the medical entity must inform the person concerned of the possibility of presenting the authorizationwhich contains the patient’s declaration of consent to provide information on the state of health – indicating the name and surname of the authorized person – which was previously submitted by the patient to another medical institution and has not been revoked d ‘no way.
  • The declaration made by the patient also remains valid in other medical institutions.
  • Such a declaration may be presented during a video call or sent to the email address indicated by the medical entity, subject to appropriate safeguards.
  • It should be checked whether the patient was able to authorize the transfer of information to another medical institution (in a conversation with the caller) or in IKP.

Caller verification

Examples of questions that may be asked by health facility staff to the person calling the facility (in order to obtain information about the patient’s condition):

  • What is your relationship with the patient?
  • Please provide the patient’s PESEL number
  • Please indicate the patient’s place of birth
  • Please enter the patient’s middle name
  • Please indicate if the patient has any special characters
  • Please provide the patient’s phone number
  • Please describe what the patient was wearing (in case a close person stays with the patient daily and the patient was taken to a medical facility in a state of sudden threat to health or life)
  • In the case of a video call, please show another document proving the joint relationship (for example, a civil status certificate).

– Do not over-extract data as part of caller ID verification. The questions asked by the personnel of the establishment must take into account the individual situation of the patient and be adapted to the degree of kinship with the caller – summarizes Agnieszka Wernik from the Office of the Patient Ombudsman.

* All information and statements are taken from the remote conference “GDPR and cybersecurity in health” (May 24, 2022). Soon on the market website – more information about the patient’s right to medical documentation.

The support staff want a meeting with the minister.

Learn more about:

Leave a Comment