The Regulation on Personal Health Data (“Regulation”), issued under the Law on Protection of Personal Data (“Law”) and governing the activities of private real and legal persons and public legal persons that process personal health data in connection with the processes and practices carried out by the Ministry of Health (“the Ministry”), was published in the Official Gazette dated 21 June 2019 and numbered 30808. The Regulation entered into force on 21 June 2019.
The key issues addressed by the Regulation are summarised below:
What norms and principles must be followed when processing personal health data?
When processing personal health data, all data processing principles set out in the Law shall be observed, in particular the general principles under Article 4 of the Law. In addition to these principles, the Regulation provides that no one shall be compelled to submit or show past health data, except where this is necessary for the delivery of health services.
Health service providers shall take the necessary physical, technical and administrative measures to prevent unauthorized persons from entering areas such as counters, pay desks and desks, and at the same time to prevent clients from hearing, seeing, learning or seizing each other’s personal data.
Health service providers shall apply the necessary partial de-identification or masking measures to printed material containing the patient’s personal health data, such as analysis and examination results, and shall take other precautions on such material so that, if it falls into the hands of an unauthorized person, it is difficult to identify whom it belongs to.
Who can access children’s health data?
Parents can access their child’s health records via e-Nabız without any need for approval. Children with the capacity to distinguish may make parental access to their health history subject to their permission through e-Nabız. If the parents are divorced, the parent who has not been granted custody has access to the child’s health data in accordance with the legislation on the protection of personal data and within the limits set by the Health Information Systems General Directorate (“General Directorate”), taking into account the interests of the child and the custodial parent.
How can relatives access a patient’s health data?
With regard to sharing personal health data with a patient’s relatives, the third paragraph of Article 18 of the Patient Rights Regulation, published in the Official Gazette dated 01/08/1998 and numbered 23420, shall be followed in a manner that does not contradict the principles of the Law.
Do lawyers have access to their clients’ health data?
Lawyers are not entitled to request their client’s health data under a general power of attorney. A power of attorney issued for the transfer of the client’s health data to their lawyer must include a special provision indicating the express consent of the person concerned to the processing and transfer of their sensitive personal data.
Who can access the health data of a deceased person and for how long?
The legal heirs of the deceased are each individually authorized to receive the decedent’s health data upon submitting their certificate of inheritance. The health data of a deceased person is stored for at least 20 years.
Who may process personal health data for scientific purposes, and to what extent?
Within the scope of Article 28/1(b) of the Law (“Processing of personal data for purposes such as research, planning and statistics through anonymization with official statistics”), scientific studies may be carried out with health data that has been anonymized by the data officer. Within the scope of Article 28/1(c) of the Law (“Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime”), personal health data may be processed for scientific purposes within the framework of the technical and administrative measures to be taken, provided that such processing does not violate the privacy or personal rights of the persons concerned and does not constitute a crime.
How shall the security of personal health data be ensured?
The data security obligations in Article 12 of the Law shall be observed. The technical and administrative measures to be taken shall be based on the Personal Data Security Guideline prepared by the Personal Data Protection Authority (“Authority”). If processed personal data is obtained by others through unlawful means, the notification to be made by the data officer to the Data Protection Board (“Board”) shall follow the provisions of the Law and the Board’s regulatory procedures on this matter. The information security processes carried out in the central units of the Ministry, its provincial organizations, and its affiliated and related institutions are determined by the Information Security Policies Directive prepared by the General Directorate.
What are the sanctions for non-compliance with the Regulation?
For crimes and misdemeanours relating to personal data protected by this Regulation, proceedings shall be conducted in accordance with Articles 17 and 18 of the Law. Public officials who fail to fulfil the requirements of this Regulation shall be reported to the disciplinary authority with which they are registered, and any authority they hold shall be revoked. Real persons and private legal entities shall be dealt with in accordance with the relevant legislation.
Health service providers that do not send data to the central health data system in accordance with the procedures and principles determined by the Ministry shall be warned twice. Providers that do not comply with the warnings shall thereafter be subject to a penalty amounting to 1% of their gross income for the previous month.
Please let us know if you have any queries.