No. The owner of personal data, and in particular the data in medical records, is always the patient. The health centre, doctor, private health insurance company, etc. who compile medical records are the controllers of the information they process, and must store, preserve and protect it.
Medical records can be kept in paper or electronic format, as long as it is possible to guarantee the authenticity of the content and that the records can be consulted in the future. A log must be kept of each time a record is accessed or modified, identifying the doctors and healthcare professionals who accessed or modified it.
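The access log described above has two properties a controller must be able to demonstrate: every access and modification is attributed to a named professional, and the log itself cannot be silently rewritten afterwards. The following is an added illustration, not part of this guide and not the HC3 system's own code: a hash-chained, append-only access log where each entry commits to the previous one, so that editing or deleting an earlier entry is detected on verification. The identifiers, timestamps and record numbers are constructed sample values.

```python
"""Hash-chained access log for medical records (added illustration, not the guide's code)."""
import dataclasses
import hashlib
import json
from dataclasses import dataclass
from typing import List

GENESIS = "0" * 64  # previous-hash value of the first entry


@dataclass(frozen=True)
class AccessEvent:
    seq: int
    timestamp: str        # ISO 8601, supplied by the caller (constructed in the sample below)
    professional_id: str  # who accessed or modified the record
    record_id: str        # which medical record
    action: str           # "read" or "modify"
    prev_hash: str        # hash of the preceding entry (chain link)
    entry_hash: str       # hash of this entry's own fields


def _digest(seq, timestamp, professional_id, record_id, action, prev_hash) -> str:
    # Canonical JSON so that the same fields always produce the same hash.
    payload = json.dumps([seq, timestamp, professional_id, record_id, action, prev_hash],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class AccessLog:
    ALLOWED_ACTIONS = {"read", "modify"}

    def __init__(self):
        self._events: List[AccessEvent] = []

    def append(self, timestamp: str, professional_id: str, record_id: str, action: str) -> AccessEvent:
        if action not in self.ALLOWED_ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        prev = self._events[-1].entry_hash if self._events else GENESIS
        seq = len(self._events)
        h = _digest(seq, timestamp, professional_id, record_id, action, prev)
        ev = AccessEvent(seq, timestamp, professional_id, record_id, action, prev, h)
        self._events.append(ev)
        return ev

    def verify(self) -> bool:
        """Recompute every hash and chain link; False if any entry was altered or removed."""
        prev = GENESIS
        for i, ev in enumerate(self._events):
            if ev.seq != i or ev.prev_hash != prev:
                return False
            if _digest(ev.seq, ev.timestamp, ev.professional_id, ev.record_id,
                       ev.action, ev.prev_hash) != ev.entry_hash:
                return False
            prev = ev.entry_hash
        return True

    def who_accessed(self, record_id: str) -> List[str]:
        """Professionals who accessed or modified a given record, in order of first appearance."""
        seen: List[str] = []
        for ev in self._events:
            if ev.record_id == record_id and ev.professional_id not in seen:
                seen.append(ev.professional_id)
        return seen

    def events(self) -> List[AccessEvent]:
        return list(self._events)


def build_sample_log() -> AccessLog:
    # Constructed sample activity; none of these identifiers are real.
    log = AccessLog()
    log.append("2024-03-01T09:15:00Z", "dr-0001", "HC-12345", "read")
    log.append("2024-03-01T09:20:00Z", "dr-0001", "HC-12345", "modify")
    log.append("2024-03-02T11:02:00Z", "nurse-0042", "HC-12345", "read")
    log.append("2024-03-02T12:30:00Z", "dr-0007", "HC-99999", "read")
    return log


def tampered_copy(log: AccessLog) -> AccessLog:
    """Simulate an after-the-fact edit of one entry (changing who accessed the record)
    without recomputing the chain; verify() must report this copy as invalid."""
    copy = AccessLog()
    copy._events = list(log._events)
    copy._events[2] = dataclasses.replace(copy._events[2], professional_id="nurse-0001")
    return copy


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain valid:", sample.verify())
    print("accessed HC-12345:", sample.who_accessed("HC-12345"))
    print("tampered copy valid:", tampered_copy(sample).verify())
```

In a deployed system the chain head would additionally be anchored outside the application (signed, or written to a separate write-once store) so that an operator with database access cannot simply rebuild the whole chain; the example only shows the in-log integrity check.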
Although healthcare organisations may opt for different systems, the norm for some time now has been to use computerised medical records. For several years the Catalan public health system has been using the Shared Clinical History (HC3), which allows access to relevant information on the medical records of the different health centres in the public healthcare network.
For paper medical records, secure containers that do not allow unauthorised persons to retrieve information, and paper shredding machines must be used. It may be appropriate to entrust this process to companies that guarantee certified safe destruction.
In the case of electronic medical records, health centres or healthcare professionals must securely erase the information or, if necessary, physically destroy the medium or device.
Health centres, archives, and documentation centres must keep a record of the disposal of medical records.
What happens to my medical record when a health centre closes or a healthcare professional ceases to practice?
Health centres and services that close and professionals who stop working permanently must guarantee access to the medical records they keep, for the purpose of ensuring medical care and patients' rights.
When a self-employed doctor ceases to practice, they should notify patients so that they can collect their medical records and, if necessary, hand them over to a new professional. The doctor can consult with their professional association regarding how to manage this situation without jeopardising the rights of their patients and, where appropriate, how to securely destroy information.
In the area of healthcare, is the right to information provided for in data protection regulations the same as informed consent?
No. These are two different information rights:
- In healthcare, informed consent refers to the duty to collect the consent of patients who have to undergo certain more or less invasive treatments (examinations, clinical analyses, biopsies, surgery, care, medical treatments, etc.). The patient must be told what the action will consist of so that they can decide whether or not to authorise it.
- The right to information established in the personal data protection legislation is a right that belongs to all patients. Health centres do not have to ask for consent to process the data provided by patients in order to attend to them, but they are obliged to explain to them how they will use their data.
The information that patients receive should be concise, transparent, intelligible and easily accessible, with clear and simple language, particularly in the case of information specifically aimed at children. The information must be provided in writing or by other means, including, where appropriate, in electronic format.
The patient has the right to ask for any clarification they need. To do so, they can contact the data protection officer of the data controller.
I went to a private health centre for a work medical check-up and they asked me to sign on the screen of an electronic device to inform me how my data would be processed. They told me that I could read the information on a sheet of paper that they showed me, and that later they would send me the information clause by email. Is this right?
No. Requesting a signature from a patient without first informing them of what data will be collected, why, who it will be shared with, etc., and without allowing them to ask any questions, is not correct. The information required by law must be provided in such a way that there is a record of its having been provided, and the patient must be able to understand it. The patient should never sign without knowing what they are signing for. The patient has the right to obtain a copy of any document they have signed.
The use of apps to track fitness or promote health is becoming more and more common. These applications collect a significant amount of health data (heart and pulse rate, calories consumed, exercise, diet, etc.) directly or through sensors (wrist band, smart watch, mobile phone, etc.). Therefore, they must provide the user with the information required by personal data protection regulations.
Before starting to use these applications or provide health information, users are advised to carefully read this information, especially that relating to the company or companies responsible for processing the information, what they can use it for, where it is kept, who they may share it with, the consequences that may arise from the processing and how to make complaints.
Does the right of access provided for in data protection regulations make it possible to know which professionals have accessed a medical record?
The right of access does not include the provision of this information. The obligation to provide this information only exists if the medical record has been communicated to external entities or persons.
However, some health centres have established the provision of this information as best practice. In addition, in the case of public administrations, the regulations on access to public information may also allow patients to access it, given their legitimate interest in knowing it.
Sometimes, patients do not need to know everything included in their medical record, whether for their own benefit or that of other people (for example, when the professionals attending to the patient consider that there exist overriding healthcare needs or when there are subjective annotations).
I want to file a complaint against a dental clinic for possible medical negligence and I need them to give me a detailed report of the surgery they performed on me. Can they refuse?
No. The patient, as the data subject, may exercise the right to obtain a copy of all their healthcare reports. There is no obligation to explain to the clinic the reason for the request and, even if they are informed of the reason, this does not justify refusal to provide the information. If the clinic refuses to release the information, the patient can complain to the Catalan Data Protection Authority.
Do I have the right to know my biological origins, even if this means accessing information regarding my biological mother?
Yes. The right to know one's own biological origins includes the right to know the identity of biological parents. This right is recognised for children and adolescents who are not in the care of their parents (those who are adopted, or who are or have been under state guardianship), once they have reached the age of majority or are emancipated. Applicants must be able to access certain information from the biological mother's medical record that may be relevant to their own health.
A couple undergoes treatment at an assisted reproduction clinic. Can they both access the same medical information?
The owner (data subject) of the medical record is the woman who undergoes the assisted reproduction treatment. Her partner has the right to access his or her own data. If one of the two partners wants to access the data of the other one contained in shared documents, they need the consent of the owner. Data relating to pre-embryos can be considered information owned by both partners, meaning that both of them would have the right to access it.
Is it possible to access relevant medical information contained in the medical record of a gamete or pre-embryo donor?
The Assisted Reproduction Techniques Act states that medical teams must place all information on donors in a medical record, which must be properly safeguarded. The data included in medical records, except for the identity of the donors, must be made available to the recipient and their partner, or to the child born by these techniques or to their legal representatives, when they reach the age of majority, if requested.
Can I request the erasure of any information in my medical record about my assisted reproduction treatment and egg donation?
No. The law recognises the right of children and adolescents to know their genetic origin and to request, from the competent public administrations, the documentation that allows them to ascertain their identity. This means that information on embryo donation must be kept in the mother's medical record and, consequently, that this information cannot be erased. However, the mother can request that no one but the children access this information.
No. In cases of rectification or erasure of data, the data protection regulations impose the duty to block the data. This involves locating the data and maintaining it outside of the usual work circuits, and adopting measures to prevent its processing, so that it is only available to judges and courts, the Public Prosecutor's Office or the competent public administrations, and in particular to data protection authorities, to enforce possible responsibilities arising from the processing and only until such responsibilities expire.
In a report included in my medical record there is an error in the date of a surgical procedure and in the medical team that attended to me. Can I ask them to change it?
It is important that medical records adequately and truthfully reflect the relevant circumstances of patients' healthcare processes. Errors in the date of a surgical procedure or in the identification of the doctor in charge may negatively influence current and future care (for example, it may make it impossible for doctors to check whether the patient's recovery is within normal range, or it may make it impossible to confirm the information with the professionals who cared for them). Therefore, the information must be rectified.
No. The healthcare provided by the centres and services of the public healthcare network is not based on the consent of patients, but on the laws that establish that we all have the right to receive this service (section 4.1 of this guide).
However, portability can be requested from controllers (health insurance companies, doctors in private practice, etc.) that process data automatically in accordance with a prior decision of the patient who has contracted this service.
Years ago, I suffered from a serious mental illness. I am concerned that this information is available to any healthcare professional. Can I object to certain professionals accessing it? Can I demand that any reference to this episode be erased from my medical record?
Health regulations state that medical record data should only be accessible, for healthcare purposes, to healthcare professionals who need to treat the patient, and these professionals must protect and respect the confidentiality of this information.
The right to object means that, for reasons related to the patient's personal situation, they can request that only certain professionals have access to information on this episode. However, this right may be limited if the health centre can prove that there are compelling legitimate reasons that must prevail (for example, if it may jeopardise the healthcare received by the patient or the proper functioning of the health system).
Granting the right to object does not necessarily imply that the information will be erased, but that, due to the requirements of the law on patient autonomy, it must be kept for certain periods (section 1 of this guide).
I requested the erasure of certain data from my medical record two months ago and I have not received a reply. What can I do?
The fact that the exercise of a right will not have the effect intended by the requesting party (the effective erasure of a piece of data, for example) does not justify the lack of response. On the contrary, a response must be given within one month, explaining why the request has been rejected. As the right has not been respected, a claim for protection of rights can be filed with the Catalan Data Protection Authority.
Who can I contact if I have any questions about the processing of my personal data or a right that I have exercised has not been fulfilled?
You can contact the Data Protection Officer (DPO) of the controller. You can find their contact details in the information clause that must be provided by the controller when the data is collected.
Alternatively, and also if you do not agree with the response given by the Data Protection Officer, you can contact the Catalan Data Protection Authority.
Can the health centre that treated me provide me with information that I ask for by telephone about my state of health or the result of the tests that have been performed on me?
The communication of health data by telephone carries the risk of providing the information to a third party who is impersonating the patient. For this reason, this should be avoided, unless protocols have been implemented to securely identify the person requesting the information.
I am a nurse and at the same time a patient in a hospital. Can my colleagues access information about my surgery?
No. Unless these people are involved in providing medical care to the patient, access would be inappropriate and would violate the principle of confidentiality. Merely because someone works in a health centre does not mean they are allowed to access a colleague's information without their consent. Health centres should give proper instructions to their workers in this matter. The patient can complain to the Catalan Data Protection Authority or the judicial authorities.
A paediatric clinic where I take my children has published a photograph of them on its website, to advertise the speech therapy services it offers. Can they do that?
No, unless they have the free, specific and unequivocal consent of the parents (or children, from the age of 14) and have properly informed them. In addition, if it can be deduced from the photograph that the child suffers from any type of illness, the consent must be explicit. The advertising purpose may be legitimate, but the provision of healthcare does not imply that images of patients can be disseminated.
I accompany a relative to a medical visit at their primary health centre. Am I entitled to receive a letter to justify my absence from work?
The law allows relatives who so request to be provided with a letter with information about the patient they have accompanied. However, this letter only contains the minimum information necessary for the worker to request and take the time off provided for by labour regulations in order to accompany a relative to the doctor.
I called a hospital to ask for information on a relative who has been admitted and they did not give it to me. Have they acted correctly?
Yes. Before providing any information about a patient's state of health, health centres must verify the identity of the caller, their relationship with the patient and, where appropriate, the instructions given by the patient. Otherwise, they may violate the patient's privacy. It is good practice for the centre to ask the patient who may receive information about them, for example, on their recovery after surgery.
The hospital can only give the room number (which is data that forms part of the medical record) to family members or the people who are accompanying them during their treatment. For other visitors, the patient must give their authorisation.
A relative of mine who is unable to decide for themselves about their medical treatment has been admitted to a health centre. Who can access their information to decide what needs to be done?
When, in the opinion of a doctor, a patient is not able to make decisions about their own health (for example, due to a serious accident or mental illness), the people who represent their interests, their family members or their common-law partner may access their information.
Yes. Family members or civil law partners of deceased subjects of medical records may request access to the deceased's personal information, unless this has been expressly prohibited by the deceased. Access to medical records by a third party due to a risk to the health of the latter should be limited to relevant data. Information that affects the privacy of the deceased, subjective notes of professionals or information that may be harmful to third parties should not be provided.
No. Access to a medical record without the patient's consent or without justification on the grounds of healthcare is a violation of the principle of confidentiality of patient information. Therefore, medical professionals who, although they work in the same primary health centre, hospital, social care centre, care home, etc., are not involved in the care of a patient, may not access their personal data.
Can health centres share my data with mutual insurance companies that work with the public healthcare system?
When treating a patient (a worker) referred by a mutual insurance company that works with the public healthcare system, health centres may provide information on the worker's diagnosis without their consent, in order to manage financial benefits and healthcare arising from work-related incidents, and to monitor and control the worker's temporary disability.
Can the hospital where I was treated for a traffic accident share my details with my vehicle insurance company without my consent?
Yes. When it comes to compulsory insurance, the law allows health centres to claim from insurance companies the cost of the healthcare provided to policyholders of these companies. To do so, the health centre must be able to disclose patient data to prove that the required healthcare has been provided.
If I have filed a complaint against the hospital where I have been treated, can the hospital disclose my data to an external lawyer?
Yes. If the data is necessary to exercise the right of defence or compliance with the insurance contract, the hospital may provide the patient's health data to its lawyers or to the insurance company of the hospital or the doctors involved.
Can a health centre inform my family members or the company where I work, without my permission, that I have been diagnosed with a contagious disease?
If it is a notifiable disease, the law allows the health authorities to notify the patient's identity (if absolutely necessary) and the disease they are suffering from to their workplace, school or people related to them, in order to check the spread of the disease. Within workplaces and schools, the information should reach the minimum number of people required for the health authorities to take appropriate action.
Yes. It is lawful for public health authorities to process our health data when necessary for reasons of public interest; for example, to control the spread of epidemics or pandemics and, ultimately, when health crises or cross-border threats occur that pose a serious danger to the health of the population. Processing is also lawful for the purpose of protecting the health of the data subject or others.
If there is a risk of transmission, the competent public health authorities must take the necessary measures to control patients, people in their immediate environment and those who are or have been in contact with them. To do so, they can process whatever data are needed.
In the case of epidemics that pose a risk to the general population, can public health authorities inform people around me about my health status?
In these situations, public health authorities can activate systems to contact and warn people who have been in contact with an infected person, in order to protect their health and prevent these people from spreading the disease. Whenever possible, authorities should report only on the possibility that the contagion has occurred or may occur, without disclosing the identity of the person who is the source of the contagion.
In the event of an epidemic, can any public administration or establishment control people's temperature when they access facilities, to detect suspected cases?
Establishing this as a general measure without the consent of the people concerned has no legal basis, unless established by the competent public health authorities.
This is without prejudice to the power of company health and safety departments to adopt appropriate health surveillance measures with respect to their workers if the health status of a worker may pose a danger to themselves, to other workers or to people who have contact with the company.
Yes, as long as these apps or websites that collect and process people's data comply with the requirements of data protection regulations.
These applications make it possible to know if a person has symptoms of infection, provide data on their psychological state, etc. and offer them suitable help and health resources. They can also be used to conduct epidemiological and statistical studies with the aggregate data they obtain from users (e.g. aggregated geolocation data to detect geographic areas with the highest epidemiological risk and incidence, to allow authorities to establish control measures).
Is it mandatory to provide my health data in a survey that the Generalitat wishes to use for the purposes of its Statistical Plan?
No. The provision of health data is strictly voluntary.
Although in some cases this processing may occur on the basis of patient consent, the law also envisages other possibilities such as, for example, the processing of pseudonymised health data for health research purposes. However, the data controllers must protect the information with appropriate security measures so as not to jeopardise the rights of data subjects (functional separation when performing pseudonymisation, confidentiality and non-re-identification commitments, specific security measures, ethics committee report, etc.).
I suffer from a rare disease and the medical team has invited me to participate in a research study. Do I have an obligation to participate?
No. The active participation of a patient in research studies is always voluntary, and the conditions or quality of the medical treatment they receive cannot depend on whether or not they choose to participate.
If the patient agrees to participate, before they join the study, they must receive all the information they need about the characteristics and implications of the study and how their data will be processed.
If medical research performed with pseudonymised data detects a real and specific danger to the safety or health of one or more people or a serious threat to their rights, or if necessary for the purpose of ensuring adequate healthcare, the people concerned may be re-identified.
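The safeguards listed above (functional separation when pseudonymising, and re-identification only in the narrow circumstances just described) can be made concrete in code. The following is an added illustration, not part of this guide and not any health centre's production system: the controller keeps the keyed pseudonymisation function and the lookup table on its own side, researchers receive only pseudonyms plus the clinical fields they need, and re-identification is refused unless it comes from the controller's authorised role with one of the recognised grounds, in which case it is logged. The key, role name, record fields and patient data are all constructed for the example.

```python
"""Pseudonymisation with functional separation (added illustration, not the guide's code)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed demo key; a real deployment would use a randomly generated secret kept by the controller.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str   # constructed identifier held by the controller
    name: str
    diagnosis: str
    age_band: str


# Constructed sample records; no real people.
SAMPLE_RECORDS = [
    PatientRecord("HC-12345", "A. Example", "rare disease X", "40-49"),
    PatientRecord("HC-67890", "B. Example", "rare disease X", "30-39"),
    PatientRecord("HC-99999", "C. Example", "related disease Y", "50-59"),
]


class PseudonymisationService:
    """Runs on the controller's side only; the key and lookup table never reach researchers."""

    # Grounds on which the text above allows re-identification (assumed labels for this example).
    ALLOWED_REASONS = {
        "specific danger to health or safety",
        "serious threat to rights",
        "necessary for adequate healthcare",
    }
    AUTHORISED_ROLE = "controller-medical-officer"  # assumed role name

    def __init__(self, key: bytes):
        self._key = key
        self._lookup: Dict[str, str] = {}                    # pseudonym -> patient_id
        self.reidentification_log: List[Tuple[str, str, str]] = []

    def pseudonym(self, patient_id: str) -> str:
        # Keyed hash: deterministic (the same patient gets the same pseudonym within a study)
        # but not invertible without the controller's key.
        p = hmac.new(self._key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup[p] = patient_id
        return p

    def export_for_research(self, records: List[PatientRecord]) -> List[dict]:
        """Dataset handed to researchers: pseudonym plus the clinical fields only."""
        return [
            {"pseudonym": self.pseudonym(r.patient_id), "diagnosis": r.diagnosis, "age_band": r.age_band}
            for r in records
        ]

    def reidentify(self, pseudonym: str, requester_role: str, reason: str) -> str:
        if requester_role != self.AUTHORISED_ROLE:
            raise PermissionError("re-identification is restricted to the controller's authorised role")
        if reason not in self.ALLOWED_REASONS:
            raise PermissionError("reason is not one of the recognised grounds")
        if pseudonym not in self._lookup:
            raise KeyError("unknown pseudonym")
        self.reidentification_log.append((pseudonym, requester_role, reason))
        return self._lookup[pseudonym]


def build_demo() -> Tuple[PseudonymisationService, List[dict]]:
    service = PseudonymisationService(SAMPLE_KEY)
    dataset = service.export_for_research(SAMPLE_RECORDS)
    return service, dataset


if __name__ == "__main__":
    service, dataset = build_demo()
    for row in dataset:
        print(row)
    try:
        service.reidentify(dataset[0]["pseudonym"], "researcher", "curiosity")
    except PermissionError as exc:
        print("refused:", exc)
    print("controller re-identified:",
          service.reidentify(dataset[0]["pseudonym"], service.AUTHORISED_ROLE,
                             "specific danger to health or safety"))
```

The separation is organisational as much as technical: the research team receives only the list returned by `export_for_research`, while the service object (and therefore the key and lookup table) stays with the controller, which is what makes a re-identification request auditable rather than something a researcher can perform alone.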
If the participant stated that they did not want to know the results of the study, this wish must be respected. However, if it is considered based on medical criteria that, as a result of the findings of the study, the health or safety of their biological family members is in real and specific danger or there is a serious threat to their rights, or it is necessary for the purpose of ensuring adequate healthcare, they will need to be informed.
Several months ago I decided to take part in a clinical trial. Although it has already begun, I now want to leave the trial. Can I do that?
Yes. The patient can always revoke their initial consent. This decision must be respected and may not have any detrimental effects on the healthcare they receive. However, the law protects medical research due to the general benefits it brings, so in these cases the person in charge of the study can keep whatever data has already been collected and previously processed.
When researchers begin a specific line of research, they often do not know whether, as the research progresses, it may be relevant to expand the object of study. For example, research on a particular rare disease, as it progresses, may yield results that are useful for research into another disease related to the initial area of research. The law allows this data to be reused for the new research related to the initial area of research, and such processing would be considered compatible with the initial processing.
I have found out that my insurance company has included me in a study on my illness, because it thought I might be interested. Is this right?
No. When the processing of health data requires the consent of the interested party, the consent must be explicit and must be recorded.
I have been asked to give my permission to record images of the surgery I am due to have, for university teaching purposes. Is this right?
Yes. In this case, it is considered that the surgical procedure is recorded not for healthcare purposes, but rather for educational purposes, so the patient can authorise the processing of the images. The procedure cannot be recorded if the patient does not give their consent. If the images or other data are to be used in teaching or in scientific publications, the patient must not be identifiable.
Patients or their representatives may authorise trainees to be present during the provision of their healthcare (for example, during a physical examination or check-up). Doctors should limit the presence of students when deemed inappropriate due to the patient's clinical, emotional or social situation.