Organic Law on Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) Can I know who has accessed my medical record?
Can I find out who has accessed my medical records?
A legal report has recently been published by the Spanish Data Protection Agency, in which it resolves a query to interpret, in the light of Supreme Court Ruling 476/2020 of 25 September, whether patients’ right of access to their medical records includes information on who has accessed them.
The first thing to point out is that the information contained in the medical record must be considered health data, in accordance with article 4.15 of the General Data Protection Regulation (Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016), which means that we are dealing with a special category of data, and mostly protected.
Before analysing the report, we anticipate the answer to the question, with which we began this article: The right of access to medical records and the information contained therein does not include the persons who have accessed them.
This conclusion is reached by the Spanish Data Protection Agency on the basis of the following arguments:
Article 12.5 of the LOPDGDD provides as follows:
“Where the laws applicable to certain processing operations establish a special regime affecting the exercise of the rights provided for in Chapter III of Regulation (EU) 2016/679, the provisions of those laws shall apply.”
This article should be read in conjunction with Article 15 of the GDPR, which regulates the right of access of data subjects.
In the case of Spain, there is a law that regulates and develops the content and access of patients to their medical records, therefore, in accordance with the aforementioned legislation, the provisions of Law 41/2002, of 14 November, the basic law regulating patient autonomy and the rights and obligations regarding clinical information and documentation (hereinafter referred to as LAP) must be applied, as this is the law that, due to the subject matter and speciality, applies to the right of access to medical records.
Article 18 of the LAP provides as follows:
- The patient has the right of access, with the reservations indicated in section 3 of this article, to the documentation of the medical record and to obtain a copy of the data contained therein. The healthcare centres shall regulate the procedure that guarantees the observance of these rights.
- The patient’s right of access to medical records may also be exercised by duly accredited representation.
- The patient’s right of access to medical records may not be exercised to the detriment of the right of third parties to the confidentiality of data contained therein collected in the therapeutic interest of the patient, nor to the detriment of the right of the professionals involved in their preparation, who may oppose the right of access to reserve their subjective annotations.
- Health institutions and individual practitioners shall only provide access to the medical records of deceased patients to persons related to the deceased for family reasons or, in fact, unless the deceased has expressly forbidden it and proof of this is provided. In any event, access by a third party to the medical records on the grounds of a risk to his health shall be limited to the relevant data. Information that affects the privacy of the deceased or the subjective annotations of professionals, or that is prejudicial to third parties, shall not be provided.
In view of the above, it is appropriate to analyse the content of the medical record according to the LAP, specifically Article 15.
Article 15 of the LAP provides as follows:
The medical record shall include the information considered to be essential for the accurate and up-to-date knowledge of the patient’s state of health. Every patient or user has the right to have a written record, in writing or on the most appropriate technical support, of the information obtained in all their healthcare processes, carried out by the health service in both primary and specialized care.
The main purpose of the medical record shall be to facilitate health care, recording all those data which, according to medical criteria, allow for accurate and up-to-date knowledge of the state of health. The minimum content of the medical record shall be as follows:
a) Documentation relating to the clinical-statistical sheet.
b) The entry authorization.
c) The emergency report.
d) Anamnesis and physical examination.
e) The evolution.
f) Medical orders.
g) The consultation sheet.
h) The reports of complementary examinations.
i) Informed consent.
j) The anaesthesia report.
k) The operating theatre or birth registration report.
l) The anatomical pathology report.
m) The evolution and planning of nursing care.
n) The therapeutic application of nursing.
ñ) The graph of constants.
o) The clinical discharge report.
As indicated in the preceding article, a “minimum content” is established, and the LAP is considered basic legislation. Therefore, as the Autonomous Communities have transferred powers in health matters if additional content is determined in the autonomous regulation, it must be in accordance with what is indicated therein.
There are examples of autonomous communities that have extended the minimum content established in the LAP, such as the Autonomous Community of Navarre or Extremadura, where the right to know who has accessed our medical records is included.
The AEPD concludes its report by maintaining the criteria of previous consultations similar to the ones in question (reports 165/2005 and 171/2008), indicating that “the content of the right of access to the medical record does not include knowing the information on who has accessed it, as it does not form part of the medical record and also refers to personal data of third parties“, in accordance with article 18 LAP, the LOPDGDD and the RGPD.
The fact that the data subject cannot know, in the first instance, who has accessed his or her data, greatly complicates the exercise of any legal action he or she may be entitled to in the event of violations of his or her right to the protection of personal data.
The use of computerized systems can facilitate rapid access to information and can also be a security tool for data management in medical records, safeguarding identity and facilitating consultation at all times.
The integrity of data generated, processed, represented or stored in medical records is of vital importance.
Using technological tools within our reach, to make our processes more efficient, secure and reliable, is where we have to go. At OQOTECH we help you to develop, improve and validate key IT tools to ensure security, confidentiality and guarantee their functionality.