Personal Health Data Regulation Has Been Published 26 June 2019

According to the Law on Protection of Personal Data (“Law”), the Regulation on Personal Health Data (“Regulation”), which concerns the activities of private real and legal persons and public legal persons that process personal health data and relates to the processes and practices carried out by the Ministry of Health (“the Ministry”), has been published in the Official Gazette dated 21 June 2019 and numbered 30808.

We would like to inform you about the Regulation in detail below.

1) What are the norms and principles to be followed during the processing of personal health data?

During the processing of personal data, all data processing principles in the Law shall be observed, especially the general principles set out in Article 4 of the Law. In addition to these principles, according to the Regulation:

  • No one shall be compelled to submit or show past health data, except when it is necessary for health service delivery.
  • Health service providers will take the necessary physical, technical and administrative measures to prevent unauthorized persons from entering areas such as counters, pay desks and desks, and at the same time to prevent clients from hearing, seeing, learning or obtaining each other’s personal data.
  • Health service providers will implement the necessary partial de-identification or masking measures on printed material containing personal health data of the patient, such as analysis and examination results, and take other precautions on the material in question to make it difficult to identify who it belongs to if it falls into the hands of an unauthorized person.

2) How and to what extent will medical personnel have access to these data?

Persons in charge of health service delivery may access the health data of the person concerned, limited to the requirements of medical services.

  • Health data of people who have e-Nabız accounts may be accessed within the framework of their privacy preferences. The persons concerned are informed in detail about their privacy preferences and their consequences. The Ministry of Health will not be liable for any malfunctions and damages that may occur in medical service delivery due to the confidentiality preference and the inability to display past health data.
  • Health data of people who do not have e-Nabız accounts may be accessed, limited to the exceptional purposes stated in Article 6 Paragraph 3 of the Law, as follows:
    • Without any time limit, by the family doctor with whom the person is registered.
    • Limited to the day of appointment, by the doctor with whom the person has made an appointment for health care, until the end of the procedures directly related to the health service received.
    • Limited to 24 hours, by the doctors working at the medical service provider that the person enters to receive health care.
    • By the doctors working at the medical service provider to which the person has been admitted, until the patient is discharged from the health care provider.

The above-listed access rules may be reassessed by the General Directorate according to the requirements of the Ministry for health service provision and within the scope of Article 6/3 of the Law. In such a case, what is necessary will be done within the scope of the disclosure requirement.

For those who do not want to allow anybody to access their past health data, a privacy preference will be provided via e-Nabız. Past health data of people who use this privacy preference can only be accessed if the code sent to the phone number declared by the person is shared with the doctor and entered by the doctor into the system.

Personal health data that has a higher level of privacy, and that risks adversely affecting the social life and mental health of individuals if seen and known by third parties, will be determined by the Ministry, and restrictions may be placed on the access of medical personnel to such data.

3) How and to what extent will the Ministry units provide access to these data?

Unit Chiefs of the Ministry individually determine the persons who are authorized to match the health data, which health service providers send to the central health data system after de-identification, with the persons it belongs to through the relational database separately, and request the authorization of these persons from the General Directorate.

Users authorized by the General Directorate upon the request of the unit chief can exercise this authority only in accordance with the principles of Personal Data Protection Legislation, in the context of planning, managing, supervising and regulating health care services and financing tasks.

The limits of the purpose of planning and managing health care services and financing are determined by the duties assigned to the relevant unit in legal and administrative regulations.

4) Who can access the health data of children?

Parents can access their child's health records via e-Nabız without any need for approval. Children with the ability to distinguish may make parental access to their health history subject to permission through e-Nabız.

If the parents divorce, the party that has not been granted custody rights has access to the child’s health data in accordance with the legislation on protection of personal data and within the limits set by the General Directorate, taking into account the benefit of the child and the guardian.

5) How can the relatives access the patient’s health data?

When personal health data is shared with the relatives of patients, the third paragraph of Article 18 of the Patient Rights Regulation, which was published in the Official Gazette dated 01/08/1998 and numbered 23420, shall be followed in a manner that does not contradict the principles of the Law.

6) Do lawyers have access to their clients' health data?

Lawyers are not entitled to request their client's health data by general proxy. The power of attorney issued for the transfer of the client’s health data to the lawyer should include a special provision indicating the express consent of the person concerned to the processing and transfer of their special quality personal data.

7) Who can access the health data of a deceased person and for how long?

The legal heirs of the testator are individually authorized to receive the health data of the decedent by submitting their certificate of inheritance.

The health data of a deceased person is stored for at least 20 years.

8) How and by whom will the health data of people, who have been given a confidentiality order, be hidden?

The request for confidentiality of the health data of people who have been given a confidentiality decision, and the warrant sent by the judicial authorities, will be fulfilled by the local health authority.

The action taken by the local health authority will directly be reflected in the Identity Sharing System.

All necessary technical and administrative measures shall be taken to ensure that confidentiality orders are known only by persons who are required to know them by their duties.

9) How can improperly processed data be corrected?

The person concerned shall apply to the local health authority to which the health care provider is affiliated in order to correct wrong health data about themselves. If, as a result of its inquiry at the relevant health service provider, the local health authority finds that the health data was created by mistake, it shall apply to the General Directorate with an official letter and ask for the correction of the health data that was created by mistake. The operation carried out by the General Directorate is also performed in the database of the health service provider.

The General Directorate determines the date on which health data wrongly created by the health service providers can be corrected and updates this date as required. Health data created after this specific date given by the General Directorate shall be corrected by the relevant health service provider; health data created before this date shall be corrected by the General Directorate upon the request of the relevant provincial health directorate.

10) What is the procedure for transferring personal health data to other institutions?

Article 8 of the Law shall be observed for the domestic transfer of personal health data, and Article 9 of the Law for its international transfer. A protocol shall be prepared for transferring personal health data to public institutions and organizations within the scope of these articles. This Protocol should include the general principles of personal data protection legislation, the provisions regarding data security, and information about the data to be transferred under the protocol. If the technical infrastructure is suitable, data will be transferred through KamuNET.

Requests for the transfer of personal health data are evaluated by the Ministry department to which the requested health data relates, in terms of the Law and other relevant legislation. The process is established by the General Directorate according to the evaluation result.

11) Who can handle personal health data for scientific purposes and to what extent?

Within the scope of Article 28/1b of the Law (“Processing of personal data for purposes such as research, planning and statistics through anonymization with official statistics”), scientific studies can be carried out with health data that has been anonymized by the data officer.

Within the scope of Article 28/1c of the Law (“Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national crime, national security, public security, public order, economic security, privacy or privacy rights or constitute a crime”), personal health data may be processed for scientific purposes within the framework of the technical and administrative measures to be taken, provided that they:

  • do not violate the privacy or personal rights of the persons concerned or
  • do not constitute a crime.

12) For which purposes and by whom can personal health data be made accessible to everyone?

The Ministry shall determine the principles and procedures under which the data contained in the systems used by the central and provincial organizations of the Ministry and its affiliated and related institutions is made accessible to everyone by the General Directorate through a dedicated website, taking into account the regulations on data privacy and data security, for specific purposes such as:

  • ensuring transparency and accountability in the health system;
  • directing policies and strategies for health care delivery;
  • supporting scientific research in the field of health; and
  • ensuring the development of health-related products and services.

13) How is the security of personal health data and information ensured?

The data security obligations in Article 12 of the Law will be observed. The technical and administrative measures to be taken will be based on the Personal Data Security Guideline prepared by the Authority.

In the event that the processed personal data is obtained by others by unlawful means, the notification to be made to the Council by the data officer shall be based on the provisions of the Law and the regulatory procedures of the Council regarding this matter.

Information security processes performed in the central units of the Ministry and provincial organizations and affiliated and related institutions are determined by the Information Security Policies Directive prepared by the General Directorate.

14) What is the sanction of non-compliance with the Regulation?

For the crimes and misdemeanors related to personal data protected by this Regulation, the procedure shall be carried out in accordance with Articles 17-18 of the Law.

Public officials who do not fulfill the requirements of this Regulation will be reported to the disciplinary authority to which they are registered, and their authority, if they have any, will be cancelled. Real persons and private legal entities shall be treated in accordance with the relevant legislation.

Health service providers that do not send data to the central health data system in accordance with the procedures and principles determined by the Ministry shall be warned twice. A penalty amounting to 1% of the gross income of the previous month shall be applied to providers that do not follow the warnings.

15) When will the Regulation enter into force?

The Regulation entered into force on 21 June 2019.