Personal Health Data Regulation Has Been Published 26 June 2019
According to the Law on Protection of Personal Data (“Law”), The Regulation on Personal Health Data (“Regulation”), concerning activities of private real and legal persons and public legal persons that process personal health data, which is related to the processes and practices carried out by the Ministry of Health (“the Ministry”) has been published in the Official Gazette dated 21 June 2019 and numbered 30808.
We would like to inform you of the Regulation in details here below.
1) What are the norms and principles to be followed during process of Personal Health Data?
During process of personal data, all data processing principles in the Law shall be observed, especially the general principles partaking in Article 4 of the Law. In addition to these principles, according to the Regulation;
- No one shall be compelled to submit or show past health data, except when it is necessary for health service delivery.
- Necessary physical, technical and administrative measures will be taken by health service providers, to prevent unauthorized persons from entering in departments such as counters, pay desks and desks and at the same time to prevent clients from hearing, seeing, learning or seizing each other’s personal data.
- Health service providers will implement the necessary partial de-identification or masking measures on printed material containing personal health data of the patient, such as analysis and examination results; and take other precautions on the material in question to make it difficult to identify who it belongs to, if it’s occupied by an unauthorized person.
2) How and to what extent will medical personnel have access to these data?
Persons, who are in charge of health service delivery; may access to the health data of the person concerned, limited to the requirements of medical services.
- Health data of people owning e-Nabız accounts; may be reached within the framework of their privacy preferences. Related persons are informed in detail about their privacy preferences and its consequences. The Ministry of Health will not be liable for any malfunctions and damages that may occur in medical service delivery, due to the preference of confidentiality and the inability to display past health data.
- Health data of people not owning e-Nabız accounts; may be reached limited to exceptional purposes, which are stated in Article 6 Paragraph 3 of the Law, yet;
- Without any time limit, by the family doctor to whom the person is registered,
- Limited to the day of appointment, by the doctor whom the person has made an appointment for health care, until the end of the procedures directly related to the health service received.
- Limited to 24 hours, by the doctors who are working at the medical service provider, in which the person enters to receive health care.
- By the doctors who are working at the medical service provider, to which the persons admission has been done, until the patient is discharged from the health care provider.
The above-listed access rules may be reassessed by General Directorate according to the requirements of the Ministry for health service provision and within the scope of Article 6/3 of the Law. In such case, what is necessary will be done within the scope of disclosure requirement.
For those who do not want to allow access by anybody to their past health data, the privacy preference will be provided via e-Nabız. Past health data of people, who use this privacy preference, can only be accessed, if the code, which will be sent to the phone number declared by the person, is shared with the doctor and entered by the doctor into the system.
Personal health data, which has a higher level of privacy, and which are at risk of adversely affecting the social life and mental health of the individuals in case of being seen and known by third parties, will be determined by the Ministry and restrictions may be placed on access of medical personnel to such data.
3) How and to what extent will the Ministry units provide access to these data?
Unit Chiefs of the Ministry determine the persons individually, who are authorized to match the health data, which is sent by the health service providers after de-identification to the central health data system with the persons they belong to, through the relational database separately and request the authorization of these persons from the General Directorate.
Users authorized by the General Directorate upon the request of the unit chief, can only exercise this authority in accordance with the principles of Personal Data Protection Legislation in the context of planning, managing, supervising and regulating of health care services and financing tasks.
The limits of the purpose of planning and managing health care services and financing are determined by the duties assigned to the relevant unit in legal and administrative regulations.
4) Who can access to the health data of children?
Parents can access their child's health records via e-Nabız without any need for approval. Children with ability to distinguish, may subject parental access to their health history to permission through e-Nabız.
In case of divorce of the parents, the party that has not been left on custody rights, has access to child’s health data in accordance with the legislation on protection of personal data and within the limits set by the General Directorate, taking into account the benefit of the child and the guardian.
5) How can the relatives access the patient’s health data?
By sharing of personal health data with the relatives of the patients, the third paragraph of Article 18 of the Patient Rights Regulation, which is published in the Official Gazette dated 01/08/1998 and numbered 23420, shall be followed in such a manner that does not contradict the principles of the Law.
6) Do lawyers have access to their clients' health data?
Lawyers are not entitled to request their client's health data by general proxy.The power of attorney issued for the transfer of the client’s health data to its lawyer should include a special provision indicating the express consent of the person concerned for processing and transferring of its special quality personal data.
7) Who can access the health data of a deceased person and for how long?
The legal heirs of the testator are individually authorized to receive the health data of the decedent by submitting their certificate of inheritance.
The health data of a deceased person is stored for at least 20 years.
8) How and by whom will the health data of people, who have been given a confidentiality order, be hidden?
The request for confidentiality of the health data of people, who have been given a confidentiality decision, and the warrant sent by the judicial authorities will be fulfilled by the local health authority.
The action taken by the local health authority will directly be reflected in the Identity Sharing System.
ll necessary technical and administrative measures shall be taken to ensure that confidentiality order are known only by persons who are required to know them by their duties.
9) How can the improperly process data be corrected?
The person concerned shall apply to the local health authority, to which the health care provider is affiliated, in order to correct the wrong health data about himself. If the local health authority reaches the information that the health data is created by mistake, as a result of the research on the relevant health service provider, it shall apply to the General Directorate with an official letter and ask for the correction of the health data, which created by mistake. The operation to be established by the General Directorate is also performed in the database of the health service provider.
The General Directorate determines the date, on which the wrongly created health data by the health service providers can be corrected and updates this date as required. Health data, which is created after this specific date given by the General Directorate, shall be corrected by the relevant health service provider; the health data, which is created before this date, shall be corrected by the General Directorate upon the request of the relevant provincial health directorate.
10) What is the procedure for transferring personal health data to other institutions?
One shall observe the article 8 of the Law for domestic transfer and the article 9 of the Law for international transfer of personal health data. A protocol shall be prepared for transferring personal health data to public institutions and organizations within the scope of these articles. The general principles of personal data protection legislation and the provisions regarding data security and information about data which will be transferred under the protocol, should be included in this Protocol. If the technical infrastructure is suitable, data will be transferred through KamuNET.
Demands for the transfer of personal health data are evaluated by the Ministry department, to which the requested health data is related, in terms of the Law and other relevant legislation. The process is established by the General Directorate according to the evaluation result.
11) Who can handle personal health data for scientific purposes and to what extent?
In the scope of article 28/1b of the Law; “Processing of personal data for purposes such as research, planning and statistics through anonymization with official statistics”, scientific studies can be carried out with health data, which is anonymized by the data officer.
In the scope of article 28/1c of the Law; “Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national crime, national security, public security, public order, economic security, privacy or privacy rights or constitute a crime”
Personal health data may be processed for scientific purposes within the framework of technical and administrative measures to be taken provided that they;
- do not violate the privacy or personal rights of the persons concerned or
- do not constitute a crime.
12) For which purposes and by whom can personal health data be made accessible to everyone?
By taking into account the regulations on data privacy and data security of the data contained in the systems used by the central and provincial organizations of the Ministry and its affiliated and related institutions, by the General Directorate, with some specific purposes such as;
- ensuring transparency and accountability in the health system,
- directing policies and strategies for health care delivery;
- supporting scientific research in the field of health; and
- ensuring the development of health-related products and services;
The Ministry shall determine the principles and procedures for making it accessible to everyone through a dedicated website.
13) How is the security of personal health data and information ensured?
Data security obligations in Article 12 of the Law will be observed. By taking technical and administrative measures, the Personal Data Security Guideline prepared by the Authority will be predicated on.
In the event that the processed personal data is seized by others by unlawful means, the notification to be made to the Council by the data officer shall be based on the provisions of the Law and the regulatory procedures of the Council regarding this matter.
Information security processes performed in the central units of the Ministry and provincial organizations and affiliated and related institutions are determined by the Information Security Policies Directive prepared by the General Directorate.
14) What is the sanction of non-compliance with the Regulation?
For the crimes and misdemeanors related to personal data protected by this Regulation, the procedure shall be carried out in accordance with Article 17-18 of Law.
Public officials who do not fulfill the requirements of this Regulation will be notified to the disciplinary authority to which they are registered and their authority will be cancelled, if they have any. Real persons and private legal entities shall be treated in accordance with the relevant legislation.
The health service providers that do not send data to the central health data system in accordance with the procedures and principles determined by the Ministry shall be warned twice. A penalty which is amounted of 1% of the gross income in the previous month hall be applied to the providers that do not follow the warnings .
15) When will the Regulation enter into force?
The Regulation has entered into force on 21 June 2019.
Other News
-
8.4.2024
E-Application" Period In Capital Markets Board Applications
With its announcement dated 5 February 2024, the Capital Markets Board ("Board") announced to the public that capital market institutions, organisations and partnerships will be able to make their applications more quickly and effectively through the e-Application System.
-
5.4.2024
The Amounts In The Pre-Conditions To Be Complied With Before The Initial Public Offering Of Shares In Several Sectors Were Decreased
The Capital Markets Board ("Board" or "CMB") decreased the financial thresholds for financial statements, especially considering the sectoral differences of the companies that submitting to the Board for initial public offering and the 12th Development Plan ("Plan") prepared by the Presidency of the Strategy and Budget Directorate.
-
15.3.2024
New Regulations Introduced With The 8th Judicial Package
The Law No. 7499 on the Amendment of the Code of Criminal Procedure and Certain Laws ("Law"), which contains amendments and new regulations known as the "8th Judicial Package", was published in the Official Gazette dated 12 March 2024 and numbered 32487. In this article, we will discuss the amendments to the Criminal Procedure Code No. 5271 (" CPC"), Turkish Criminal Code No. 5237 ("TCC"), Turkish Civil Code No. 4721 ("TCC"), Enforcement and Bankruptcy Code No. 2004 ("EBC") and Law No. 6384 on the Duties and Working Procedures and Principles of the Compensation Commission.
-
12.3.2024
Changes In The PDPL Was Published In THE Official Gazette
Law No. 7499 on Amendments to the Code of Criminal Procedure and Some Laws ("Law No. 7499") including critical amendments to the Law No. 6698 on the Personal Data Protection Law ("PDPL") was published in the Official Gazette on March 12, 2024.
-
9.2.2024
Amendments Were Made To The Regulations Based On The Occupational Health And Safety Law
In the Official Gazette dated 4 February 2024 and numbered 32450, amendments were made to some regulations issued based on the Occupational Health and Safety Law No. 6331:
-
1.2.2024
Turkish Competition Board Mergers And Acquisitions Outlook Report For 2023 Has Been Published
On January 5th, 2024, the Turkish Competition Authority has published the Report prepared by the Competition Board on Mergers, Acquisitions And Privatisation Transactions in 2023 ("Report").
-
31.1.2024
Important Principle Decision From The Advertising Board Regarding Discount Sale Advertisements
At the first meeting of the year held on January 9, 2024, the Advertising Board made an important principle decision regarding discount sale advertisements by amending the "Guideline on Advertisements Containing Price Information and Discount Sale Advertisements and Commercial Practices" in order to prevent consumer victimization through misleading advertisements and practices that lead to unfair competition in the retail trade sector.
-
17.1.2024
The Authority to Decide on Trademark Cancellation Passed to the Turkish Patent And Trademark Office!
In Article 192/1 (a) of the Industrial Property Law ("IPL") published in the Official Gazette dated 10 January 2017 and numbered 29944, the enforcement of Article 26 of the Law titled "Cancellation Cases and Cancellation Request" was postponed until seven years later, and with the Provisional Article 4 of the IPL, it was stipulated that the authority to decide on the cancellation of trademarks would be directly exercised by the Intellectual and Industrial Rights Civil Courts until 10 January 2024.
-
16.1.2024
Egemenoğlu Hukuk Bürosu / Internship Application
We are pleased to announce the opening of internship applications at Egemenoğlu Hukuk Bürosu. Legal Internship Application Deadline: March 15 Summer Internship Application Deadline: March 29 Prospective candidates are requested to submit their CVs either through our website www.egemenoglu.av.tr or by sending them to info@egemenoglu.av.tr.
-
12.1.2024
Turkish Sustainability Reporting Standards (TSRS) And Scope Of Application Of TSRSs Were Puslished In The Official Gazette
In the Official Gazette dated 29.12.2023 and numbered 32414, the Public Oversight, Accounting and Auditing Standards Authority (POA) announced the Turkish Sustainability Reporting Standards and determined the principles to be followed in sustainability reports.
-
11.1.2024
Important Regulations Which Are Effective As Of 2024 And/ Or Has Been Made Subject To Time Extension
Laws No. 5746 and No. 6550 extended the regulation on higher depreciation (showing expenses related to depreciation) and calculation rates and periods for new machines acquired for use in R&D, innovation and design activities.
-
19.12.2023
The Principles and Rules to be Applied in Retail Trade have been reorganize
With the "Regulation Amending the Regulation on Principles and Rules to be Applied in Retail Trade" prepared by the Ministry of Commerce and published in the official gazette on 14.12.2023, significant changes were made in the principles and rules of retail trade.
-
18.11.2023
Warning From The Authority On Sending Verification Codes To Customers Via Sms During Shopping
The Personal Data Protection Authority ("Authority") published a Public Announcement ("Announcement") on the Processing of Personal Data by Sending a Verification Code via SMS to the Data Subjects during Shopping in Stores.
-
14.11.2023
Communiqué Amending the Communiqué on the Procedures and Principles Regarding the Application of Article 376 of the Turkish Commercial Code No. 6102 has been published
In order to regulate the procedures and principles to be followed in cases of loss of capital or insolvency of joint stock companies, limited liability companies and limited partnership companies with capital divided into shares within the scope of Article 376 of the Turkish Commercial Code No. 6102 (Law), the Communiqué on the Procedures and Principles Regarding the Application of Article 376 of the Turkish Commercial Code No. 6102 (Communiqué) was first published in the Official Gazette dated 15/09/2018 and numbered 30536, and with the Provisional Article 1 of this Communiqué until 01/01/2023, Within the scope of Article 376 of the Law, it was stated that foreign exchange losses arising from foreign currency denominated liabilities that have not yet been fulfilled may not be taken into account in the calculations regarding capital loss or insolvency.
-
3.11.2023
Law No. 7464 on the Leasing of Houses For Tourism Purposes And Amendment To Certain Laws Has Been Published
Published in the Official Gazette dated 2.11.2023 and numbered 32357 and published in the Official Gazette dated 2.11.2023 and numbered 32357, the Law on the Leasing of Houses for Tourism Purposes and Amendments to Certain Laws (No: 7464) aims to determine the procedures and principles regarding the leasing of houses to real and legal persons for tourism purposes.