Data about someone’s health are sensitive. This is why the Personal Data Protection Act BES (PDPA BES) provides that these data are so-called special personal data and that organizations may only use them if special conditions are met. Medical data include not only data found and recorded by doctors, but any data relating to a person’s physical or mental health.
Duty of Confidentiality
People who work with medical data by virtue of their profession are subject to a duty of confidentiality. This means that, in principle, they are not allowed to disclose patient data to others. Different types of confidentiality duties apply to different types of occupations.
Healthcare providers such as doctors, nurses, and psychotherapists are subject to medical confidentiality as provided by law. Some other care providers, such as social workers, are subject to a duty of confidentiality by virtue of their professional code. Staff employed by a healthcare institution (such as a hospital) where someone is undergoing treatment are bound by a duty of confidentiality through their employment contract.
On the other hand, using and disclosing medical data does not always require the involvement of a doctor. Medical data can also be used and exchanged by non-healthcare organizations, provided the PDPA BES or another law provides a basis for such use or exchange.
No, in principle this is not allowed. Only in exceptional situations is your healthcare provider allowed to share your medical data. As a patient, you should be able to trust the healthcare provider to keep secret whatever confidential information you share with him or her. This is why healthcare providers are subject to a duty of confidentiality, as are other employees of healthcare institutions, such as hospitals.
Doctors, dentists, healthcare psychologists, psychotherapists, physical therapists, obstetricians, and nurses are subject to medical confidentiality. If a healthcare provider violates medical confidentiality, you can take disciplinary or criminal action against him or her.
Duty of Confidentiality by Virtue of a Professional Code
Some other professionals, such as social workers, are not subject to medical confidentiality as provided by law. Nevertheless, they do have a duty of confidentiality by virtue of their professional code. In some cases, (internal) disciplinary rules may also apply.
Duty of Confidentiality for Healthcare Institution Staff
There is also a duty of confidentiality if you enter into a treatment agreement with a healthcare institution (Article 7:457 of the BES Civil Code). Such an agreement provides that you will receive treatment at the healthcare institution.
The institution employs people who are subject to medical confidentiality or a duty of confidentiality by virtue of a professional code. However, some of the employees are not subject to such a duty, such as secretaries or financial assistants. These employees nevertheless have a contractual obligation to treat your data as confidential. The term “data” refers to anything they know about you and your treatment due to their involvement in your treatment.
There are several conditions under which your healthcare provider (such as your family doctor, dentist, or hospital specialist) may breach medical confidentiality. In such cases, your healthcare provider is allowed to disclose your medical data to others. The three main conditions are stated below.
Your healthcare provider can share your medical data at his or her own initiative, or someone else may ask your healthcare provider for your medical data. In either case, your healthcare provider is allowed to disclose your data if you have given your consent to do so.
Before you can give consent, you should have been fully informed of the reason why your data will be disclosed. You should be informed either by the healthcare provider himself (possibly on behalf of the person or organization requesting your data) or by this person/organization.
Your healthcare provider is allowed to breach medical confidentiality if this is required by law. Examples are the provisions in the BES Burial Act and the BES Cremation Act, the BES Health Insurance Decree and the BES Special Medical Expenses General Insurance Act.
Conflict of Duties
Your healthcare provider may breach medical confidentiality in the event of a conflict of duties. Such a conflict arises if complying with medical confidentiality would result in serious damage or danger to you or someone else. A conflict of duties will only exist in very exceptional cases, when an emergency exists. An example could be reported child abuse.
Your healthcare provider should have tried everything possible to solve the problem without breaching medical confidentiality. Likewise, your healthcare provider should first try to get your consent to share your medical data. Your healthcare provider should be able to justify the breach of medical confidentiality.
Your healthcare provider may breach medical confidentiality if you have given your consent to do so, if there is a legal obligation to do so, or in the event of a so-called conflict of duties. In addition, there are three other situations in which your healthcare provider is allowed to disclose your medical data without your consent.
People Directly Involved
Your healthcare provider is allowed to share information with those directly involved with your treatment and with their substitutes or the people filling in for them. These may be other healthcare providers, but also, for example, secretaries or financial assistants.
Your data may only be shared to the extent this is required for their work. You are assumed to consent to this. If you object, your healthcare provider is not allowed to disclose your medical data.
Does your healthcare provider use a national or regional electronic patient file to exchange your medical data? In the case of a national exchange, this is only allowed if you previously consented to it. Regional exchanges sometimes require your previous consent, too.
Your healthcare provider is allowed to disclose information to legal representatives to the extent this is required to ask for their consent to a treatment, such as a treatment for a patient of age who is incapable of giving informed consent, or for a child under the age of 16. The healthcare provider will then ask for the consent of the patient’s or child’s legal representative(s). In the case of a child, this is usually one or both parents.
Healthcare providers are not allowed to disclose data to legal representatives if this is contrary to good healthcare providership, e.g. if disclosure is contrary to the interests of the legally incapable patient or the child.
Generally speaking, your medical data may only be used for scientific research if you have consented to this. In some cases, and subject to further conditions, this is also allowed without your consent, e.g. if it is reasonably impossible to ask for your consent. In addition, a number of guarantees should be in place to protect your privacy.
Yes, this is allowed. Your healthcare provider has a legal obligation to provide your health insurer with certain medical data. This includes data that are required to settle the bills for your treatment.
Yes, this is allowed. Healthcare providers often do not prepare and collect the bills for their patients themselves, but hire an administrative office or factoring company to do this for them, or even a collection agency if you do not pay your bill on time. Those organizations need medical data to be able to prepare itemized bills.
Your healthcare provider is only allowed to provide the organization with data that are necessary to prepare and collect the bill. Likewise, the organization may subsequently use these data only for this purpose.
If you have a question or complaint, e.g. because you feel your healthcare provider has breached medical confidentiality, you should first discuss your question or complaint with your healthcare provider.
Can’t you sort it out?
If you are unhappy with the outcome of the interview, or you do not want an interview, there are several ways you can file a complaint.