Turkey publishes regulation on personal health data
The Regulation on Personal Health Data, prepared by the Ministry of Health, was published in the Official Gazette on June 21. The Regulation annuls the Regulation on Processing and Ensuring the Privacy of Personal Health Data and sets forth the principles and procedures regarding the processing of personal health data by real persons and private legal entities as well as public organizations and institutions.
The Regulation contains general and detailed provisions regarding the general principles and rules for processing health data as well as health data on the e-Pulse (e-Nabiz) system; health data requiring a higher level of privacy; access to children’s health data; and access to health data by third persons, including healthcare professionals.
In this respect, healthcare professionals may access the personal health data of patients only on the condition that such access is limited to the purpose of providing healthcare services. Patients will not be in any way required to submit or disclose their medical history unless it is necessary for the provision of such services.
The Regulation also contains various provisions regarding health data on the e-Nabiz system established by the Ministry of Health, which provides patients and third persons with access to health data. Accordingly, the health data of patients with e-Nabiz accounts will only be accessible within the framework of patients’ privacy preferences. Patients may change their privacy settings through the e-Nabiz system if they do not want their medical history to be accessible to anyone.
Furthermore, the Regulation limits access to the health data of patients without e-Nabiz accounts. Accordingly, such data may only be accessed by (i) practitioners in the family doctor system, without any time limitation; (ii) practitioners until the end of the health services or any other procedures provided; (iii) practitioners working at the relevant health service provider, for 24 hours starting from the time the patient registers to receive services; and (iv) practitioners working at the healthcare service provider where the patient is hospitalized, until the patient is discharged.
The Regulation requires healthcare service providers to implement anonymization and masking measures for hard copy materials such as files and reports that contain patients’ health data, such as test and clinical examination results.
The Ministry of Health will also determine certain health data which require a higher level of privacy and pose a significant risk of impacting patients’ social lives and mental health if others come to know or access this data. The Ministry of Health may introduce new restrictions regarding the access to such data.
As per the Regulation, lawyers may request to receive their clients’ health data only by submitting a special power of attorney containing the clients’ explicit consent.
The processing of health data, a special category of data under the law, is subject to strict conditions. In this respect, considering that failure to comply with data security obligations may be subject to administrative fines ranging from TRY 15,000 to 1,000,000, the relevant organizations and institutions must carefully review the Ministry of Health and the Personal Data Protection Authority’s regulations and take the necessary steps to ensure compliance.