Frequently asked questions about health care
Rectifying patient records
If there are errors in your patient records, you can ask for their rectification. The rectification request is made to the health care unit whose operations the records concern. If necessary, you can ask the unit's Data Protection Officer or Patient Ombudsman for advice.
You can request the rectification of the inaccurate data. The request is made to the health care service provider whose operations the records concern. Kela cannot rectify records viewed through My Kanta.
Read more on My Kanta on the Kanta service website. Also see the Kanta service FAQ on the service's website.
Evaluating the correctness of medical assessments does not fall within the competence of the Data Protection Ombudsman. For this reason, the Data Protection Ombudsman does not order the rectification of, for example, diagnosis data. Neither can the Data Protection Ombudsman order the rectification of a medical assessment entered in the patient records on the basis of a medical report obtained from elsewhere.
Patients who are unsatisfied with their treatment or the actions of a health care professional can file the objection provided for in the Act on the Status and Right of Patients with the health care unit's chief physician or the equivalent.
You can request the entry to be supplemented with your view of the course of events or your words. In most cases, the information in the entry still cannot be erased or amended if it corresponds to the opinion of its author at the time of the events. As a rule, such data is not considered to be inaccurate for the purpose of patient records, since it is specifically the duty of health care professionals to record their observations in the patient records.
The Data Protection Ombudsman has recommended that entries be supplemented with the patient’s understanding of the course of events or their own words, particularly if the patient's version would have influenced, or could in future influence, decisions on the patient’s treatment. The information added to entries must be necessary with regard to the purpose of patient records.
Disclosure of data
Patient records are confidential. They can be disclosed to third parties, i.e. persons who are not involved in the patient’s care or related tasks at the same health care unit, only with the patient's consent or if the right to disclose or obtain the data is provided for in law.
The party disclosing the data is responsible for the legality of the disclosure. If necessary, the disclosing party should ask the recipient to provide additional information on the purpose for which the data is necessary and on the legal provisions on which the request is based.
Patient records are confidential and may not be disclosed to third parties without the patient's consent or a legal provision that makes the disclosure possible. Members of the patient's family are also third parties, and patient records cannot normally be disclosed to them without the patient’s consent.
If an adult patient cannot decide on his or her own treatment due to mental illness, mental disability or other reasons, the patient's legal representative, family member or other person close to the patient must be heard before making important treatment decisions in order to determine which treatment would best correspond to the patient’s will. In such cases, the treatment also requires the consent of the patient’s legal representative, family member or other person close to the patient. In order to be able to decide whether to give such consent, the person is entitled to receive any information regarding the patient's state of health that may be required to enable them to express an opinion and give their consent.
If an underage patient is not able to decide on his or her treatment, the patient must be treated in mutual understanding with his or her custodian or other legal representative. In such cases, this person has the right to receive information on the underage child’s state of health, the significance of the treatment, various alternative forms of treatment and their effects and about other factors related to the child's treatment that are significant when decisions are made on the treatment given to the child.
If the age and level of development of an underage patient permit the patient to decide on the treatment given to him or her, the patient has to be treated in mutual understanding with him or her. In such cases, the underage patient can forbid the disclosure of information on his or her state of health and treatment to the patient's custodian or other legal representative.
Information on the health and medical care of a deceased person may be given to persons who need the information in order to find out and fulfil their vital interests or rights. The justified information request shall be made in writing to the health care unit or professional in question. In such cases, the right to receive information is not limited to the patient’s family.
The Act on Determination of the Cause of Death specifically provides for the right of family members to receive information from documents concerning the determination of the cause of death.
You can obtain information on who has used your patient records or to whom they have been disclosed. The request should be made in writing to the health care service provider in whose operations you suspect the baseless processing to have occurred. The information from the log file will be provided without delay and free of charge.
The information cannot be disclosed if it would cause serious danger to the health or treatment of a patient or to the rights of another individual. Information on processing that took place more than two years ago can only be obtained on special grounds.
If you feel that your patient records have been used or disclosed without sufficient grounds, the service provider that used or received the data must, upon request, provide you with a report on the basis for the use or disclosure of the data.
This right is based on the Act on the Electronic Processing of Social Welfare and Health Care Customer Records. The Data Protection Ombudsman is not competent to evaluate the realisation of this right or to order such information to be delivered to patients.
If you have cause to suspect that a crime has taken place in the processing of patient records, please turn to the police.
According to the Patient Injury Act, the Patient Insurance Centre has the right to obtain information required for determining the grounds for compensation and the extent of liability. This right is not limited by provisions on secrecy obligations or the disclosure of data from personal data files issued in other legislation.
Information that is not necessary for the processing of the patient injury case may not be disclosed to the Patient Insurance Centre. For example, the patient’s complete case history may only be disclosed to the Patient Insurance Centre in exceptional circumstances.
According to the Data Protection Ombudsman’s established decision-making practice, user log data is related to the access management of a data subject’s personal data and does not concern the individual themselves. Rather, user log data can concern, for example, the employees who processed the individual’s data. Article 15 of the General Data Protection Regulation provides for the data subject’s right of access to data concerning him or her. Since log data concerns access management and not the data subject on whose data it is accumulated, that individual is not entitled to log data by virtue of this right of access.
The Client Data Act, or Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (159/2007), specifically provides for the right of patients and social welfare clients to log data. You can obtain information on who has used your patient records or social welfare client records, or to whom they have been disclosed. The Data Protection Ombudsman is not competent to evaluate the realisation of this right or to order such information to be delivered to patients or clients. More information on the disclosure of log register data is available in the Frequently asked questions about health care section under “I suspect that my patient records have been processed without basis”.
Section 11 of the Act on the Openness of Government Activities concerning parties’ right of access can also be applied to log data, also enabling access to secret information from logs kept by authorities. The Data Protection Ombudsman is not competent to evaluate the realisation of the right of access to information by virtue of the Act on the Openness of Government Activities or to order such information to be delivered by virtue of the Act.
Erasure of patient records
Article 17 of the General Data Protection Regulation (GDPR) provides for the right of data subjects to request the controller to erase personal data concerning them. Patients are also entitled to exercise this right. Accepting the erasure request is not often possible, however, since the law requires patient records to be stored for a certain period of time.
No. Health care professionals have a duty to draw up patient records of all services provided to patients. These records must be kept for the period of time specified in the table appended to the Patient Records Decree. The statutory obligation to process (in practice, store) patient records excludes the possibility of erasing someone’s patient records completely.
Neither can individual entries concerning a service be erased completely. Entries can nevertheless be rectified where inaccurate, completed where incomplete and erased where unnecessary. Inaccuracy, incompleteness and necessity are assessed in relation to the purpose of the patient records. The assessment is made using the information available when the entry was made.
The erased data must have been unnecessary at the time of recording. Necessity is assessed in relation to the purpose of the patient records, using the information available when the entry was made.
The purpose of patient records is the arrangement, planning, implementation and monitoring of the patient's treatment. Entries whose necessity cannot be justified by this purpose must be erased from the patient records. According to the established decision practice of the Data Protection Ombudsman, such information includes stigmatising or otherwise inappropriate data.
As a rule, data entered in patient records by a health care professional on the basis of a professional assessment cannot be considered unnecessary. Such data cannot be erased from the patient records even if later revealed to be inaccurate.
Address the request to the controller of the patient records and specify, word-for-word, the section of your patient records you wish to have erased. Justify your request.
You can request more detailed instructions on exercising your right of erasure from the organisation's Data Protection Officer.
Occupational health care
The payer of the invoice, i.e. the employer, must be able to make sure that the occupational health care services have been used by an employee of the employer, and that the services provided are covered by the occupational health care agreement. Patient records are nevertheless confidential. The occupational health care agreement should specify in a sufficiently unambiguous manner how the requirements of confidentiality will be taken into account in the invoicing procedures.
The Data Protection Ombudsman recommends that, for the verification of correct invoicing, the occupational health care provider should append a separate list of employees who have used occupational health care services during the invoicing period and a separate listing of the procedures performed (e.g. 5 blood pressure measurements, or the number of physician's appointments or laboratory visits by type). It should not be possible to connect the procedures to specific employees. It would be justified to extend the invoicing period if only a single employee or a few employees have used occupational health care services during the period and the information concerning a specific individual could be connected to procedures.
Alternatively, the occupational health care provider could disclose the information concerning the employee so that only the type of service (e.g. physician's appointment, laboratory visit) is indicated on the invoice, without revealing the nature of the illness or condition. The appointment date can also be indicated if the information is necessary for verifying the correctness of invoicing and with regard to the rights and obligations related to the employment relationship.
If the employer delivers a medical certificate from its HR file to the occupational health care provider, this constitutes a change in the purpose of use of the data and a disclosure of data from one controller to another. The employer is entitled to deliver a medical certificate or statement, which has been given to the employer by the employee and concerns the employee’s own ability to work, to the occupational health care provider unless the employee has prohibited such disclosures. In other cases, confidential information can only be disclosed with the data subject’s specific consent. The employee must be informed of the right to object to the processing in advance.