Frequently asked questions about health care
Rectifying patient records
If there are errors in your patient records, you can ask for their rectification. The rectification request is made to the health care unit whose operations the records concern. If necessary, you can ask the unit's Data Protection Officer or Patient Ombudsman for advice.
You can request the rectification of the inaccurate data. The request is made to the health care service provider whose operations the records concern. Kela cannot rectify records viewed through My Kanta.
Read more on My Kanta on the Kanta service website. Also see the Kanta service FAQ on the service's website.
Evaluating the correctness of medical assessments does not fall within the competence of the Data Protection Ombudsman. For this reason, the Data Protection Ombudsman does not order the rectification of, for example diagnosis data. Neither can the Data Protection Ombudsman order the rectification of a medical assessment entered in the patient records on the basis of a medical report obtained from elsewhere.
Patients who are unsatisfied with their treatment or the actions of a health care professional can file the objection provided for in the Act on the Status and Right of Patients with the health care unit's chief physician or the equivalent.
You can request the entry to be supplemented with your view of the course of events or your words. In most cases, the information in the entry still cannot be erased or amended if it corresponds to the opinion of its author at the time of the events. As a rule, such data is not considered to be inaccurate for the purpose of patient records, since it is specifically the duty of health care professionals to record their observations in the patient records.
The Data Protection Ombudsman has recommended the entries to be supplemented by the patient’s understanding of the course of events or their own words, particularly if the patient's version would have or could in future influence decisions on the patient’s treatment. The information added to entries must be necessary with regard to the purpose of patient records.
Disclosure of data
Patient records are confidential. They can be disclosed to third parties, i.e. persons who are not involved in the patient’s care or related tasks at the same health care unit, only with the patient's consent or if the right to disclose or obtain the data is provided for in law.
The party disclosing the data is responsible for the legality of the disclosure. If necessary, the disclosing party should ask the recipient to provide additional information on the purpose for which the data is necessary and on the legal provisions on which the request is based.
Patient records are confidential and may not be disclosed to third parties without the patient's consent or a legal provision that makes the disclosure possible. Members of the patient's family are also third parties, and patient records cannot normally be disclosed to them without the patient’s consent.
If an adult patient cannot decide on his or her own treatment due to mental illness, mental disability or other reasons, the patient's legal representative, family member or other person close to the patient must be heard before making important treatment decisions in order to determine which treatment would best correspond to the patient’s will. In such cases, the treatment also requires the consent of the patient’s legal representative, family member or other person close to the patient. In order to be able to decide whether to give such consent, the person is entitled to receive any information regarding the patient's state of health that may be required to enable them to express an opinion and give their consent.
If an underage patient is not able to decide on his or her treatment, the patient must be treated in mutual understanding with his or her custodian or other legal representative. In such cases, this person has the right to receive information on the underage child’s state of health, the significance of the treatment, various alternative forms of treatment and their effects and about other factors related to the child's treatment that are significant when decisions are made on the treatment given to the child.
If the age and level of development of an underage patient permit the patient to decide on the treatment given to him or her, the patient has to be treated in mutual understanding with him or her. In such cases, the underage patient can forbid the disclosure of information on his or her state of health and treatment to the patient's custodian or other legal representative.
Information on the health and medical care of a deceased person may be given to persons who need the information in order to find out or fulfil their vital interests or rights. The data may be disclosed to the extent that it is necessary to establish or enforce these interests or rights.
The justified information request shall be made in writing to the health care unit or professional in question. In such cases, the right to receive information is not limited to the patient’s family.
The Act on Determination of the Cause of Death specifically provides for the right of family members to receive information from documents concerning the determination of the cause of death.
You can obtain information on who has used your patient records or to whom they have been disclosed. The request should be made in writing to the health care service provider in whose operations you suspect the baseless processing to have occurred. The data are provided free of charge based on the log file within a reasonable period, two months from the request being made at the latest.
The information cannot be disclosed if it would cause serious danger to the health or treatment of a patient or to the rights of another individual. Information on processing that took place more than two years ago can only be obtained on special grounds. If the service provider does not think that the log data can be disclosed to you, the provider must make a decision on the refusal in writing. If you believe that there are no grounds for the refusal, you can submit the case to the Office of the Data Protection Ombudsman for processing.
If you feel that your patient records have been used or disclosed without sufficient grounds, the service provider that used or received the data must, upon request, provide you with a report on the basis for the use or disclosure of the data. In addition, the service provider must present a justified opinion on whether the use or disclosure of data has been legal.
If you have cause to suspect that a crime has taken place in the processing of patient records, please turn to the police.
According to the Patient Injury Act, the Patient Insurance Centre has the right to obtain information required for determining the grounds for compensation and the extent of liability. This right is not limited by provisions on secrecy obligations or the disclosure of data from personal data files issued in other legislation.
Information that is not necessary for the processing of the patient injury case may not be disclosed to the Patient Insurance Centre. For example, the patient’s complete case history may only be disclosed to the Patient Insurance Centre in exceptional circumstances.
Non-disclosure for personal safety and the processing of personal data subject to such non-disclosure is provided for in the Act on the Population Information System and the Digital and Population Services Agency’s Certificate Services (Laki väestötietojärjestelmästä ja Digi- ja väestötietoviraston varmennepalveluista 661/2009). The municipality of residence, place of residence, address and other contact details of someone subject to non-disclosure for personal safety may only be disclosed to an authority that has the right to process such data for the performance of a statutory duty or measure, or for the purpose of exercising the rights or fulfilling the obligations of the person subject to the non-disclosure.
An authority that has received data subject to non-disclosure for personal safety from the Population Information System may not pass such data on or allow it to be accessed or processed by a third party, unless otherwise provided for in the law.
Non-disclosure for personal safety applies to the disclosure of personal data subject to it from the Population Information System, as well as the right of authorities receiving such data to pass it on. Non-disclosure for personal safety does not apply to the disclosure of data in other circumstances. Neither does non-disclosure for personal safety affect the processing of data disclosed from the Population Information System before the non-disclosure entered into force, nor to data already stored by another party.
Non-disclosure for personal safety also applies to the disclosure of the identifying and geographical data of real estate, buildings and residences owned or controlled by the person, if it cannot be processed separately from the data subject to non-disclosure for personal safety.
The Data Protection Ombudsman cannot grant a non-disclosure for personal safety. In matters concerning non-disclosure for personal safety, the competent authority is the Digital and Population Services Agency.
Erasure of patient records
Article 17 of the General Data Protection Regulation (GDPR) provides for the right of data subjects to request the controller to erase personal data concerning them. Patients are also entitled to exercise this right. Accepting the erasure request is not often possible, however, since the law requires patient records to be stored for a certain period of time.
No. Health care professionals have a duty to draw up patient records of all services provided to patients. These records must be kept for the period of time specified in the table appended to the Patient Records Decree. The statutory obligation to process (in practice, store) patient records excludes the possibility of erasing someone’s patient records completely.
Neither can individual entries concerning a service be erased completely. Entries can nevertheless be rectified where inaccurate, completed where incomplete and erased where unnecessary. Inaccuracy, incompleteness and necessity is assessed in relation to the purpose of the patient records. The assessment is made using the information available when the entry was made.
The erased data must have been unnecessary at the time of recording. Necessity is assessed in relation to the purpose of the patient records, using the information available when the entry was made.
The purpose of patient records is the arrangement, planning, implementation and monitoring of the patient's treatment. Entries whose necessity cannot be justified by this purpose must be erased from the patient records. According to the established decision practice of the Data Protection Ombudsman, such information includes stigmatising or otherwise inappropriate data.
As a rule, data entered in patient records by a health care professional on the basis of a professional assessment cannot be considered unnecessary. Such data cannot be erased from the patient records even if later revealed to be inaccurate.
Address the request to the controller of the patient records and specify, word-for-word, the section of your patient records you wish to have erased. Justify your request.
You can request more detailed instructions on exercising your right of erasure from the organisation's Data Protection Officer.
Occupational health care
The payer of the invoice, i.e. the employer, must be able to make sure that the occupational health care services have been used by an employee of the employer, and that the services provided are covered by the occupational health care agreement. Patient records are nevertheless confidential. The occupational health care agreement should specify in a sufficiently unambiguous manner how the requirements of confidentiality will be taken into account in the invoicing procedures.
The Data Protection Ombudsman recommends that, for the verification of correct invoicing, the occupational health care provider should append a separate list of employees who have used occupational health care services during the invoicing period and a separate listing of the procedures performed (e.g. 5 blood pressure measurements, or the number of physician's appointments or laboratory visits by type). It should not be possible to connect the procedures to specific employees. It would be justified to extend the invoicing period if only a single employee or a few employees have used occupational health care services during the period and the information concerning a specific individual could be connected to procedures.
Alternatively, the occupational health care provider could disclose the information concerning the employee so that only the type of service (e.g. physician's appointment, laboratory visit) is indicated on the invoice, without revealing the nature of the illness or condition. The appointment date can also be indicated if the information is necessary for verifying the correctness of invoicing and with regard to the rights and obligations related to the employment relationship.
If the employer delivers a medical certificate from its HR file to the occupational health care provider, this constitutes a change in the purpose of use of the data and a disclosure of data from one controller to another. The employer is entitled to deliver a medical certificate or statement, which has been given to the employer by the employee and concerns the employee’s own ability to work, to the occupational health care provider unless the employee has prohibited such disclosures. In other cases, confidential information can only be disclosed with the data subject’s specific consent. The employee must be informed of the right to object to the processing in advance.
Conversations during treatment
Data protection legislation does not restrict spoken conversations between patients and health care professionals. Such conversations are subject to the rules regarding professional confidentiality. Individuals who process confidential patient records are under an obligation of confidentiality and may not disclose patient data to third parties.
The treatment of a patient in a health centre, hospital or other health care unit imposes certain limits on the patient’s private life. However, the protection of a patient's privacy may not be overridden by the maintenance of order and security at the unit or, for example, the demands of other patients. Health care units should strive to take their patients’ need for privacy into consideration, such as by making arrangements for receiving visitors and providing opportunities for private conversations.
The Office of the Data Protection Ombudsman cannot comment on the specific resources or, for example, premises required to enable confidential conversations. You can contact the health care organisation's patient ombudsman or data protection officer if you feel that the protection of privacy has not been sufficiently addressed.
Personal data breaches
In certain situations, the controller has an obligation to communicate a personal data breach to the supervisory authority and the persons affected by the breach. The controller must assess how high a risk the personal data breach poses to the persons affected by the breach. The level of risk determines whether the controller should notify both the Office of the Data Protection Ombudsman and the data subjects of the personal data breach. The controller must internally document all personal data breaches.
When a personal data breach is likely to result in a risk to the data subject, it must be communicated to the Office of the Data Protection Ombudsman. If the personal data breach is likely to result in a high risk to the person affected by the breach, the controller must also communicate the personal data breach to the persons affected as well.
Read more about personal data breaches, risk assessment and the notification obligation
Examples of situations in health care in which personal data breaches should be communicated to both the Office of the Data Protection Ombudsman and the person affected by the personal data breach:
- An employee sent information on a client’s/patient’s health (e.g., substance abuse plan or medical certificate) by email or by letter to a wrong address. The information was received by an outsider.
- In a meeting, the speaker of an audio unit had been connected via Bluetooth to the equipment in the adjacent room. As a result, an outsider heard a call. Patient data was discussed at the meeting. It is not known for how long the outsider had been listening in.
- Medical records of a hospital were unavailable for the period of 30 hours due to a cyber-attack.
- In connection with routine operations control, the controller noticed that an employee in the unit had processed (i.e., pried into) an individual patient’s data as an outsider based on personal reasons.
- An employee uploaded to social media a photograph where personal data of an individual patient was visible. Image processing software makes it possible to enhance the patient data even if the photo is blurry. It is not known whether the photo was downloaded by any outsiders.
- An employee lost a client list containing information on the state of health of clients on a parking lot. The employee noticed the mistake but could not find the list. It is not known whether any outsiders got hold of the list.
- Some of the patient data stored in the system was destroyed permanently due to a human error. No backups exist, and the data cannot be retrieved.
- At reception desk, a client who came from a doctor’s appointment reported having received a sickness allowance form belonging to another person.
- The itemization to an invoice from an occupational health care provider revealed the cause of an employee’s appointment, which unnecessarily revealed information on the person’s health. The invoice recipient represented the employer.
- When visiting a client (A), a home care employee had accidentally left another client’s (B) information form at the client’s (A) home. The client’s (A) family member found the information among her own family member’s papers.
- A health care professional accidentally entered information on patient A’s drug allergy into patient B’s records. In other words, no allergy data was entered into patient A’s records. Patient B does not have any allergies. In the health care system, another health care professional (unaware of patient A’s allergy) administers patient A the drug patient A is allergic to. This causes a health risk to patient A.
- Suspicions have arisen that person A has presented himself as person B (identity theft), made a doctor’s appointment in his name and seen the doctor. The doctor treated the client based on the personal data given and made an entry into patient B’s records. Person B personally contacted the controller having noticed entries in My Kanta that did not concern him. The controller removed the false information from patient B’s records.
- A health care organisation makes patient entries on paper in a notebook. The notebook was stolen in connection with a break-in.
The controller must assess the level of risk caused by personal data breaches to the individuals concerned. The level of risk determines whether the controller is to communicate the personal data breach to the Office of the Data Protection Ombudsman and the data subjects. The controller must internally document all personal data breaches.
The Office of the Data Protection Ombudsman must be notified of personal data breaches when they are likely to cause a risk to data subjects. However, if the breach is unlikely to cause a high risk, it does not need to be communicated to the persons whose personal data have been affected by the personal data breach.
No notification to the data subjects is required, for example, when the controller has taken appropriate protection measures or subsequent measures to ensure that the high risk is no longer likely to materialise.
Read more about personal data breaches, risk assessment and the notification obligation
Examples of situations in health care in which personal data breaches should be communicated to the Office of the Data Protection Ombudsman but no notification to the persons affected by the breach is required:
- A cleaner emptied a waste bin, which the department employees used for temporarily storing confidential paper materials to be destroyed, to a wrong container. The container was taken to an insecure space. The controller has no knowledge of who were patients whose data the breach concerned. The controller ensured with the waste management that the data had been destroyed without them having been disclosed to outsiders.
- An operational health care unit (A) sent information concerning surgical treatment of several patients to another operational health care unit (B). The data was sent for the purposes of scientific research. No agreement had been drawn up between the units yet. Some of the patients could be identified from the data by combining information. The data was disclosed only to the health care professionals conducting the research study, who are subject to a duty of professional secrecy. The recipient destroyed the data. The patients had not been asked for their consent to being part of the study, which particularly affects how high the level of risk is assessed to be.
- A pharmacy delivered an order containing drugs for several patients intended to organisation A to organisation B. The pharmacy co-operates with both organisations, but the agreements made between the organisations do not define what would be the appropriate procedure to follow in a situation like this. Eventually, the drugs were delivered to the right patients in time.
- If the pharmacy has agreed with organisation B on an appropriate procedure for a situation like this, and B confirms to having followed the procedure, the pharmacy’s internal documentation of a personal data breach is probably sufficient. The procedures may include an obligation to communicate the incident to the pharmacy, to return or remove the data safely and to provide written confirmation of having taken these actions.
If a personal data breach is unlikely to cause a risk, it does not need to be communicated to the supervisory authority or the persons affected by the breach. Other situations in which communication of a personal data breach to the data subject is not required have been defined in paragraph 3 of Article 34 of General Data Protection Regulation (GDPR). Under GDPR, data subjects do not need to be notified in person if the controller has taken appropriate protection measures or subsequent measures to ensure that the high risk is no longer likely to materialise. The controller must internally document all personal data breaches.
Read more about personal data breaches, risk assessment and the notification obligation
Examples of situations in health care in which personal data breaches do not need to be communicated:
- Patient records were shared with a trusted recipient and established partner working at the same department. The recipient is subject to a legal obligation of professional secrecy, and they process the data as part of their work duties. In the situation, there is no reason to suspect that the data was or would be processed contrary to laws or instructions issued by the controller.
- Due to a system error, the referral of a patient (A) had been temporarily stored under a wrong patient’s (B) records. The error was local, and the information was not transmitted to Kanta. The laboratory that received the data was aware of the error. The error was cleared, and data integrity was restored quickly. It did not cause any harm to the patient.
-
A controller’s employee sent personal data in an unsecured email. There is no reason to suspect that the data would have been disclosed to outsiders.
-
A personal data breach concerned information on a deceased person only.
-
A system function allowed the main user to give themselves too extended level of access, which could have given them access to information they did not need to know based on their tasks. The controller could employ technical measures to ensure that the main user had not extended their level of access.
-
A controller saved an encrypted backup copy of an archive containing client data on a USB flash drive. The flash drive was stolen when the premises were broken into. The data was encrypted with a state-of-the-art algorithm, there are backups of the material, the unique encryption key is not compromised, and the data can be restored in time.
-
A text message about an appointment was sent to a wrong number. The message did not contain any identifiable personal data nor any health-related information.
-
A pharmacy employee gave client B a document displaying the name and personal identity code of client A. Client B noticed the incident immediately and returned the document to the pharmacy employee right away.
-
Patient A reported to health care that another person’s (B) data had been entered into her patient records. Based on the recorded data, person A cannot deduce who person B is. When the matter was confirmed, B’s data were removed from person A’s patient records and entered into patient B’s own patient records. Decisions related to patient A’s treatment were not made based on data concerning person B, and the incident did not affect patient B’s treatment.
-
A letter containing patient data was broken in a sorting centre. The post office notified the organisation that had sent the letter about the broken letter and returned it to the sender. Some patient data may have come visible to Posti employees.
-
In this case, it is likely that the recipient is considered a ’reliable recipient’. The controller can reasonably expect that the party does not read or use the data possibly revealed to them but complies with the existing instructions and returns them to the sender. It must be noted that if, in addition to loss of confidentiality, the incident has any other consequences for the data subject, all such consequences shall be taken into account when assessing the level of risk. For example, if the incident has adverse effects on the realisation of the data subject’s treatment, the risk to the rights and freedoms of the data subject is probably high.
-