If there are errors in your patient records, you can ask for their rectification. The rectification request is made to the health care unit whose operations the records concern. If necessary, you can ask the unit's Data Protection Officer or Patient Ombudsman for advice.
You can request the rectification of the inaccurate data. The request is made to the health care service provider whose operations the records concern. Kela cannot rectify records viewed through My Kanta.
Evaluating the correctness of medical assessments does not fall within the competence of the Data Protection Ombudsman. For this reason, the Data Protection Ombudsman does not order the rectification of, for example, diagnosis data. Neither can the Data Protection Ombudsman order the rectification of a medical assessment entered in the patient records on the basis of a medical report obtained from elsewhere.
Patients who are unsatisfied with their treatment or the actions of a health care professional can file the objection provided for in the Act on the Status and Rights of Patients with the health care unit's chief physician or the equivalent.
Disclosure of data
Patient records are confidential. They can be disclosed to third parties, i.e. persons who are not involved in the patient’s care or related tasks at the same health care unit, only with the patient's consent or if the right to disclose or obtain the data is provided for in law.
The party disclosing the data is responsible for the legality of the disclosure. If necessary, the disclosing party should ask the recipient to provide additional information on the purpose for which the data is necessary and on the legal provisions on which the request is based.
Patient records are confidential and may not be disclosed to third parties without the patient's consent or a legal provision that makes the disclosure possible. Members of the patient's family are also third parties, and patient records cannot normally be disclosed to them without the patient’s consent.
If an adult patient cannot decide on his or her own treatment due to mental illness, mental disability or other reasons, the patient's legal representative, family member or other person close to the patient must be heard before making important treatment decisions in order to determine which treatment would best correspond to the patient’s will. In such cases, the treatment also requires the consent of the patient’s legal representative, family member or other person close to the patient. In order to be able to decide whether to give such consent, the person is entitled to receive any information regarding the patient's state of health that may be required to enable them to express an opinion and give their consent.
If an underage patient is not able to decide on his or her treatment, the patient must be treated in mutual understanding with his or her custodian or other legal representative. In such cases, this person has the right to receive information on the underage child’s state of health, the significance of the treatment, various alternative forms of treatment and their effects, and other factors related to the child's treatment that are significant when decisions are made on the treatment given to the child.
If the age and level of development of an underage patient permit the patient to decide on the treatment given to him or her, the patient has to be treated in mutual understanding with him or her. In such cases, the underage patient can forbid the disclosure of information on his or her state of health and treatment to the patient's custodian or other legal representative.
Information on the health and medical care of a deceased person may be given to persons who need the information in order to find out and fulfil their vital interests or rights. The justified information request shall be made in writing to the health care unit or professional in question. In such cases, the right to receive information is not limited to the patient’s family.
The Act on Determination of the Cause of Death specifically provides for the right of family members to receive information from documents concerning the determination of the cause of death.
You can obtain information on who has used your patient records or to whom they have been disclosed. The request should be made in writing to the health care service provider in whose operations you suspect the data to have been processed without grounds. The information from the log file will be provided without delay and free of charge.
The information cannot be disclosed if it would cause serious danger to the health or treatment of a patient or to the rights of another individual. Information on processing that took place more than two years ago can only be obtained on special grounds.
If you feel that your patient records have been used or disclosed without sufficient grounds, the service provider that used or received the data must, upon request, provide you with a report on the basis for the use or disclosure of the data.
This right is based on the Act on the Electronic Processing of Social Welfare and Health Care Customer Records. The Data Protection Ombudsman is not competent to evaluate the realisation of this right or to order such information to be delivered to patients.
If you have cause to suspect that a crime has taken place in the processing of patient records, please turn to the police.
According to the Patient Injury Act, the Patient Insurance Centre has the right to obtain information required for determining the grounds for compensation and the extent of liability. This right is not limited by provisions on secrecy obligations or the disclosure of data from personal data files issued in other legislation.
Information that is not necessary for the processing of the patient injury case may not be disclosed to the Patient Insurance Centre. For example, the patient’s complete case history may only be disclosed to the Patient Insurance Centre in exceptional circumstances.
Occupational health care
The payer of the invoice, i.e. the employer, must be able to make sure that the occupational health care services have been used by an employee of the employer, and that the services provided are covered by the occupational health care agreement. Patient records are nevertheless confidential. The occupational health care agreement should specify in a sufficiently unambiguous manner how the requirements of confidentiality will be taken into account in the invoicing procedures.
The Data Protection Ombudsman recommends that, for the verification of correct invoicing, the occupational health care provider should append a separate list of employees who have used occupational health care services during the invoicing period and a separate listing of the procedures performed (e.g. 5 blood pressure measurements, or the number of physician's appointments or laboratory visits by type). It should not be possible to connect the procedures to specific employees. It would be justified to extend the invoicing period if only a single employee or a few employees have used occupational health care services during the period and the information concerning a specific individual could be connected to procedures.
Alternatively, the occupational health care provider could disclose the information concerning the employee so that only the type of service (e.g. physician's appointment, laboratory visit) is indicated on the invoice, without revealing the nature of the illness or condition. The appointment date can also be indicated if the information is necessary for verifying the correctness of invoicing and with regard to the rights and obligations related to the employment relationship.
If the employer delivers a medical certificate from its HR file to the occupational health care provider, this constitutes a change in the purpose of use of the data and a disclosure of data from one controller to another. The employer is entitled to deliver a medical certificate or statement, which has been given to the employer by the employee and concerns the employee’s own ability to work, to the occupational health care provider unless the employee has prohibited such disclosures. In other cases, confidential information can only be disclosed with the data subject’s specific consent. The employee must be informed of the right to object to the processing in advance.