Frequently asked questions about health care
Rectifying patient records
If there are errors in your patient records, you can ask for their rectification. The rectification request is made to the health care unit whose operations the records concern. If necessary, you can ask the unit's Data Protection Officer or Patient Ombudsman for advice.
You can request the rectification of the inaccurate data. The request is made to the health care service provider whose operations the records concern. Kela cannot rectify records viewed through My Kanta.
Read more on My Kanta on the Kanta service website. Also see the Kanta service FAQ on the service's website.
No. A diagnosis cannot be rectified if it corresponds to the assessment of your situation made by the physician who treated you.
If the diagnosis recorded in the patient records corresponds to the physician’s assessment, it is not necessary to rectify the information because it describes the physician’s view of the patient’s health at the time of recording. In that case, the rectification cannot be made on the basis of a medical certificate received from elsewhere either.
Even if the patient’s diagnosis changes later, this does not mean that the original diagnosis should be rectified. It is also important that information about the patient’s previous diagnoses can be found in the patient documents, so that it is known what information their treatment has been based on.
By contrast, if the physician has, for example, accidentally recorded the patient’s diagnosis incorrectly, or the diagnosis has been recorded for the wrong patient, the incorrect entry must be erased or rectified.
It is not within the competence of the Data Protection Ombudsman to assess whether the physician has made the correct assessment of the patient’s health or diagnosis. If the patient is dissatisfied with the treatment they have received or with the activities of a health care professional, they may submit an objection under the Act on the Status and Rights of Patients (785/1992) to the director of the health care unit in question. The patient may also file an administrative complaint about the professional practice of a physician to the Regional State Administrative Agency for the region or Valvira.
You can request that the entry be supplemented with your view of the course of events, in your own words. In most cases, however, the information in the entry cannot be erased or amended if it corresponds to the opinion of its author at the time of the events. As a rule, such data is not considered inaccurate for the purposes of patient records, since it is specifically the duty of health care professionals to record their observations in the patient records.
The Data Protection Ombudsman has recommended that entries be supplemented with the patient’s understanding of the course of events, in their own words, particularly if the patient's version has influenced or could in future influence decisions on the patient’s treatment. The information added to entries must be necessary with regard to the purpose of patient records.
Patient documents must contain the information that is necessary and sufficient for each of the uses of patient records. Patient records are used to organise, plan, implement, monitor and supervise patient care. Provisions on these uses and on data retention periods are laid down in the Act on the Processing of Client Data in Healthcare and Social Welfare (the Client Data Act, 703/2023).
Patient records must be available when needed for these purposes. Organising and monitoring patient care may also require information that differs from what is needed in the treatment situation. As a rule, the original entry must therefore remain available, at least for monitoring the treatment. In practice, the original entry can be retained in such a way that it is not displayed in the patient's treatment situation.
For the consideration of the case, the Office of the Data Protection Ombudsman needs the following information:
- Information on the time when you have submitted a request for rectification of data to a health care actor
- State verbatim
- the information you have requested to be changed
- the changes you have requested to the data
- the information you have requested to be completed in the documents
- Justifications why you think the information in question is incorrect or incomplete in terms of the organisation, planning, implementation, monitoring or supervision of your treatment
- Your request to the health care actor and the response you have received if they are still available
Erasure of patient records
Article 17 of the General Data Protection Regulation (GDPR) provides for the right of data subjects to request the controller to erase personal data concerning them. Patients are also entitled to exercise this right. However, it is often not possible to grant an erasure request, since the law requires patient records to be stored for a certain period of time.
No, you cannot. Not all patient records concerning you can be erased, as the obligation to store patient records is laid down by law. Health care professionals are obliged to enter all patient service events in the patient documents. These entries shall be retained for as long as required by law. Further provisions on the retention period are laid down in the Act on the Processing of Client Data in Healthcare and Social Welfare (the Client Data Act).
The entry for an individual doctor’s appointment or other service event cannot be completely erased either. However, individual erroneous data may be corrected. Incomplete data can also be supplemented and unnecessary data erased.
You can request the erasure of unnecessary data from patient records. Information that is not necessary for the organisation, planning, implementation, monitoring or supervision of patient care is unnecessary. These are the purposes of use of patient records specified in law, for which patient records must be retained.
Necessity is assessed on the basis of whether the information was necessary at the time it was entered in the patient’s records: in order to be erased, the data must have been unnecessary already when it was created. If details have been entered in the patient records whose necessity cannot be justified by the purpose of use of the patient records, these data must be erased. Such data includes, for example, information that inappropriately stigmatises the patient, or other inappropriate entries.
In principle, information that the health care professional has assessed to be related to the patient’s state of health or otherwise to the organisation, planning, implementation or monitoring of treatment is not superfluous. As a rule, such data cannot be erased from patient records even if they later prove to be inaccurate (e.g. a changed diagnosis).
Address the request to the controller of the patient records and specify, word-for-word, the section of your patient records you wish to have erased. Justify your request.
You can request more detailed instructions on exercising your right of erasure from the organisation's Data Protection Officer.
For the consideration of the case, the Office of the Data Protection Ombudsman needs the following information:
- Information on the time when you have requested the erasure of data from a health care actor
- State verbatim the entries and the parts of the entries that you have requested to be erased
- Justifications why you think the information in question is unnecessary in terms of the organisation, planning, implementation, monitoring or supervision of your treatment
- Your request to the health care actor and the response you have received if they are still available
Right of access to own patient records
As a rule, a fee may not be charged for the exercise of the right of access under the General Data Protection Regulation, so the patient may access their patient records free of charge. This also covers MRI images and other reproductions of imaging studies.
A person must have the opportunity to exercise their right of access to their own data at reasonable intervals so that they can remain aware of the processing of their data and check its legality.
If the patient’s request to access the imaging examination data is manifestly unreasonable or unfounded, the health care actor may charge a reasonable fee for fulfilling the request, based on administrative costs, such as labour, materials and postage. The requesting client must be notified of the fee in advance. The amount of the fee must also be described as accurately as possible.
The request may be considered unfounded or unreasonable, in particular if the patient repeatedly requests the same data and the data has not changed since it was last provided to the patient. The request may also be unfounded if, for example, the controller does not process the requested data. The controller may refuse to execute an unreasonable or unfounded request, but this is a last resort option. In such a situation, the controller must inform the patient of the refusal and justify why the request is unfounded or unreasonable.
Disclosure of data
Patient records are disclosed when the data is made available to another, external party, i.e. a third party. Disclosure does not occur when patient records are used for the organisation and implementation of the patient's health services, or for related tasks, within the same health care actor or on its assignment.
On the other hand, disclosure does occur if data is passed within the same actor for a different purpose: for example, if in a wellbeing services county social welfare data is given to health care, or patient data is to be used for some purpose other than tasks related to the organisation or implementation of health services.
Disclosure of data must be based on law or consent given by the patient. The party disclosing the data is responsible for ensuring that the disclosure occurs lawfully. If necessary, the person requesting the information should be asked for what purpose and on what grounds the information is requested.
The Act on the Processing of Client Data in Healthcare and Social Welfare (the Client Data Act) contains more detailed provisions on the disclosure of data in health care. Under the Client Data Act, a health care service provider may disclose patient records to another health care service provider if it needs the data for the organisation and implementation of health care services. The recipient of the data must have the right to use the disclosed data. In other words, the processing of data must be based on the work tasks of a health care professional or other person processing the data, and the service provided to the patient. Even then, only data necessary for the work tasks may be processed.
In a typical disclosure situation, patient records are needed to treat the patient in the receiving unit. In practice, data is often disclosed so that a health care professional can view the data of other health care actors through the Kanta services. The Client Data Act requires that the data is primarily disclosed through the Kanta services. However, if necessary, data may also be disclosed in other ways, such as on paper or electronically through information systems.
In addition, a prerequisite for the disclosure of patient records is a consent to data sharing given by the patient. It is a declaration of intent by which the patient accepts the sharing of their data. Consent can be given in the Kanta services, for example.
Before giving the consent to data sharing, the patient must be told how their personal data is processed in social welfare and health care and how they can influence the disclosure of their data. With one consent to data sharing, the patient can allow all their patient records to be shared among different health care providers who are treating them. The consent to data sharing is valid until further notice, but it can be cancelled at any time. You can also give the consent again if you wish.
If the patient does not want the data of a certain service provider to be disclosed, they may restrict the consent to data sharing by denials of consent of variable scope. With an extensive denial of consent to data sharing, the patient may prohibit the sharing of all patient records concerning them. In public health care and occupational health care, the patient may prohibit the disclosure of all data from a service provider or information from an individual service event. In private health care, the disclosure of data can only be prohibited on a case-by-case basis.
However, a patient’s consent to data sharing is not required, for example, if the person is unable to understand the significance of the consent to data sharing due to a memory disorder or intellectual disability, and they do not have a legal representative who could grant the consent to data sharing on their behalf. Consent to data sharing is also not required in situations where the responsibility for care is transferred. In such cases, it is permissible to share the patient records necessary for arranging the treatment to the service provider continuing the treatment through a referral or treatment summary. Care feedback can also be handed over to the referring service provider.
Another exception is the sharing of patient records between the wellbeing services counties of the Uusimaa regions, the City of Helsinki and the HUS Group, where the disclosure of data is possible directly by virtue of law without consent to data sharing. The disclosure can be made after the patient has been informed about the processing of their data in social welfare and health care and about the possibility of influencing the disclosure of their data. However, in Uusimaa patients also have the right to prohibit the disclosure of their patient records.
In addition to the Client Data Act, it may also be possible to disclose patient records by virtue of other legislation that entitles to access the data. The patient cannot restrict the authorities' statutory right to information by means of denials of consent to data sharing, for example.
Read more about granting consent to data sharing, issuing a denial of consent to data sharing, disclosing data without consent to data sharing and exceptional situations:
Kanta services website: How will my data be shared within the wellbeing services counties?
Kanta services website: Consent to patient data sharing in health care
Kanta services website: Denial of consent to sharing patient data
Patient records are permanently confidential and cannot, as a rule, be disclosed to third parties. In health care, a third party refers to persons who do not in any way participate in tasks related to the patient’s health services in the employment of the service provider or pharmacy, on its behalf, or on its assignment. Thus, third parties include employees working in the same wellbeing services county who do not participate in the organisation or implementation of health services for the patient in question. They do not have the right to process the patient's data.
For example, in a wellbeing services county, the nurse or physician treating the patient is not a third party, but has the right to process the patient records necessary for the implementation of the patient’s treatment.
The organisation and implementation of the service is not limited to patient care, but tasks related to health care services can also be carried out by others than social welfare and health care professionals. These may include administrative tasks, such as invoicing. For administrative tasks, patient data that is necessary for the performance of the task may be disclosed.
Patient records are confidential and may not be disclosed to third parties without the patient's consent or a legal provision that makes the disclosure possible. Members of the patient's family are also third parties, and patient records cannot normally be disclosed to them without the patient’s consent.
If an adult patient cannot decide on his or her own treatment due to mental illness, mental disability or other reasons, the patient's legal representative, family member or other person close to the patient must be heard before making important treatment decisions in order to determine which treatment would best correspond to the patient’s will. In such cases, the treatment also requires the consent of the patient’s legal representative, family member or other person close to the patient. In order to be able to decide whether to give such consent, the person is entitled to receive any information regarding the patient's state of health that may be required to enable them to express an opinion and give their consent.
If an underage patient is not able to decide on his or her treatment, the patient must be treated in mutual understanding with his or her custodian or other legal representative. In such cases, this person has the right to receive information on the underage child’s state of health, the significance of the treatment, various alternative forms of treatment and their effects and about other factors related to the child's treatment that are significant when decisions are made on the treatment given to the child.
If the age and level of development of an underage patient permit the patient to decide on the treatment given to him or her, the patient has to be treated in mutual understanding with him or her. In such cases, the underage patient can forbid the disclosure of information on his or her state of health and treatment to the patient's custodian or other legal representative.
Information on the health and medical care of a deceased person may be given to persons who need the information in order to find out or fulfil their vital interests or rights. The data may be disclosed to the extent that it is necessary to establish or enforce these interests or rights.
The justified information request shall be made in writing to the health care unit or professional in question. In such cases, the right to receive information is not limited to the patient’s family.
The Act on Determination of the Cause of Death specifically provides for the right of family members to receive information from documents concerning the determination of the cause of death.
You can obtain information from a health care service provider, the Social Insurance Institution of Finland or a pharmacy on who has used patient records concerning you, to whom they have been disclosed, and the reason for their use or disclosure (so-called log data). You must submit the request in writing. Based on the log data you have received, it is possible to assess whether your patient records have been processed lawfully and appropriately.
If, on the basis of the log data, you suspect that patient records concerning you have been used or disclosed without sufficient grounds, you can ask the party who used the data or received the data for an explanation on the grounds for the use or disclosure of the data. They shall also provide a reasoned view of whether the use or disclosure of the data has been lawful. If they consider that the processing of the data has been unlawful, they must also take the necessary measures on their own initiative.
If an individual health care professional has acted in violation of the law and the instructions issued by their employer, this constitutes a criminal offence that falls under the purview of the police. The Office of the Data Protection Ombudsman supervises the legality of the organisation’s operations and can only impose sanctions on the organisation. As a rule, therefore, the Office of the Data Protection Ombudsman does not investigate the incorrect activities of individual professionals. The Data Protection Ombudsman may start investigating the matter if the safeguards used in the organisation have been inadequate. This may be the case, for example, if the employer has not properly instructed their employees on the processing of patient data.
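The same review can be run by the controller itself over its access log, as in the "routine operations control" case among the breach examples further down this page. The following is an added example, not code from the original page or from any Finnish health care system: it reads a constructed access log, checks each access against a constructed table of care relationships (who is treating whom, and when), and lists the accesses that have neither a care relationship nor an administrative basis such as invoicing on record. The log format, field names, reason codes and the care-relationship table are all assumptions made for illustration.

```python
"""Review a patient-record access log against recorded care relationships.

Added example; it is not code from the original page or from any Finnish
health care system. The log format, field names, reason codes and the
care-relationship table are assumptions made for illustration only.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample log lines: timestamp;user;role;patient;action;reason
SAMPLE_LOG = """\
2024-03-01T09:12:00;u101;nurse;p5001;view;treatment
2024-03-01T09:40:00;u202;physician;p5001;view;treatment
2024-03-01T12:03:00;u303;clerk;p5001;view;invoicing
2024-03-02T22:15:00;u404;nurse;p5001;view;treatment
2024-03-03T08:00:00;u101;nurse;p7002;view;treatment
"""

# Constructed care relationships: (user, patient, valid_from, valid_to),
# i.e. an assumed record of who is treating whom and during which period.
CARE_RELATIONSHIPS = [
    ("u101", "p5001", "2024-02-28", "2024-03-05"),
    ("u202", "p5001", "2024-03-01", "2024-03-01"),
]

# Administrative reasons that justify access without a care relationship,
# and the roles allowed to use them (assumed; compare the page's invoicing case).
ADMIN_REASONS = {"invoicing": {"clerk"}}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    role: str
    patient: str
    reason: str


def has_care_relationship(user, patient, on, relationships):
    """True if a care relationship between user and patient covers the date."""
    for rel_user, rel_patient, start, end in relationships:
        if rel_user == user and rel_patient == patient:
            if date.fromisoformat(start) <= on <= date.fromisoformat(end):
                return True
    return False


def review_log(log_text, relationships=CARE_RELATIONSHIPS, admin_reasons=ADMIN_REASONS):
    """Return accesses that have neither a care relationship nor an admin basis.

    Each finding is a candidate for the 'request an explanation' step the page
    describes; it is not proof of unlawful processing, since the care
    relationship record itself may be incomplete.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, _action, reason = line.split(";")
        on = datetime.fromisoformat(ts).date()
        if has_care_relationship(user, patient, on, relationships):
            continue
        if role in admin_reasons.get(reason, set()):
            continue
        findings.append(Finding(ts, user, role, patient, reason))
    return findings


def findings_by_user(findings):
    """Count unexplained accesses per user, to spot repeated prying."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user} ({f.role}) accessed {f.patient}: "
              f"reason '{f.reason}' has no care relationship or admin basis on record")
```

On the constructed input, the nurse u404 (no relationship with p5001) and nurse u101's access to p7002 are reported, while the clerk's invoicing access and the physician's same-day access pass. A finding only says that the justification is missing from the records checked; the page's next step, asking the user or recipient for an explanation, still applies.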
According to the Patient Injury Act, the Patient Insurance Centre has the right to obtain information required for determining the grounds for compensation and the extent of liability. This right is not limited by provisions on secrecy obligations or the disclosure of data from personal data files issued in other legislation.
Information that is not necessary for the processing of the patient injury case may not be disclosed to the Patient Insurance Centre. For example, the patient’s complete case history may only be disclosed to the Patient Insurance Centre in exceptional circumstances.
Non-disclosure for personal safety and the processing of personal data subject to such non-disclosure is provided for in the Act on the Population Information System and the Digital and Population Services Agency’s Certificate Services (Laki väestötietojärjestelmästä ja Digi- ja väestötietoviraston varmennepalveluista 661/2009). The municipality of residence, place of residence, address and other contact details of someone subject to non-disclosure for personal safety may only be disclosed to an authority that has the right to process such data for the performance of a statutory duty or measure, or for the purpose of exercising the rights or fulfilling the obligations of the person subject to the non-disclosure.
An authority that has received data subject to non-disclosure for personal safety from the Population Information System may not pass such data on or allow it to be accessed or processed by a third party, unless otherwise provided for in the law.
Non-disclosure for personal safety applies to the disclosure of personal data subject to it from the Population Information System, as well as to the right of authorities receiving such data to pass it on. Non-disclosure for personal safety does not apply to the disclosure of data in other circumstances. Neither does non-disclosure for personal safety affect the processing of data disclosed from the Population Information System before the non-disclosure entered into force, nor data already stored by another party.
Non-disclosure for personal safety also applies to the disclosure of the identifying and geographical data of real estate, buildings and residences owned or controlled by the person, if it cannot be processed separately from the data subject to non-disclosure for personal safety.
The Data Protection Ombudsman cannot grant a non-disclosure for personal safety. In matters concerning non-disclosure for personal safety, the competent authority is the Digital and Population Services Agency.
Data generated in health care can be used for scientific research, i.e. for a so-called secondary purpose.
As a rule, the use of data for research purposes is carried out in such a way that the researcher cannot directly identify persons whose data is contained in the research data. If a scientific study reveals a significant finding that would make it possible to prevent a risk to a certain person’s health or significantly improve the quality of treatment, the patient’s identity can be determined and they can be contacted by health care.
The patient has the right to prohibit contact based on such a clinically significant finding. The denial of consent can be made in MyKanta and in public health care. More detailed information on making a denial of consent to contact is available on the Kanta services website:
Denial of consent to contact based on register research findings (kanta.fi)
Provisions on the use of information for this purpose and the denial of consent to contact are laid down in section 55 of the Act on the Secondary Use of Health and Social Data (555/2019).
Personal data breaches
In certain situations, the controller has an obligation to communicate a personal data breach to the supervisory authority and the persons affected by the breach. The controller must assess how high a risk the personal data breach poses to the persons affected by the breach. The level of risk determines whether the controller should notify both the Office of the Data Protection Ombudsman and the data subjects of the personal data breach. The controller must internally document all personal data breaches.
When a personal data breach is likely to result in a risk to the data subject, it must be communicated to the Office of the Data Protection Ombudsman. If the personal data breach is likely to result in a high risk to the person affected by the breach, the controller must also communicate the personal data breach to the persons affected as well.
Read more about personal data breaches, risk assessment and the notification obligation
Examples of situations in health care in which personal data breaches should be communicated to both the Office of the Data Protection Ombudsman and the person affected by the personal data breach:
- An employee sent information on a client’s/patient’s health (e.g., substance abuse plan or medical certificate) by email or by letter to a wrong address. The information was received by an outsider.
- In a meeting, the speaker of an audio unit had been connected via Bluetooth to the equipment in the adjacent room, so an outsider could hear the call. Patient data was discussed at the meeting. It is not known for how long the outsider had been listening in.
- Medical records of a hospital were unavailable for the period of 30 hours due to a cyber-attack.
- In connection with routine operations control, the controller noticed that an employee in the unit had processed (i.e., pried into) an individual patient’s data as an outsider based on personal reasons.
- An employee uploaded to social media a photograph where personal data of an individual patient was visible. Image processing software makes it possible to enhance the patient data even if the photo is blurry. It is not known whether the photo was downloaded by any outsiders.
- An employee lost a client list containing information on the state of health of clients in a parking lot. The employee noticed the mistake but could not find the list. It is not known whether any outsiders got hold of the list.
- Some of the patient data stored in the system was destroyed permanently due to a human error. No backups exist, and the data cannot be retrieved.
- At the reception desk, a client who had come from a doctor’s appointment reported having received a sickness allowance form belonging to another person.
- The itemisation of an invoice from an occupational health care provider revealed the reason for an employee’s appointment, which unnecessarily disclosed information on the person’s health. The invoice recipient represented the employer.
- When visiting a client (A), a home care employee had accidentally left another client’s (B) information form at the client’s (A) home. The client’s (A) family member found the information among her own family member’s papers.
- A health care professional accidentally entered information on patient A’s drug allergy into patient B’s records. In other words, no allergy data was entered into patient A’s records. Patient B does not have any allergies. In the health care system, another health care professional (unaware of patient A’s allergy) administers patient A the drug patient A is allergic to. This causes a health risk to patient A.
- Suspicions have arisen that person A has presented himself as person B (identity theft), made a doctor’s appointment in his name and seen the doctor. The doctor treated the client based on the personal data given and made an entry into patient B’s records. Person B personally contacted the controller having noticed entries in My Kanta that did not concern him. The controller removed the false information from patient B’s records.
- A health care organisation makes patient entries on paper in a notebook. The notebook was stolen in connection with a break-in.
The controller must assess the level of risk caused by personal data breaches to the individuals concerned. The level of risk determines whether the controller is to communicate the personal data breach to the Office of the Data Protection Ombudsman and the data subjects. The controller must internally document all personal data breaches.
The Office of the Data Protection Ombudsman must be notified of personal data breaches when they are likely to cause a risk to data subjects. However, if the breach is unlikely to cause a high risk, it does not need to be communicated to the persons whose personal data have been affected by the personal data breach.
No notification to the data subjects is required, for example, when the controller has taken appropriate protection measures or subsequent measures to ensure that the high risk is no longer likely to materialise.
Examples of situations in health care in which personal data breaches should be communicated to the Office of the Data Protection Ombudsman but no notification to the persons affected by the breach is required:
- A cleaner emptied a waste bin, which the department employees used for temporarily storing confidential paper materials to be destroyed, into the wrong container. The container was taken to an insecure space. The controller does not know which patients' data the breach concerned. The controller confirmed with the waste management company that the data had been destroyed without being disclosed to outsiders.
- An operational health care unit (A) sent information concerning surgical treatment of several patients to another operational health care unit (B). The data was sent for the purposes of scientific research. No agreement had been drawn up between the units yet. Some of the patients could be identified from the data by combining information. The data was disclosed only to the health care professionals conducting the research study, who are subject to a duty of professional secrecy. The recipient destroyed the data. The patients had not been asked for their consent to being part of the study, which particularly affects how high the level of risk is assessed to be.
- A pharmacy delivered an order containing drugs for several patients intended to organisation A to organisation B. The pharmacy co-operates with both organisations, but the agreements made between the organisations do not define what would be the appropriate procedure to follow in a situation like this. Eventually, the drugs were delivered to the right patients in time.
- If the pharmacy has agreed with organisation B on an appropriate procedure for a situation like this, and B confirms to having followed the procedure, the pharmacy’s internal documentation of a personal data breach is probably sufficient. The procedures may include an obligation to communicate the incident to the pharmacy, to return or remove the data safely and to provide written confirmation of having taken these actions.
If a personal data breach is unlikely to cause a risk, it does not need to be communicated to the supervisory authority or the persons affected by the breach. Other situations in which communication of a personal data breach to the data subject is not required have been defined in paragraph 3 of Article 34 of General Data Protection Regulation (GDPR). Under GDPR, data subjects do not need to be notified in person if the controller has taken appropriate protection measures or subsequent measures to ensure that the high risk is no longer likely to materialise. The controller must internally document all personal data breaches.
Examples of situations in health care in which personal data breaches do not need to be communicated:
- Patient records were shared with a trusted recipient and established partner working at the same department. The recipient is subject to a legal obligation of professional secrecy, and they process the data as part of their work duties. In the situation, there is no reason to suspect that the data was or would be processed contrary to laws or instructions issued by the controller.
- Due to a system error, the referral of a patient (A) had been temporarily stored under the wrong patient's (B) records. The error was local, and the information was not transmitted to Kanta. The laboratory that received the data was aware of the error. The error was cleared, and data integrity was restored quickly. It did not cause any harm to the patient.
- A controller's employee sent personal data in an unencrypted email. There is no reason to suspect that the data was disclosed to outsiders.
- A personal data breach concerned information on a deceased person only.
- A system function allowed the main user to grant themselves an excessive level of access, which could have given them access to information they did not need to know based on their tasks. The controller was able to verify by technical means that the main user had not in fact extended their level of access.
- A controller saved an encrypted backup copy of an archive containing client data on a USB flash drive. The flash drive was stolen when the premises were broken into. The data was encrypted with a state-of-the-art algorithm, backups of the material exist, the unique encryption key has not been compromised, and the data can be restored in a timely manner.
- A text message about an appointment was sent to the wrong number. The message did not contain any identifiable personal data or any health-related information.
- A pharmacy employee gave client B a document displaying the name and personal identity code of client A. Client B noticed the incident immediately and returned the document to the pharmacy employee right away.
- Patient A reported to the health care unit that another person's (B) data had been entered into her patient records. Based on the recorded data, person A cannot deduce who person B is. When the matter was confirmed, B's data were removed from person A's patient records and entered into patient B's own patient records. Decisions related to patient A's treatment were not made based on data concerning person B, and the incident did not affect patient B's treatment.
- A letter containing patient data was damaged in a sorting centre. The post office notified the organisation that had sent the letter about the damaged letter and returned it to the sender. Some patient data may have become visible to Posti employees.
  In this case, it is likely that the recipient is considered a 'trusted recipient'. The controller can reasonably expect that the party does not read or use the data possibly revealed to them but complies with the existing instructions and returns the letter to the sender. It must be noted that if, in addition to the loss of confidentiality, the incident has any other consequences for the data subject, all such consequences must be taken into account when assessing the level of risk. For example, if the incident has adverse effects on the realisation of the data subject's treatment, the risk to the rights and freedoms of the data subject is probably high.
Occupational health care
The payer of the invoice, i.e. the employer, must be able to make sure that the occupational health care services have been used by an employee of the employer, and that the services provided are covered by the occupational health care agreement. Patient records are nevertheless confidential. The occupational health care agreement should specify in a sufficiently unambiguous manner how the requirements of confidentiality will be taken into account in the invoicing procedures.
The Data Protection Ombudsman recommends that, for the verification of correct invoicing, the occupational health care provider append to the invoice a separate list of the employees who have used occupational health care services during the invoicing period and a separate listing of the procedures performed (e.g. 5 blood pressure measurements, or the number of physician's appointments or laboratory visits by type). It should not be possible to connect the procedures to specific employees. It would be justified to extend the invoicing period if only a single employee or a few employees have used occupational health care services during the period and information concerning a specific individual could therefore be connected to procedures.
Alternatively, the occupational health care provider could disclose the information concerning the employee so that only the type of service (e.g. physician's appointment, laboratory visit) is indicated on the invoice, without revealing the nature of the illness or condition. The appointment date can also be indicated if the information is necessary for verifying the correctness of the invoicing and with regard to the rights and obligations related to the employment relationship.
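The two invoicing approaches described above, as an added illustration that is not part of the Ombudsman's guidance: the aggregated attachments (employee list and procedure counts kept apart, with the procedure listing withheld when too few employees used services) and the alternative per-employee listing that carries only the service type and date. The `Visit` record, the sample data and the `MIN_EMPLOYEES` threshold of 3 are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Visit:
    """One occupational health care contact (constructed record layout)."""
    employee_id: str
    procedure: str      # service type only, e.g. "physician appointment"
    day: date
    diagnosis: str      # confidential; must never reach the invoice


# Assumed threshold: below this many employees, procedure counts could be
# linked back to individuals, so the invoicing period should be extended.
MIN_EMPLOYEES = 3

# Constructed sample visits for one invoicing period.
SAMPLE_VISITS = [
    Visit("E-001", "physician appointment", date(2024, 3, 4), "constructed dx 1"),
    Visit("E-001", "laboratory visit", date(2024, 3, 4), "constructed dx 1"),
    Visit("E-002", "blood pressure measurement", date(2024, 3, 10), "constructed dx 2"),
    Visit("E-003", "physician appointment", date(2024, 3, 12), "constructed dx 3"),
]


def invoice_attachments(visits, min_employees=MIN_EMPLOYEES):
    """Return (employee_list, procedure_counts) as two separate attachments.

    The procedure listing is None when fewer than min_employees used services;
    the caller should then extend the invoicing period instead of sending it.
    """
    employees = sorted({v.employee_id for v in visits})
    if len(employees) < min_employees:
        return employees, None
    counts = Counter(v.procedure for v in visits)
    return employees, dict(sorted(counts.items()))


def per_employee_service_types(visits):
    """Alternative listing: employee -> [(service type, ISO date)], diagnosis dropped."""
    listing = {}
    for v in sorted(visits, key=lambda v: (v.employee_id, v.day)):
        listing.setdefault(v.employee_id, []).append((v.procedure, v.day.isoformat()))
    return listing


if __name__ == "__main__":
    print(invoice_attachments(SAMPLE_VISITS))
    print(per_employee_service_types(SAMPLE_VISITS))
```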
If the employer delivers a medical certificate from its HR file to the occupational health care provider, this constitutes a change in the purpose of use of the data and a disclosure of data from one controller to another. The employer is entitled to deliver a medical certificate or statement, which has been given to the employer by the employee and concerns the employee's own ability to work, to the occupational health care provider unless the employee has prohibited such disclosures. In other cases, confidential information can only be disclosed with the data subject's specific consent. The employee must be informed in advance of the right to object to the processing.
Conversations during treatment
Data protection legislation does not restrict spoken conversations between patients and health care professionals. Such conversations are subject to the rules on professional confidentiality. Individuals who process confidential patient records are bound by an obligation of confidentiality and may not disclose patient data to third parties.
The treatment of a patient in a health centre, hospital or other health care unit imposes certain limits on the patient’s private life. However, the protection of a patient's privacy may not be overridden by the maintenance of order and security at the unit or, for example, the demands of other patients. Health care units should strive to take their patients’ need for privacy into consideration, such as by making arrangements for receiving visitors and providing opportunities for private conversations.
The Office of the Data Protection Ombudsman cannot comment on the specific resources or, for example, premises required to enable confidential conversations. You can contact the health care organisation's patient ombudsman or data protection officer if you feel that the protection of privacy has not been sufficiently addressed.