Personal Health Data Regulation Has Been Published 25 June 2019
According to the Law on Protection of Personal Data (“Law”), The Regulation on Personal Health Data (“Regulation”), concerning activities of private real and legal persons and public legal persons that process personal health data, which is related to the processes and practices carried out by the Ministry of Health (“the Ministry”) has been published in the Official Gazette dated 21 June 2019 and numbered 30808.
We would like to inform you of the Regulation in details here below.
1) What are the norms and principles to be followed during process of Personal Health Data?
During process of personal data, all data processing principles in the Law shall be observed, especially the general principles partaking in Article 4 of the Law. In addition to these principles, according to the Regulation;
- No one shall be compelled to submit or show past health data, except when it is necessary for health service delivery.
- Necessary physical, technical and administrative measures will be taken by health service providers, to prevent unauthorized persons from entering in departments such as counters, pay desks and desks and at the same time to prevent clients from hearing, seeing, learning or seizing each other’s personal data.
- Health service providers will implement the necessary partial de-identification or masking measures on printed material containing personal health data of the patient, such as analysis and examination results; and take other precautions on the material in question to make it difficult to identify who it belongs to, if it’s occupied by an unauthorized person.
2) How and to what extent will medical personnel have access to these data?
Persons, who are in charge of health service delivery; may access to the health data of the person concerned, limited to the requirements of medical services.
- Health data of people owning e-Nabız accounts; may be reached within the framework of their privacy preferences. Related persons are informed in detail about their privacy preferences and its consequences. The Ministry of Health will not be liable for any malfunctions and damages that may occur in medical service delivery, due to the preference of confidentiality and the inability to display past health data.
- Health data of people not owning e-Nabız accounts; may be reached limited to exceptional purposes, which are stated in Article 6 Paragraph 3 of the Law, yet;
- Without any time limit, by the family doctor to whom the person is registered,
- Limited to the day of appointment, by the doctor whom the person has made an appointment for health care, until the end of the procedures directly related to the health service received.
- Limited to 24 hours, by the doctors who are working at the medical service provider, in which the person enters to receive health care.
- By the doctors who are working at the medical service provider, to which the persons admission has been done, until the patient is discharged from the health care provider.
The above-listed access rules may be reassessed by General Directorate according to the requirements of the Ministry for health service provision and within the scope of Article 6/3 of the Law. In such case, what is necessary will be done within the scope of disclosure requirement.
For those who do not want to allow access by anybody to their past health data, the privacy preference will be provided via e-Nabız. Past health data of people, who use this privacy preference, can only be accessed, if the code, which will be sent to the phone number declared by the person, is shared with the doctor and entered by the doctor into the system.
Personal health data, which has a higher level of privacy, and which are at risk of adversely affecting the social life and mental health of the individuals in case of being seen and known by third parties, will be determined by the Ministry and restrictions may be placed on access of medical personnel to such data.
3) How and to what extent will the Ministry units provide access to these data?
Unit Chiefs of the Ministry determine the persons individually, who are authorized to match the health data, which is sent by the health service providers after de-identification to the central health data system with the persons they belong to, through the relational database separately and request the authorization of these persons from the General Directorate.
Users authorized by the General Directorate upon the request of the unit chief, can only exercise this authority in accordance with the principles of Personal Data Protection Legislation in the context of planning, managing, supervising and regulating of health care services and financing tasks.
The limits of the purpose of planning and managing health care services and financing are determined by the duties assigned to the relevant unit in legal and administrative regulations.
4) Who can access to the health data of children?
Parents can access their child's health records via e-Nabız without any need for approval. Children with ability to distinguish, may subject parental access to their health history to permission through e-Nabız.
In case of divorce of the parents, the party that has not been left on custody rights, has access to child’s health data in accordance with the legislation on protection of personal data and within the limits set by the General Directorate, taking into account the benefit of the child and the guardian.
5) How can the relatives access the patient’s health data?
By sharing of personal health data with the relatives of the patients, the third paragraph of Article 18 of the Patient Rights Regulation, which is published in the Official Gazette dated 01/08/1998 and numbered 23420, shall be followed in such a manner that does not contradict the principles of the Law.
6) Do lawyers have access to their clients' health data?
Lawyers are not entitled to request their client's health data by general proxy.The power of attorney issued for the transfer of the client’s health data to its lawyer should include a special provision indicating the express consent of the person concerned for processing and transferring of its special quality personal data.
7) Who can access the health data of a deceased person and for how long?
The legal heirs of the testator are individually authorized to receive the health data of the decedent by submitting their certificate of inheritance.
The health data of a deceased person is stored for at least 20 years.
8) How and by whom will the health data of people, who have been given a confidentiality order, be hidden?
The request for confidentiality of the health data of people, who have been given a confidentiality decision, and the warrant sent by the judicial authorities will be fulfilled by the local health authority.
The action taken by the local health authority will directly be reflected in the Identity Sharing System.
ll necessary technical and administrative measures shall be taken to ensure that confidentiality order are known only by persons who are required to know them by their duties.
9) How can the improperly process data be corrected?
The person concerned shall apply to the local health authority, to which the health care provider is affiliated, in order to correct the wrong health data about himself. If the local health authority reaches the information that the health data is created by mistake, as a result of the research on the relevant health service provider, it shall apply to the General Directorate with an official letter and ask for the correction of the health data, which created by mistake. The operation to be established by the General Directorate is also performed in the database of the health service provider.
The General Directorate determines the date, on which the wrongly created health data by the health service providers can be corrected and updates this date as required. Health data, which is created after this specific date given by the General Directorate, shall be corrected by the relevant health service provider; the health data, which is created before this date, shall be corrected by the General Directorate upon the request of the relevant provincial health directorate.
10) What is the procedure for transferring personal health data to other institutions?
One shall observe the article 8 of the Law for domestic transfer and the article 9 of the Law for international transfer of personal health data. A protocol shall be prepared for transferring personal health data to public institutions and organizations within the scope of these articles. The general principles of personal data protection legislation and the provisions regarding data security and information about data which will be transferred under the protocol, should be included in this Protocol. If the technical infrastructure is suitable, data will be transferred through KamuNET.
Demands for the transfer of personal health data are evaluated by the Ministry department, to which the requested health data is related, in terms of the Law and other relevant legislation. The process is established by the General Directorate according to the evaluation result.
11) Who can handle personal health data for scientific purposes and to what extent?
In the scope of article 28/1b of the Law; “Processing of personal data for purposes such as research, planning and statistics through anonymization with official statistics”, scientific studies can be carried out with health data, which is anonymized by the data officer.
In the scope of article 28/1c of the Law; “Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national crime, national security, public security, public order, economic security, privacy or privacy rights or constitute a crime”
Personal health data may be processed for scientific purposes within the framework of technical and administrative measures to be taken provided that they;
- do not violate the privacy or personal rights of the persons concerned or
- do not constitute a crime.
12) For which purposes and by whom can personal health data be made accessible to everyone?
By taking into account the regulations on data privacy and data security of the data contained in the systems used by the central and provincial organizations of the Ministry and its affiliated and related institutions, by the General Directorate, with some specific purposes such as;
- ensuring transparency and accountability in the health system,
- directing policies and strategies for health care delivery;
- supporting scientific research in the field of health; and
- ensuring the development of health-related products and services;
The Ministry shall determine the principles and procedures for making it accessible to everyone through a dedicated website.
13) How is the security of personal health data and information ensured?
Data security obligations in Article 12 of the Law will be observed. By taking technical and administrative measures, the Personal Data Security Guideline prepared by the Authority will be predicated on.
In the event that the processed personal data is seized by others by unlawful means, the notification to be made to the Council by the data officer shall be based on the provisions of the Law and the regulatory procedures of the Council regarding this matter.
Information security processes performed in the central units of the Ministry and provincial organizations and affiliated and related institutions are determined by the Information Security Policies Directive prepared by the General Directorate.
14) What is the sanction of non-compliance with the Regulation?
For the crimes and misdemeanors related to personal data protected by this Regulation, the procedure shall be carried out in accordance with Article 17-18 of Law.
Public officials who do not fulfill the requirements of this Regulation will be notified to the disciplinary authority to which they are registered and their authority will be cancelled, if they have any. Real persons and private legal entities shall be treated in accordance with the relevant legislation.
The health service providers that do not send data to the central health data system in accordance with the procedures and principles determined by the Ministry shall be warned twice. A penalty which is amounted of 1% of the gross income in the previous month hall be applied to the providers that do not follow the warnings .
15) When will the Regulation enter into force?
The Regulation has entered into force on 21 June 2019.
Other News
-
21.11.2024
The Procedure of Sale by Auction and The Legal Aspect of New Regulations Brought by the 9th Judicial Package
By new regulations brought by the 9th Judicial Package, a new legal frame for the sale of seized goods electronically is instructed according to Enforcement and Bankruptcy Law Article 111/b. Transactions about the sales of seized goods are made via a sale portal integrated with the National Judicial Network Information System (UYAP) by auction. However, because of the legal gaps of the law, an application about the sale transactions cannot be displayed. The amendments introduced by legislators to the law regarding electronic sales in the 8th and 9th Judicial Packages, as well as the newly established regulations, are considered an important step toward making foreclosure processes faster and ensuring that sales transactions are conducted in a safer and more transparent environment.
-
14.11.2024
Law Numbered 7531 On Amendments To Certain Laws Was Published
Law1 No. 7531 on the Amendment of Certain Laws ("Law"), also known as the 9th Judicial Package, was published in the Official Gazette dated 14.11.2024 and numbered 32722 and contains significant amendments to 17 different laws.
-
12.11.2024
E-Government Era Begins In Lease Agreements!
The Ministry of Treasury and Finance ("Ministry") announced in the 2023-2025 period of its 2022 Action Plan for Combating the Informal Economy ("Action Plan") that lease agreements could be concluded through the e-Government portal to support the decision-making processes of the parties involved and conduct risk analysis studies. The first phase of this activity was launched on November 4, 2024, through the e-Government portal, and the second phase is expected to be implemented by the end of the year.
-
10.11.2024
A New Era in Digital Markets: The Competition Authori's The Competition Authority's 2024-2028 Strategic Plan Published
The Competition Authority ("the Authority") has published its 2024-2028 Strategic Plan ("the Strategic Plan") with the aim of adapting to the rapidly evolving dynamics of digital markets and maintaining a competitive economic order. Developed in light of recent shifts in the global competitive environment, the Strategic Plan focuses on new regulations in digital markets and emerging technologies. The Authority aims to ensure fair and competitive markets through this plan, with a clear focus on enhancing consumer welfare.
-
30.10.2024
Public Announcement on Standard Contract Notification Module Published
Public Announcement on Standard Contract Notification Module published on 24.10.2024 on the official website of Personal Data Protection Authority ("Authority"). By the decision dated 17.10.2024, the Personal Data Protection Board ("Board") created "Standard Contract Notification Module" ("Module") in order to carry out standard contract notification processes in a faster and more efficient manner and decided that the notifications could also be carried out online via the Module.
-
27.10.2024
Warning To Research Companies: Inform First, Then Obtain Consent
After the number of complaints to the Personal Data Protection Authority ("Authority"), the Authority published a Public Announcement on "Personal Data Processing Activities of Research Companies by Using "Random-Digit Dialing as a Method of Telephone Sampling" for the purpose of Statistical Research" ("Public Announcement").
-
20.10.2024
EU Data Act
In today's world, where digitalization is gaining significant pace, data sharing and management are of vital importance for all sectors. In this context, the European Union has adopted the EU Data Act, which reshapes the regulations on data sharing. It aims to promote the wider use of data generated by digital devices and services while introducing new rules for a fair data economy.
-
1.10.2024
Regulation No.2023/1115 on the Prevention of Deforestation and Rules for Companies Exporting Products to the European Union
According to data from the United Nations Food and Agriculture Organization, it has been determined that the world's forests decreased by 178 million hectares over the 30-year period from 1990 to 2020.
-
30.9.2024
SEC Climate Disclosure Rule
For the sake of a livable environment and the future of our world, sustainability and ecosystem protection are becoming increasingly important. In this context, governments are introducing environmental reporting standards for companies, which are among the actors that most significantly impact the ecosystem.
-
25.7.2024
2024-2025 Action Plan For The National Artificial Intelligence Strategy Has Entered Into Force
Presidency of the Republic of Türkiye Digital Transformation Office published 2024-2025 Action Plan for the National Artificial Intelligence Strategy within the framework of the 12th Development Plan in order to further Turkey's progress in the field of artificial intelligence and to achieve the set targets.
-
29.5.2024
Important Amendments Introduced to the Turkish Commercial Code by Law No.7511
The Law on Amendments on Turkish Commercial Code and Certain Laws (the "Law") was published in the Official Gazette dated 29 May 2024 and numbered 32560.
-
7.5.2024
Law Proposal on the Amendments on the Turkish Commercial Code Numbered 6102 and Certain Laws in Offered to the Parliament
Law Proposal on the Amendments on the Turkish Commercial Code and Certain Laws is offered to the parliament. Within the scope of the proposal, it is planned to make important amendments to a number of laws, particularly the Turkish Commercial Code, the Cooperatives Law, the Law on the Protection of Competition and the Law on Consumer Protection.
-
18.4.2024
The Constitutional Court Decision Annulled The Regulation Envisaging Liability For Litigation Expenses Within The Scope Of Mediation In Civil Disputes
In accordance with paragraph 11 of Article 18/A of Law No. 6325 on Mediation in Civil Disputes1 ("the Code"), a party shall be held liable for the entire cost of the litigation, nothwithstanding justification at the conclusion of the proceedings, and shall not be granted power of attorney fee if he or she fails to appear for the initial session of mandatory mediation without providing an explanation.The aforementioned regulation is outlined as follows:
-
7.4.2024
E-Application" Period In Capital Markets Board Applications
With its announcement dated 5 February 2024, the Capital Markets Board ("Board") announced to the public that capital market institutions, organisations and partnerships will be able to make their applications more quickly and effectively through the e-Application System.
-
4.4.2024
The Amounts In The Pre-Conditions To Be Complied With Before The Initial Public Offering Of Shares In Several Sectors Were Decreased
The Capital Markets Board ("Board" or "CMB") decreased the financial thresholds for financial statements, especially considering the sectoral differences of the companies that submitting to the Board for initial public offering and the 12th Development Plan ("Plan") prepared by the Presidency of the Strategy and Budget Directorate.