Medical Documentation – Protection of Confidential Data
Proper management of health documentation and records is one of the key conditions for the provision of health care and it is the basis for the functioning of an integrated health information system.
Health documentation and records have numerous, very important functions, and they serve not only for monitoring the patient’s health condition but also for monitoring and studying the health condition of the population, environmental risk factors, resources in the field of health care, for improving the quality and financing of health care, conducting statistical and scientific research, informing the public, fulfilling international obligations in the field of health care, as well as for the development of the system of health care and health insurance. Special attention is paid to the handling of medical documentation, bearing in mind that it contains data that should have the highest protection.
Although the regulations stipulate a high level of protection of medical documentation, in reality, there are frequent cases of abuse or, more often, accidental mistakes when handling medical documentation.
Thus, in reality, we often have the following situations:
1. delivery of medical documentation to the wrong patient by replacing the papers during the handover;
2. sending medical documentation to the wrong email address;
3. replacement of data during the preparation of medical documentation (for example: the patient receives documentation with his personal data but with the results of another patient, which creates a false impression of his health condition, so that a person who is completely healthy thinks he has a serious illness, and vice versa, which can lead to severe consequences).
In accordance with the Law on health documentation and records in the field of health care (“Official Gazette of RS”, no. 123/2014, 106/2015, 105/2017, 25/2019 – other law), all health institutions, private practices and other legal entities are obliged to keep health documentation and records in the manner, according to the procedure and within the deadlines established by law, as an integral part of their professional medical work.
What exactly is medical documentation?
It is any document that contains observed, measurable, and reproducible findings obtained during a patient examination, as well as laboratory and diagnostic tests, assessments, or diagnostic formulations. Medical documentation chronologically records patient care, supports diagnostics or reasons for visiting a health facility, supports preventive procedures, screening, treatment procedures and documents them precisely. Given that the medical documentation is also a forensic medical document, it must be complete, accurate and accessible. It also represents a group of means for coordinated recording and collection of data on events and activities in the health care system.
Medical documentation inevitably contains personal data, which is any information related to a natural person, regardless of the form in which it is expressed and the information carrier (paper, tape, film, electronic media), regardless of on whose orders, on whose behalf, or for whose account the information is stored, the date of creation of the information, the place of storage of the information, the method of finding out the information (directly, through listening, observing, etc., or indirectly, through viewing the document in which the information is contained, etc.), and regardless of any other property of the information.
Personal data contained in medical and health documentation are processed in accordance with the principles of personal data protection, and this implies the legal, appropriate and proportionate processing of personal data, which must be accurate, up-to-date and adequately protected against loss, destruction, unauthorized access, alteration, publication and any other abuse. Data from the patient’s medical documentation represent particularly sensitive personal data. For this reason, health institutions, private practices and other legal entities are obliged to collect and process patients’ personal data in a manner that ensures the exercise of the right to privacy and the right to confidentiality of personal data, in accordance with the law governing patients’ rights and the law governing the protection of personal data.
Health institutions, private practices and other legal entities, as well as the competent health worker, health associate or other authorized person who keeps medical documentation and records, are obliged to protect patients’ medical documentation and records from unauthorized access, viewing, copying and misuse, regardless of the form in which the data from the medical documentation is stored (paper, microfilm, optical and laser discs, magnetic media, electronic records, etc.).
Who has the right to view medical documentation?
The Law on Patients’ Rights (“Official Gazette of RS”, No. 45/2013, 25/2019 – other law) prescribes that the patient has the right to view his medical documentation. When the patient is a child or a person deprived of business capacity, the legal representative has the right to view the medical documentation, except in the case of a child who has reached the age of 15 and is capable of reasoning, who has the right to the confidentiality of the data contained in his medical documentation. A child who has reached 15 years of age and is capable of reasoning has the right to view his medical documentation. The competent healthcare worker, despite the child’s request that information about his health condition should not be disclosed to his legal representative, is obliged to disclose information about his health condition to his legal representative in case of serious danger to the child’s life and health.
The members of the patient’s immediate family have the right to access the medical documentation of their family member only in exceptional cases, namely if this data is important for their treatment. The competent healthcare worker may disclose information about the patient’s health condition to an adult member of the immediate family, even when the patient has not given consent to the disclosure of information about his health condition, if the disclosure of such information is necessary to avoid health risks for the family member.
From all of the above, we can conclude that, despite strict legal regulations and prescribed punitive measures for violating legal provisions, there are a large number of opportunities for violating the right to the protection of this confidential data. In such situations, patients often decide to protect their rights in court, demanding a certain amount of money as compensation for material and non-material damage. Health institutions, private practices, as well as other legal entities that handle medical documentation, aware of their responsibility, often decide to conclude judicial and extrajudicial settlements, in order to avoid additional court costs.