The Regulation on Personal Health Data (“Regulation”), prepared by the Ministry of Health on the basis of the Law No. 6698 on Personal Data Protection (“Law”), was published in the Official Gazette No. 30808 on June 21, 2019. The Regulation annuls the Regulation on Processing and Ensuring the Privacy of Personal Health Data and sets forth the principles and procedures regarding the processing of personal health data by real persons and private legal entities as well as public organizations and institutions.
The Regulation contains general and detailed provisions regarding the general principles and rules for processing health data as well as health data on the e-Pulse (e-Nabız) system; health data requiring a higher level of privacy; access to children’s health data; and access to health data by third persons including healthcare professionals.
In this respect, pursuant to the Regulation, healthcare professionals may access the personal health data of data subjects only on the condition that such access is limited to the purpose of providing healthcare services to the relevant data subject. Data subjects will not be in any way required to submit or disclose their medical history unless it is necessary for the provision of such services.
The Regulation also contains various provisions regarding health data on the e-Nabız system established by the Ministry of Health, which provides the relevant data subjects and third persons with access to the health data. Accordingly, the health data of data subjects with e-Pulse (e-Nabız) accounts will only be accessible within the framework of data subjects’ privacy preferences. Relevant data subjects may change their privacy settings through the e-Nabız system in case they do not want their medical history to be accessible to anyone.
Furthermore, the Regulation limits access to the health data of data subjects without e-Nabız accounts. Accordingly, such data may only be accessed by (i) practitioners in the family doctor system, without any time limitation; (ii) practitioners until the end of the health services or any other procedures provided; (iii) practitioners working at the relevant health service provider, for 24 hours starting from the time the patient registers to receive services; and (iv) practitioners working at the healthcare service provider where the patient is hospitalized, until the patient is discharged.
The Regulation requires healthcare service providers to implement anonymization and masking measures for hard copy materials such as files and reports that contain patients’ health data, such as test and clinical examination results.
The Ministry of Health will also determine certain health data which require a higher level of privacy and pose a significant risk of impacting data subjects’ social lives and mental health if others come to know or access this data. The Ministry of Health may introduce new restrictions regarding access to such data.
As per the Regulation, lawyers may request to receive their clients’ health data only by submitting a special power of attorney containing the client’s explicit consent regarding the processing and transfer of the client’s special categories of personal data.
The processing of health data, a special category of data under the Law, is subject to strict conditions. In this respect, considering that failure to comply with the data security obligations may be subject to administrative fines ranging from TRY 15,000 to 1,000,000, the relevant organizations and institutions must carefully review the Ministry of Health and the Personal Data Protection Authority’s regulations and take the necessary steps to ensure compliance.