Healthcare sector


No. The patient is always the data subject of their personal data, and specifically of the data contained in their medical record. The healthcare centre, the doctor, the private health insurer, etc., who compile our medical record are responsible for the information they process, and must safeguard, retain and protect it.

Medical records may be kept on paper or electronic media, provided that the authenticity of the content is guaranteed and they can be consulted in the future. All accesses to or modifications of a medical record must be recorded, as must the doctors and healthcare professionals who have accessed or modified it.

For paper-based medical records, secure containers and paper shredders should be used to prevent unauthorised persons from recovering the information. It may be appropriate to outsource disposal to companies that guarantee secure destruction and issue a certificate of destruction.

For electronic health records, healthcare centres or professionals must securely erase the information or, where appropriate, physically destroy the medium or device.

Healthcare centres, archives and documentation centres must keep a record of the disposal of health records.

Healthcare centres and services that close down, and professionals who cease practising permanently, must guarantee access to the medical records they hold, for the benefit of medical care and patients' rights.

When a self-employed doctor retires, they should notify their patients so that the patients can take their clinical records with them and, where appropriate, hand them over to a new professional. The doctor can consult their professional body on how to manage this situation without jeopardising their patients' rights and, where appropriate, on destroying the relevant information by secure methods.

No. These are two different information rights:

  • Informed consent in the healthcare context refers to the duty to obtain the consent of patients who are to undergo certain more or less invasive interventions on their bodies (examinations, clinical analyses, biopsies, surgical procedures, dressings, medical treatments, etc.). The patient must be informed of what the procedure will involve so that they can decide and give their consent to undergo it or not.
  • The right to information provided for in data protection legislation is a right for all patients. Healthcare centres do not need to ask for consent to process the data provided by patients for the purpose of their care, but they are obliged to explain how they will use their data.

The information provided to patients must be concise, transparent, intelligible and easily accessible, using clear and plain language, in particular any information specifically addressed to children. Information must be provided in writing or by other means, including, where appropriate, electronic means.

The patient has the right to request any clarification they need. To do so, they may contact the data protection officer of the controller.

No. Asking a patient for a signature without first informing them which data will be collected, for what purpose, to whom it will be disclosed, etc., and without allowing them to clarify any doubts, is not correct. The information required by law must be provided in a way that a record is kept of it, and the patient must be able to understand it. You should never sign a blank form if you do not know what the signature is for. The patient has the right to receive a copy of any document they have signed.

Yes, the APDCAT considers that, depending on the circumstances of the specific case, a patient may have a legitimate interest in knowing the traceability of accesses to their medical record.

You can find further information on this matter in the document "Interpretative Criteria on the Application of Regulatory Norms and the Processing of Individuals' Access Requests for the Traceability of Their Clinical History", jointly approved by the Catalan Data Protection Authority (APDCAT) and the Commission for the Guarantee of the Right of Access to Public Information (GAIP).

Yes. If you suspect that your medical record has been accessed unlawfully, you can request the access log or audit trail for your medical record from the responsible body or institution. Within a maximum of one month, they must provide you with a list detailing each access. If they do not provide you with the access log, you have the right to lodge a complaint with the Catalan Data Protection Authority. Once you have the list, if you detect any accesses not justified by clinical or administrative reasons, you can file a complaint with the Catalan Data Protection Authority for a breach of the regulations.

On occasion, the patient may not be shown everything contained in their medical record, either in the interest of their own well-being or that of others (for example, when their healthcare professionals consider there to be a therapeutic necessity, or when the record contains subjective notes by professionals).

No. As the person concerned, the patient has the right to obtain a copy of their entire medical record. There is no obligation to explain the reason for the request to the clinic, and even if the patient does so, this does not justify the refusal to provide the information. If the clinic refuses to provide it, the patient can file a complaint with the APDCAT.

Yes. The right to know one's biological origins includes the right to know the identity of the biological parents. This right is recognised for children and young people in care (adopted, fostered or formerly in care), once they have reached the age of majority or have been emancipated. Applicants must be able to access certain information from the biological mother's medical history that may be relevant to their own health.

No. In cases of rectification or deletion of data, data protection regulations impose a duty to block. This entails identifying the data and setting it aside outside the usual work circuits, and adopting measures that prevent its processing, so that it is available only to judges and courts, the public prosecutor's office or the competent public administrations (in particular, data protection authorities) for the purpose of establishing any liabilities arising from the processing, and only until those liabilities become time-barred.

No. Healthcare provided by the centres and services of the public health network is not based on patients' consent, but on laws establishing that we all have the right to receive this service (section 4.1 of this guide).

By contrast, portability can indeed be requested from controllers (private health insurers, private-practice doctors, etc.) who process the data by automated means and on the basis of a prior decision by the patient who has contracted the service.

Healthcare regulations stipulate that patient record data should only be accessible, for care purposes, to the healthcare professionals who are treating the patient; these professionals must protect and respect the confidentiality of this information.

Through the right of objection, the patient may request, on grounds relating to their particular situation, that only certain professionals have access to this episode of care. However, this right may be limited if the healthcare centre can demonstrate that there are compelling legitimate grounds that must prevail (for example, if it could jeopardise the patient's healthcare or the proper functioning of the health system).

Granting the right of objection does not necessarily mean that the information will be deleted: by requirement of the Patient Autonomy Act, it must be retained for certain specified periods (section 1 of this guide).

The fact that the exercise of a right need not have the effect intended by the applicant (the effective deletion of data, for example) does not justify a lack of response. On the contrary, the controller must respond within one month and explain why the request is rejected. If the right has not been respected, a claim for protection of rights can be filed with the APDCAT.

You can contact the data protection officer (DPO) of the data controller. You can find their contact details in the information clause that the controller must provide you with when collecting the information.

Alternatively, and also if you do not agree with the response given by the data protection officer, you can contact the APDCAT.

Communicating health data by telephone carries the risk of providing information to a third party attempting to impersonate the patient. For this reason, it should be avoided unless protocols are in place to securely identify the person requesting the information.

No. Unless these individuals are involved in the patient's medical care, access would be inappropriate and would breach the principle of confidentiality. The mere fact of working in a healthcare centre does not permit access to a colleague's information without their consent. The centre should provide its staff with appropriate instructions on this matter. The patient can lodge a complaint with the APDCAT or the judicial authorities.

No, unless they have the free, specific and unequivocal consent of the parents (or the children, from the age of 14), and provided they were adequately informed. Furthermore, if the photograph makes it possible to infer that the child has some kind of illness, consent must be explicit. The advertising purpose may be legitimate, but healthcare does not imply that patients' images can be disseminated.

The law allows family members who request it to receive a note with information about the patient they have accompanied. However, this note should only contain the minimum information necessary for the employee to request and enjoy the time off allowed by labour legislation to accompany a family member to the doctor.

The hospital can provide the room number (which is part of the patient's medical record) only to people who are related to the patient by blood or marriage, or to those accompanying them during their treatment. For all other visitors, the patient must give their permission.

When, in a doctor's opinion, a patient lacks the capacity to make decisions about their health (for example, due to a serious accident or a mental illness), people who have power of attorney for them, or who are related to them or are their de facto partner, can access their information.

Yes. People linked to the deceased by family ties or de facto, as well as their heirs, can request access to the deceased's medical record, unless the deceased had expressly prohibited it. Access by a third party to the medical record on the grounds of a risk to the third party's own health must be limited to the relevant data. Information that affects the privacy of the deceased, the subjective notes of professionals, or information that harms third parties should not be provided.

No. Access to a medical record without the patient's consent or without a healthcare reason that justifies it constitutes a violation of the principle of confidentiality of patient information. Therefore, medical professionals who, despite working in the same CAP (primary care centre), hospital, social healthcare centre, residential home, etc., are not involved in the healthcare treatment of a patient must not access their personal data.

When they attend to a patient referred by a collaborating social security insurer, healthcare centres may disclose the worker's diagnosis without their consent, for the purpose of managing financial benefits and the healthcare provided for occupational contingencies, as well as for monitoring and controlling the worker's temporary disability.

Yes. In the case of compulsory insurance, the law allows healthcare centres to claim from insurance companies the cost of the medical care provided to their policyholders. To do so, the entity must be able to disclose patient data to prove that the claimed healthcare has been provided.

Yes. If the data are necessary for the exercise of the right of defence or for compliance with the insurance contract, the hospital may disclose the patient's health data to its lawyers or to the insurer of the hospital itself or of the doctors concerned.

No. The provision of health-related data is strictly voluntary.

Yes. In this case, the recording of a surgical intervention does not serve a healthcare purpose but a teaching one, so the patient may authorise the processing of the images. The recording cannot be made if the patient does not consent. To use images or other data in teaching or scientific publications, the patient must not be identifiable.

Patients, or their representatives, can give permission for trainee students to be present during their care (for example, during an examination or medical review). Doctors should limit the presence of trainees when it is considered inappropriate due to the patient's clinical, emotional or social situation.

Last update: 19.12.2025