The applicable regulations allow the electronic sharing of medical records both to patients and their legal representatives or authorized persons.

Therefore, older people who want to obtain such documentation without paying a visit to a healthcare facility during a pandemic, but do not have the necessary technical means themselves, can use the services of other people. They just have to authorize them.

According to the president of the Office for Personal Data Protection, legal rules are sufficient to exercise the patient’s right to obtain medical documentation regarding his state of health and the health services provided to him (referred to in Article 23 (1) of the Act of 6 November 2008. on patient rights and the Patient Ombudsman).

Article 26 (1) 1 of this Act provides that the entity, providing health services, provides medical documentation to the patient or his statutory representative or a person authorized by the patient.

According to article 27 section 1 of the Act on Patient Rights, it specifies ways to share patient records and it indicates the ability to share documentation via electronic means of communication.

The Regulation of the Minister of Health of April 6 2020 on the types, scope and specimens of medical documentation and the method of its processing indicate the article 70 paragraph 1, that the documentation is made available preserving its integrity, confidentiality and authenticity, without undue delay, while in article 71 it is stated that in the event that access to documentation is not possible, the refusal is provided in electronic or paper form, as requested by the authorized body or entity. In all cases, the reason for the refusal is required. It should be noted that the provision of medical records via electronic means of communication should take place in accordance with security principles enabling verification of the applicant and guaranteeing the security of the data transmitted.

In the opinion of the President of UODO, a solution in the form of sending medical documentation at the request of not only the patient, but also his legal representative, or a person authorized by the patient, via the ePUAP profile, while maintaining the procedures resulting from the provisions of the Act on Patient Rights and the Patient Ombudsman, is acceptable in the light of the provisions of the GDPR. This solution allows to exercise the patient’s right to access medical records regarding his state of health and the health services provided to him while reducing the risk of direct receipt of documentation during the COVID-19 epidemic.

If other electronic means of communication are used, the hospital as an administrator should assess whether they guarantee an adequate level of security of transmitted data contained in medical records.

SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA POLONIA – UODO