Is it possible to know the names of the professionals who have accessed my medical records?
Do you wonder if it is possible to know the names of the professionals who have accessed my medical records? Many court rulings have sentenced physiotherapists, doctors, nurses, etc. to several years’ imprisonment and even more disqualification for accessing medical records without authorisation.
Headlines such as the following abound in our daily lives:
“The Supreme Court upheld the sentence of two years and six months for two physiotherapists from a public hospital who entered the clinical record of a colleague and commented on it in front of other patients”.
“The Pontevedra High Court sentences a nurse to three years and ten months in prison for accessing the medical records of her ex-boyfriend and her partner more than 300 times”.
If Law 41/2002 regulating patient autonomy establishes that access to medical records is limited to healthcare personnel directly involved in the patient’s treatment, and that, therefore, this data cannot be consulted by healthcare personnel without a cause justified by law, how can we know if healthcare personnel are in breach of this Law?
Although it seems simple, or rather it should be, it is by no means simple, and in this article we will see why.
Who can access my medical records?
As we have already mentioned, access to a patient’s health data, as medical records, by healthcare personnel for their own purposes may entail liability, not only for the professional, but also for the entity where they work.
However, there are some exceptions to this general rule, in the following cases:
- On the occasion of an investigation by order of the competent judicial authority, and only for the specific purposes of such investigation.
- For epidemiological reasons, to prevent serious health risks or dangers to the population.
- To plan and evaluate the quality of care, provided that it is carried out by accredited healthcare personnel.
However, as a general rule, only the healthcare professional treating the patient will be able to see your medical records.
Right of access to medical records and data protection
The Spanish Data Protection Agency (AEPD) in legal report 171/2008 and in Resolution R/00948/2011 included this important limitation to the right of access to medical records, warning that, unless a law expressly permits it, the right of access does not include the identification of the healthcare professionals who access the medical records.
In other words, when a patient exercises his or her right of access on the grounds of suspicion of non-consensual access, such information does not include knowing who has access to the medical record.
This has been criticised on several occasions by the industry as contradicting privacy regulations. As a result, you can access the information contained in your medical records, but not who has had access to them.
Alternatives for accessing the data of healthcare professionals who have visited my medical records without authorisation
If you are aware that your medical records have been improperly accessed, you can submit a request for review of this data to the health inspectorate of the corresponding autonomous community, whose functions include reviewing and assessing this type of request and, if it considers it necessary, requesting this data for study and taking any action it deems necessary in view of the data.
However, this does not mean that, a priori, the body responsible for analysing such improper access will provide us with the personal data of the healthcare professionals who have accessed the medical records, but rather that these data will only be accessible to the inspecting staff, who will take the appropriate measures in accordance with the applicable regulations.
Alternatively, the Provincial Court of Las Palmas, sec. 6ª, A 07-12-2022 in a case in which a patient had indications that his relatives had improperly accessed his medical records that although “the Complainant requests the Canary Islands Health Service to provide him with information on the persons who have accessed his medical data and they inform him of when it was accessed and from where, but not the identity of the person who did it, as this is prevented by the Data Protection Agency, and from where, but not the identity of the person who did it, because the Data Protection Agency prevents it, and a complaint is filed so that the judicial authority can order the administrative authority to provide the identity details of the persons who have accessed the patient’s medical records in case the facts constitute a crime. “
(…) “In the case under examination, there is no reason or motive to justify, in principle and for the sole purpose of this resolution, access from Arucas to the medical records of a patient in Vecindario.
For this reason, and due to the fact that the simple unjustified access is already a criminal offence, the appeals are justified in order to investigate the offence, in other words, to order the SCS to provide the identity of the persons who accessed the complainant’s medical records at the Arucas Health Centre on 30 August, 20 September, 11 October and 2 November, all of these dates in 2021.
Likewise, the examining magistrate will also investigate any access carried out on other dates from this or any other hospital centre that he considers suspicious and unfounded, that is to say, where there are indications that there is no reason to justify it”.
It follows that, in the event of well-founded suspicions, the judge investigating the case (following a complaint by the interested party) may request the competent administrative body to forward to the court the personal data of those persons who have improperly accessed the patient’s medical records.
At Letslaw by RSM our team of data protection lawyers, can advise you if you need help with who have accessed to your medical records or any other enquries regarding digital legal aspects.
Letslaw es una firma de abogados internacionales especializada en el derecho de los negocios.