Patient Privacy

People who need to benefit from health services have rights guaranteed by the Constitution of the Republic of Turkey, international treaties, laws and other legislation, regardless of their citizenship, simply because they are human beings. In the face of this right, institutions and organizations providing health services and personnel providing health services have an obligation to provide services in accordance with justice and equity.

In addition to the right to benefit from health services and the right to receive information about their health status, patient privacy is one of the important topics included in these obligations.

What is Patient Privacy?

Patient privacy is one of the most important issues in the Patient Rights Regulation. The obligation of healthcare personnel to protect patient privacy has been made compulsory and secured by legal regulations.

The World Health Organization’s definition of patient privacy also includes the phrase “the individual’s right to determine access to personal health information”. In the Guidelines on Quality Standards in Health published by the Ministry of Health, the concept of patient privacy is defined as “The living space that the patient has to disclose for the purpose of care and treatment (test results, information about his/her disease and treatment) or for any other reason, but wants to hide from the knowledge of all other individuals in the society”.

According to the explicit statement in the Patient Rights Regulation, “It is essential to respect the patient’s privacy. For this reason, the patient has the right to explicitly request the protection of his/her privacy. The situations covered by this request for protection of privacy are as follows:

• Conducting medical evaluations regarding the patient’s health status in confidentiality
• That the examination, diagnosis, treatment and other procedures requiring direct contact with the patient are carried out in an environment of reasonable confidentiality,
• Allowing a relative to be present in cases where there is no medical inconvenience,
• People who are not directly involved in the treatment should not be present during the medical intervention,
• Not to intervene in the patient’s personal and family life unless the nature of the disease requires it,
• Keeping the source of health expenditures confidential.

In addition, health personnel should know and understand the psychology of the patient and act accordingly. For example, some of the patient’s different demands arising from his/her socio-cultural structure or the patient’s sensitivities arising from the patient’s fear of the opposite sex health personnel should be taken into account and acted accordingly.

In health institutions where education is provided, the consent of the patient must be obtained in order for people who are not directly involved in the treatment of the patient to be present during the medical intervention. Otherwise, only health personnel who have a direct relationship with the treatment can be present.

We need to examine the procedures of patient privacy practices under different headings and take measures according to that environment. These headings are as follows:

• Privacy practices in outpatient clinics
• Privacy practices in doctors’ rooms
• Privacy practices in imaging units
• Privacy practices in clinics
• Privacy practices in intensive care units
• Privacy practices in dialysis centers
• Privacy practices in emergency services
• Privacy practices in public areas

When it comes to patient privacy, the first thing that comes to mind is the patient’s physical privacy or the privacy of patient information, but in fact we need to address it more comprehensively than that. When addressing these patient privacy practices listed above, they should be taken in all dimensions and structured in that way. We can list these dimensions as follows:

• Cognitive Privacy
• Physical Privacy
• Psychological Privacy
• Social Privacy

Privacy and Security of Patient Information

While obtaining the patient’s medical information, this process should be carried out in confidentiality. Healthcare personnel should take care to protect patient privacy not only when obtaining this information but also when ensuring its flow and recording. The transfer of patient information to other institutions or to persons not directly involved in the treatment constitutes a major breach of patient privacy.

Patients’ medical information stored in the system can only be viewed and processed by authorized healthcare personnel. Each authorized healthcare personnel has their own special user passwords, and in case of resignation or transfer to another position, their passwords are directly canceled and their access is cut off.

How should the patient’s health data be accessed?

Regulation No. 6698 on Personal Health Data regulated within the scope of the Law No. 6698 on the Protection of Personal Data addresses topics such as access to patient information and the concealment, correction, destruction and transfer of this information. Let us briefly summarize these headings.

A-) Access to Patient Data

We will examine access to patient data in six different ways.

1. Access to Data by Health Personnel

Healthcare personnel assigned with access to this information can only access it in a manner limited to the need for service. If the person has an e-papiz record, they can set the privacy preferences of their own health data. Individuals are informed in detail about the consequences of these preferences.

For persons who do not have an e-pulse record, limited to the exceptional purposes specified in Article 6/3 of the LPPD

a) Without any time limit by the family physician to whom the person is registered,

b) By the physician with whom the person has made an appointment to receive health care services, provided that it is limited to the day of the appointment and until the procedures directly related to the health service received are completed,

c) by the physicians working in the health service provider where the person enters to receive health care, provided that it is limited to a period of twenty-four hours,

d) It can be accessed by the physicians working in the health service provider where the patient is hospitalized, until the patient is discharged from the health service provider. These access rules may be re-evaluated by the Directorate General as long as the Ministry needs.

2. Access to Data by Ministry Units

Health data sent to the central health data system must be de-identified (anonymized). In order to match this information with individuals, certain persons are authorized by the General Directorate. These authorized persons may only exercise their powers in accordance with the Personal Data Protection Law, provided that they are limited to the planning and management of health services and financing, and to their duties of supervision and regulation.

3. Access to Children’s Health Data

Parents are not subject to any permission to access their children’s health information in e-papiz, but if the child has the power of discernment, he/she may request permission from his/her parents.

4. Access to Health Data by Relatives of Patients

Relatives of the patient can only be informed if the patient agrees, with his/her signature and written consent, to provide information to someone else. This signature and written consent must be recorded.

When the physician discloses the diagnosis of the patient, the patient may disclose this information to the patient’s relatives if the patient will be negatively affected by this information.

5. Access to Health Data by Lawyers

A general power of attorney is not sufficient for a lawyer to request a client’s health information. A special regulation is required. In this regulation, there must be a special provision indicating the explicit consent of the data subject regarding the processing and transfer of special categories of personal data.

6. Access to Health Data of the Deceased

The death of a person does not result in the loss of patient privacy. The health data of a deceased person must be kept for at least 20 years. The legal heirs of the deceased person can obtain the health data of the person by submitting the certificate of inheritance.

B-) Confidentiality of Patient Health Data

The person may request that no one is informed about his/her health condition. This request of the person shall be received in writing. All necessary technical and administrative measures are taken to ensure that the decisions to confidentialize the data of the persons for whom confidentiality decisions are made are only known by the persons who need to know as required by their duties.

C-) Correction of Personal Health Data

The person concerned should apply to the Provincial Directorate of Health to which the health service provider is affiliated for the correction of the health information about him/her. The correction process is realized upon the application of the Provincial Directorate of Health to the Directorate General.

D-) Destruction of Personal Health Data

Article 7 of the Personal Data Protection Law and the provisions of the Regulation on Deletion, Destruction or Anonymization of Personal Data shall apply.

E-) Transfer of Personal Health Data

Requests for transfer of personal health data are divided into domestic and international. The provisions of Article 8 of the LPPD for domestic and Article 9 of the LPPD for international transfers should be applied. These transfer requests are evaluated by the Ministry within the framework of the relevant legislation and are established by the Directorate General as a result of this evaluation.

Under which circumstances can patient information be disclosed?

Patient privacy may be disclosed in certain circumstances. This information cannot be disclosed except as permitted by law. Even if it is based on the consent of the person in some cases, the responsibility of the person disclosing the information does not disappear in cases that result in the complete renunciation of personal rights, transfer of these rights to others or excessive limitation.

Disclosure of information that is likely to harm the patient without a legally and morally valid and justifiable reason also entails the civil and criminal liability of the personnel and other persons. In activities carried out for research and education purposes, the patient’s identity information cannot be disclosed without his/her consent.

In some cases, the patient’s health data loses its confidential nature. Some situations such as anonymization, consent of the person concerned, archiving can be given as examples. Except for these;

• Suspicious death and forensic case,
• Incident of domestic violence

In such cases, it is mandatory for staff to report this situation. In addition, the physician may disclose this information to the patient’s relatives if the patient will be negatively affected by this information.

What can be done if patient privacy is violated?

The principle of “respect for private and family life”, which is guaranteed by the European Convention on Human Rights and the Constitution of the Republic of Turkey, and the issue of “respect for patient privacy”, which is protected by the published regulations, is of great importance in our country. Patient privacy is subject to great penalties, no matter by whom, by which means or means it is committed.

Patient rights are addressed within the scope of the Patient Rights Regulation, which was finalized with the amendments made in 2014. These patient rights should be placed by the authorities of health institutions and organizations in a list, signboard or brochure in health institutions and organizations in a way that can be easily read.

In case of patient violations, the patient or the patient’s relatives who are related to the patient have the right to apply, complain and sue. The person can exercise these rights within the framework of the responsibilities of institutions and organizations, physicians or health personnel. We can examine these responsibilities according to three different sanctions: administrative, civil and criminal. First, let us examine the responsibilities of institutions and organizations.

1. Responsibility of Institutions and Organizations

We can evaluate these institutions and organizations in two different ways as public and private. If the institution and organization that employs the personnel in violation of patient rights is private, the person whose rights are violated may file a lawsuit against that institution and organization for material or moral or both material and moral compensation. However, if the authority to be sued is a public institution and organization, the provisions of the Administrative Judicial Procedure Law No. 2577 shall apply.

According to the relevant provision of the relevant law, if the person whose right has been violated due to an administrative act, the person whose right has been violated due to an administrative act, may file a full judgment lawsuit directly to those concerned, or may file annulment and full judgment lawsuits together, or may first file an annulment lawsuit and file a full judgment lawsuit within the period of filing a lawsuit upon the decision of this lawsuit.

In addition, pursuant to Article 13 of the same Administrative Judicial Procedure Law, the person may apply to the administration within one year at the latest from the date of learning of the damaging act, showing the amount of compensation requested as pecuniary and non-pecuniary compensation separately, and if this request is explicitly or implicitly rejected (rejection by leaving it unanswered), he/she may file a lawsuit before the administrative judicial authorities within the legal period.

2. Liability of Physicians and Health Personnel

The physician’s obligation to keep confidentiality is a responsibility within the obligation of loyalty. The basis of this responsibility is the right to inviolability of the person under Article 17 of the Constitution. In addition, according to Article 24 of the Turkish Civil Code, any attack on personal rights is against the law.

We can divide the responsibility of physicians and health personnel into those working in the public sector and those working in the private sector.

• Physicians or auxiliary personnel working in a public hospital have the status of public personnel. The relationship established as a result of the patient’s application to the hospital is between the patient and the hospital. If the hospital is a public hospital, this relationship is a public law relationship. In other words, the person with whom the patient establishes a legal relationship is not the physician but the administration.
• As mentioned above, the legal liability of civil servants and other public officials cannot be realized through a lawsuit filed directly against the civil servant. The lawsuit can only be filed against the administration, and if a compensation decision arises as a result of this lawsuit, only then the legal responsibility of the public personnel comes to the agenda.
• Depending on the nature of the act of the public employee, if a disciplinary penalty is proposed by the investigator, the disciplinary penalties stipulated by the legislation are duly assessed by the authorized supervisors or boards. If the violation of rights in question constitutes a criminal offense, the decision of necessity of judgment to be given by obtaining permission from the supervisor is sent to the Chief Public Prosecutor’s Office and a criminal case is initiated.
• If the hospital is a private hospital, the contract is also established between the patient and the private hospital in question. This contract is called the ‘Hospital Admission Contract’. For this reason, the responsibility of physicians and health personnel working in private hospitals is evaluated within the framework of the Turkish Code of Obligations. In addition, these persons may be punished with disciplinary penalties upon the direct complaint of the patient whose rights have been violated or upon separate detection.
• In addition to disciplinary penalties, these persons may be sued directly or against the institutions and organizations that employ them or against both themselves and their employers in accordance with the general provisions. If there is a situation that constitutes a crime according to criminal law, persons may be subjected to criminal sanctions through a denunciation or complaint to be made directly to the public prosecutor’s office in accordance with the general provisions.

Where Can I Apply If Patient Privacy is Violated?

As mentioned above, we need to examine these violations under different headings depending on whether they are public or private. Both the sanctions to be applied and the types of lawsuits against the two differ.

In cases where the patient’s right to respect privacy, which is a patient’s right, is violated, the person has the right to apply, complain and sue within the framework of the legislative rules. In order to exercise these rights, a Patient Rights Unit and a Patient Rights Board are established in hospitals, regardless of whether private or public. These two structures work in coordination with each other.

If there is a violation of privacy, the person should go to the Patient Rights Unit and fill out a form. If this application is of a nature that can be solved on the spot, it is solved by the unit. Otherwise, the unit records this form and sends it to the Patient Rights Committee. Patient rights boards are obliged to evaluate the application files in terms of violation of patient rights and present their opinion to the administration. The administration takes necessary measures and initiatives. The Board evaluates the incoming application files within 15 days and makes a final decision within the framework of the patient rights legislation. This period starts from the receipt of the application by the unit. A file is prepared for the health worker who has been subjected to more than 2 rights violation decisions in the last 6 months and this file is sent to the Health Professions Board.

Applications that are subject to judicial proceedings or administrative investigations are not discussed by the board. In this case, if the violation of patient privacy occurs in a private institution and organization, both material and moral compensation lawsuits can be filed against this place. In this case, the competent court is the Consumer Courts. If it occurs in a public institution and organization, a full judgment or annulment lawsuit or both can be filed at the Administrative Court.

In addition, if there is a breach of the physician’s obligation to keep secrets, then breach of contract, unlawful infringement of personal rights and violation of the privacy of private life will come to the fore.

Why Us?

As Güneş & Güneş Law Office, we offer professional legal advice to our clients with our expert team of lawyers, deep experience and extensive knowledge in the field of Personal Data Protection Law. We work meticulously to ensure that our clients achieve the best result by effectively defending their rights in personal data breach claims. We are at your side with our mission to provide our clients with a reliable and effective solution by minimizing the complexity of legal processes.

Frequently Asked Questions