THE RIGHT OF PATIENTS TO ACCESS THEIR MEDICAL RECORDS DOES NOT INCLUDE IDENTIFYING THE MEDICAL PROFESSIONALS WHO HAVE ACCESSED THIS INFORMATION
A recent ruling by the First Section of the Administrative Litigation Chamber of the Spanish National Court concludes that the right granted to patients to access their medical records only covers the knowledge of the information under treatment but does not include, under any circumstances, knowing which individuals within the responsible organization have had access to that information. The Spanish Data Protection Agency (AEPD) has resolved similar issues in recent legal reports to address such discrepancies.
The First Section of the Administrative Litigation Chamber of the Spanish National Court ruled on January 10, 2024, in case number 223/2022, that access to patients' medical records does not include knowing the identity of the third parties who have accessed the information. The ruling stems from an appeal by an individual against a decision by the AEPD, which dismissed the claimant's request to require the Aragonese Health Service to identify the persons who had accessed the patient's electronic medical record.
The crux of the controversy is resolved in this ruling, which reiterates the AEPD's stance on this matter in similar cases. The patient's request to identify the third parties who accessed their medical record was denied by the Aragonese public health service, citing previous resolutions by the AEPD that denied the possibility of identifying the third parties who accessed the information: “In response to the request for the names of the persons who have accessed your electronic medical record, please be informed that, upon consulting the Spanish Data Protection Agency in a situation similar to this, it issued a report on April 24, 2012, stating: 'The right of access is one of the rights of individuals regarding personal data regulated in Title III of the LOPD. Within this framework, Article 15.1 LOPD states: The interested party shall have the right to request and obtain free of charge information about their personal data undergoing processing, the origin of such data, as well as the communications made or planned to be made with them. Therefore, in accordance with this definition, the right of access encompasses the knowledge of the data under treatment, their origin, and possible transfers. But it does not include determining which individuals, in the data processing, have accessed the information. Thus, the right granted to the interested party by law would only cover the knowledge of the information under treatment, but not which individuals within the organization of the data controller have had access to said information, as the Spanish Data Protection Agency has already indicated in resolving issues similar to the one raised in the present case.'”
Subsequently, the patient filed claims with the AEPD against the Valencian Ministry of Health and the Aragonese Health Service. The Spanish Agency dismissed this claim, which was then the subject of an administrative appeal resolved in the ruling analyzed in this article.
The patient's appeal was based on the vagueness and generality of the AEPD's response to the submitted claims, considering that the resolution lacked sufficient reasoning and was detrimental to their right to effective judicial protection.
The National Court analyzed the content of the challenged resolution, finding it pertinent and sufficient in its content, as it addresses the claimant's essential concern: “In response to this, it must be indicated that indeed the challenged Resolution, after generally invoking the treatment of health data, referencing the patient's medical record, the custodians responsible, and the rights to rectification, erasure, and opposition, with specific reference to the right of access to such medical record, concludes by succinctly reasoning, concerning the specific case, that: '(...) after analyzing the documents provided and the concurrent circumstances, there are no rational indications of an infringement within the competence of the AEPD, so, in accordance with the provisions of Article 65.2 of Organic Law 3/2018, of December 5 (Law 19303/2018), it is decided to dismiss the claim.'”
The Chamber supports the AEPD when it states that the essence of the right of access to patients' medical records is not configured as a way to obtain information about the identity of a third party who, within the organization of the data controller, might have accessed the medical record, nor as a means to evaluate whether the accesses were adequately justified.
At this point, we recall that the right of access to patients' medical records is configured in Law 41/2002, of November 14, which regulates patient autonomy and rights and obligations in terms of clinical information and documentation. This law regulates the right to healthcare information as a right of patients to know, due to any action in the realm of their health, all available information about it, except in cases excluded by law. Furthermore, everyone has the right to have their wish not to be informed respected, and the information, which as a general rule will be provided verbally, should be documented in the medical record, including at least the purpose and nature of each intervention, its risks, and consequences. Clinical information is part of all healthcare actions, should be truthful, communicated to the patient in a comprehensible and suitable manner for their needs, and help them make decisions according to their own free will; the doctor responsible for the patient also guarantees the fulfillment of their right to information. Professionals attending to the patient during the care process or applying a specific technique or procedure are also responsible for informing them.
The medical record and its access are configured in Article 15 of this Law, which indicates that it will include the information considered crucial for the truthful and updated knowledge of the patient's health status. Every patient or user has the right to have the information obtained in all their healthcare processes, carried out by the health service in both primary and specialized care, recorded in writing or the most appropriate technical support, aimed primarily at facilitating healthcare, recording all data that, under medical criteria, allow the truthful and updated knowledge of the health status.
The medical record is also an instrument mainly intended to guarantee adequate patient care, and healthcare professionals at the center who diagnose or treat the patient have access to the patient's medical record as an essential instrument for adequate care. The law itself establishes who can access medical record data when it indicates that administrative and management staff of healthcare centers can only access the data related to their functions, that duly accredited healthcare personnel performing inspection, evaluation, accreditation, and planning functions can access medical records in the performance of their duties of verifying the quality of care, respecting patient rights, or any other obligation of the center regarding patients and users or the healthcare administration itself. Furthermore, personnel accessing medical record data in the performance of their duties are subject to confidentiality obligations.
Access to the medical record is regulated in Article 18, which establishes that the patient has the right to access the documentation in the medical record and to obtain copies of the data it contains. Healthcare centers will regulate the procedure to ensure these rights are observed.
In line with this, and regarding who can or has the right to access the medical record, it can be summarized as follows:
Access by the physician: healthcare professionals who diagnose or treat the patient. If there is no justified healthcare reason, they would be violating the patient's privacy. Only personnel directly involved in the patient's care process can access the medical record.
Access by the patient, the owner of their medical record: upon a patient's request for their medical record, healthcare centers are obliged to deliver it through a procedure ensuring the observation of basic rights regulated in Article 18 of Law 41/2002 on Patient Autonomy and Rights and Obligations regarding clinical information and documentation. All centers must preserve clinical documentation in conditions that guarantee its confidentiality, correct maintenance, integrity, and security. They should have mechanisms to facilitate user management, typically through Patient Care Services (SAP), responsible for receiving the request and forwarding it to the archive/documentation departments to be resolved within 30 days of the request. Delivery is preferably personalized, with written acknowledgment of receipt.
Access by third parties: Article 18.2 of the Patient Autonomy Law allows third-party access through duly accredited representation or in the case of a declared incapable patient, as well as emancipated persons and those aged 16 and over.
To understand the context of this ruling, one must consider the AEPD's position on the right of access to the "data record". The National Court repeatedly refers to previous reports by this Agency, which, in general terms, has a consistently reiterated stance in its legal reports and explicit resolutions that patients do not have the right to know who has accessed their medical record.
In Legal Report 171/2008, it is clearly stated: “It must be considered that knowing the specific users within the organization who have accessed the personal data in the medical record cannot in any case be understood as included within the right of access attributed to the affected party by Organic Law 15/1999, as this Spanish Data Protection Agency has had the opportunity to indicate in repeated resolutions, (…). Therefore, the revelation of the data of the healthcare professionals or staff who attended to the affected parties will not be covered by the exercise of the right of access, and it is not appropriate to grant it regarding this point.”
The same criteria are upheld in Resolution R/02036/2010 of October 7, 2010 (Procedure TD/01057/2010). The interested party had requested from a hospital center “the data of the persons who had accessed their electronic medical record”. The hospital denied the request, prompting the submission of a claim to the Data Protection Agency, alleging that their right of access had not been addressed. The resolution dismisses the claim, arguing solely that “according to the LOPD, the claimant can only request their personal data or those of persons they represent.”
The Data Protection Agency of the Community of Madrid maintains the same stance, stating: “In no case do the accesses made by users of the medical record in the exercise of healthcare activities constitute personal data or data transfers. The criteria expressed by this Agency in previous reports have always been that access tracking to files containing personal data should not be provided to the requester exercising the right of access.”
Moreover, the laws require the unequivocal and personal identification of all individuals who access a medical record. Each access must record, at a minimum, the user's identification, the date and time it was made, the accessed file, the type of access, and whether it was authorized or denied. At this point, it can be affirmed that to guarantee patients' right to privacy, the legal framework mandates that there be a register that must be kept for at least two years, recording the identification of all individuals who have accessed the medical record.
From the set of rules governing data protection and medical records, it is clear that patients have the right to ensure the confidentiality of their health data and that no one can access it without prior authorization sanctioned by law. The laws strictly regulate who can access a medical record and for what reasons, and require the unequivocal and personal identification of all individuals accessing it, which must be recorded in a register.
In conclusion, while the medical record is always and exclusively the patient's property, and they have the right to access and use it within the legal terms and limits, this right is not unlimited. It involves a series of restrictions that protect other rights of third parties and does not include, among other things, identifying the medical professionals (by name and surname) or other persons who have accessed the medical record.
Thus, the right to access the medical record should be understood as a legally protected right in all areas but, like most rights, limited and restricted to protect not only third parties who might be harmed but also regarding its content, which is determined not by the patient’s choice but by specific legal regulations. And it does not include, as seen in the National Court ruling and other public body provisions, determining the medical professionals or third parties who may have accessed it.