Single Blog Title

This is a single blog caption

Sharing Patient Records and Test Results at a Private Hospital

1. Introduction: The Question "Should We Tell Your Family About Your Results?" at a Private Hospital

Almost everyone who visits a private hospital knows that their personal information, phone number, address, payment details, and test results related to their illness are stored in a system during registration. However, it often remains unclear with whom this information is shared, how it is shared, and on what legal basis

  • The test results should be given to the spouse, parents, employer, and insurance company
  • Results will be sent via SMS, email or WhatsApp
  • Hospital staff having "excessive" access to patients' health information,

Such practices the Personal Data Protection Law No. 6698, the Regulation on Personal Health Data, the Patient Rights Regulation , and other relevant legislation.

This article will detail the conditions under which private hospitals can share patient records and test results , the limits they should not exceed , and patients' rights under the Turkish Personal Data Protection Law (KVKK )


2. The Personal Data Protection Law (KVKK) and the Legal Nature of Personal Health Data

2.1. What are personal data and special categories of personal data?

According to Law No. 6698 on the Protection of Personal Data (KVKK), personal data is any information relating to an identified or identifiable natural person . Health data, however, falls under the category of "special categories of personal data" listed in Article 6 of the Law

Special categories of personal data include data on a person's:

  • health,
  • sexual life
  • biometric data,
  • genetic data

It includes information such as this, and this data to a stricter protection regime .

Therefore, those held in a private hospital:

  • patient's diagnosis,
  • laboratory test results
  • imaging (MRI, CT scan, X-ray, etc.),
  • epicrisis reports,
  • prescriptions,
  • medications the patient is using,
  • surgical notes,

All of this is sensitive personal health data.

2.2. Regulation on Personal Health Data

The Regulation on Personal Health Data , published in the Official Gazette on June 21, 2019 , regulates the detailed rules regarding the processing of health data.

This Regulation:

  • The principles according to which health data will be processed,
  • Who can access the data and at what level of authorization?
  • How long the data will be stored,
  • Transferring data to a central health data system (e.g., e-Nabız),

It details and connects all healthcare providers, including private hospitals.


3. What are the patient records and test results kept in private hospitals?

Private hospitals process a large amount of patient data into their systems for every healthcare service they provide. This data typically includes:

  1. Identity and contact information
    • Full name, Turkish National Identity Number/Passport number
    • Address, phone number, email, etc.
  2. Demographic data
    • Date of birth, gender, marital status, occupation, etc.
  3. Medical records
    • Application complaint, medical history,
    • Examination findings,
    • Examination and imaging requests and results,
    • Consultation notes, medical summary reports.
  4. Financial and administrative data
    • Payment information, insurance information,
    • SGK provision records,
    • Invoices, receipts.
  5. Electronic access data
    • Patient portal/e-Nabız login logs,
    • Transactions within the hospital's mobile application.

This data is protected under both patient rights (privacy, right to information) and the Personal Data Protection Law (KVKK ). The Patient Rights Regulation also explicitly emphasizes that the patient's private life and health information will be protected in confidentiality


4. Conditions for Processing and Sharing Patient Data

4.1. General principles of the Personal Data Protection Law (KVKK)

According to Article 4 of the KVKK (Law on Protection of Personal Data), the following principles must be observed when processing personal data:

  • Compliance with the law and principles of honesty
  • Being accurate and up-to-date when necessary
  • Processing for specific, explicit and legitimate purposes
  • Being relevant to the purpose for which they are committed, limited and proportionate
  • Retention for the period stipulated in the relevant legislation or for the period necessary for the purpose for which they were processed

Similarly, the Regulation on Personal Health Data stipulates that health data can only be processed in accordance with the procedures and principles set forth in the Law and the Regulation, and that the processing activity must be limited to the purpose and proportionate .

4.2. Conditions for processing special categories of health data

According to Article 6 of the KVKK (Law on Protection of Personal Data), health data can, as a rule, be processed with the explicit consent of the data subject ; however, it can be processed without explicit consent in the following cases :

  • Protecting public health,
  • Preventive medicine encompasses the provision of medical diagnosis, treatment, and care services
  • Planning and management of health services and their financing,

provided that and by persons or authorized institutions and organizations that are obligated to maintain confidentiality

This provision applies to private hospitals:

  • To be able to diagnose the patient,
  • Being able to plan the treatment,
  • Ability to manage the provision and payment processes with SGK (Social Security Institution) and private insurance companies

It also states that it can process health data without obtaining explicit consent . However, this does not mean that "all data can be shared with everyone"; sharing should only be done with individuals and institutions where it is necessary, and only for the intended purpose .


5. With Whom Can Test Results Be Shared at a Private Hospital?

5.1. The patient himself/herself

The primary recipient of test results and medical documents is the patient themselves. The patient:

  • By proving their identity,
  • By applying to the relevant department of the hospital,

The patient may request test results and medical documents. The hospital is obligated to fulfill the patient's right to access information and view their file under Article 11 of the Personal Data Protection Law and the Patient Rights Regulation

5.2. Legal representative (guardian, trustee)

  • For minors, parents (guardians),
  • Guardian for those under guardianship,

A doctor can request test results on behalf of the patient. In this case, sharing only be done with a legally authorized person . For example, in the case of divorced spouses, providing all health data about a child to the parent who does not have custody is a sensitive issue requiring case-by-case evaluation.

5.3. Patient's close relative (spouse, mother, father, sibling, etc.)

This is where the most problems arise in daily practice. Hospitals sometimes:

  • When looking for a partner, they'll say, "Your results are out, you have this diagnosis,"
  • When the parents call, they are told, "Your daughter's pregnancy test is positive."

They can share information such as this over the phone.

The basic principle here is:

Unless the patient has explicitly consented or instructed specific individuals (for example, by stating "you can share my results with my spouse"), their health data should not be shared even with family members.

Various decisions of the Personal Data Protection Board show that sharing health data with unauthorized third parties to administrative fines .

5.4. Sharing with the employer

Some private hospitals may wish to send reports and test results to employers as part of occupational health services or contracted healthcare agreements. The Personal Data Protection Board has deemed the sharing of highly sensitive data, particularly regarding addiction treatment, with employers as a serious violation.

As a rule:

  • The employer may be sent limited reports indicating the employee's suitability for the job (e.g., "suitable/unsuitable").
  • Details of an employee's health condition and test results without the employee's explicit consent .

5.5. Sharing with private insurance companies and the Social Security Institution (SGK)

  • Data sharing with SGK (Social Security Institution) is mandatory for the financing of health services and according to legislation, and can be done within the framework of the relevant Law and secondary regulations
  • private health insurance companies is often legally justified by provisions in the policy texts and the insured's consent; the principles of "proportionality" and "limitation to purpose" are crucial here.

Instead of sharing all the test results with insurance company employees, only the portion necessary for evaluating the compensation claim is a more compliant approach under the Turkish Personal Data Protection Law (KVKK).

5.6. Judicial authorities, prosecutor's office and law enforcement

Sending patient files and test results upon request from courts or prosecutors legal obligation . Here:

  • The scope of the request letter,
  • The file's confidentiality level,
  • Please send in a sealed envelope if possible

Methods such as these must be used to comply with both the Personal Data Protection Law (KVKK) and the privacy provisions in the Patient Rights Regulation.


6. Electronic Sharing: SMS, Email, WhatsApp, Patient Portals

6.1. Sending results via SMS and email

Many private hospitals notify users via SMS when test results are ready, while some also provide direct access to results via a link. Here:

  • The SMS was sent to the wrong number
  • The email being read by third parties,

Such risks a data breach . The Ministry of Health's guidelines specifically address these types of situations under the heading "Personal data inadvertently transmitted to another person."

Because:

  • Instead of directly writing the diagnosis and test results in the message,
  • Sending a one-time link or verification code to log in to a secure portal,

It is a safer method.

6.2. WhatsApp and similar messaging applications

Through apps like WhatsApp:

  • Please send the laboratory results as a PDF
  • Sharing MRI images,

This is frequently observed in practice. However, such practices are often considered by the Personal Data Protection Board as methods that unnecessarily increase risk . The hospital, as the data controller:

  • Even if the application has end-to-end encryption,
  • Data being viewed by third parties via the phone screen,
  • Losing or having your phone stolen,

It is responsible for preventing risks such as these. Therefore, institutional, auditable, and logable patient portals should be preferred.

6.3. Patient portals and e-Nabız (electronic health record system)

In Turkey, most public and private healthcare institutions transfer their data to the Ministry of Health's central health data system and e-Nabız platform. According to the Private Hospitals Regulation, personal health data recorded by private hospitals must be transferred to this system within the framework of the procedures and principles determined by the Ministry.

In this situation:

  • Patients can securely view their test results by logging into their e-Nabız account via the e-Government portal.
  • However, it is entirely up to the patient to share their e-Nabız password with their family or send a screenshot; this is outside the hospital's responsibility.

7. Obligations of Private Hospitals under the Personal Data Protection Law (KVKK)

7.1. Data security obligation (KVKK Article 12)

Data controller (private hospital) according to Article 12 of the KVKK (Turkish Personal Data Protection Law):

  • The unlawful processing of personal data,
  • Unlawful access,
  • Damage to the data,

They must take the necessary technical and administrative measures to prevent this .

In this context:

  • Role-based definition of access permissions (each employee should only be able to access records within their area of ​​responsibility, not all files),
  • Logging and monitoring unauthorized access attempts,
  • Personnel should undergo periodic training on GDPR and patient privacy
  • Keeping physical archives locked away,
  • Keeping systems and software up to date,

These are among the necessary measures.

In a decision by the Personal Data Protection Board, it was deemed a serious violation that all outpatient clinic personnel and doctors in the hospital had unrestricted access to the data of all patients in the system, and an administrative fine was imposed.

7.2. Obligation to inform

The hospital informs the patient before or at the latest when data is obtained, in case of any data processing activity:

  • Identity of the data controller,
  • The purpose for which the data will be processed,
  • To whom and for what purpose it will be transferred,
  • Collection method and legal basis,
  • Your rights under Article 11 of the KVKK (Personal Data Protection Law),

They are obliged to provide information on these matters . In practice, this is usually included in the "KVKK Information Text" and the "patient consent form".

7.3. Situations requiring explicit consent

The processing of health data is not always based on explicit consent; as mentioned above, processing is possible without explicit consent in diagnostic and treatment processes and in cases stipulated by legislation. However:

  • Advertising and promotional activities,
  • Using the patient's photo/video on social media and websites,
  • Transfer of health data to third parties such as employers,

Such situations often explicit consent . In its decision numbered 2023/787, the Personal Data Protection Board deemed it a serious violation for a private hospital to use images of its patients for advertising purposes and imposed an administrative fine.


8. Sharing Health Data in Light of the Decisions of the Personal Data Protection Law Board

The decisions of the Personal Data Protection Board constitute important precedents regarding how private hospitals should operate:

  • Decision No. 2018/143: The pharmacy's sharing of a patient's medication information with third parties was deemed a violation, emphasizing the extremely sensitive nature of health data.
  • Decision No. 2022/594: The reporting of data of a person undergoing addiction treatment to their workplace was deemed an unlawful transfer, as it could have serious consequences directly affecting the individual's work and social life.
  • Decision No. 2023/787: The hospital was held responsible for unlawful data processing and transfer because it used the patient's images not for informational purposes, but effectively as advertising; it was emphasized that the content of the "consent form" would not be automatically considered valid.

In light of these decisions:

  1. Medical examination results containing health data should not be shared with any person or platform that is not mandatory.
  2. The information and explicit consent texts clear, understandable, and specific .
  3. Patient consent should not be exploited through broad and vague language in areas such as advertising, campaigns, and commercial communications .

It is becoming particularly important.


9. Patient Rights under the Personal Data Protection Law (KVKK)

According to Article 11 of the KVKK (Turkish Personal Data Protection Law), the patient (data subject) may apply to the data controller (private hospital) by:

  • To find out whether your personal data is being processed,
  • Request information regarding processing, if applicable
  • To understand the purpose of data processing and whether it is being used appropriately for that purpose
  • Knowing the third parties to whom the data is transferred, domestically or internationally
  • Requesting correction if data has been processed incompletely or incorrectly
  • Even if processed in accordance with the Personal Data Protection Law (KVKK) and other relevant laws, you have the right to request the deletion or destruction of your personal data if the reasons requiring its processing no longer exist
  • Requesting that these processes be notified to third parties to whom the data is transferred,
  • The right to object to an outcome that is detrimental to oneself, resulting solely from the analysis of data by automated systems
  • The right to claim compensation for damages incurred as a result of the unlawful processing of data

They have rights.

For example:

  • If a patient believes that their test results have been transferred to their employer or an insurance company without their consent, they can first file a written complaint with the hospital .
  • If the hospital does not respond to the application within 30 days, or if the patient finds the response inadequate, they can file a complaint with the Personal Data Protection Board (KVKK )

10. Remedies in Case of Human Rights Violation

10.1. Application to the data controller

The first step a written application to the private hospital, which is the data controller according to the Turkish Personal Data Protection Law . The application:

  • The petition to be submitted to the hospital,
  • Via the KEP address,
  • Using UETS or e-signature,

It can be done. In the application:

  • The alleged violation occurred during an incident (e.g., informing a spouse of the results over the phone),
  • History and any evidence available,
  • Request (deletion, correction, compensation, etc.),

It should be clearly stated.

10.2. Complaint to the Personal Data Protection Board

If the data subject considers the response from the data controller inadequate or if no response has been given, a complaint with the Board. The Board, after conducting its investigation, will:

  • Detection of the violation,
  • Imposition of administrative fines,
  • Instructions to remedy the violation,

They can make decisions like these.

10.3. Liability for damages and penalties

Article 14 of the Personal Data Protection Law (KVKK) stipulates that data subjects a compensation lawsuit according to general provisions . In this context, the patient:

  • Material losses (e.g., loss of job),
  • Moral damages (violation of privacy),

can claim compensation.

In addition, offenses related to the recording, unlawful disclosure, or unauthorized acquisition of personal data under the Turkish Penal Code may also come into play (Turkish Penal Code, Articles 135 et seq.).


11. Compliance Recommendations for Private Hospitals

Private hospitals must take the following steps to comply with the Personal Data Protection Law (KVKK) and health legislation:

  1. Data inventory and process analysis
    • A detailed list should be compiled showing which data was collected where, who processed it, and to whom it was transferred.
  2. Putting policies and procedures in writing
    • Written procedures should be established for the processing, storage, destruction, and transfer of personal data.
  3. Authorization and access control
    • Role-based access rights should be defined for groups such as doctors, nurses, secretaries, and registration staff.
    • All access should be logged and audited periodically.
  4. Updating information notices and consent forms
    • The patient should be informed in clear terms about the purpose for which their data will be processed and to whom it will be shared.
    • Activities requiring explicit consent (such as advertising and promotion) should be obtained through separate texts and with free will.
  5. Trainings
    • All staff should receive GDPR and patient privacy training at least once a year, and this training should be mandatory during the orientation of new staff.
  6. Technical measures
    • Strong password policies,
    • Two-factor authentication,
    • Secure backup,
    • Up-to-date antivirus and security software.
  7. Breach management plan
    • Who will do what in the event of a data breach?
    • Notification processes to the Board and the relevant person,
    • An emergency action plan to mitigate the impact of the breach

It should be prepared in advance.


12. Practical Suggestions for Patients

Patients can ensure the protection of their patient data in private hospitals in the following ways:

  • Always read the documents you sign during registration.
    Especially check the GDPR information and explicit consent texts to see if your data will be used for advertising or marketing purposes.
  • Clarify in advance who your results will be shared with.
    Provide clear instructions such as "Share only with me" or "You can share it with my spouse as well," and if possible, request that this be documented.
  • If you do not wish to receive information by phone, state this.
    Especially for sensitive test results, specify that you only want to receive information in person or through a secure portal.
  • If you notice a suspicious post, take a screenshot.
    SMS/email or WhatsApp messages sent to the wrong person will be important evidence in future applications.
  • First, contact the hospital in writing.
    Submit an email, registered electronic mail (KEP), or written application explaining the situation and requesting that it be corrected and prevented from recurring.
  • If necessary, consider filing a complaint with the Board and pursuing a compensation lawsuit
    . Legal action is possible, especially in cases of data sharing that lead to job loss, reputational damage, or serious family problems.

13. Frequently Asked Questions (FAQ)

Question 1: Can my spouse call the private hospital on my behalf to inquire about my test results?
As a general rule, no. Your spouse cannot inquire about your test results unless you explicitly authorize them. The hospital can only provide information to your spouse if you have given explicit instructions or if there is a power of attorney/permission recorded in the file.


Question 2: Can my parents request reports and results from a private hospital on my behalf?
If you are an adult, your parents cannot request results on your behalf. Only minors or those under guardianship . Otherwise, sharing this information without your written/consent permission may be against the law.


Question 3: I requested my test results to be sent by email, but they were sent to the wrong address. What should I do?
This situation a data breach ). First, you can submit a written request to the hospital to have the breach recorded, corrected, and to take measures to prevent similar breaches. If necessary, you can file a complaint with the KVKK Board.


Question 4: Can a private hospital share my MRI images on social media for advertising purposes?
They cannot share them without your explicit consent. Explicit consent must be given freely and for a specific purpose; a vague clause in a "general consent form" or a signature obtained under duress is often insufficient. Such sharing has been deemed a serious violation in Board decisions.


Question 5: Can my employer access the contents of my report from the private hospital?
As a rule, the employer should only know limited information such as “fitness for work” or “duration of sick leave.” Your test results, diagnosis, or detailed health information can only be shared with your employer your explicit consent ; otherwise, unlawful data transfer may occur.


Question 6: Can I request the deletion of the file I have kept at a private hospital?
There are certain legal retention periods for health data. Therefore, the hospital may not be able to delete your data before the period stipulated by law expires. However, deletion, destruction, or anonymization . You can also always request the correction of inaccurate or outdated information.


14. Conclusion: The Heart of Privacy is the Protection of Health Data

Patient records and test results kept in private hospitals:

  • Personal Data Protection Law (KVKK),
  • Regulation on Personal Health Data,
  • Health data requires special protection under the Patient Rights Regulation and all related legislation .

Because:

  • Hospitals should establish and implement high standards regarding data security and privacy
  • Patients, on the other hand, should know their rights, object without hesitation when they see a suspicious post, and use the available legal avenues

It is necessary.

It is important to remember that the quality of healthcare is measured not only by the quality of medical intervention but also by the respect shown to patient privacy. In this context, the sharing of patient records and test results in private hospitals should be carried out in a measured and transparent manner, in compliance with the Personal Data Protection Law (KVKK).

Leave a Reply

Call Now Button