GUARANTEE OF PRIVACY: PROTECTION OF HEALTH DATA AND THE PATIENT’S RIGHT TO CONFIDENTIALITY
Last week, we discussed the topics of CONSENT and THE DUTY TO INFORM.
In this article, we will discuss the following topics:
· “What is patient privacy?”
· “With whom and when can personal health data be shared?”
· “What happens if the right to privacy is violated?”
1. WHAT IS PATIENT CONFIDENTIALITY?
Patient privacy refers to the protection of an individual’s health status, medical history, medical procedures, and personal data. This concept constitutes both an ethical and a legal responsibility.
In Turkey, the protection of patient privacy is considered to fall under the right to privacy, which is guaranteed by Article 20 of the Constitution.
Furthermore, under the Personal Data Protection Law No. 6698 (KVKK), health data is defined as special category personal data and is subject to strict protection. Everyone has the right to have the confidentiality of their health-related information respected. This right is guaranteed by laws and regulations in accordance with the Constitution and international treaties.
Information obtained from patients is confidential, and healthcare professionals are obligated to maintain this confidentiality. Healthcare personnel or authorized individuals may not share this information with third parties without the patient’s explicit consent.
Under the law, the information that physicians learn while practicing their profession constitutes professional confidentiality and may not be disclosed.
Similarly, Articles 23 and 24 of the Patient Rights Regulation explicitly stipulate that the patient’s privacy must be respected. In this context, ensuring that privacy is protected in a manner consistent with the patient’s gender, cultural values, and personal preferences while providing healthcare services is among the fundamental responsibilities of both healthcare institutions and their staff.
2. WITH WHOM AND WHEN CAN PERSONAL HEALTH DATA BE SHARED?
Personal health data falls under the category of “sensitive personal data” as defined by the Personal Data Protection Law No. 6698 (KVKK), and the processing and sharing of such data are subject to strict regulations.
Pursuant to Article 6 of the Personal Data Protection Law, health data may not be processed without the explicit consent of the data subject. However, in exceptional circumstances, it may be necessary to disclose information regarding the patient.
Personal data may be processed and shared by individuals subject to a duty of confidentiality or by authorized institutions and organizations for the purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment, and care services, and planning and managing health services and their financing.
However, even in these cases, this does not amount to disclosure of the information: it is shared only with those who have a legitimate need to know.
In addition, in accordance with Articles 20 and 23 of the Patient Rights Regulation, a patient’s health information may be shared only with the patient’s explicit consent or when required by law.
For example, if keeping a secret would endanger the life of the patient or others, the physician is not obligated to keep that secret, provided that the patient’s personal rights are not violated.
3. WHAT HAPPENS IF THE RIGHT TO PRIVACY IS VIOLATED?
Patients’ right to privacy is safeguarded by regulations such as Article 20 of the Constitution, the Personal Data Protection Law No. 6698, and the Patient Rights Regulation. In this context, the unlawful disclosure, sharing, or revelation of personal health data may result in both administrative and criminal penalties.
In addition, the conditions under which this data is stored are governed by the Personal Data Protection Law (KVKK). Failure to implement the technical and administrative measures required to ensure data security, in violation of these obligations, will also result in liability.
In this context, pursuant to Article 18 of the Personal Data Protection Law (KVKK), administrative fines may be imposed on natural and legal persons who act in violation of these obligations.
Moreover, pursuant to Article 136 of the Turkish Penal Code, any person who unlawfully discloses, disseminates, or obtains personal data shall be punished by imprisonment for a term of two to four years.
In addition, the victim may file a lawsuit for damages on the grounds that their personal rights have been violated.
If a privacy breach is committed by a healthcare professional, the matter will also be evaluated in accordance with professional ethics and disciplinary regulations.
4. CONCLUSION
Patient privacy, the confidentiality of personal health information, and compliance with the law regarding its sharing are not merely ethical obligations; they are also the cornerstone of respect for patient rights and modern healthcare services.
Healthcare professionals and institutions must respect patients’ privacy, share data only within the limits specified by law and when necessary, and take the necessary technical and administrative measures to ensure data confidentiality. They should be aware that they may otherwise face both civil and criminal liability.
Violations of the right to privacy undermine individuals’ trust in healthcare services and pose serious risks to public health. Therefore, protecting privacy is the cornerstone of maintaining the relationship of trust between patients and healthcare providers.
“Privacy is a fundamental human right and is essential for maintaining one’s humanity with dignity and respect.” – Bruce Schneier



