Right to access, copy and log patient data: additional regulations in effect

The patient has as of today:

• The right to electronic access or copy of data digitally exchanged with other healthcare providers through an electronic exchange system or targeted messaging, for example, through the National Switch Point, access portals and the Edifact mailbox.

• The right to electronic inspection or copy of the (paper) medical record.

• The right to inspect or copy logging information.

1. Who do these new rules apply to?

The new rules are relevant to health care providers and to health care providers who use an electronic exchange system or exchange data electronically with other health care providers.

An electronic exchange system is - in short - a system that allows records or portions of records to be accessed electronically by other health care providers.

2. Why are additional rules needed for access and copy of patient data?

As of July 1, patients can request that health care providers provide electronic access to their medical records. But even before July 1, patients already had a number of rights regarding their medical records:

• Right of inspection under the AVG: The AVG provides for a general right of inspection (Article 15 AVG). A healthcare provider is required to provide a copy in a commonly used electronic form if the patient also submits the request for inspection electronically.

• Right to data portability under the AVG: Also, based on the AVG, the patient has the right to data portability (Article 20 AVG). The patient can request to receive a file in an electronic file in common format so that the personal data can be taken to another healthcare provider. However, this right applies only to personal data actively and knowingly provided by the patient himself, and not, for example, to diagnoses or treatment plans provided by the healthcare provider.

• Right of inspection under the WGBO: The Medical Treatment Agreement Act ("WGBO") contains additions to the general right of inspection regulated in the AVG. Also under the WGBO, the patient already has the right to inspect and copy medical records (Article 7:456 of the Civil Code).

The rights under the WGBO and the AVG remain in force. The rules from the Wabvpz are an addition to the existing rules. Even if the patient does not submit his request for inspection or copy electronically, the patient has the right - if desired - to receive or view an electronic copy.

3. Should healthcare providers start keeping electronic records?

Healthcare providers are not required by the bill to keep an electronic record of the patient, or to modify the content or form of the record. That obligation is already governed by the WGBO (Article 7:454(1) BW). However, the Wabpvz does oblige healthcare providers to provide an electronic version of a paper record if the patient requests it. So that may mean, for example, that a paper record must be scanned and provided on a usb. But if the patient does not want electronic access or a copy, the healthcare provider is free to provide the file physically.

4. What must the electronic transcript or inspection comply with?

The Wabvpz does not prescribe exactly how a healthcare provider must provide access or copies of the medical record. Nor does the Wabvpz explain whether this must be done through a particular functionality. A healthcare provider can set this up itself, but must ensure that providing a copy is done in a safe and careful manner and is in line with the Decree on Electronic Data Processing by Healthcare Providers. The Decree requires compliance with NEN standard 7510 and NEN standard 7512. NEN standard 7516 is also relevant in this context.

Options for providing a transcript include sending an e-mail with a hyperlink to a secure environment and providing data through a Personal Health Environment ("PBM") with a MedMij label. One option for facilitating electronic review is to allow the patient to view on the healthcare provider's screen.

5. What medical record information should be made viewable?

This depends on the patient's request. Under the new rules from the Wabvpz (Article 15d), the patient can request (i) a full or partial electronic copy of the medical record or (ii) access to the information made available through an electronic exchange system / the information sent to a specific healthcare provider with an established (or intended) treatment relationship. In addition, the patient is given the right to access logging data. For this, see question 6.

i. Inspection or copy of the medical record
The patient can request to receive an electronic version of his (paper) medical record. This request must be handled according to the rules on this in the AVG and WGBO. The Wabvpz adds to the existing rules that patient data must be provided electronically and/or the patient must be given the opportunity to view the file electronically if the patient requests this.

ii. Inspection or copy of data exchanged between healthcare providers
In addition, as of today, the patient has the right to inspect the information made available about the patient via an electronic exchange system to an (undefined) group of healthcare providers (pull traffic). The patient also has the right to access the information that is specifically sent by a source record holder to healthcare providers with an (intended) treatment relationship (push traffic).

The right to access and copy therefore applies both to message traffic via the Edifact mailbox, and to provision via the National Switch Point (push and pull traffic, for a brief explanation of these terms see my earlier blog).

6. What logging information must be provided with the transcript request?

The transcript described in question 5 should also include logging information at the patient's request (Article 15e Wabvpz). Again, this rule is an addition to already existing rules.

The healthcare provider is required to state:

• Who made certain information available through the electronic exchange system and on what date (this rule applies only to pull traffic);

• Who accessed or requested certain information and on what date.

The healthcare provider is also obliged to provide logging information about another healthcare provider. The patient has the opportunity to see which healthcare providers have accessed his or her data.

That logging information must be kept in healthcare already follows implicitly from Article 32 AVG and explicitly from the Electronic Data Processing in Healthcare Decree. Based on this, healthcare providers are generally already required to ensure that logging complies with the NEN standard 7513. Article 15 AVG also already required information about the origin of the data to be provided. In addition to these rules, patients also obtain the right to logging on the basis of the Wabvpz.

The healthcare provider only has to provide the information that the healthcare provider itself has made available. Data made available by another healthcare provider cannot be provided to the patient based on the Wabvpz. However, log data must be made available if the patient requests it, so that the patient can

In conclusion

Many healthcare providers receive inspection requests from patients. From July 1, 2020, the Wabvpz adds rules to the already existing obligations from the WGBO, AVG and the Electronic Data Processing in Healthcare Decree on electronic inspection, electronic copy and logging. These new rules expand patients' rights. The healthcare provider is responsible for ensuring that the patient can indeed invoke these rights.

More articles by SOLV Lawyers