Many people suffer from medical conditions and therefore often come into contact with health care institutions. They are not aware of their rights and obligations. Patients often do not know what to do when they get into trouble, when their rights are violated during treatment or infringed by the health care institution.
In Hungary, patients' rights are regulated in many acts, for instance the Act CLIV of 1997 on Health Law, the Act XCV of 2005 on Medicinal Products for Human Use and on the Amendment of Other Regulations Related to Medicinal Products (the Drug Economy Act), or the Decree No. 3/2009 (II. 25) of the Minister of Health on the Detailed Rules Relating to the Promotion of Medicinal Products and Medical Devices for Human Use, the Registration of Persons Performing Promotion Activities and the Commercial Practices Related to Medicinal Products and Medical Devices Aimed at Consumers, etc. Hungary is also affected by European Union regulations, for instance Directive 2001/83/EC (marketing of medical products), Directive 2017/2103/EU, etc.
It can be seen clearly that the body of national and international regulation of Health and Pharmaceutical Law is large and that clients (who are also patients) do not understand these regulations. Therefore, under this heading I want to publish articles and studies about medical, health and pharmaceutical issues to help clients understand the maze of medical regulation in Hungary.

III. Basic concepts

III.1.
The definition of personal data

Pursuant to the GDPR, personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The controller shall be fully liable for any damage that may occur to the data subject in connection with the data management. [GDPR Article 4, point 1]

III.2.
Processing of special categories of personal data 

Besides the definition of personal data, GDPR Article 9 gives a short list of the special categories of personal data, namely data revealing:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;

The following data also belong here:

  • the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
  • Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6 (1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority. [GDPR Article 10]

Data management shall proceed with caution when special categories of personal data are processed.

The tasks of the controller and the processor include, in particular, keeping records of the data, enumerating the processed data, storing the data securely and, if necessary, performing an impact assessment.

III.3.
The data subject (patient/patients)

The most important task and aim is the protection of patients. It ensures that their data are processed appropriately and that unauthorized persons do not have access to these data.

Pursuant to GDPR Article 4, data subject means a natural person who has been identified or is identifiable by reference to any information. The data of legal persons are not protected by the data protection regulation.

III.4.
Controller

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. [GDPR Article 4, point 7]

III.5.
Processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. [GDPR Article 4, point 2]

Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects. [GDPR Article 26]

III.6.
Restriction of processing

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future. [GDPR Article 4, point 3]

During data management it can occur that processing has to be restricted by the controller at the request of the data subject.

III.7.
Processor

The processor assists the controller's work. It is worth noting in connection with data processing that the processor has no individual decision-making power and no right of disposal. The processor does his/her work following the instructions of the controller. Data processor means a natural or legal person or unincorporated organization that is engaged in processing operations within the framework of and under the conditions set out by law or binding legislation of the European Union, acting on the controller's behalf or following the controller's instructions. The Info Act Sec. 25/C states that where processing is carried out by a person or body, such processors must be able to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner as to ensure the lawfulness of data processing and the protection of the rights of the data subject. Before the commencement of processing, the data processor shall provide proof to the data controller of having such guarantees. Pursuant to the Info Act Sec. 25/D (3) point a), the data processor acts only on written instructions from the controller. According to the Info Act Sec. 25/D (3) point c), the processor assists the data controller by any appropriate means to ensure compliance with the provisions on the data subject's rights. Basically this means that the processor assists the data controller's work with auxiliary technical activities, for instance collection or transmission. [GDPR Article 4, point 8 with Info Act Sec. 25/C and Sec. 25/D (3) points a), c)]

III.8.
Recipient

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. Every person who receives the data for any purpose shall be regarded as a recipient. [GDPR Article 4, point 9]

III.9.
The consent of the data subject (patient)

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. [GDPR Article 4, point 11]

III.10.
Supervisory authority

In Hungary, the National Authority for Data Protection and Freedom of Information (NAIH) is responsible for carrying out supervisory and official tasks. The NAIH safeguards the security of data, enforces the data protection laws, is responsible for the appropriate functioning of data protection and enforces the application of the GDPR and the Info Act. It draws the attention of controllers and processors to their obligations and informs the affected persons of their rights. Besides this, the NAIH conducts official investigations and keeps internal records. [GDPR Article 4 and 51]

III.11.
Personal data breach

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. [GDPR Article 4, point 12]

III.12.
Genetic data

Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question. [GDPR Article 4, point 13]

III.13.
Biometric data

Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. [GDPR Article 4, point 14]

III.14.
Data concerning health

Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. [GDPR Article 4, point 15]

III.15.
Psychological secret

The Ethics Code of Psychologists (ECP) point 5.1. describes the concept of the psychological secret. Psychologists are bound by the obligation of psychological secrecy relating to every psychological and personal datum that has come to their attention. The ECP states that the psychologist may only disclose these data to an authorized person and is obliged to handle the data confidentially. Besides the above-mentioned obligations, the ECP prescribes that the psychologist's obligation of confidentiality continues to exist after the end of his/her relationship with the client.

Pursuant to the ECP point 5.1.1., psychological secrets include all psychological and personal data obtained in the course of the psychologist's professional activities, as well as other data relating to treatment that is required, ongoing or completed, and which became known in connection with the treatment, regardless of whether the psychologist learned these data through written or oral communication or during any other psychological care. [Ethics Code of the Psychologists point 5, 5.1, 5.1.1]

It is important to notice that, in addition to the notion of psychological data, the ECP uses the term personal identification data in the concept of the psychological secret. It can be said that the sphere of the processed data was narrowed (specified) to particular data, such as personal identification data.

In the interpretation of the ECP this can be problematic, because during psychological care not only psychological and personal data are recorded but also physical, physiological or intellectual data which can be connected to the patient's psychological status. It would be better to use the concept of personal data, which covers a wider sphere of the data to be stored. To avoid confusion, the sphere of personal identification data, such as the name, residence, dwelling place, social security number, etc., should be mentioned as an example within the concept of personal data.

III.16.
Psychological data

Pursuant to the ECP point 5.1.2., psychological data are in particular the following: data related to the data subject's mental and psychical state and behavior; data related to performing adoptive parenting, foster parent or guardian tasks, or to the exclusion of the ability to perform the above-mentioned tasks; data on aptitude or its exclusion; data related to pathological passion; detected, examined, measured, mapped and derived data; furthermore data which can be related to the previous ones and data which influence the previously mentioned data. [Ethics Code of the Psychologists point 5.1.2]

During psychological care, the psychologist must ensure the proper processing, storage and protection of the patient's personal data. Formerly, the Act LXIII of 1992 on the Protection of Personal Data and the Disclosure of Information of Public Interest applied. With the enactment of the Info Act, the aforementioned act was repealed. In health care, since 25 May 2018, besides the Info Act, the GDPR is primarily applicable in Hungary.

III.17.
Medical confidentiality

The HCA (Act CLIV of 1997 on the Health Care; Health Care Act) Sec. 25 (1)-(7) regulates the legal institution of medical confidentiality. According to the Commentary, the rule of medical confidentiality applies not only to doctors but to every health care provider. Medical confidentiality covers all of the patient's personal data, and within these in particular the health care data related to their health status, which come to the knowledge of the persons involved in the health care during the patient's treatment. Patients have the right that these data, in particular those related to their health status, are communicated only to authorized persons and are processed confidentially by the persons involved in the health care. All of these data are uniformly called medical confidentiality by Health Law and Medical Science. [HCA Sec. 25 (1); Commentary on the Health Care Act]

It is worth noting that the HCA also uses the concept of personal identification data. In itself this is not a problem, but it would be better to use the notion of personal data in the introduction of this chapter of the HCA, because this concept includes a wider sphere of the patient's health data. All in all, it can cover more content than the previous notion.

III.18.
Enterprise, group of undertakings, supervisory authority

The GDPR determines the concept of enterprise in the following way: it is a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity. [GDPR Article 4, point 18]

The GDPR determines the concept of group of undertakings in the following way: it means a controlling undertaking and its controlled undertakings. [GDPR Article 4, point 19]

According to the GDPR, the supervisory authority is an independent public authority responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union. These public authorities are provided by the Member States of the European Union. [GDPR Article 4, point 21 and Article 51 (1)]

III.19.
Right to information

Although the right to information is one of the patient's fundamental rights during treatment, it is also closely connected to data management, since during treatment the patient, the doctor and the health care provider exchange information with each other. The patient asks the doctor questions in relation to his/her health status or the treatment, and the doctor answers them. Pursuant to the HCA, the patient has the right to get detailed information about his/her health status, the treatments (interventions), the planned schedule, the decision-making power related to the treatments, the possible alternative procedures, the methods, process and outcome of the treatment, further treatments and the recommended lifestyle. Furthermore, the patient has the right to ask questions about and get to know the results of the performed health treatments and interventions, their failure, their different results and the reasons for these. The patient also has the right to know the name, qualification and position of the doctors and other persons who contributed to his/her treatment. Informed consent also belongs here, because the patient may only agree to the treatment if he/she has proper information. The conditions required for information are provided by the health care provider. If the patient speaks a foreign language, he/she has the right to use the help of an interpreter. Before the treatment, the doctor must inform the patient about the costs and fees of the treatment if the patient's health status makes this possible. [HCA Sec. 13 (1)-(9)]

III.20.
The right to information of the health document

The patient has the right to get to know his/her health documentation and its content, such as the data related to his/her health treatments. The patient may make extracts and copies of these documents. The patient also has the right to get a medical report or a written summary opinion about his/her health status. The patient is entitled to choose an authorized person who has the right to look into the documents on his/her behalf. [HCA Sec. 24 (1)-(13)]

The aforementioned list is not complete. It solely describes the basic concepts which occur in health data management based on the GDPR, the Info Act and the Health Care Act. The GDPR concepts left out are the following: main establishment, representative, binding corporate rules, supervisory authority concerned, cross-border processing, relevant and reasoned objection, information society service, international organisation, third party, filing system, profiling, pseudonymisation. The omitted concepts will be discussed in separate articles if necessary.

The third part of the article will discuss the legal basis of health data management and the prevailing basic principles which apply during data management.

The following article is about personal data management in health care and consists of four parts. The first part of the article gives a short introduction to personal data management in connection with health care.

The second part describes the concepts of health data management. It is worth noting that this part discusses not only the basic concepts of data management but also those special notions which emerge mainly in the field of health care data management. First of all, the basic concepts of the GDPR will be discussed. These concepts are closely connected with the notions of the Info Act.

The third part of my article gives a short summary of the legal basis of health care data management and the applicable principles.

The fourth part of my article describes the legal background of health data management which shall be applied in health care. This part also discusses those rules of the Health Care Act in force which are connected with data management.

I. About the data management of the health care in general

In today's information society, accurate, adequate and safe personal data management is indispensable. Secure personal data management is as important in health care as in other fields of life. Safe health data management is especially important in health care, because every single (sensitive) personal datum is recorded here. The right to life and human dignity are fundamental rights and, because of their delicate nature, they enjoy increased protection. Pursuant to the Fundamental Law of Hungary (hereinafter: FLH) Article II: “Human dignity shall be inviolable. Everyone shall have the right to life and human dignity; the life of the fetus shall be protected from the moment of conception.” The same statement can be found in the Act CLIV of 1997 on the Health Care (hereinafter: HCA or Health Care Act). According to the HCA Sec. 10 (1): “The right to human dignity of the human shall be kept in respect during the health care.” In this way the patient's fundamental rights are protected by the State.

In this context, the human being, i.e. the patient, is embodied by personal data. Personal data, as personality rights, show the human as a living being in his or her full complexity. In health care, the submitted personal data are very sensitive. These personal data make patients completely identifiable during health care, from the birth data through the determined diagnosis to the data contained in the treatment plan. These personal data belong to the patient's privacy. No one may know about these personal health data except the doctor or other health care professionals.

Life Science and Pharmaceutical Law (aka Health Law) is a mixed field of law because it includes the main fields of law, such as Administrative Law, Criminal Law and Civil Law. In addition to the public law nature of Health Law, its private law nature must also be taken into account in detail, during personal data management too, because patients are in a civil law (aka private law) relationship with the health care provider when they receive treatment. On the other hand, in the legal relationship between health care institutions (aka health care providers) and patients, the primary standpoint is the enforcement of the patient's personality rights (e.g. personal data). These rights are not only fundamental rights, but personality rights too. In this legal relationship, patients are identified through their personal data.

Health care is available in the state sphere (aka public health care sector) or in private health care (aka private health care sector). Patients may choose either option, but appropriate and safe data management is the legal obligation of every health care provider.

As a result of the above, the further parts of my article will summarize in essence the concept of personal data, the sphere of personal data and the method of their storage and management.


II. Legal alignment

Since 25 May 2018 the regulation of data management has become stricter, because the legal frameworks of the Member States were replaced by uniform Union legislation. This means that the Data Protection Directive 95/46/EC was replaced by the uniform European Union General Data Protection Regulation No. 2016/679 (hereinafter: GDPR). This decree entered into force in 2016 but has applied in the Member States of the European Union only since 25 May of last year. During the legal alignment in Hungary, the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (aka Info Act) was adjusted to the GDPR. The Info Act Sec. 1 sets out its purpose. Pursuant to the Info Act Sec. 1: “The purpose of this Act is to lay down the fundamental rules for data processing operations within the categories it covers with a view to ensuring that the right to privacy of natural persons is respected by data controllers, and to enforcing the right to have access to and disseminate information of public interest and public information to ensure the transparency of public affairs.” The Info Act Sec. 1 is aligned to GDPR Article 1, which is shown by the fact that this Act is intended to protect the right to privacy of the natural person, aka the data subject. The GDPR emphasizes the same standpoint when it states that it protects the personal data of the data subject. Both laws put protection in the foreground. It can be seen clearly that personal data are part of privacy. At the same time, the concept of personal data and the concept of privacy are synonyms. A small difference can be perceived between the two words. The Info Act determines the notion of privacy in a broader sense, because privacy does not only include the personal data of the particular natural person, such as name, residence, phone number, political and religious views, body weight, blood type, etc., but also other data which refer to private life, such as the right to protection of privacy or data which refer to the family life of the particular person. However, the legislator considered these two notions synonyms in terms of the data protection legislation.

The Info Act follows the provisions of the GDPR regarding the basic concepts, the principles, the lawfulness of processing, consent to processing and the rights and obligations of the data subject, taking into account its specific characteristics, in its Sec. 3-19. These general rules and conceptual definitions shall be applied by the particular health care provider during health care data management.

Next to the GDPR and the Info Act, data management in Hungary is regulated directly by the Act XLVII of 1997 on the Management and Protection of Health and Related Personal Data (hereinafter: Health Personal Data Act, aka HPDA), while the other related health care decrees regulate data management indirectly. Direct regulation means that the above-mentioned laws shall be applied to data management in health care, for instance: Fundamental Law of Hungary (FLH), Health Care Act (HCA), Health Personal Data Act (HPDA), Info Act and GDPR. Indirect regulation means those laws which are needed in a special field of health care, beyond the general data of the patients, and which are characteristic of that particular field of health care. Basically, indirect regulation is also intended to protect the personal data of patients, but here more special data are given which are characteristic of the professional field of health care. The legislator also wants to protect these rights by creating the relevant legislation. Here are some examples from the sphere of special data regulation: Decree of Ministry for Human Resources 5/2016 (29 Feb) on the Announcement and Order of the Related Interventions of Particular Prosthesis, or Decree of Ministry for Human Resources 1/2014 (16 Jan) on the Report Order of the Infectious Diseases, etc.

It is very important that during data management the health personal data of the data subject, in this case of the patients, are respected to the maximum by the health care provider (e.g. clinic, hospital, private practice, diagnostic center, etc.). Not only the rules on data management and the data subject laid down in the GDPR and the Info Act belong here, but also the rules related to personality rights in the Act V of 2013 on the Civil Code (hereinafter: CCA). These rules can be found in its Sec. 2:42-55. Because of the sensitivity of personal data, and especially health care data, it is very important that the listed laws and decrees are taken into account by the controller and the processor.

During health care data management, the following laws shall be applied by the health care provider:

  • Fundamental Law of Hungary (FLH);
  • European Union General Data Protection Regulation (Decree No. 2016/679 of The European Parliament and the Council);
  • Act CLIV of 1997 on the Health Care (HCA);
  • Act XLVII of 1997 on the Management and Protection of Health and Related Personal Data (HPDA);
  • Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Info Act);
  • Act V of 2013 on the Civil Code.

In the second part of my article the general definitions will be discussed.

Source: GDPR, Info Act and the above-mentioned laws and decrees.