Personal data protection in medical institutions


The rationale for electronic security is clear: all medical records are now handled on office equipment. Using computer equipment to process the personal data of patients and medical personnel is a necessity in Russian realities. Expensive private clinics were the first to switch to this scheme, but as computers became cheaper and budget allocations grew, electronic record-keeping appeared even in district polyclinics in remote areas of the Far North. Accordingly, it became necessary to implement the latest security techniques.


The organization of security and protection of personal information in medical institutions, and the implementation of all protective measures for this purpose, are based primarily on Law No. 152-FZ, adopted on July 27, 2006. The general legal grounds for medical secrecy are spelled out in the "Fundamentals ... on health protection ...". This document contains the fundamental requirements for the protection of personal data.

The new integrated system for protecting personal data in medical institutions is required by law to be standardized according to the latest electronic security certificates. The procedure for inspections and the list of persons authorized to monitor the implementation of this provision are determined by special documents of the Ministry of Health, municipal authorities and supervisory bodies of justice.

The main standards that guide medical institutions when creating a personal data protection system:

  • Federal Law No. 149 on information, information technologies and methods of protecting this information;
  • Presidential Decree No. 188, which lists information classified as confidential;
  • Fundamentals of the legislation of the Russian Federation - Articles 31 and 61, describing the rights of patients, including those related to the processing of personal data using automated means;
  • Federal Law No. 5487 on the protection of the health of citizens on the territory of the Russian Federation;
  • Order No. 29n of the Ministry of Health of the Russian Federation on medical forms of accounting and reporting.

The list is incomplete, but any other theoretically possible way of collecting personal data is a priori based on the above standards.

Legal documents for the processing of personal data of medical staff

In addition to the above documents, medical organizations apply regulations on organizational support for the protection of personal data of medical personnel. These documents include:

  • Labor Code of the Russian Federation - Ch. 14;
  • Resolution of the State Statistics Committee of the Russian Federation No. 1 dated 01/05/2004, concerning the approval and execution of unified forms of documents for the registration of labor relations and remuneration.

The terms of data processing are established by the order "On the introduction of the regulation on the medical archive of a medical institution."

In general, the legal frameworks for medical staff and for patients are functionally similar. The difference in practice arises when confidentiality has to be ensured: most of the responsibility for correct and safe work with personal data lies with authorized persons on the staff of clinics, outpatient clinics, sanatoriums and other medical institutions who are directly responsible for collecting information from patients and staff. The list of these persons, as well as provisions on the collection, storage, processing and transfer of PD, should be developed in each medical institution and communicated to the personnel responsible for working with the personal data of patients and employees of the organization.

The specifics of processing personal data in medical institutions

The first thing the operator (the medical organization) should take into account when processing personal data in medical institutions is the exceptional role of the ethical component. Medical institutions are obliged to store data on the health of each patient and must not allow such information to be made public. Many diseases are considered socially taboo and should not be disclosed according to basic rules of medical ethics.

The analysis of patients' personal data is based on the principle that the patient's health is an extremely confidential category of information. Any arbitrary seizure of data is strictly prohibited.

An exception is made only in emergency situations, for example when the life or health of the patient or of third parties has to be protected. Seizing personal data without the consent of the person concerned is also allowed when it is physically impossible to obtain such permission (the patient is incapacitated or unable to express his will, or the person is already deceased). In any case, only health workers who have the appropriate qualifications and are certified according to the rules of the Ministry of Health are allowed to work with personal information.

The first technical aspect of organizing the processing of personal data of patients and personnel of medical institutions is the fulfillment of the requirements of Article 31 of the Fundamentals of Legislation on Health Protection. The patient must be informed about his state of health (general history, symptoms of diseases, proposed therapy, all possible risks, side effects, additional financial costs, timing of procedures, correction of working hours due to disability, etc.). Moreover, this information must be presented in a form that the patient can understand. This also applies to persons with disabilities. If necessary, a qualified translator is additionally appointed. This completely overlaps with the 143rd article of the law on personal data, a requirement that establishes the right of both the patient and the medical staff to access their personal data.

Obligations of medical institutions as PD operators

When collecting PD, medical institutions as operators are obliged to provide each patient, on request, with the following information relating to that PD:

  • confirmation of the fact of their processing, its purpose;
  • methods used by the operator during PD processing;
  • information about the persons who have gained access to this information and have the right to access it;
  • a list of personal data required for processing in a medical institution, the source of such data;
  • the period during which this information will be processed, including the period of its storage;
  • data on the consequences of a legal nature for the subject during the processing of personal data;
  • provision of clarifications on the consequences of a patient's refusal to provide his personal data, if this is established as an obligation of the subject by the relevant federal law.

When receiving PD not from their subject, the operator, before starting their processing, must acquaint the patient with the following information:

  • name (full name), address of the operator, his representative who provided the PD;
  • the purposes of their processing, the legal aspects of such actions;
  • who can access PD (who can use this data);
  • rights established by law in relation to the subject of personal data.

Patient rights

The safety of the personal data of visitors to private and municipal medical institutions is ensured not only by technical means. Any data that falls under the definition of medical secrecy can be disclosed only with the consent of the patient. Exceptions are described in Article 61 of the Basics of ... health protection. This requirement completely duplicates the sixth article of the Federal Law "On Personal Data". PD should be transmitted only through secure communication channels that protect this information from leakage.

Patients have the right to demand that their PD be blocked, clarified or destroyed if this information is incomplete, irrelevant, incorrect, illegally obtained, or not needed for the stated purposes of processing.

Also, the patient has the right to protect his rights provided for by law in relation to the processing, transfer, storage of personal data.

Upon request, access to PD can be provided to the patient's legal representative (RF Civil Code, Art. 26) - parents, adoptive parents, and trustees.

The legal representative has the right to perform any actions on behalf of the PD holder, as well as to determine the persons to whom information that is the patient's medical secret will be disclosed. The person who has the right to receive such data does not have any rights to enter into civil relations on behalf of the patient.

If the PD subject needs urgent medical care, his consent to the processing of this information is not required (in case of man-made disasters, natural disasters, with a real threat to his life and health).

Technical part

The necessary office equipment is selected and supplied in accordance with the recommendations of the regulatory authorities. Data collection carried out in accordance with legally established methodologies must be protected at all stages. A specific feature of medical institutions is that, compared with municipal authorities, they operate a relatively large base of specialized terminals involved in data storage and in transmission over the Internet and over local networks of various types. It is therefore critically important to have perfectly tuned security barriers, to update certified software in a timely manner and to use effective antivirus protection.

The list of approved software is regularly updated by the Ministry of Health and local cybersecurity departments. The placement of information systems, the acquisition, installation and operation of special equipment, and the protection of the premises that house them should be based on ensuring the complete safety of the media on which the PD is stored and of the means used to protect that information. The organization of work with PD should provide for all necessary measures to exclude the possibility of unauthorized entry or presence of unauthorized persons in such premises.