Did you know that patients’ have the right to access their medical records? In this post we address some news about health-related data in Argentina and the main issues that shall be considered by healthcare centers or professionals to comply with the local regulations.
In the context of repeated queries and complaints about issues related to the right of citizens to access their medical records, the Argentine Data Privacy Authority (“ADPA”) issued a statement on the regulations applicable to medical records. As follows, a summary of the ADPA’s statement and the most relevant issues to be considered:
- The patient’s or data subject’s right to access their medical records arises from the Argentine Data Privacy Act No. 25,326 (“Data Privacy Law”) and the Rights of the Patient in his or her Relationship with Health Professionals and Institutions Act No. 26,529 (“Patient’s Rights Law”).
- The Data Privacy Law guarantees the right to privacy by recognizing a comprehensive personal data protection system and by regulating the rights of data subjects to access, rectify and/or delete their personal data.
- Health data is especially regulated as it is considered sensitive data, thus, among some other prescriptions, it is provided that (i) no person may be obliged to provide sensitive data and (ii) sensitive data may only be collected and processed if there is a circumstance of general interest authorized by law, or for statistical or scientific purposes (in this case, the interested parties cannot be identified). It is worth mentioning that health establishments and health professionals are expressly authorized to collect and process this information from their patients, always under the principles of professional confidentiality.
- Health data is also regulated under the Patient’s Rights Act, so its specific provisions must be followed as well.
- Although the Data Privacy Law provides that the data controller has a term of ten calendar days to attend data subject’s access requests, the Patient’s Rights Law reduces this term to 48 hours in the case of medical records.
- Once the term to respond to the request has expired, data subjects are entitled to file complaints before the ADPA and/or to initiate legal actions.
Finally, the administrative sanctions for non-compliance with the data privacy regulations include warnings, suspensions, closures or cancellations of the databases and fines from $1,000 (one thousand Argentine pesos) to $100,000 (one hundred thousand Argentine pesos), which may be accumulated up to $5,000,000 (five million Argentine pesos). For the purposes of setting the penalty, the nature of the infringement and the category of data involved will be considered, being the treatment of sensitive data an aggravating factor.
For further information about the regulations applicable to health data, please contact us at [email protected].