In its decision of 6 December 2022, the Belgian Data Protection Authority (“BDPA”) issued a reminder of the limits attached to the right of access to medical records, including personal notes of the healthcare professional (“HCP”). Available in Dutch, this decision also puts into perspective the nature of personal notes, reiterating that they are not primarily a collection of personal data; they are, above all, the HCP’s work notes. We have set out below a summary of this decision and provided some key takeaways.
The complaint in question concerns the refusal by the HCP (the defendant) to grant access to the complete patient file, including the HCP’s personal notes, following the patient’s treatment programme under the HCP.
The patient (the plaintiff) was treated by the HCP for more than seven years, but then opted for a change. She asked for a copy of her “handwritten patient record”, which is kept separately in the patient file. Her request for such personal notes was refused, but she did receive a copy of her electronic patient record. As a result, she filed several complaints with the Ombudsman’s Office, the Healthcare & Health Agency (Agentschap Zorg & Gezondheid) and finally the BDPA (after failed mediation). Among other things, she alleged that she was provided with an incomplete answer because the notes form an integral part of her patient file.
The BDPA ultimately dismissed the complaint for the reasons set out below.
What are the personal notes (annotations) of the HCP?
The National Council of the Order of Physicians defines “personal notes” as “notes stored separately by the professional, which are never accessible to others, even co-involved in the care delivery sequence, and which are necessary for the personal use of the caregiver”.
Such notes, which are part of the patient file and cannot be used for health data, are in principle not accessible by the patient. For instance, the assessment of the patient’s health, the development and monitoring of diagnosis and treatment, and information about the patient’s health received from another HCP do not qualify as personal notes.
Regulation (EU) 2016/679 (the “GDPR”) applies to the case under consideration by the BDPA, which asserted that the handwritten notes taken by the HCP in the context of treatment and subsequently included in the patient file are to be considered personal data of the patient.
In this regard, the BDPA recalled that the notion of personal data under the GDPR covers a variety of types of information (including private and public data that derives from objective, verifiable and contestable facts, as well as objective or subjective information) about an identified or identifiable person.
This has also been confirmed by the Advocate General in his recent Opinion on 15 December 2022 (C-487/21): “The scope of the concept of ‘personal data’ resulting from [the GDPR] is very broad. Indeed, as the case law of the Court shows, the use of the expression ‘any information’ in the context of this definition reflects the objective of the Union legislator to attribute a broad meaning to this concept.”
As a result, the right of access under the GDPR generally applies to written notes assessing a patient.
Right of access under the GDPR vs. right of access under Patient’s Rights Law
The BDPA recalled that the right of access under Article 9(2) of the Belgian law of 22 August 2002 concerning the rights of the patient (“Patient’s Rights Law”) is more limited than the right of access under the GDPR. However, this right under the Patient’s Rights Law is in accordance with the GDPR, since the latter provides for the option to restrict the right of access in a European or national regulation that meets the conditions referred to in Article 23 of the GDPR to protect the data subject or the rights and freedoms of others. After all, both the patient and the HCP must be protected.
It's however important to note that the right of access (under the GDPR and the Patient’s Rights Law) is not absolute. The limitation in the Patient’s Rights Law can for example be related to the fact that the information is not communicated, and access is not granted to the patient, if this would cause “evidently serious harm to the patient’s health”. This is known as the “therapeutic exception”. In addition, the Patient’s Rights Law states that “the personal notes of a professional and data relating to third parties are excluded from the right of access”.
The plaintiff tried to argue that there was a distinction between “persoonlijke ‘nota’s’ en persoonlijke ‘notities’” / “notes personnelles” and “annotations personnelles” but was not able to argue that such a distinction would exist under the Patient’s Rights Law.
The BDPA ruled that it was not incumbent on it to determine the minimum information that must be included in patient records. This is covered by the Health Care Quality of Practice Act of 22 April 2019 stating the minimum information that the HCP must include in the patient file, including “the minutes of the consultation with the patient” (Article 33, 7°). This provision does not state that the HCP is required to include in the patient file an integral, substantively faithful record of his/her exchanges with the patient throughout the duration of the therapeutic treatment.
Moreover, the BDPA stated that it did not have sufficient evidence to rule that the handwritten notes contained additional medical data (not included in the electronic patient record) or that these notes would have had any purpose other than the HCP’s strictly personal use. Finally, it’s relevant to note that the plaintiff did not exercise her right to inspect her patient file through a trusted person to verify whether the personal notes contained additional medical data (which are not compatible with the concept of “personal notes”). This could well have prevented the complaint going ahead.
Some key takeaways
- The patient cannot view or receive directly a copy of the personal notes of the HCP, although they are part of the patient record. Personal notes are above all the HCP’s work notes.
- The right of access under the Patient’s Rights Law is more limited than the right of access under the GDPR.
- The right of access (under the GDPR and under the Patient’s Rights Law) is not absolute.
- If in doubt, a patient can always exercise his/her right to inspect his/her patient file, including the HCP’s personal notes if necessary, through an appointed trusted person (who is also a professional practitioner).
- As stated by the BDPA, its role does not include determining the minimum information that must be included in patient records, nor determining which data is important for quality of care and consequently does or does not qualify as personal notes.
For more information on cybersecurity, contact your usual CMS advisor or local CMS experts. Did you know our tech & data practice is recognised as tier 1 (best-in-class) by Chambers and Legal 500?