The Regulation on the Processing and Privacy of Personal Health Data ("Personal Health Data Regulation"), published on October 20, 2016 by the Ministry of Health ("Ministry") was amended on November 24, 2017.
The Personal Health Data Regulation was published as the first piece of secondary legislation on personal data based on the Law No. 6698 on the Protection of Personal Data (the "Data Protection Law"). The Ministry was criticized for issuing rules without due regard to the personal data rules and institutions established under the Data Protection Law, which resulted in incompatible obligations for healthcare service providers.
The Personal Health Data Regulation's restrictive rules on the duplication and recording of personal health data, and its mandatory use of particular software for data transfers to the central health data system, raised concerns among healthcare service providers: the strict obligations would make it impossible for healthcare service providers to comply with their statutory obligations and would impair their business operations.
On July 6, 2017, the State Council ruled to suspend the execution of two provisions of the Personal Health Data Regulation. The State Council reasoned that the Data Protection Authority is vested with general governing and auditing power over personal data protection issues, and that all governmental authorities must obtain the Data Protection Authority's opinion before issuing regulations on personal data protection.
What the Amendments Say
The Ministry clarified the scope of the Personal Health Data Regulation by amending the definition of healthcare service providers as "all healthcare institutions providing healthcare services and operating in first, second and third tiers." Article 2/2 of the Implementation Communiqué on Treatment Aid of October 23, 2008 defined the term healthcare institutions; accordingly, healthcare service providers include but are not limited to public and private hospitals, polyclinics, medical centers, family doctors, training and research hospitals, and medical faculty hospitals.
The rules on personal data processing, data transfers, security and notice requirements, as well as data deletion, are now aligned with the Data Protection Law. In addition, the Personal Data Protection Board must be notified of any data breach.
The amendment removes the requirement of a wet signature for explicit consent. The Personal Health Data Regulation now refers to the Data Protection Law for the rules on explicit consent.
The amendment defines personal health data in detail and includes "all information related to the physical and mental health of the individual," and "information related to healthcare services provided to the individual."
Article 5(5) restricted the duplication and recording of personal health data to the healthcare providers' own systems and the systems established by the Ministry. The State Council had suspended the implementation of Article 5(5); it has now been amended to also permit "other data recording mediums approved by the Ministry's Information Systems General Directorate."
Certain institutions and policies, such as the Personal Health Data Commission, the Cyber Security Team, the National Health Data Dictionary, and the Information Security Policies Instructions, are abolished. The Data Protection Law is no longer cited as the basis law for the Personal Health Data Regulation.
The Personal Health Data Regulation now refers to the Data Protection Authority's principle decisions. Where the Personal Health Data Regulation does not address a particular issue, the secondary legislation under the Data Protection Law applies.
The full text of the Regulation is available here (in Turkish).
Healthcare service providers must align their personal data processing activities with both the Data Protection Law and the amended Personal Health Data Regulation.