Mehiläinen Group’s patient register privacy statement

Date: 20 February 2023

1 Controllers

With regard to health care services provided by Mehiläinen, for which Mehiläinen is the controller (e.g. occupational health care services), Mehiläinen Oy or another company belonging to the Mehiläinen Group, such as Fysios Oy or Tutoris Oy, is the controller. All controllers can be reached through Mehiläinen Oy:

Mehiläinen Oy
Pohjoinen Hesperiankatu 17
00260 Helsinki
Business ID 1927556-5

Healthcare services provided by a private practitioner operating in Mehiläinen (or a company on behalf of which the private practitioner operates):

The private practitioner treating the patient (or a company on behalf of which the practitioner operates) is the controller.

The private practitioner has assigned the technical maintenance of the register to Mehiläinen.

2 Contact person in matters related to registers

Data Protection Officer Kim Klemetti,
tel. +358 10 414 0112 switchboard (EUR 0.0835 per call + EUR 0.1669 per minute).

3 Purpose of use of the patient register and the grounds for processing the patient records

The processing of patient records is based on law (e.g. Patient Act 785/1992, Medical Records Decree 94/2022 and Secondary Act 552/2019) or the patient's consent. The processing is carried out in accordance with the EU's General Data Protection Regulation (GDPR).

The information stored in the patient register will be utilised for the organisation, planning, implementation and monitoring of patient care, patient management and other statutory purposes in accordance with the law and consent.

Occupational health care patient records are kept separately from private practice patient records so that the use of these records for care other than occupational care requires the patient's consent. Administrative medical records are stored separately from patient records.

In accordance with the Secondary Act, patient data are used, for example, for essential information management, regulatory control, development and innovation activities and possible scientific research with a separate consent.

4 Information stored in the patient register

Name, personal identity code, and contact information of the patient.

The patient's designated next of kin, guardian of the minor patient, legal representative of the patient.

Information necessary to ensure the organisation, planning, implementation and follow-up of the patient's care, such as health information arising from the examination and treatment, as well as preliminary information.

Other information necessary for treatment, such as information prepared by a nurse, public health nurse, dental hygienist, dietitian, psychologist, etc.

Information on any disclosure of data and the grounds for disclosure.

The occupational health patient register also includes the patient's employer and the health risks that may be associated with the workplace.

Information on whether the patient permits physicians treating them at Mehiläinen to see the medical history made by other private physicians when this is necessary for their treatment.

Information on whether the patient permits other private physicians treating them at Mehiläinen to see any medical history in the Mehiläinen occupational health care register when this is necessary for their treatment.

The information on the healthcare personnel participating in the patient's treatment and the patient's appointment information is stored as a sub-register of the patient register.

Similarly, the results of laboratory, X-ray and cardiac examinations resulting from the examination and treatment of the patient are stored in the patient register as its sub-register. A register separate from the patient register is also maintained for laboratory examination results in the laboratory system.

In addition to the electronic register, a separate basic information register on paper is maintained as a partial register, which may also include information on patient consents and prohibitions to the disclosure of patient records.

4.1 Regular sources of information

The patient, the patient’s guardian, the patient’s legal representative, or the patient's next of kin.

Medical personnel and healthcare professionals.

With the patient’s consent, information can also be obtained from other healthcare units or professionals, such as via the national patient data repository (KANTA).

4.2 Retention period

The retention periods for personal data stored in the patient register comply with the current regulations on the retention periods for patient records.

The retention period for medical records is set out in the Decree of the Ministry of Social Affairs and Health on Medical Records (94/2022). As a rule, the retention period is 12 years from the patient's death.

5 Disclosure of patient records

Patient records are confidential and personnel are subject to an obligation of confidentiality.

Patient records may be disclosed:

  • With the consent of the patient or their legal representative.
  • Under an explicit rule of law.

5.1 Regular disclosure of patient records/recipient groups

Patient records may only be disclosed with the consent of the data subject or based on legislation.

Regular recipients include the following:

  • Healthcare authorities with a statutory right to receive health data for the exercise of their official functions. Such authorities include, for example, the Finnish Institute for Health and Welfare (THL), the Finnish Medicines Agency (Fimea), the Finnish Social and Health Data Permit Authority (Findata) and the Social Insurance Institution of Finland (Kela).
  • In the event of continued treatment, the patient's verbal consent, as recorded in the medical records, may allow information to be disclosed to another healthcare unit or healthcare professional specified by the patient.
  • The information necessary for the organisation or implementation of the examination and treatment of the patient may also be disclosed to another Finnish or foreign healthcare operations unit or healthcare professional without the patient's consent if the patient does not have the necessary conditions to assess the significance of the consent given due to a mental health disorder, mental retardation or another similar reason and does not have a legal representative, or if the consent cannot be obtained due to the patient being unconscious or another comparable reason.
  • The Patient Data Repository (Kanta archive).
  • With the written consent of the patient or based on an explicit legal provision, information may be disclosed to the insurance company.
  • The patient's guardian, other legal representative and the patient's next of kin, if the patient has given consent to this. However, if a minor patient is able, on account of their age or level of development, to decide on the treatment given to them, they have the right to refuse the disclosure of information on their state of health and care to their guardian or other legal representative.
  • Where the patient is unconscious or for another comparable reason, the next of kin or other close family member of the patient being treated may be informed of the patient's identity and state of health, unless there is reason to assume that the patient would prohibit this.

6 Location and transfers of patient records

We process all patient records and other personal data primarily within the European Union or the European Economic Area.

Where necessary, personal data may also be transferred outside the European Union or the European Economic Area in accordance with data protection legislation; for example, to obtain a research service. The data subject has the possibility to ask the referring healthcare professional for the specific location of the research sample analysis prior to the research.

As far as possible, data transmitted to research institutions outside the European Union and the European Economic Area will be transferred in such a way that the individual patient cannot be identified by the research institution.

Regarding COVID-19 sampling, the analysis capacity in Finland and Europe is limited. Due to the exceptional situation, a significant proportion of our COVID-19 samples may be analysed by research institutions outside the European Union and the European Economic Area. You can ask the professional providing the referral about the research institutes we use at the time and their location. For COVID-19 tests, it is not up to the patient to choose the research institute, as we refer samples for analysis to the most appropriate facility for the situation.

6.1 Subcontractors

Our partners cooperate with us as subcontractors, to whom we transfer the necessary data; for example, for diagnostic studies. Such partners process personal data as processors of personal data on behalf of Mehiläinen and in accordance with the instructions and orders given by Mehiläinen. We aim to primarily cooperate with partners operating within the EU/EEA.

7 Use of patient records and general principles of protection

Regulations state that patient records must be kept confidential. Patient records may not be disclosed to third parties.

Patient records may only be accessed by persons involved in the care of a patient or in related tasks in the relevant operational unit or on its behalf. The controller's top management decides on organisational solutions and grants employees access rights to patient records to the extent required by the tasks and regulations.

Old paper records, and those possibly created in addition to the electronic patient information system, are kept in locked and supervised premises.

The information to be processed electronically can only be accessed by authorised employees with their personal user IDs and passwords. The use of patient records is supervised via monitoring of log information.

8 Profiling

As part of occupational health care services, in accordance with the Occupational Health Care Act and Regulation and good occupational health care practice and, where applicable, based on explicit consent, Mehiläinen may use the patient records generated in connection with occupational health care appointments in order to assess the employee’s need for support and to promote work ability and health. We analyse the information generated during occupational health care appointments in an automated way in order to identify a person's need for support. The results of the analysis are used only by occupational health care and will not be disclosed to the employer, for example. Any further action will be agreed with the registered customer.

9 Rights of the data subject

9.1 The data subject's right of access (inspection right)

The patient has the right to inspect the patient register information that concerns them. The inspection request must be presented in accordance with Section 8 of this privacy statement. The right to inspect the data may be denied on a statutory basis. The information is provided by a doctor or other healthcare professional appointed by the healthcare unit who makes an entry in the patient register about the use of the right of inspection. The information is submitted to the patient in written form. In principle, there is no charge for exercising the right to inspect.

9.2 The data subject's right to demand rectification or erasure of data or restriction of the processing of data

Without undue delay, the controller shall, on its own initiative or at the request of the patient, rectify, erase or supplement any personal data in the patient register that is incorrect, unnecessary, incomplete or outdated with regard to the purpose of the processing (purpose of use of the patient register).

The data subject also has the right to demand that the controller restrict the processing of their personal data, such as when the data subject is waiting for Mehiläinen’s response to the request concerning the rectification or erasure of the data concerning them in the register. Data subjects have the right to refuse to be profiled.

Implementation and organisation of data correction and restriction of processing

  • The request for rectification and restriction of processing shall be made in writing and addressed to the controller in accordance with Section 9 of this privacy statement, and shall also always be submitted in person to the operating unit. The patient's identity will be reliably verified.
  • If the patient's request is considered legitimate, the correction and possible procedures to restrict processing will be made by a person who has a special access right to correct the patient records.
  • Any inaccurate entries will be corrected so that the original and corrected entries can be read later. The name and position of the person making the correction, the correction date, and the grounds for the correction must be entered in the patient records. If information that is unnecessary for the treatment is removed, an entry will be made in the patient records in accordance with the patient document decree indicating the person who made the correction and the time of deletion.

9.3 Data subject’s right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with the competent supervisory authority if the controller has not adhered to the applicable data protection regulation in its operations.

9.4 Kanta repository

Mehiläinen joined the Kanta national patient data repository on 21 April 2016, and all patient records generated as of 21 April 2016 will be stored in the Kanta repository and, therefore, the patient must manage any such data via the MyKanta online system.

10 Contacts

In all matters related to the processing of personal data and all situations regarding the exercise of the data subject’s own rights, the data subject should contact Mehiläinen via the OmaMehiläinen service, in person at a Mehiläinen clinic, or by post to the address: Mehiläinen Oy / Patient register, Pohjoinen Hesperiankatu 17 C, 00260 Helsinki, Finland. When required, Mehiläinen can request the data subject to further define their request in writing, and, if needed, the identity of the data subject can be authenticated before initiating any other measures.