Data protection description of Mehiläinen Oy’s patient register
Date: 22 October 2019
Heath services provided by Mehiläinen where Mehiläinen is the controller:
Pohjoinen Hesperiankatu 17
00260 Helsinki, Finland
Business ID: 1927556-5
Health services provided by an independent practitioner operating in Mehiläinen (or a company on behalf of which the practitioner operates), excluding occupational health services organised by Mehiläinen: The practitioner (or a company on behalf of which the practitioner operates) treating the patient.
The practitioner has assigned the technical maintenance of the register to Mehiläinen.
2 CONTACT PERSON FOR REGISTER QUERIES
Data Protection Officer Kim Klemetti
tel. +358 10 414 0112 (switchboard).
3 THE PURPOSE OF USE OF THE PATIENT REGISTER AND THE GROUNDS FOR PROCESSING THE PATIENT DATA
The processing of patient data is based on the law or the patient’s consent.
The information stored in the patient register will be utilised in the patient’s care, and for other statutory or consent-based purposes of use.
Patient information for occupational health care will be stored separately from the patient information gathered in private appointments such that the use of this information outside of occupational health care requires the patient’s consent.
4 THE INFORMATION STORED IN THE PATIENT REGISTER
The patient's name, identity code, and contact information.
The patient's next of kin or, for a minor, legal guardian, the patient’s legal representative.
Information required in order to organise, plan, implement and monitor the patient’s care, such as health data gathered during examinations and treatment, and preliminary information.
Other information necessary for treatment, e.g., a nurse’s, nutritionist’s, or psychologist’s records concern-ing the patient.
Information on any disclosure of data and the grounds for disclosure.
In the patient register of occupational health, also the patient’s employer and the possible health risks connected to the workplace.
Information on whether the patient permits physicians treating him or her at Mehiläinen to see other pri-vate physicians’ patient records when this is necessary for his or her treatment.
Information on whether the patient gives private physicians treating him or her at Mehiläinen permission to see Mehiläinen Occupational Health's patient records when this is necessary for his or her treatment.
The information from the medical staff pertaining to a patient and the patient’s appointment information are stored as a sub-register of the patient register.
The results of patient laboratory, X-ray, and cardiac examinations performed during the patient’s examination and treatment are also stored as a sub-register of the patient register. Also, there is a separate register maintained for laboratory examination results in the laboratory system.
In addition to the electronic register, some information is held in paper form. The physical register contains the patients’ basic information and may also contain their consent/refusal with respect to sharing of their records as patients.
4.1 Regular sources of information
The patient, the patient’s guardian, the patient’s legal representative, or the patient's next of kin.
The medical staff and health care professionals.
With the patient’s consent, information can also be obtained from other health care units or professionals, for example via the national patient data repository (Kanta).
4.2 Storage time
In the storage times of the personal data stored in the patient register, the valid regulations on the storage times of patient data will be followed.
5 SHARING OF PATIENT RECORDS
Patient records are confidential, and the staff are obliged to maintain confidentiality.
Patient data can be transferred:
- By consent of the patient or his/her legal representative.
- If applicable law so indicates.
5.1 Regular submission of patient records and the groups acquiring them
For research, planning, statistics and supervisory tasks to the National Institute for Health and Welfare and the Finnish Medicines Agency Fimea who maintain national health care registers, and to Fimea for the purpose of narcotics control.
The following terms are applied with respect to other possible groups:
- During further examinations, the patient records may be submitted to another health care operations unit or health care professional with the patient’s verbal consent registered in the patient documents.
- Information necessary for arranging and implementing the patient’s examination and treat-ment by another Finnish or a foreign health care operations unit or health care professional can also be submitted to such a unit or person if, on account of a mental disturbance, mental disability, or a similar factor, the patient is not able to evaluate the significance of consent and he or she does not have a legal representative, or if, because the patient is unconscious or there are comparable circumstances, consent cannot be obtained.
- The national patient data repository (Kanta).
- Information may be submitted to an insurance company with the patient’s written consent or if required by law.
- The patient’s guardian, other legal representative, and the patient's next of kin, if the patient has given consent to this. If a minor patient, because of his/her age or level of development, can decide on the treatment given to him/her, he/she has the right to prohibit the provision to his/her guardian or other legal representative of information on his/her state of health and care.
- Also, in the case of a patient whose being treated is a result of unconsciousness or a compara-ble factor, the patient’s personal information and information on his or her health may be submitted to the patient’s next of kin or another person close to him or her, unless there is reason to assume that the patient would prohibit this.
6 USE OF PATIENT DATA AND THE GENERAL PRINCIPLES OF PROTECTION
Patient records are confidential. They may not be submitted to a third party.
Patient records are to be used only by the people treating the patient at the operations unit in question or on its commission or by people participating in related tasks. The controller’s top management make the organisational decisions and grant employees access rights to the patient records in the extent required by their work.
Old paper-based registers and other physical files are kept in locked and supervised facilities.
The information to be processed electronically can only be accessed by authorised employees with their personal user IDs and passwords. The use of patient records is supervised via monitoring of log infor-mation.
7 RIGHTS OF THE DATA SUBJECT
7.1 The data subject’s right of access to the data (inspection right)
The patient has the right to access his or her patient records. Such an inspection request must be made in accordance with Section 8 of this data protection description. The right to inspection may be declined on statutory grounds. The information is provided by a physician or other health care professional, deter-mined by the health care unit, who registers the exercise of the right of access in the patient records. The information is submitted to the patient in written form. In principal, there shall be no charge for exercising the right to inspect.
7.2 The data subject’s right to demand rectification or erasing of data or a re-striction on processing data
The controller is obliged to perform correction, erasing, or supplementing of information in the patient records without unnecessary delay, on his or her own initiative or upon the patient’s request, to address information that is erroneous, unnecessary, incomplete or obsolete for the purpose of use of the patient records.
The data subject also has the right to demand the controller to restrict the processing of his or her person-al data, for example, in a situation where the data subject is waiting for Mehiläinen’s response to his or her request to rectify or erase data.
Implementation and organisation of the data’s rectification and restriction of processing
- A rectification request and a request for restricting the processing of data must be made in writing and be addressed to the controller in accordance with Section 8 of this data protection description, and it must always be delivered personally to the operative unit as well. The pa-tient’s identity will be authenticated using a reliable method.
- If the patient's request is considered legitimate, the correction and possible procedures to restrict processing will be made by a person who has the right to correct the patient records.
- Any incorrect entries are struck out or are transferred to a background file such that both the incorrect and correct entry can be seen. The name and position of the person making the cor-rection, the correction date, and the grounds for the correction must be entered in the patient records.
7.3 A data subject’s right to make a complaint to the supervising authorities
A data subject has the right to make a complaint to the competent supervising authorities, if the controller in its operations has not followed the applicable data-protection regulations.
7.4 The national patient data repository (Kanta)
Mehiläinen has joined the Kanta national patient data repository on 21 April 2016, and all patient data generated after this time will be transferred to the Kanta repository and the patient must thus manage such data via the My Kanta online system.
In all matters related to the processing of personal data and all situations regarding the exercising of one’s own rights, the data subject should contact Mehiläinen via the OmaMehiläinen service, in person at a Mehiläinen clinic, or by post to the address: Mehiläinen Oy / Potilasrekisteri, Pohjoinen Hesperiankatu 17 C, 00260 Helsinki, Finland. When required, Mehiläinen can request the data subject to further define their request in writing, and, if needed, the identity of the data subject can be authenticated before initiating any other measures.