Of course, a visit to the hospital is not always pleasant. In addition to treatment, it is not uncommon for patients to receive many documents on data protection in the hospital, which they are asked to sign. But what data protection regulations actually apply in the hospital? What is the significance of medical confidentiality and patient consent in this context?
Physicians' duty of confidentiality
All physicians are fundamentally subject to a duty of confidentiality. If they disclose, without authorization, another person's secret that has been entrusted to them as a physician, they may be punished under Section 203 I of the German Criminal Code (StGB). The respective professional codes of conduct also stipulate this.
In principle, the patient's data therefore remain in the respective hospital or with the respective treating physician and are protected from third parties. However, there are also exceptions to the confidentiality obligation.
Right of disclosure of the physician
Exceptionally, a physician may have a right of disclosure regarding certain data of the patient. This is the case, for example, in the protection of children and young people if the doctor suspects that the child being treated is being abused. In this case, the doctor may pass on the relevant data to the Youth Welfare Office.
Duty of disclosure of the physician
In certain cases, the physician may even have a legal duty to disclose. Such obligations can be found, for example, in the Infection Protection Act, if particularly dangerous diseases are involved. In such cases, the doctor is allowed to pass on the relevant data to the respective health authority. It is also sometimes obligatory to disclose data to the insurance carrier.
If the physician in the hospital violates such a duty of disclosure, he is also liable to prosecution.
Protection of data within the hospital
Data protection law regulates not only the transfer of patient data to third parties, but also the processing of data within the hospital. What is affected here is not just personal data in general, but data of a special category (health data) that requires special protection. The processing of personal data requires a legal basis or consent.
Consent to the processing of data in the hospital
When processing patient data in the hospital, consent is only required in isolated cases, for example when carrying out medical billing involving private billing agencies or in some cases of special care in connection with statutory health insurance.
The patient's consent must meet the requirements of the GDPR. It must be voluntary, specific, informed, revocable and explicit. In the case of minors, the legal guardian may also have to be involved.
Legal basis for the processing of data in the hospital
However, for most health data generated in the hospital, processing is already permitted by law. In that case, the patient's consent is not required. This is the case in the following situations:
- Processing of data relating to medical treatment (Art. 9 II lit. h GDPR in conjunction with § 22 I No. 1 lit. b BDSG)
- Fulfillment of special obligations under social law
- Fulfillment of special duties in the public health interest
- Protection of vital interests in case of incapacity of the patient to give consent
- Preservation of the hospital's legal claims (e.g. fee claim from treatment contract)
Data subject rights from data protection in the hospital
In the hospital, the patient benefits from all data subject rights under the GDPR. These include the transparency and information obligations of the hospital, the patient's right to information, the right to rectification, deletion and restriction of processing, as well as the right to data portability.
Data protection and information to relatives in the hospital
Even if a relative requests information at the hospital, medical confidentiality and the principles of the GDPR apply just the same. The physician may not disclose any of the patient's data. However, he may be released from his duty of confidentiality by obtaining the patient's consent.
Accordingly, the patient alone can determine which data may be disclosed to whom and when, as long as this does not affect any statutory disclosure rights or obligations of the physician. Patients should therefore always carefully consider the situations for which they wish to give consent. Such prior declarations are particularly important in the event that the patient is no longer able to express his or her opinion in the course of treatment.