Information requirements for patients in the hospital sector
on the basis of Articles 12 et seq. of the General Data Protection Regulation, applicable from 25 May 2018
Obligation to provide information when collecting personal data
Within the context of your treatment or care, it is necessary to process personal and medical data about you.
Since it is not easy to keep track of what happens both within our hospital and in conjunction with other persons or institutions involved in your treatment, we have compiled the following information for you:
Purposes for which your personal data is processed:
As part of your treatment, data about you, your social status if applicable, and medical records necessary for the treatment are collected, recorded, stored, collated, used and transmitted. Taken together, this is referred to as the processing of your data. Under data protection law, the processing of patient data in the hospital is only permitted if it is prescribed or permitted by law, or if you have given your consent as a patient.
In particular, the processing of your data for preventive, diagnostic, therapeutic, curative or aftercare reasons is necessary for your patient-related treatment or care.
Likewise, in the interest of the best possible care, processing takes place in interdisciplinary conferences for the analysis of diagnostics and therapy and, if necessary, for prior, concurrent and follow-up care with regard to diagnostics, therapy, findings as well as disease and vital status. In addition, doctor’s letters/reports are written, and data is processed for quality reasons, to identify and combat hospital infections, as well as for social care and discharge management.
In addition to this patient-related processing, your treatment must also be administered. This essentially requires the processing of your data for the billing of your treatment, for controlling and auditing purposes, and for asserting and defending legal claims. Furthermore, data is processed for the training and continuing education of doctors and members of other professions in the health care system, if necessary also for research purposes (separate information will be provided in that case), for statutory reporting obligations, such as to the health authorities on the basis of the Infection Protection Act or to the Cancer Registry, and not least for the support and maintenance of IT systems and applications.
Who do we receive your data from?
As a rule, we collect the necessary data from you ourselves where possible. However, we may also receive personal data concerning you from other hospitals that have carried out your initial or pre-treatment, from general practitioners, medical specialists, medical care centres, etc. In our clinic, this data is merged with your other data for the purpose of uniform documentation.
Who has access to your data?
The people involved in your treatment have access to your data, which may also include physicians from other areas who participate in interdisciplinary treatment or the administration that invoices your treatment.
Your data will be processed by or under the responsibility of qualified personnel. These specialists are either subject to so-called professional secrecy or an obligation of secrecy.
The confidential handling of your data is guaranteed. Upon request, the “Processors” list can be viewed in the hospital’s logistics centre.
Legal basis for the processing of your data by the Klinik für MIC
Under data protection law, we are permitted to process your data primarily because the hospital operator is responsible for the care and treatment of patients. On this basis, various laws and regulations in turn allow the hospital owner to process data. Particular mention should be made of the EU General Data Protection Regulation (DS-GVO), in particular Articles 6 and 9, which also applies in Germany and expressly stipulates that patient data may be processed. In addition, legal bases can be found in German law, for example in the Social Code, Book V (SGB V), e.g. § 301 SGB V, in the Federal Data Protection Act (BDSG), here in particular § 22 BDSG, and in the Civil Code (BGB), §§ 630 ff. BGB, which require the processing of your data.
The legal grounds for the processing are given below as examples:
- Data processing for the purpose of implementation and documentation of the treatment process including the in-house medical and interprofessional exchange in the hospital about the patient for the treatment (Article 9 para. 2h, para. 3, para. 4 DS-GVO in connection with §§ 630a ff., 630f BGB in connection with corresponding national regulations if available).
- Data transmission to “external parties” for the purpose of joint treatment, consultation of external consulting physicians, laboratory, telemedicine and, if necessary, involvement of external therapists (Article 9, Paragraph 2h, Paragraph 3, Paragraph 4 DS-GVO in connection with corresponding national regulations, if available).
- Data transmission to the statutory health insurance funds for billing purposes (Article 9, Paragraph 2h, Paragraph 3, Paragraph 4 DS-GVO in conjunction with § 301 SGB V).
- Data transmission for quality assurance purposes (Article 9 para. 2i DS-GVO in conjunction with § 229 SGB V, in conjunction with § 136 SGB V or the G-BA guidelines).
In addition, processing is also permitted in cases in which you have given us your consent.
Requirement to provide your personal data
The proper administrative handling of your treatment requires the recording of your personal data.
Possible recipients of your data:
Within the scope of the intended purpose, your data will be collected in compliance with the relevant data protection regulations or any existing declarations of consent and, if necessary, transferred to third parties. Such third parties may include in particular:
- statutory health insurance funds
- private health insurers
- accident insurer
- family physicians
- doctors providing further, follow-up and co-therapeutic treatment
- other health care or treatment establishments
- rehabilitation facilities
- care facilities
- external data processors (if desired, the “Processors” list can be viewed in the clinic’s Logistics Center).
Which data is transmitted in detail?
Where data is transmitted, which data this is depends on the individual recipient. For the transmission to your health insurance according to § 301 SGB V, examples are:
- Name of the insured person
- date of birth
- policyholder number
- insurance status
- the date and time of admission and the reason for admission, referral diagnosis, admission diagnosis, in the event of a change in admission diagnosis, the subsequent diagnoses, the expected duration of hospital treatment and, if this is exceeded, the medical justification at the request of the sickness insurance fund
- date and type of operation(s) and other procedures performed at the clinic
- the date and time and the reason for discharge or transfer and the principal and secondary diagnoses relevant to hospital treatment
- For discharge management, information on rehabilitation measures, statements on work capacity and suggestions for the type of further treatment.
Revocation of consents granted
If processing of your data is based on a consent that you have given to our clinic, you have the right to revoke your consent at any time. You can address this declaration to us in writing. It is not necessary to give reasons for this. Your revocation applies from the time of the written declaration. It has no retroactive effect. The processing of your data up to this point remains lawful.
Protecting the legitimate interests of the hospital owner
If the hospital operator is forced to seek legal or judicial assistance to enforce its claims against you or your health insurance company because the invoice is not paid, the hospital operator must disclose the necessary data about you and your treatment.
How long will your data be stored?
According to § 630f BGB (German Civil Code), the hospital is obliged to keep documentation about your treatment. The clinic can comply with this obligation in the form of a paper file or an electronically managed patient file. This patient documentation will also be kept by us for a long time after completion of your treatment. We are also legally obliged to do so.
There are many special legal regulations that deal with the question of how long documents are to be kept in detail. These include the X-ray Ordinance (RöV), the Radiation Protection Ordinance (StrlSchV), the Pharmacy Ordinance (ApBetrO), the Transfusion Act (TFG) and many more. These legal regulations stipulate different retention periods.
In addition, it should be noted that hospitals keep patient files for up to 30 years for reasons of preserving evidence. This follows from the fact that according to § 199 para. 2 BGB claims for damages expire at the latest after 30 years.
A liability claim could therefore be brought against the hospital owner even decades after the end of treatment. As a result, your patient file will be kept for up to 30 years.
Right to information, correction, deletion, etc.
You are entitled to so-called data subject rights, i.e. rights that you can exercise as the person affected in an individual case. You can assert these rights against the clinic. They result from the EU DS-GVO, which also applies in Germany.
Right to information, Art. 15 DS-GVO
You have the right to information about the stored personal data concerning you.
Right of rectification, Art. 16 DS-GVO
If you discover that incorrect data concerning you is being processed, you can demand rectification. Incomplete data must be completed taking into account the purpose of the processing.
Right to deletion, Art. 17 DS-GVO
You have the right to request the deletion of your data if certain reasons for deletion exist. This is particularly the case if the data is no longer necessary for the purpose for which it was originally collected or processed.
Right to limitation of processing, Art. 18 DS-GVO
You have the right to restrict the processing of your data. This means that your data will not be deleted, but will be marked to restrict further processing or use.
Right to object to unreasonable data processing, Art. 21 DS-GVO
As a matter of principle, you have a general right of objection even against legitimate data processing which is in the public interest, in the exercise of official authority or due to the legitimate interest of an authority.
Complaints to the supervisory authority about data protection violations
Irrespective of the fact that you are free to take legal action, you have the right to complain to a supervisory authority if you are of the opinion that the processing of your data is not permitted under data protection law. This results from Art. 77 DS-GVO. The complaint to the supervisory authority can be made informally:
Berlin Commissioner for Data Protection and Freedom of Information
10969 Berlin www.datenschutz-berlin.de
The data protection officer of the Klinik für MIC
You can reach us at: firstname.lastname@example.org
If you have any questions, please do not hesitate to contact us either in writing or by e-mail.
S+A Klinik für MIC GmbH
Kurstr. 11 in 14129 Berlin
or by telephone at 030/809 88 155 or by e-mail at email@example.com. You can find our homepage at www.mic-berlin.de
Berlin, December 2019