GDPR in Healthcare — How to Protect Patient Data in Compliance With the Law
The healthcare sector is one of the areas where personal data processing carries the highest risk. Health data belongs to the special categories of personal data (Article 9 GDPR), and its processing is subject to stricter rules than ordinary data. At the same time, healthcare requires intensive processing of such data — diagnostics, treatment, prevention, research, and reimbursement are impossible without medical data.
Healthcare providers, medical practitioners, pharmacies, diagnostic laboratories, telemedicine companies, health app developers, and medical device manufacturers all process health data and must simultaneously comply with the GDPR, the Polish Patient Rights Act, the Healthcare Activity Act, and numerous sector-specific regulations.
This article explains how to apply the GDPR in the healthcare sector — from legal bases for processing patient data, through medical records and telemedicine, to DPIAs and patient rights as data subjects.
Health Data as a Special Category
Article 4(15) of the GDPR defines data concerning health as personal data related to the physical or mental health of a natural person — including the provision of healthcare services — which reveals information about their health status.
In practice, health data covers an extremely wide range of information: diagnoses (ICD-10 codes), laboratory and imaging results, medical histories, prescriptions and medications, information about procedures and surgeries, medical record data, disability information, genetic data, data from medical devices (e.g., heart monitors, insulin pumps), data from health and fitness apps (if related to health), and information about medical appointments (the mere fact of visiting a specialist may reveal health status — e.g., a visit to an oncologist).
Recital 35 of the GDPR specifies that health data includes data relating to the past, current, or future physical or mental health status — including data collected during registration for, or the provision of, healthcare services.
Legal Bases for Processing Health Data
Processing health data requires meeting two conditions simultaneously: a basis under Article 6 GDPR (as for all personal data) and an additional condition under Article 9(2) GDPR (specific to special category data).
Article 9(2)(h) — Health Purposes (Most Common Basis)
The most frequently used basis is Article 9(2)(h) GDPR — processing is necessary for the purposes of preventive or occupational medicine, assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services.
Additional condition: the data must be processed on the basis of EU or Member State law or pursuant to a contract with a health professional, and by or under the responsibility of a professional subject to professional secrecy (Article 9(3) GDPR). A healthcare provider cannot therefore rely on Article 9(2)(h) for staff or contractors who are not bound by a secrecy obligation.
In Poland, the relevant supplementary legislation includes the Patient Rights Act (2008), the Healthcare Activity Act (2011), the Medical Professions Act (1996), and the Health Information System Act (2011).
Article 9(2)(a) — Explicit Consent
Patient consent for processing health data must be explicit — a stricter requirement than “ordinary” consent under Article 6. In practice, consent is used for participation in clinical trials, processing data in health apps beyond healthcare service provision, and sharing medical data with third parties (e.g., the patient’s family, employer).
Important: consent is not required for providing healthcare services — Article 9(2)(h) is sufficient. Requesting consent for processing data for treatment purposes is a mistake — the proper basis is healthcare legislation.
Article 9(2)(i) — Public Health Interest
Used for processing data for public health purposes — e.g., epidemic monitoring, managing health threats, ensuring the quality and safety of medicinal products. This basis was widely used during the COVID-19 pandemic.
Article 9(2)(j) — Archival, Research, Statistical Purposes
Used for processing medical data for scientific research and health statistics. Requires appropriate safeguards (pseudonymisation, data minimisation).
Medical Records and the GDPR
Medical records are one of the main collections of health data. Their maintenance, storage, and sharing are primarily governed by the Patient Rights Act and the Minister of Health’s regulation on the types, scope, and templates of medical documentation.
Retention Period
Medical records are retained for 20 years, counted from the end of the calendar year in which the last entry was made (Article 29 of the Patient Rights Act), with important exceptions:
Documentation concerning children up to 2 years of age — 22 years.
Referrals and physician orders — 5 years from the end of the year in which the service was provided (2 years if the service was not provided because the patient did not attend, unless the patient collected the referral).
Documentation in cases of death due to bodily injury or poisoning — 30 years.
X-ray images stored outside the patient's records — 10 years.
These are among the longest retention periods in Polish law — the controller must ensure data security throughout this entire period.
Form of Documentation
Since 2021, medical documentation is maintained, as a rule, in electronic form (Electronic Medical Documentation — EDM). Paper form is permissible in situations specified by law. The digitisation of medical records brings new GDPR challenges — IT system security, access control, backups, and event logging.
Sharing Medical Records
The patient has the right to access their medical records (Article 23 of the Patient Rights Act). Documentation may be made available: for inspection (including the ability to make notes), by preparing an extract, transcript, copy, or printout, via electronic communication, or on a digital data carrier.
Records may also be shared with other entities — but only on the basis of law (e.g., to another healthcare provider to ensure continuity of care, to medical professional bodies, courts, or prosecutors).
Medical Confidentiality and the GDPR
Medical confidentiality (Article 40 of the Medical Professions Act) and the GDPR operate in parallel. A physician is obliged to maintain the confidentiality of patient-related information obtained in the course of practising their profession. Release from confidentiality may only occur in cases specified by law.
From a GDPR perspective, medical confidentiality implements the confidentiality requirement (Article 5(1)(f) GDPR) and is one of the “appropriate safeguards” required when processing special category data. Persons processing medical data (physicians, nurses, administrative staff at healthcare facilities) must be bound by confidentiality — Article 9(3) GDPR expressly requires this.
Telemedicine, e-Health, and the GDPR
The growth of telemedicine — online consultations, e-prescriptions, remote patient monitoring, health apps — has brought new GDPR challenges:
Transmission security — video consultations must take place via encrypted communication channels. Transport encryption alone is not the whole test: popular consumer messaging apps (WhatsApp, Messenger) encrypt traffic, but the provider has no processor agreement, no control over where chats and backups are stored, no role-based access control, and no audit trail of who viewed what. Dedicated telemedicine platforms with end-to-end encryption, a DPA, and logging should be used instead.
Health apps (mHealth) — apps monitoring health status, sending medication reminders, or tracking vital signs process health data and are subject to the GDPR. The app developer is a controller or processor, depending on the model. If the app is a medical device, it is additionally subject to the MDR regulation.
E-prescriptions — the e-prescription system (P1) processes patient personal data. The system controller is the Centre for e-Health. Entities issuing e-prescriptions must ensure secure system access.
Remote Patient Monitoring (RPM) — IoT devices (smartwatches, health bands, implants) transmitting real-time health data. They generate massive amounts of data, often with continuous processing. A DPIA is essential.
Cloud storage — an increasing number of healthcare providers use cloud solutions. Transferring medical data outside the EEA requires particularly careful analysis — health data is the most sensitive category.
Patient Rights as Data Subject Rights
Patients benefit from rights under both the GDPR and the Patient Rights Act. In practice, both sets of rights complement each other:
Right of access (Art. 15 GDPR) / Right to access medical records (Art. 23 Patient Rights Act) — the patient has the right to obtain a copy of their data. In the medical context, exercising the right of access covers both data from IT systems (GDPR) and medical records (Patient Rights Act).
Right to rectification (Art. 16 GDPR) — the patient may request correction of inaccurate personal data. However, rectifying medical records is subject to limitations — a physician may supplement or correct records by adding an annotation but may not alter original entries (the principle of medical record integrity).
Right to erasure (Art. 17 GDPR) — significantly restricted in the healthcare sector. The controller cannot delete medical records before the statutory retention period expires (20 years). Refusal is based on Article 17(3)(b) GDPR (legal obligation) and Article 17(3)(d) (archival purposes in the public interest).
Right to restriction (Art. 18 GDPR) — the patient may request restriction of processing, e.g., while data accuracy is being verified. However, this does not mean the healthcare provider may cease processing data necessary to ensure continuity of care.
Right to data portability (Art. 20 GDPR) — the patient may request that data be transferred to another healthcare provider in a machine-readable format. Note that Article 20 applies only to data processed by automated means on the basis of consent or a contract; medical records kept under a legal obligation (Art. 9(2)(h) read with healthcare legislation) fall outside it, and the patient's route is then the Patient Rights Act (a copy of the records or transfer to ensure continuity of care). In practice, portability is also difficult due to the varying formats of medical systems.
DPIA in the Healthcare Sector
Healthcare providers processing health data on a large scale are required to conduct a DPIA (Article 35(3)(b) GDPR). This applies to hospitals and clinics processing data on large numbers of patients, diagnostic laboratories, telemedicine companies, health app developers processing health data, and entities conducting clinical trials. By contrast, Recital 91 states that processing of patient data by an individual physician or other healthcare professional is not considered large scale.
A DPIA in the healthcare sector should consider particular risks: unauthorised access to medical data (e.g., staff viewing records without authorisation), breach of confidentiality (leak of health status information), data loss (system failure without backup), data manipulation (alteration of test results or medication dosages), and patient profiling (e.g., AI systems supporting diagnostics).
DPO in Healthcare Entities
Healthcare providers are in many cases required to appoint a DPO — due to large-scale processing of special category data (Article 37(1)(c) GDPR). This applies to hospitals, clinics, laboratories, and other healthcare providers processing medical data on large numbers of patients.
A DPO in a healthcare entity should possess specialist knowledge at the intersection of data protection law and medical law — familiarity with the Patient Rights Act, medical documentation regulations, medical confidentiality, and the health information system.
Data Breaches in the Healthcare Sector
Medical data breaches are particularly serious due to the sensitivity of the information. The most common scenarios in healthcare:
Sending test results to the wrong patient — an error in the email address or phone number.
Unauthorised staff access — viewing patient medical records unrelated to treatment (e.g., curiosity about a well-known person’s data).
Ransomware attack on a hospital system — encrypting the patient database and demanding a ransom.
Loss of a data carrier — losing a laptop or USB drive containing patient data.
System misconfiguration — patient data publicly accessible online due to a settings error.
Each of these scenarios must be assessed under Article 33 GDPR: the breach must be notified to UODO within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals. With health data that exception will rarely apply (one of the few cases is a lost laptop or USB drive whose contents were fully encrypted and whose key was not compromised). If there is a high risk to patients, the affected patients must be notified as well (Article 34 GDPR).
UODO has imposed fines on healthcare entities for data protection violations — including insufficient security measures, failure to report breaches, and failure to notify affected individuals.
Medical Data Security — Technical Requirements
Due to the sensitivity of medical data, security requirements are particularly high:
Encryption — of data at rest (databases, storage media) and in transit (patient communication, results transmission, telemedicine).
Access control — a role-based access control system (RBAC). A physician sees only their patients' data, a nurse sees only data necessary for care, a receptionist sees only administrative data. Because emergencies cannot wait for a care relationship to be registered, the system should also provide a "break-glass" emergency access path that is allowed but recorded and reviewed afterwards.
Event logging — recording who accessed what data and when, including denied attempts and break-glass use. Logs only enable detection of unauthorised access if they are protected against tampering, retained, and actually reviewed (e.g., for staff reading records of patients they do not treat).
Multi-factor authentication (MFA) — particularly for access to medical systems.
Backups — regular, tested for recoverability. In healthcare, data loss can endanger a patient’s life.
Network segmentation — separating medical systems from the administrative network and the internet.
Mobile device management — encrypting tablets and smartphones used by medical staff, remote wiping in case of theft.
Standards compliance — ISO 27001, ISO 27799 (information security management in health), EN ISO 13606 (health informatics — electronic health record communication).
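The following Python script is an added example (not code from the article or from any particular medical system) of the access-control and logging requirements above applied together: a minimal record gate that enforces the role split, requires a treating relationship for clinical sections, allows emergency "break-glass" access, writes every decision to an audit log, and then reviews that log for the "unauthorised staff access" scenario described in the breach section. The role-to-section map, the reason strings, the patient and user identifiers, and the access log itself are constructed assumptions for illustration.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field

# Which sections of a patient record each role may read.
# Assumption: a simplified model of the physician / nurse / receptionist split.
ROLE_SECTIONS = {
    "physician": {"demographics", "diagnoses", "results", "medications"},
    "nurse": {"demographics", "medications", "results"},
    "reception": {"demographics"},
}
CLINICAL = {"diagnoses", "results", "medications"}


@dataclass
class AccessEvent:
    ts: str          # ISO timestamp (constructed in demo())
    user: str
    role: str
    patient: str
    section: str
    allowed: bool
    reason: str      # "ok", "role_denied", "no_care_relation", "break_glass:<why>"


@dataclass
class RecordGate:
    care_team: dict[str, set[str]]                   # patient -> users treating that patient
    audit: list[AccessEvent] = field(default_factory=list)

    def read(self, ts, user, role, patient, section, break_glass_reason=None) -> bool:
        """Authorise one read. Every decision, allowed or denied, is appended to the audit log."""
        if section not in ROLE_SECTIONS.get(role, set()):
            return self._log(ts, user, role, patient, section, False, "role_denied")
        if section in CLINICAL and user not in self.care_team.get(patient, set()):
            if break_glass_reason:
                # Emergency access: permitted, but recorded for mandatory after-the-fact review.
                return self._log(ts, user, role, patient, section, True,
                                 "break_glass:" + break_glass_reason)
            return self._log(ts, user, role, patient, section, False, "no_care_relation")
        return self._log(ts, user, role, patient, section, True, "ok")

    def _log(self, *fields) -> bool:
        event = AccessEvent(*fields)
        self.audit.append(event)
        return event.allowed


def review(audit, watch_list, denial_threshold=3):
    """Review findings from the audit log: every break-glass use, every successful clinical
    read of a watch-listed patient (e.g. a well-known person), and users with repeated denials."""
    findings = []
    denials = Counter()
    for ev in audit:
        if ev.reason.startswith("break_glass"):
            findings.append(("break_glass", ev.user, ev.patient, ev.reason))
        if ev.allowed and ev.patient in watch_list and ev.section in CLINICAL:
            findings.append(("watch_list", ev.user, ev.patient, ev.reason))
        if not ev.allowed:
            denials[ev.user] += 1
    for user, n in denials.items():
        if n >= denial_threshold:
            findings.append(("repeated_denials", user, n))
    return findings


def demo():
    """Constructed access log: one legitimate read, a nurse exceeding role limits, a receptionist
    probing a watch-listed patient's clinical data, and a physician using break-glass at night."""
    gate = RecordGate(care_team={"P-001": {"dr.kowalski", "rn.nowak"}, "P-002": {"dr.wisniewska"}})
    watch = {"P-002"}  # assumption: a patient whose record is under heightened monitoring
    gate.read("2024-03-01T09:00", "dr.kowalski", "physician", "P-001", "diagnoses")        # ok
    gate.read("2024-03-01T09:05", "rn.nowak", "nurse", "P-001", "diagnoses")              # role_denied
    gate.read("2024-03-01T09:10", "reception.a", "reception", "P-002", "demographics")   # ok
    gate.read("2024-03-01T09:12", "reception.a", "reception", "P-002", "results")        # role_denied
    gate.read("2024-03-01T09:14", "reception.a", "reception", "P-002", "diagnoses")      # role_denied
    gate.read("2024-03-01T09:16", "reception.a", "reception", "P-002", "medications")    # role_denied
    gate.read("2024-03-01T22:40", "dr.kowalski", "physician", "P-002", "results")        # no_care_relation
    gate.read("2024-03-02T02:10", "dr.kowalski", "physician", "P-002", "results",
              break_glass_reason="ED admission")                                          # break_glass
    return gate, review(gate.audit, watch)


if __name__ == "__main__":
    _, findings = demo()
    for finding in findings:
        print(finding)
```

The review is deliberately conservative: a denied attempt is never silently dropped, break-glass use is always surfaced for a human to confirm the emergency, and a watch list covers the "curiosity about a well-known person" case that role checks alone cannot catch. In a real deployment the audit log would be written to append-only storage outside the clinical application so that the people being monitored cannot edit it.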
Checklist — GDPR for Healthcare Providers
- Identify all health data processing activities — medical records, IT systems, telemedicine, research.
- Determine legal bases — Art. 9(2)(h) (health purposes) as the primary basis, Art. 9(2)(a) (consent) only when necessary.
- Do not request consent for processing data for treatment — the proper basis is healthcare legislation.
- Prepare patient privacy notices — address healthcare sector specifics.
- Conduct a DPIA — mandatory for large-scale health data processing.
- Appoint a DPO — mandatory wherever health data is processed on a large scale, which covers most healthcare providers other than individual practices.
- Ensure medical confidentiality — bind staff to confidentiality, control access to records.
- Secure IT systems — encryption, access control, MFA, backups, logging.
- Regulate telemedicine — encrypted communication channels, secure platforms.
- Define retention periods — 20 years for medical records (with exceptions).
- Implement a patient rights procedure — access to records, rectification, restriction.
- Implement a breach procedure — rapid response is critical for medical data.
- Conclude DPAs — with IT system providers, laboratories, cloud providers.
- Maintain a ROPA — include all medical data processing activities.
- Train staff — physicians, nurses, receptionists, IT personnel — all process patient data.
Need GDPR Support in the Healthcare Sector?
Protecting patient data requires simultaneous knowledge of the GDPR, medical law, and the specifics of healthcare IT systems. At the Law Office of Dr Joanna Maniszewska-Ejsmont, we advise healthcare providers and health sector companies on GDPR compliance — from auditing medical documentation, through implementing security procedures, to serving as an external DPO.

Contact us — we will assess your healthcare entity’s level of GDPR compliance.
