Legal analysis of the law
- Title of the law and Official Gazette number (last change or modification)
Law on Protection of Patients Rights (“Official Gazette of the Republic of Macedonia” No. 82/2008; 12/2009 and 53/2011)
- Does the Law envisage processing of personal data and in what type of Collection? (Evidence, Register, Database)
The law envisages the processing of personal data in the form of a medical record.
- What is the purpose of collecting personal data? Is that purpose clear?
Exercising the right to health protection.
- What categories of personal data are collected? Is the scope in compliance with the purpose?
The medical record for the patient shall be a record where all data and documents referring to the health status of the patient, medical, i.e. clinical condition, diagnosis, prognosis and treatment, as well as all other personal data are stored, and which is kept in accordance with the regulations in the field of health record and this Law.
- Who collects the personal data at first instance? (company, institution)
Ministry of Health
Health Insurance Fund
- Is the Consent of the data subject for personal data protection envisaged by this law?
Right to confidentiality – Article 25
The patient shall have the right to confidentiality (secrecy) of the personal and medical data that must be kept in secrecy even after his/her death, in accordance with the regulations for personal data protection.
As an exception, patient’s data may be revealed if:
– the patient gives written consent,
– they are necessary for the patient’s medical intervention in another institution,
– they are necessary for processing prescribed by law, by the healthcare institution providing health services for the patient,
– they are used for historic, scientific, research or educational purposes, under condition the patient’s identity not to be revealed, and
– it is in accordance with another law in order to protect lives, safety or health of other people.
The disclosure of the data shall be performed in a manner and up to the extent to which the aim of the disclosure is achieved and the secrecy of the data is protected to the greatest possible extent.
The patient’s data obtained shall be kept in accordance with the regulations for keeping professional and business secret, as well as for personal data protection.
The human substances whereof the patient can be identified must be kept secret, in accordance with the regulations for personal data protection.
The patient should give written or oral statement about the persons who can be given information of his/her admission in healthcare institution, i.e. a statement about a person for further communication, as well as his/her health condition, i.e. the persons who must not be given such information.
The consent for giving information may be assumed only in cases when they are given to another health worker, i.e. institution that continues to give the patient healthcare.
The processing of the patient’s personal data shall be performed in accordance with the regulations in the field of personal data protection, provided that it is not regulated otherwise by this Law.
- Is the keeping period of personal data clearly defined?
No. The medical record, as a part of the medical documentation, is kept according to the keeping period defined by the Law on Health Records.
In this particular Law there is a need for a precise definition of the keeping periods of the personal data collections.
In the healthcare institutions, the basic medical documentation shall be kept 15 years as of the last entry of data.
The medical chart and history of disease shall be kept 15 years as of the death of the diseased.
A dental chart shall be kept permanently.
Healthcare institutions shall be obliged to keep and store the basic medical documentation in electronic form in accordance with this Law.
In the Institute for Public Health of the Republic of Macedonia and in the regional centers for public health, the processed data along with the analyses and reports shall be kept permanently in electronic form.
- Does the law contain separate provision for personal data protection that clearly states the implementation of technical and organizational measures?
Not precisely, but Article 25 contains principles according to which personal health data are considered confidential.
- Is the processing of personal data prescribed by this law connected to implementation of another law?
Law on Health Records
Law on Health Protection
Law on Protection of Patients Rights
- Are there any exemptions for processing of sensitive data? (PIN, biometrics, video surveillance)