November 8, 2023
Confidentiality of information in medical examination and treatment activities is a paramount issue. Leakages of patients’ information will negatively affect the patient’s psyche and could lead to many unwanted consequences. Such events also degrade the reputation of medical examination and treatment facilities in the eyes of patients. In recent years, medical examination and treatment facilities in Vietnam have applied advances in science and technology to manage their operations. However, alongside such advancements, methods of exploiting patients’ information are also becoming increasingly sophisticated and more common.
The inviolability of private life, personal secrets and family secrets is a human right enshrined in the 2013 Constitution of Vietnam. In medical examination and treatment activities, this right is concretized in the provisions of legal documents such as Law on People’s Health Protection No. 21-LCT/HDNN8 (“Law on People’s Health Protection”); Law on Medical Examination and Treatment No. 40/2009/QH12 (“Law on Medical Examination and Treatment”); Law On Donation, Removal And Transplantation Of Human Tissues And Organs And Donation And Recovery Of Cadavers No. 75/2006/QH11 (“Law On Donation, Removal And Transplantation Of Human Tissues And Organs And Donation And Recovery Of Cadavers”); Law on HIV/AIDS Prevention and Control No. 64/2006/QH11 (“Law on HIV/AIDS Prevention and Control”); Law on Prevention and Control of Infectious Diseases No. 03/2007/QH12 (“Law on Prevention and Control of Infectious Diseases”), etc.
In general medical examination and treatment activities, Article 8 of the Law on Medical Examination and Treatment stipulates that respect for privacy is a right of patients. Specifically, according to the provisions of Clause 1 of this Article, patients are entitled to keep confidential “information about their health status and private life recorded in the medical record dossier”. Clause 1, Article 59 of the Law on Medical Examination and Treatment stipulates: “A medical record dossier is a medical and legal document; each patient has only one medical record dossier in each medical examination and treatment at a medical examination and treatment establishment.” Medical record dossiers are in paper or electronic form, including documents and information related to the patient and the medical examination and treatment process. Specifically, the medical record dossier includes:
– Medical record: consists of 2 sections, an administrative section (patient’s name, age, gender, occupation, address, name of a relative, contact address when needed, hospital admission number, code, date of admission, discharge, etc.) and a professional section (recorded by the doctor);
– Documents attached to the medical record such as: Care sheet, Drug disclosure sheet for the patient; Life functions monitoring sheet; Transfusion sheet; Drug reaction test sheet; Minutes of consultation; Surgery approval paper; Transfer paper; Minutes of death; Blood request sheet; Subclinical papers; Test papers of all kinds; X-ray, ultrasound, electrocardiogram sheets…[1]
Thus, the patient’s information in the medical record dossier, whether it is a paper record or an electronic record (including but not limited to the above information) is kept confidential, and is only allowed to be made public under certain circumstances as presented in section 1.3 of this article.
Medical examination and treatment practitioners are obligated to keep patients’ information confidential. This obligation is established based on respect for the privacy of individuals and obligations related to professional practice and professional ethics. According to the World Medical Association’s Code of Ethics, physicians have a duty to “respect the privacy of their patients. Any patient information must not be disclosed to anyone, without the patient’s consent.”
In Vietnam, right from the 1989 Law on People’s Health Protection, medical practitioners’ obligation to keep patients’ information confidential has been set. Specifically, Clause 1, Article 25 of this Law stipulates that doctors are obligated to “keep secret matters related to the disease or private life of the patient”.
In general medical examination and treatment, Clause 2, Article 3 of the Law on Medical Examination and Treatment stipulates that one of the principles of medical examination and treatment practice is “Respect for the rights of patients; keep confidential information about health status and private life recorded in medical record dossiers,…”. At the same time, according to Clause 5, Article 37 of this Law, one of the obligations towards the profession of medical examination and treatment practitioners is “Keeping the patient’s medical condition and information provided by the patient and medical records, except for the case specified in Clause 2, Article 8 of this Law.” Regarding the time limit for storing medical record dossiers, Clause 3, Article 59 of the Law on Medical Examination and Treatment stipulates that medical record dossiers shall be stored according to the levels of confidentiality of the law on protection of state secrets; inpatient and outpatient medical record dossiers must be kept for at least 10 years; medical record dossiers for occupational accidents and domestic accidents must be kept for at least 15 years; medical record dossiers of mentally ill patients and deceased patients must be kept for at least 20 years.
In the activities of donating, removing and transplanting human tissues and organs and donating and recovering of cadavers, Clause 4, Article 4 of the Law on Donation, Removal And Transplantation Of Human Tissues And Organs And Donation And Recovery Of Cadavers stipulates the principle of these operations which is “Keeping confidential information related to the donor and transplant recipient, unless otherwise agreed by the parties or otherwise provided by law.” Clause 9, Article 11 of this Law also stipulates that “Disclosure of information and secrets about the donor and the transplant recipient contrary to the provisions of law” is a prohibited act.
In HIV/AIDS prevention and control activities, according to the provisions of Clause 3, Article 25 of the Law on HIV/AIDS Prevention and Control, laboratory staff “have the responsibility to keep test results confidential and only use test results for HIV/AIDS epidemiological surveillance and scientific research”.
In infectious disease prevention and control activities, according to the provisions of clause 3, Article 33 of the Law on Prevention and Control of Infectious Diseases, doctors and medical staff at medical examination and treatment establishments have the responsibility to “keep confidential information related to the patient”.
In diagnosis, consultation, remote medical examination and treatment, Decision No. 4054/QD-BYT clearly states: The information shared in these activities includes summary of medical record dossiers, case progress and consultation minutes. Medical facilities are not allowed to share personal information of patients such as full name, address, patient’s face and body image or information that can identify the patient in any way. Where the consultation session requires the presence of the patient, technical measures must be taken to cover or blur the patient’s face. At the same time, consultations and remote medical examination and treatment sessions must not be streamed directly via social networks or other channels that may reveal the patient’s personal information, face and health situation[2].
According to Article 8 of the Law on Medical Examination and Treatment, information about health status and private life recorded in medical record dossiers is only allowed to be disclosed in the following cases:
(i) With the patient’s consent.
Patients are owners of confidential information and data and they have the right to disclose their own information or allow medical facilities to disclose such information. The patient’s consent to disclose information will waive the obligation of confidentiality for medical examination and treatment establishments and medical practitioners. The consent of the patient may be expressed in writing or in other forms as agreed.
(ii) To share information and experiences to improve the quality of diagnosis, care and treatment of patients among practitioners in the group directly treating patients.
Practitioners in the group directly treating the patient need to have enough information about the patient’s condition to be able to give the best diagnosis, care and treatment plan for the patient. Therefore, it is reasonable to disclose patients’ information to these subjects, purely for the benefit of the patient.
(iii) In other cases as prescribed by law.
Clause 4, Article 59 of the Law on Medical Examination and Treatment stipulates cases in which the head of a medical examination and treatment establishment may decide to allow the exploitation of medical record dossiers, including:
– Internship students, researchers, practitioners in medical examination and treatment establishments may borrow medical record dossiers on the spot to read or copy for research or professional and technical work.
– Representatives of state medical management agencies directly managing medical examination and treatment establishments, investigative agencies, procuracies, courts, specialized medical inspectors, insurance agencies, forensic organizations, forensic psychiatrists, lawyers may borrow medical records on the spot to read or copy to serve their assigned tasks according to their authorized competence.
The above subjects, when using information in the medical record dossiers, must keep it secret and only use it for the right purposes as suggested to the head of the medical examination and treatment establishment.
The law has specific provisions to ensure confidentiality of information in medical examination and treatment; however, the implementation of these regulations in practice is still limited. There are many medical examination and treatment establishments and practitioners that knowingly or unintentionally provide patients’ information to pharmaceutical traders and private insurance organizations without the written consent of the patient.
For example, on August 23, 2022, many pregnant women reported to Tu Du Hospital (Ho Chi Minh City) suspecting that their personal information was leaked during their time giving birth at the hospital. Many people said that they were constantly harassed by milk companies, babysitters, and offers of at-home care services, free fingerprint biometrics, etc. after giving birth at Tu Du Hospital. Notably, there are cases where the caller knew the baby’s date of birth, sex or the incubator status. Pregnant women expressed their annoyance, fatigue and worries when their personal information was exposed, affecting their lives. Regarding the cause of this incident, Tu Du Hospital believes that the information leak may be due to the utility system providing information to the patient, such as the message switchboard about the progress of the hospital stay, treatment, etc., or the call center for registration of medical examination and treatment, or the bank connection for conducting cashless payments, or due to the naivety of some medical staff in certain departments who may have leaked the information when getting the medical record dossiers stamped, etc.[3]
According to information from the Ministry of Health, there is a phenomenon in which some medical facilities that have signed medical examination and treatment contracts with the Social Insurance Agency unintentionally leaked access to their management system, leading to some individuals taking advantage of this to build applications, illegally exploiting databases, medical examination and treatment, health insurance information of the Information System of Vietnam Social Insurance. This greatly affects the confidentiality of patients’ medical examination and treatment information, health insurance, and violates the prohibitions in the Law on Medical Examination and Treatment, the Law on Cyber-information Security…[4]
Similarly, in the early days of the Covid pandemic in our country, there were many articles sharing and posting internal information and documents of the authorities related to the list of F0 patients, the patients’ movement schedule, contact, etc. The information shared contained personal information of the patients for tracing and preventing the Covid-19 epidemic. The fact that the above documents were spread on the social network environment caused the community to comment, discuss, stigmatize, speculate, affecting the right to keep confidential information about the health status and private life of the patient. Although the publicity of this information helps to trace the patient and limit the spread of the disease, it has seriously violated regulations on patients’ information confidentiality. Faced with that situation, on May 21, 2021, the Ministry of Health had to issue Document No. 4191/BYT-TT-KT on coordinating and adjusting the provision of information to the press on Covid-19 epidemic prevention and control. Accordingly, the Ministry of Health requested the units under the Ministry of Health and the Departments of Health of the provinces and cities under the jurisdiction of the central government not to disclose to the press the identity, details of the travel schedule and contact history of the patients, and to mandate the medical staff of their unit to strictly comply with the provisions of the Law on Medical Examination and Treatment: not to disclose in any form personal information (identity, age, address, …) of the Covid-19 patients.
Another extremely common case in fact is where a medical practitioner shares information about a patient’s illness with the patient’s family without the patient’s consent. Especially in the case of detecting that the patient has a malignancy or a serious illness, the doctor would inform the patient’s family. The purpose of this is for the patient’s family to coordinate treatment and help support the patient’s emotional well-being. Emotionally speaking, this reason is very much legitimate, in service of the interests of the patient, but strictly speaking, this behavior has violated the confidentiality of information in medical examination and treatment. On the other hand, this also leads to more risks since the patient’s family members are often the ones who would most easily spread such information to others.
Another relatively common violation of information privacy obligations in medical examination and treatment by medical facilities is the usage of images and information of patients to advertise their medical examination and treatment establishments without patients’ consent. Most notable is the incident that happened at the beginning of 2018, at T Beauty Salon (Ho Chi Minh City). Doctor T went to examine female patients and livestreamed the scenes in which he examined the patients’ breasts and gave instructions to the female patients on how to take care of their newly-lifted breast. The incident caused quite a controversy in the community. In this incident, without the consent of the female patients, it was illegal for Dr. T to post pictures on the social networking site of the beauty salon for the purpose of promoting his beauty salon since it was a violation of patients’ privacy rights to their images[5].
Firstly, it is necessary to expand the scope of confidential information in medical examination and treatment activities under the Law on Medical Examination and Treatment. According to the provisions of the Civil Code, individuals have the right to privacy and the right to images. Thus, all information about personal life, not only information about health status and private life recorded in medical records, but also information on relationships with relatives and photos of patients must be kept strictly confidential. Therefore, it is necessary to supplement “the right to keep confidential the entire process of exchange and treatment between the patient and the medical examination and treatment practitioner” to be consistent with the provisions of the Civil Code on personal privacy and image rights.
In addition, patient data related to health conditions should be considered as sensitive personal data in order to properly demonstrate the importance of this data and have a plan to develop more specific regulations to restrict the disclosure, processing or transfer of this data. This is also the approach that many countries are adopting, such as the EU with GDPR[6].
Secondly, it is necessary to specify the obligations of information processors and users in the process of exploiting and using patients’ information. Specifically, in the case of sharing information and experiences in order to improve the quality of diagnosis, care and treatment of patients among practitioners in the group directly treating the patient or other cases prescribed by law, it is recommended that identifying information be kept confidential unless the patient agreed otherwise, except where it is required by law to be disclosed in the public interest or in the interest of someone else.
Thirdly, it is necessary to expand the scope of cases where parts of the patient’s information could be shared. For example, photos or information about a patient’s condition can be used to share medical expertise (widely, not just among practitioners who directly treat the patient), provide information about epidemics or medical statistics, or support scientific research; however, identifying information or images must be deleted or hidden unless otherwise agreed by the patient.
Fourthly, it is necessary to specify in which cases the doctor can notify the patient’s medical condition to the patient’s family. In some cases, to avoid shocking the patient or causing the patient to have negative thoughts, the doctor chooses to explain the condition to the patient’s family instead. Meanwhile, family members often do not respect the patient’s right to keep information confidential. Therefore, the legal regulations need to be more specific in dealing with different cases in order for the hospital to behave appropriately and understand the cases in which they can notify the patient’s family[7].
Fifthly, it is necessary to clearly define who is allowed to participate in the medical examination and treatment process. One of the problems that frequently appear in hospitals in Vietnam is the fact that medical interns are present at the clinic, even performing some tasks under the guidance and supervision of the practitioners during the process of medical examination and treatment. However, the question of whether the presence of the interns requires the consent of the patient is still left open in the regulations on medical examination and treatment. Therefore, it should be ensured that the medical examination and treatment process would only allow the participation of relevant practitioners, unless the patient consents or requests otherwise. Non-medical practitioners participating in the medical examination and treatment process are also obligated to keep information confidential.
Finally, it is necessary to specify the period of confidentiality of patients’ information. Currently, Vietnamese law does not stipulate a time limit in which medical examination and treatment establishments and medical practitioners are obligated to keep patients’ information confidential. This raises the question: after the patient’s death, does the obligation to keep information confidential still exist or not? In this regard, the Lisbon Declaration of the World Medical Association on the Rights of the Patient prescribes that all information about the patient’s health, medical conditions, diagnosis, prognosis and treatment and all other personal information must be kept confidential, even after the patient’s death, except where the patient’s descendants have the right to access information warning about their health risks[8]. According to US law, after the death of a patient, medical facilities and medical practitioners may disclose the patient’s information to family members or designees, except where the patient requested for such information not to be disclosed[9]. Vietnamese law also needs to clearly regulate this issue so that it can be easily applied in practice.
[1] Ministry of Health (2020), Lecture on regulations on management of medical records and care forms, Clinical practice training materials for new nurses, Hanoi Medical Publishing House.
[2] Decision No. 4054/QD-BYT dated September 22, 2020 of the Minister of Health, temporarily promulgating guidelines and regulations on organizing consultations and remote medical examination and treatment.
[3] Linh Giao (2022), Tu Du Hospital “explained” the cause of patients’ information leakage, Vietnamnet Newspaper, https://vietnamnet.vn/benh-vien-tu-du-giai-thich-nguyen-nhan-lo-thong-tin-cua-san-phu-2052946.html (accessed 11/16/2022).
[4] Viet Nga (2019), Ensuring safety and confidentiality of patients’ information, Website of Bac Giang Department of Health, https://syt.bacgiang.gov.vn/chi-tiet-tin-tuc/-/asset_publisher/6CWBO9WiZqsQ/content/-am-bao-an-toan-bao-mat-thong-tin-cua-nguoi-benh (accessed 11/16/2022).
[5] MSc. Dinh Thi Thanh Thuy (2018), Ensuring the rights of users of medical examination and treatment services – some legal issues, Journal of Democracy and Law, Issue 5/2018, p. 14 – 18.
[6] Thomsonreuters, ‘Data Concerning Health’, https://uk.practicallaw.thomsonreuters.com/w-014-8175?transitionType=Default&contextData=(sc.Default)&firstPage=true#:~:text=Under%20the%20General%20Data%20Protection,(15)% 2C%20GDPR), accessed December 27, 2022.
[7] MSc. Nguyen Thuy Ha (2019), Exercising the rights of users of medical examination and treatment services and recommendations to improve the law, Legislative Research Journal No. 7(383)/Issue 1, April 2019, p. 39 – 45.
[8] WMA Declaration of Lisbon on the Rights of the Patient.
[9] 45 CFR §164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object.