In this data protection statement, I describe how I process the personal data of my patients (hereinafter “patient data”). Collecting, saving, storing, using, disclosing, and protecting patient data is based on legislation, particularly the EU General Data Protection Regulation (2016/679), the Act on the Status and Rights of Patients (785/1992), the Decree of the Ministry of Social Affairs and Health on Patient Documents (94/2022), and the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (703/2023). Please read this data protection statement carefully. I reserve the right to make changes to this data protection statement.
Data Controller
Mikael Piha (Rautatienpuiston lääkäri)
Läntinen Pitkäkatu 26 C 63, FI-20100 TURKU, FINLAND
tel.: +358 40 530 5725
e-mail: laakari@mikaelpiha.fi
Business ID: 3382517-2
Patient Data Subject to Processing
While providing medical services, I process patient data. This consists of various personal data concerning health, such as information on appointments and visits, medical history, living habits, medication, observations and measurements made by myself, laboratory results, and medical imaging reports. Necessary personal data that I process to arrange medical care also include, for example, full name, personal identity code, home address, telephone number, e-mail address, as well as personal data and contact information of the guardian of a child patient, or the representative of any other person without legal capacity.
Source of Patient Data
Primarily, I acquire patient data from the patient themselves by means of an interview or physical examination. In addition, when booking an appointment through my website, the patient delivers their data to me. I also receive data in the form of documents and other physical records that the patient may deliver to me. If necessary, I obtain data from other healthcare providers, for example via the Kanta Services, but I only do this with the patient’s consent or on the basis of a specific justification stipulated in legislation.
Disclosing Patient Data
As a physician, my duty is to keep patient data confidential. Only with the patient’s consent or on the basis of a specific justification stipulated in legislation do I disclose patient data to next of kin, other healthcare providers, insurance institutions (e.g. Kela), and officials. Patient data may be saved on servers outside the EU and EEA; Vello Solutions Ltd is responsible for the security and legality of such storage.
Purpose of Using Patient Data
The purpose of using patient data is primarily to arrange, plan, carry out, and monitor medical treatment. I also use patient data, for example, to issue statements and certificates on the patient’s state of health. Additionally, I use the data for billing and to fulfil other possible legal responsibilities.
Legal Basis of Processing Patient Data
I process patient data according to the EU General Data Protection Regulation to fulfil my legal responsibility to maintain a patient registry and to keep patient records. Processing data can also be based on the patient’s consent when I obtain data elsewhere. In both cases, my right to process sensitive personal data is based on the Data Protection Regulation.
Storing and Protecting Patient Data
I store patient data primarily in electronic form in the systems of Vello Solutions Ltd and in the Kanta Patient Data Repository. I save the patient data that I process with the Vello electronic health record system into the Kanta Patient Data Repository according to the regulations of the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare. Vello is a healthcare information system registered by Valvira with high standards of information security. The data saved in the information systems are protected with passwords, and only I have access to them. I process electronic patient data over a secure internet connection. Additionally, I store some data in physical form in a security cabinet to which only I have access. I have drafted a separate information security plan. Patient data will mainly be retained for 12 years after the patient’s death, or for any other period prescribed by the Decree of the Ministry of Social Affairs and Health on Patient Documents. After this, Kela will dispose of the data saved in the Kanta Patient Data Repository, and I, or whoever holds the data at the time, will dispose of the data saved elsewhere.
Rights of Patient
Subject to certain exceptions stipulated in the law, the data subject, i.e. the patient, has the right to access their data: upon request, I will deliver to the patient a copy of the patient data concerning them, or I will disclose it to them orally. The patient has the right to have inaccurate or incorrect data rectified and the right to have deficient data supplemented. According to legislation, the patient has no right to have their information erased.
Information Security Violations
If patient data is destroyed, damaged, leaked, or stolen in a way that compromises the rights or freedoms of the patient, I will notify the patient of the information security violation without delay and the Office of the Data Protection Ombudsman within 72 hours of becoming aware of the violation.
Cookies
My website uses cookies that are essential for the correct functioning of the website. Additionally, third-party plugins on my website may use cookies according to their own policies, with the user’s permission. Cookies are stored for six months.
Other Considerations
The scale of my medical services is so small that according to the ruling of the EU Data Protection Working Party, it is not necessary to carry out an impact assessment or to appoint a separate data protection officer.
Turku, 28 January 2025
Mikael Piha