Alessandri in DataGuidance: Overview of privacy in the health sector and COVID-19 considerations in Chile
7 July, 2022
The purpose of this Insight article is to provide an overview of the Chilean regulations governing privacy and data protection in the health sector. In this regard, it is worth mentioning that it covers any type of healthcare provider (whether public or private), as well as health professionals and workers who are involved in the provision of healthcare services.
With the COVID-19 pandemic, privacy and healthcare data protection became crucial among privacy practitioners due to the number of consultations and healthcare services provided by means of telemedicine, health-related data processing for different purposes, as well as restrictions in mobility, the capacity of premises, and the exercise of rights protecting the access to healthcare and related data. Jaime Urzúa and Felipe Von Unger, from Alessandri Attorneys at Law, discuss general and more specific rules governing data protection, their enforcement, and Bill No. 11144-07 Regulating the Processing and Protection of Personal Data and Creating the Personal Data Protection Authority (‘the Bill’), which is now being discussed in the Chilean National Congress.
Constitution and laws
Article 19(4) of the Political Constitution of the Republic of Chile guarantees all individuals the protection of personal data and sets forth that the processing and data protection must be carried out under the conditions determined by law.
Likewise, Law No. 19.628 on the Protection of Private Life 1999 (‘the Law’) constitutes the current and main normative framework on data privacy. The Law establishes general rules for data processing and specifically refers to health-related data, including the definition of ‘sensitive data’, which encompasses data regarding physical or moral characteristics of persons or in relation to facts or circumstances of their private life or intimacy, such as physical or psychological health conditions and sexual life. The relevance of this definition is, among other things, that sensitive data cannot be processed, except:
- when authorised by law;
- with the data holder’s explicit consent; or
- when it is necessary for the determination and/or granting of health benefits for the data holders.
Moreover, Law No. 20.584 Which Regulates the Rights and Duties that People have in relation to Actions related to their Health Care (‘the Health Care Rights Law’) regulates patient rights and related obligations. Beyond the rights and obligations therein granted and regulated, the key correlation with privacy lies with the medical records. According to the Health Care Rights Law, a medical record is defined as a mandatory instrument in which an individual’s health-related background information is recorded. Its purpose is to integrate all relevant medical information for the correct assistance of each patient. It may be in electronic, paper, or any other format, provided the record is complete and it assures proper access, storage, and confidentiality, as well as the authenticity of its content and the option of amendments according to the law and the data holder’s requests. Particularly, all information arising from the medical record, studies, laboratories, and other documents in which the patient’s procedures and treatments are recorded must be considered as sensitive data under the Law.
The Health Care Rights Law states that providers are responsible for the confidentiality of the medical record and must store it for a 15-year term. It also establishes that only those directly involved with the patient’s healthcare may have access to their medical record. Third parties that are not directly related to the patient’s healthcare should therefore not have access to the information contained in medical records, not even health and administrative personnel of the provider who are not involved in the direct care of the patient.
Notwithstanding the above, a medical record may be accessed by:
- its holder, their legal representative, or their heirs;
- third parties duly authorised by the data holder or by means of a power of attorney granted before a notary public;
- courts of justice, provided that the information contained in the medical record is related to the case they are currently hearing;
- prosecutors of the Public Ministry and lawyers with the previous authorisation of the competent judge, when the information is directly related to the investigations or defences they oversee; and
- the Institute of Public Health in the exercise of its powers.
Finally, the Health Care Rights Law obliges people and institutions involved in healthcare services to adopt all necessary precautions for assuring the confidentiality and privacy of the patient, their medical, genetic, or other sensitive data, and that all such information is used exclusively for the purposes for which it was collected and processed.
Sectoral regulations issued after the emergence of COVID-19
Apart from the aforementioned requirements, there are certain sectoral regulations that impose data protection obligations with reference to the Law and the Health Care Rights Law, all of them published as a response to the pandemic:
- Exempt Resolution No. 24, which facilitates the acquisition of medicines in the context of a health alert and sets out that prescriptions and their content, including digitalised images, are reserved and sensitive data, subject to the Law, the Health Care Rights Law, and other applicable laws and regulations.
- Exempt Resolution No. 141, which regulates the coordination of the public-private network and establishes that the information provided with respect to patients diagnosed with COVID-19 must be safeguarded as sensitive data, as established in Article 12 of the Health Care Rights Law and Articles 2(g) and 10 of the Law.
- Decree No. 466 of the Ministry of Health, which allows drugstores to dispense medicines by electronic means. Such drugstores must safeguard the security and confidentiality of the personal and sensitive data they have access to.
- Circular No. 45 and Office Circular No. 7 of the Intendency of Health Providers, which acknowledge the validity of digital documents regarding the patient’s health data. Specifically, the providers may proceed to digitalise documents, being incorporated as an image in the electronic medical record. To guarantee the safeguarding of the content and access to the electronic medical record, it is sufficient that digital storage, i.e. information in paper format, is eliminated according to the current regulations.
Although there is no data protection authority in Chile, there are some relevant stakeholders that may be able to enforce the Law and the Health Care Rights Law. Considering the sectoral standards described above, the Superintendence of Health and the Regional Ministry Secretary of Health have the power to oversee all public and private healthcare providers in these matters under the Health Care Rights Law.
Recently, Law No. 21.398, which amended Law No. 19.496 which Establishes Rules on the Protection of Consumer Rights (‘the Consumer Protection Law’), was passed and grants audit powers to the National Consumer Service (‘SERNAC’) within consumer relations. Consequently, whenever healthcare data is processed under the scope of a consumer relationship, SERNAC will be able to enforce the Law as one of its audit capacities.
Key provisions and amendments of Bill No. 11144-07
The Bill, which aims to modify the Law and to create a data privacy authority, was introduced to the National Congress in 2017. Thus, the Bill seeks to set a higher standard for data processing and protection in Chile.
Notably, the Bill amends the definition of sensitive data, including new data categories, such as health-related data and biometric data. As mentioned, the proposed wider new definition of sensitive data refers to personal data revealing racial or ethnic origin, political, trade union or guild affiliation, personal habits, ideological or philosophical convictions, religious beliefs, data concerning health, human biological profile, biometric data, and information concerning a natural person’s sex life, sexual orientation, and gender identity.
Similarly, according to the current text of the Bill the health-related data would include biological profile, genetic, proteomic, or metabolic data. Likewise, biometric data would be covered by the scope of the regulation, defining it as the data obtained from a specific technical treatment, related to physical, physiological, or behavioural characteristics of a person that allow for, or confirm, their identification, such as fingerprint, iris, hand or facial features, and voice.
With regards to genomic, proteomic, or metabolic data, the Bill stipulates that it can only be processed for the following purposes:
- to perform medical diagnoses or treatments, and when necessary for the proper administration of healthcare and health insurance benefits;
- to ensure and improve the quality and effectiveness of such benefits and for the performance of activities associated with the management of the population’s health;
- to provide medical or health treatment in case of emergency;
- to qualify the degree of dependency or disability of a person; and
- when it is indispensable for the execution or fulfilment of a contract whose object or purpose requires the processing of health data.
Other amendments that are included in the Bill refer to human health as a cause for impeding the exercise of the right to access, cancel, opposition, and cancellation. Moreover, the Bill deems licit the processing of sensitive data without the data holder’s consent in the following situations:
- when it is indispensable to safeguard the life or physical or psychological integrity of the data holder or someone else, or when the data subject is physically or legally impaired from giving their consent. Once the impediment ceases, the data controller must inform the data subject in detail of the data that was processed and the specific processing operations that were carried out;
- in cases of legally decreed health emergency;
- for historical, statistical, or scientific purposes, for studies or research in the public interest or for the benefit of human health, or for the development of medical products or supplies that could not be developed in any other way. The results of scientific studies and research using personal data relating to health or biological profile may be freely published or disseminated, with prior anonymisation of the data;
- when the processing of the data is necessary for the formulation, exercise, or defence of a right before the courts of justice or an administrative entity;
- when data processing is necessary for the purposes of preventive or occupational medicine, evaluation of the worker’s capacity to work, medical diagnosis, provision of health or social assistance or treatment, or management of health and social assistance systems and services; or
- when the law so permits and expressly indicates the purpose of such processing.
Finally, the Bill adds a provision that prohibits the processing and transfer of data relating to the health and biological profile and biological samples associated with an identified or identifiable person, including the storage of biological material, when the data or samples have been collected within labour, educational, sports, social, insurance, security, or identification fields, unless the law expressly authorises its processing in qualified cases and it refers to any of the cases previously mentioned.