/ The End of an Era: Health Data at the Center of the Debate

Health Data Protection Before Law No. 21,719

One of the sectors where the need to safeguard data subjects’ rights has become most pressing—due to the particular sensitivity of the information involved—is the health sector. Although Law No. 19,628 of 1999 established a general protection framework, specific health regulations—such as the Health Code, Law No. 20,584 on Patients’ Rights and Duties, and Health DFL No. 1—required a complement that would extend protection for health‑related data to areas that go beyond the strictly sectoral. Law No. 21,719 stepped in to fulfill that function, strengthening and expanding safeguards related to the processing of personal data linked to health.

A Structural Shift in the Processing of Sensitive Data

The entry into force of Law No. 21,719 marks a turning point in the processing of sensitive data. The use of health‑related information now requires a clear justification tied to legitimate and proportionate purposes, which compels a review of long‑standing practices across multiple sectors. The logic is changing: it is no longer just about having consent, but about ensuring that each processing activity responds to a concrete need and is properly substantiated.

This is because Law No. 21,719 introduces principles that are commonplace in Europe but will require deep re‑engineering of processes among Chilean data controllers. The lawfulness of sensitive‑data processing (Articles 16 and 16 bis) no longer rests solely on written consent; it requires specific and explicit purposes. This aligns with existing sectoral rules, such as Article 134 bis of Health DFL No. 1, which prohibits the sale or transfer of patient databases, except to provide health benefits.

The crucial difference from the previous model lies in the intensity of consent and the scope of exceptions. As under the General Data Protection Regulation (GDPR), processing health data without consent is limited to narrowly defined legal grounds. Any secondary use different from the purpose established by law—such as profiling for insurance or credit scoring—is virtually prohibited without a free, specific, and informed authorization, which is essentially revocable.

A Cross‑Cutting Impact Beyond the Health Sector

The impact of this new legal architecture presents a cross‑cutting challenge that goes beyond healthcare providers as obligated parties. It is possible to identify several sectors that have historically handled health data as highly relevant operational inputs and that will now face heightened regulatory compliance obligations.
By way of illustration only: the insurance and banking industries, in connection with risk assessment and claims settlement; the construction and manufacturing sectors, through the handling of pre‑employment and employment medical examinations, medical diagnoses, and exposure to disease risks; and, of course, the health and technology sector, to meet standards for interoperability, security, and the provision of remote healthcare services.

In conclusion, the entry into force of Law No. 21,719—combined with the high regulatory standard now in place—puts us in a context where health data can become the most complex asset if poorly managed, and the most valuable if properly protected. It will be essential for organizations to provide sufficient safeguards to position themselves in competitive markets like those mentioned above and to uphold a standard that helps prevent significant reputational and/or economic damage.