SELECTED LEGAL ASPECTS RELATING TO A PATIENT ’ S RIGHT TO ACCESS MEDICAL RECORDS

The right to access medical records is one of the most important patient’s right. This right has been regulated in a number of legal acts, and in particular, in the provisions of the Act of November 6, 2008 on patient rights and the Patients Ombudsman1. The aim of the paper is to present selected legal aspects relating to patient right to access medical records. The provisions of the Act of November 6, 2008 on patient rights and the Patients Ombudsman define the obligation to respect the right to access medical records. However, it should be noted that most of the doubts concern the right to access medical records after the death of a patient, which is only available to a person authorized by the patient during his life. This causes that immediate family members do not have the right to access the patient’s medical records after his death, if they have not been authorized by him.

The right to access medical records is one of the most important patient rights in Poland.Patient rights to access medical records stipulated was confirmed also in European Parliament resolution on patient mobility and the development of health in the European Union (2004/2148(INI)) 2 .It should be noted that, in Poland the term of medical records has not been well defined according to the law in force.With the reference to the that, art. 2 section 1 of the Act of April 15, 2011 on health care facilities 3 , determines medical records with accordance to the regulation of the Act of November 6, 2008 on patient rights and the Patients Ombudsman.
"It in turn is a logical error ignotorum per ignotorum, as in art. 3 of the Act of on patient rights and the Patients Ombudsman, in the legal dictionary the medical records definition is missing" 4 .It should be added that the term of medical records was presented in art.18 d, section 1, item 5 of the Act of August 30, 1991 on health care facilities5 .The above regulation noted that according to the Act of November 6, 2008 on patient rights, medical records constitutes gathering and sharing of data and information on patient's health status or already provided health care services by the health care provider.A similar definition was given by R. Kubiak indicating that medical records is a set of data describing patient's health status and the scope of provided health services 6 .
The patient right to access medical records is closely related to the issue of patient right to privacy, in particular the right to the protection of medical data.It shall be emphasized that medical records are one of the institutional guarantees of a patient's interests and rights referring to both the quality and, above all, safety of health services provided.The medical records include a patient's data, therefore, the patient has the right to expect that the data will be adequately protected by the therapeutic and medical personnel.Besides, the medical records are one of the primary means of proof in the case of claims for violations of patient rights.It should be noted that medical records can also be used for conducting certain medical  Beata Zasadzka, "Autostradą do EDM", Konferencja: Dokumentacja papierowa v. elektroniczna, Warszawa 26 czerwca 2013 r., cyt.za Iwoną Wrześniewską -Wal: "Dokumentacja medyczna lekarza psychiatry", [in:] Prawo medyczne dla lekarzy psychiatrów, (ed.)Anna .Jacek, Emilia Sarnacka, Warszawa: Difin, 2014, p. 45.  tests, especially the ones that are based on statistical analysis of data of a large number of patients.It should be added that both art.41section 1 of the Act of December 5, 1996 on the professions of physician and dentist7 as well as art.18 of the Act of July 15, 2011 on the professions of nurse and midwife8 obligates physician, nurses and midwives to carry out and share medical records based on regulations determined in the Act of November 6, 2008 r. on patient rights and the Patients Ombudsman"9 .

TYPES AND CONTENT OF MEDICAL DOCUMENTATION
We shall start with specifying that the term medical records means any document, regardless of whether it is in writing, or in a form of an electronic or digital record.The records should contain at least the following elements:designation of a patient for determining his identity -surname, first name, date of birth, gender, address, number of the Universal Electronic System of Population Register (PESEL), if it has been given (in the case of a newborn -mother's Social Security number, and for people not given PESEL -type and number of identity document); if a patient is a minor, incapacitated or incapable of informed consent -the name and surname of his legal representative and the address of his place of residence; identification of an entity providing health services, indicating organizational units which provided health care benefits; description of a patient's health condition or health benefits granted and the date of recording.
These are the basic elements that should be included in the medical records."A lack of any of these elements means that the document is not a medical record" 10 .It should be emphasized that the provisions in force also do not define the concept of a medical document.Due to that, the provisions of the Criminal Code and the Civil Code should be referred to in order to define the concept of a medical document.In turn, art.115 § 14 of Criminal Code indicates that: "the document is any item or other recorded medium of information with which a particular law is bound, or which, by virtue of its content, constitutes evidence of law, a legal relationship or a circumstance of legal significance."11 .Whereas, art.773 of Civil Code Specifies the document as:" an information medium for getting to know its content."12 .Consequently, it should be assumed that the medical document will contain any information carrier including the patient's identification data, the identification of the organizational unit with the name of the medical institution in which the document was created, the data describing the patient's state of health along with the information on the provided health care services, as well as the date of preparation of medical records.
Types of medical records and the manner of their keeping has been defined mainly in the Decree of the Minister of Health of November 9, 2015 on the types, scope and examples of medical records and the ways of their processing13 and in the Act of November 6, 2008 on patient rights the Patients Ombudsman14 .Medical records can be divided into two groups: individual (relating to individual patients using health services) and collective (applicable to all patients or certain groups).Both groups are divided into internal and external records.The individual internal records are: health history, medical history, newborn card, individual nursing and midwifery card, patronage visit card and background check card, as well as immunity card.The individual external records are in particular: referral to hospital or other entity, referral for diagnostic tests and consultations, as well as any certificates, decisions, opinions, pregnancy card, child health certificate and information sheets for the hospital treatment.
The collective internal records include: general admission and discharge register, the waiting list for health services, register of ward patients, treatments register, or register of doctors physician and nurses reports.Whereas the external collective records include activity reports, i.e. the data on the course of treatment, the available staff and equipment.This documentation does not contain personal data of patients.
The Decree of the Minister of Health of November 9, 2015 on the types, scope and examples of medical records and the ways of their processing determines general regulations regarding carrying out the medical records, and those are: records shall be kept in a legible manner, further entries shall be made in chronological order, any entries in the documentation must not be removed from it, and if entered incorrectly, it shall be crossed out and provided with the date of deletion and signature of a person making the deletion 15 .
Article 25 of the Act on patient rights and the Patients Ombudsman defines the basic elements that shall be included in medical records.Moreover this catalogue in article 25 is not closed because even the current regulations regarding medical records expand it."Other acts also indicate the additional information that should be included in individual medical records, for example, the Act on professions of physicians and dentists, the act on mental health care" 18 .
The concept of access consists in one of the actions to which the personal data are subject.The fundamental legal act governing the principles of sharing medical records is the Act of November 6, 2008 on patient rights and the Patients Ombudsman, where the entire chapter 7 formulates a patient's right to access medical records.Whereas, the provisions of the Regulation of the Minister of Health of November 9, 2015 on the types, scope and examples of medical records and how they are processed19 clarify the issues of the access to documentation.Art. 23, paragraph 1 The Act of November 6, 2008 on patient rights and the Patients Ombudsman guarantees the patient right to access medical records in relation to his health state and health services.Besides the patient, the persons authorized to have access to medical records are his legal representatives or a person authorized by him."Art.26, paragraph 1 The Act of November 6, 2008 on patient rights and the Patients Ombudsman not specify a time, when the patient has to submit an authorization.Therefore, the patient can authorize medical records to be made available both before, during and after the healthcare delivery" 20 .
Internal documentation can be made available, if a patient made two types of declaration of will.One statement applies to the authority (or its lack) of a relative to obtain information about the patient's health state and health services, while the other is the patient's statement authorizing a close person to have access to his medical records or a statement of disagreement on sharing medical records.After the patient's death the access to the documentation is given only to a person authorized by the patient during his life."However, the case is complicated when the patient is unconscious or in another condition that prevents the expression of the will and has previously failed to take any position21 .The Act of November 6, 2008 on patient rights and the Patients Ombudsman does not specify this problem.D. Karkowska indicating that: " if the patient authorized the person in his life to read the information in his medical records, it can not be deprived at the moment of death by a person authorized to do so only because of the lack of a written authorization to obtain medical records"22 .However J. Grzymowski considered that: if the patient authorizes access to medical records, but does not indicate that the authorization extends also to the time after the death of the patient, this authorization along with the death of the patient expired.If the patient authorized the person someone To access this patient's documentation after the patient's death, the fact that the authorization concerns Also (or only) the period after the death of the patient should be marked in the authorization" 23 .In this regard, we shall note the judgment of WSA in Krakow of October 29, 2014, which says: "A patient's statement about the possibility of sharing medical records with a closest person, also submitted in another medical facility and not revoked in any way (explicitly or implicitly) causes that the statement retains its power in other health care facilities, if it is attached to the health card within the individual patient records24 .Whereas, in the judgment of February 13, 2013 the Regional Administrative Court in Warsaw similarly pointed out that the authorization to access the medical documentation is also effective in therapeutic entities other than the one where it was granted 25 .
The catalogue of entities entitled to access medical records is wide.As previously mentioned, medical records can be made available to a patient, his legal representative, or a person authorized by the patient.Medical records can also be made available to providers of health services, when documentation is necessary to ensure continuity of care, as well as a number of bodies and institutions.In order to use the records for the control and supervision, the right to access medical records is given to public authorities, the National Health Fund, the bodies of local health professionals self-governments, as well as national and voivodeship consultants.Among other entities authorized to inspect medical records there are also: the courts, prosecution, forensic physician and professional liability ombudsmen, pension authority and commissions adjudicating on disability, entities keeping registers of medical services, physician, nurses, midwives in connection with the procedure evaluating the entity providing health services under the provisions on accreditation in health care, and voivodeship commissions adjudicating on medical events.In the case of the authorization of voivodeship commissions adjudicating on medical events to request medical records for the proceedings, it shall be emphasized that the provisions of the Act on patient rights do not specify, whether it is acceptable for the commission to request medical records from all medical entities running hospitals, or only a medical entity running the hospital that is the party to the proceedings."However, due to the content of art.67 d section 2 of the Act on patient rights, it is the applicant that should include prima facie evidence of circumstances indicated in the application, and Article 6 of the Civil Code where the commissions' authorization in terms of access to medical records should be assessed as subsidiary"26 .Medical documentation may also be made available to the heirs within the framework of the proceedings before the voivodeship commission adjudicating on medical events, as well as to those performing checks in medical entities to control the legality, efficacy and reliability of the databases in the field of health care and the transmission of the data to the information system.
In addition, making the documentation available for insurance companies is possible only with a patient's consent."Medical records can also be made available to universities or Research Institutes for scientific purposes, without disclosing the names and other data making it possible to identify a person the documentation concerns"27 .It is worth noting that the police are entitled to use the personal data and process these data without the consent and knowledge of a person concerned, but only as a result of operation and reconnaissance actions.
It shall also be noted that both the patient and a person authorized by him shall not be obliged to give reasons for their request to see the documentation, as well as they do not have to provide the purpose for which they want to become familiar with its contents, or to obtain its duplicate, copy or extract.However, in the case of entities and bodies authorised under article 26 of the Act on patient rights and the Patients Ombudsman, access to the documentation is granted under certain conditions, on formal grounds, and for a specific purpose.
There are three methods of sharing medical records.The most common way is to produce its extract, copy or duplicate.The second form consists in access to the documentation, including the databases in the field of health care, at the headquarters of the entity providing health services.The third way of sharing medical records is to release the original with the confirmation of receipt and condition of returning it after use, if the authorized body or entity requests access to the original documents.
Whereas, sharing the original documentation requires special security measures and attaching the confirmation of receipt with condition of returning it after use.The period for provision of medical documentation is referred to as" without undue delay ", but it is generally accepted as up to 30 days.In the case when the provision of the documentation is not possible, the refusal together with a statement of the reasons shall be given in a hard or electronic form, in accordance with the request of the authorized body or entity.
Sharing medical records was also considered in the judgment of April 19, 2016 of the Supreme Administrative Court in Warsaw.The judgment clearly stated that the subject of regulation of article 27 law on patient rights and the Patients Ombudsman is the way of sharing medical records.One of the ways of sharing medical records is giving the original with confirmation of receipt and condition to return after use, if the authorized body or entity requests provision of the original documentation.The right to access medical records is a patient's right, thus, he has the right to choose the form of sharing medical records due to his needs for the protection of his health and life.In addition, the protection of medical records is guaranteed by the obligation to leave a copy or a full excerpt of the documentation by the entity providing health services.An interpretation that sharing the original document is permissible only for other purposes is not acceptable.The priority is given to the patient's subjective right to health, included in the fundamental rights (Art.68 paragraph 1 of the Polish Constitution) 28 .
Using medical records on site, with prior appointment, does not involve a fee.However, extracts and duplicates are subject to the payment of 0.002 of the average earnings in the previous quarter for one page, and copies -0,00007 of this remuneration.
"In the Czech Republic, patient's right to access ones medical records is governed by § 67b, sec.12 Law No 20/1966 on Health Care.The patient has the right to see the medical records, may make copies, extracts or ask a health care provider for a copy of the documentation or a part thereof.However, he or she cannot obtain an original medical record because the healthcare institution is required to archive it for a prescribed period for the purpose of any control, and after the statutory deadline, they must destroy the documentation" 29 .
"In some countries there more restricted solution are implemented/ For example, in France, where confidentiality and privacy are traditionally tightened.It is assumed that only the insured person can apply for access to medical records which he can then transfer to the insurance company.The physician authorized by the insurance company issues an opinion on the basis of the data provided by the patient"30 .

STORING AND DESTROYING MEDICAL RECORDS
Regulations in Poland and in the European Union relate to ways of dealing with papers and media, carrying the information about patients.Hospitals, clinics and other medical entities store large amounts of sensitive documents.The rules on periods of storage of medical records by the entities providing health benefits are included in the article.29.par. 1 of the Act on patient rights and the Patients Ombudsman, which states that the retention time is 20 years from the end of the calendar year in which the last entry was made.However there are four exceptions to this rule.Medical records retention period in the event of the death of the patient as a result of injury or poisoning shall be extended to 30 years from the end of the year in which the death occurred.Whereas, in case of children up to the age of 2 it is more than the basic retention period -22 years.Another exception applies to referrals for tests or medical orders, where the retention period is set at 5 years from the end of the calendar year in which the service, being the subject of a referral or order, was provided.X-rays stored outside of the patient's medical records are subject to the 10-year retention period starting from the end of the calendar year in which it was taken.In accordance with § 73 of the regulation of the Ministry of Health of November 9, 2015 on the types, extent and examples of medical records and the ways of its processing, the internal documentation is stored by the body that issued it.Whereas, the external documentation in the form of orders or referrals is stored by the person who provided health services31 .
In the case of the exclusion of a medical entity e.g. because of the gross violation of the conditions required by the performance of the activities covered by the entry, the Voivode calls the subject to present the place of documentation storage within the specified period, and after its expiration, indicates the place of documentation storage.If the party takes over the other, resolved one, it also has to take over its medical documentation.
After specified periods of storing medical records, its destruction is provided for in a way that does not allow the identification of the patient.The Decree of the Minister of Health of November 9, 2015 on types, extent and examples of medical records and the ways of its processing does not introduce an absolute obligation to destroy medical records without the possibility of releasing it to the patient after expiry of the period provided for storage.It allows the patient himself, his legal representative or authorised persons to have the possibility of obtaining individual internal documentation before its complete destruction.Provisions the Act of November 6, 2008 on patient rights and the Patient Ombudsman do not determine such possibilities, which makes it difficult and controversial to unambiguously take an attitude towards this issue.
It should be added that the incorrect handling of medical records is punishable on the basis of the criminal and civil liability.

ELECTRONIC MEDICAL RECORDS
Since a few years we can notice moving more and more towards computerization of the health system, which is also confirmed by the legal provisions.The term of compulsory keeping medical records exclusively in electronic form, however, was established once again on 1 January 2018.Art. 3, paragraph 2, of the Act of 17 February 2005 on the computerization of the entities performing public tasks, which indicates that: "electronic document is a set of data constituting a separate meaning entirety, arranged in a particular internal structure and saved on a data carrier" 32 .However, in accordance with the provision of the Act of April 28, 2011 on the system of information in health care, the electronic medical records is medical documentation produced in an electronic form that contains the information about the already provided or planned health care services, including an electronic document, which allows the recipient to get a particular type of service 33 .Electronic health records can be kept in the IT system after meeting certain conditions.They consist in ensuring: protection of the documentation from damage or loss of integrity of the documentation content and metadata to protect against the introduction of changes, with the exception of the changes in the framework of the established and documented procedures, access to the documentation for the persons entitled and protection from unauthorized use, identification of the person making the entry and the person granting health benefits, and documenting those changes in documentation and metadata assignment of the information characteristics for the appropriate types of documentation, sharing -also by electronic exporting -documentation or its part, being in a form of documentation in the format in which it is processed (XML or PDF), exporting all data in the required format and print functionality of medical records 34 .
There are three ways of sharing electronic documentation.First, by passing the data carrier on which the relevant documentation was saved.Second, by electronic transmission of documentation.The third method is a hard copy given to authorized entities or bodies, provided with the numbering of pages and first and last name of the patient."The aim of the implementation of the computerisation of the health system is to create a coherent database and medical information related to the provision of health benefits, in order to improve the services provided 35 .ICT systems are to ensure data security by meeting the standard requirements.The Decree of the Minister of Health of November 9, 2015 on the types, scope and examples of medical records and the ways of their processing 36 specifies that electronic medical records will be secured if it is permanently ensured that it is available for authorized persons, protected against accidental or unauthorized destruction, and methods and means of document protection are in place that are universally recognized during their use."Therefore, ongoing monitoring of all organizational and technical and IT security measures is essential, as well as periodic evaluations of the effectiveness of these methods.The data processor should also develop appropriate procedures defining the rules for accessing the data"37 .The security policy and management of the information system for the processing of personal data was included in the regulation of the Minister of Internal Affairs and Administration of April 29, 2004 on the documentation, processing personal data, and technical and organizational conditions that should be met by devices and IT systems used for the processing personal data38 .The security policy set of laws, rules and practical experiences regulating the management, protection and distribution of sensitive information (here personal data) within a specific organization39 .The security policy should include a list of buildings, premises and their parts, which are the area, in which personal data are processed, including places where data processing takes place, as well as those, in which they are stored.In the part identifying the list of data sets, it is recommended that names and programs used for their processing are indicated.The other elements are: description of data structure indicating the contents of the individual information fields and links between them, the way of data transfer between different systems and determining technical and organisational measures, which should guarantee the confidentiality, integrity and accountability.The directors of medical entities are obliged to prepare instructions for the information system management.The instructions are based on 8 elements relating to the general information about the system and the collection, technical solutions, terms of use or access methods.
When discussing the issues related to electronic medical records there should not be avoided the subject of the Medical Information System (hereinafter referred to as the MIS), an electronic system used for gathering, analysing and sharing resources containing data related to health services.The aim of MIS is to allow keeping electronic medical records and cooperating with the Electronic Platform for Gathering, Analysis and Sharing Digital Resources of Medical Event (Platform P1) that provides access to data stored in MIS.However, it should be emphasize, that in Poland Platform P1 was not implemented yet due, irregularities related to digitization of health care, eg.procedures connected with the award of public contracts, extending from the fault of the contracting entity (CSIOZ)40 .

SUMMARY
The provisions of the Act of 6 November 2008 on patient rights and the Patients Ombudsman provide for the obligation to respect a patient's right to access medical records.However, it should be pointed out that most of the doubts concern the right to access medical records after a patient's death, which is granted only to a person authorized by the patient during his life.The above results in the fact that the immediate family members have no right to access the patient's medical records after his death.On the basis of administrative case law, it is appropriate to adopt a functional interpretation of Article 26 (2) of the Patients' Rights Act, regarding the provision of medical records after the death of a patient, and not merely based on the literal wording of the above provision.It is needed and fully justified to implement the actual operation of Platform P 1 to enable electronic medical records, as well as the possibility.the exchange of data contained in electronic medical records between service providers if this is necessary to ensure the continuity of treatment and the exchange of electronic documents between service providers for the purpose of diagnostics, continuity of treatment and provision of services to medicinal products and medical devices.

2
Official Journal of the European Communities UE 124 E, 15/05/2006 P. 0543 -0548.3 Uniform text, Journal of Laws of 2016, item 1638 as amended. 4 33 Uniform text, Journal of Laws of 2016, item 1535. 34the Decree of the Minister of Health of November 9, 2015 on the types, scope and examples of medical records and the ways of their processing (Journal of Laws of 2015, item 2069).