In the entire Finland: Juha Tuominen, Chief Medical Officer Suomen Terveystalo Oy, Group Administration


REGISTER DESCRIPTION

CONTROLLER
Name: Suomen Terveystalo Group
Address: Jaakonkatu 3B, 3rd floor, FI-00100 Helsinki, Finland
Tel. +358 30 633 11

PERSON RESPONSIBLE FOR THE PATIENT REGISTER
In the entire Finland: Juha Tuominen, Chief Medical Officer
Suomen Terveystalo Oy, Group Administration
Jaakonkatu 3B, 3rd floor, FI-00100 Helsinki, Finland

At each Suomen Terveystalo Oy unit, the director responsible for health care services (the director of the unit or person authorized by the director) is responsible for ensuring that the patient register is used in compliance with the law at the unit level. If data subjects or patients require further information on the register or wish to submit a request for the rectification of an error, they may contact the persons specified above.

REGISTER NAME
The Patient Register of Suomen Terveystalo Oy

JOINT REGISTER SHARED BY INDEPENDENT CONTROLLERS
Suomen Terveystalo Oy shares its patient register with external healthcare professionals who work in Terveystalo units or premises either as self-employed professionals or as service providers through external companies. These health care professionals have signed a separate service provision agreement with Suomen Terveystalo. Each self-employed health care professional or each company providing services as an independent service provider which participates in the maintenance of Suomen Terveystalo Oy's joint register is an independent controller and prepares its own Description of Register. Such a professional or company is also responsible for the legality and legal use of its own registers. The patient registers of Suomen Terveystalo Oy, the self-employed health care professionals and the companies providing services as independent service providers are separate from each other.

The registers must be kept technically separate, and the information in them cannot, under any circumstances, be disclosed to outsiders without the patient's consent, unless otherwise prescribed in legislation concerning disclosure. The different register controllers are regarded as third parties in relation to one another, even if they work in the same premises. Suomen Terveystalo Oy is responsible for the technical maintenance, information security and legal operation of the entire patient information system, as well as the implementation of information security within the system. Suomen Terveystalo Oy may conclude a written agreement with another independent controller or service provider regarding some of the responsibilities of the controller, such as the storage and archiving of patient records in a manner required by law.

PURPOSE OF THE REGISTER
- Planning, organizing, implementing and monitoring examinations and care given to patients as well as customer relationship maintenance and monitoring
- Providing healthcare services (and associated reporting) to companies, organizations and private persons
- Treatment monitoring on the basis of professional development as well as ensuring and measuring the quality and effectiveness of the treatment
- Planning, development and statistical analysis of the controller's operations, invoicing, debt collection and other tasks required to enforce the controller's rights and obligations
- Notifying and reminding patients of Terveystalo services
- Assessing the suitability of medical examinations and treatments in individual patients' care, notifying patients of them (on the patient's consent)

- Assessing whether the patient might benefit from joining a clinical pharmaceutical study and notifying the patient of such opportunities (on the patient's consent)
- Additionally, patient information in the joint register can be used to survey customer feedback and customer satisfaction and for conducting market surveys and opinion polls
- Communication between patients and call center (such as phone calls) may be recorded for the following purposes: developing customer service staff training, ensuring service quality and verifying service events

The Patient Register of Terveystalo consists of digitally stored patient data and manual medical records, both of which are stored and protected according to Terveystalo's information security guidelines.

REGISTER CONTENTS
Sub-registers are as follows: Patient register (basic information), appointments register, medical records, examination registers, screening registers, physiotherapy register, invoicing register, occupational healthcare customer information register, customer service recording register

Basic information: Name, personal identity code, contact details, occupation, next of kin specified by the patient (in case of underage patients: caretaker), other identification information (e.g. copy of a passport). A record of the patient's consent to or prohibition against storing his or her personal information in the joint register and disclosure of said information, the patient's care thus requiring, between healthcare professionals working in Terveystalo's premises. A record of the patient's consent to the processing and disclosure of his or her personal information, including the aforementioned information stored in the joint register as well as records of consents regarding patient record assessments and patient notification.

Employer information (occupational healthcare customers): Additional records maintained for occupational healthcare customers: employer, department or unit, job title, sickness fund membership, employer's insurance company details and other employment relationship information.

Medical records: Health information required by healthcare professionals for treating the patient (medical records, referrals, form and statement information). Health and self-care data provided by the patient.

Examination registers: Information on laboratory tests, imaging studies and other examinations.

Other information necessary for treatment: Information related to physiotherapy, occupational physical therapy and the employer (such as visits to the workplace).

Appointment information: Customer, date, time, place, who the appointment is with, the person making the appointment and the date on which the appointment was made.

Call recordings: Number of the caller, call recipient ID, time and the actual call recording (stored for three months)

Chat recordings: Chat session participants, time and the actual chat recording (stored for three months)

Invoicing information: Invoicing information concerning care and examinations. Payer information related to care.

REGULAR DATA SOURCES
Patient: Information provided by the patient.
Medical staff: Data generated in connection with examinations and care.
Employer: Basic information on those covered by an occupational healthcare agreement, workplace contact details and any changes to the information at agreed intervals.

Third party healthcare unit or healthcare professional: Information obtained from other healthcare institutions. For the purposes of ensuring correct invoicing, information regarding who was treated, the procedures carried out along with their cost is stored. The information is either based on an outsourcing agreement or a referral issued by an external unit.
Population register: Information on screening invitations.

REGULAR DISCLOSURE OF INFORMATION IN PATIENT DOCUMENTS
Information contained in patient documents is confidential (Act on the Status and Rights of Patients [785/1992, "Patients Act"], section 13), and the staff and healthcare professionals have the obligation not to disclose to others any information obtained in connection with the patient's care. Information in patient documents may be disclosed with a specific consent of the patient or pursuant to express statutory rules or provisions. If a patient is not capable of assessing the significance of the consent, information may be disclosed on the basis of the consent of his or her legal representative. If the disclosure of information requires the patient's consent, he or she shall have the right to withdraw his or her consent at any time.

Joint data register: The patient's information is saved in a joint register by the express consent of the patient (the consent will be recorded in the patient's background register information) whereby the patient decides whether those with shared access to the joint register may have access to patient information saved in the patient information system of another controller. The patient may, at any time, withdraw his or her consent concerning the right to access his or her information in the joint register. The patient or data subject may also request that information on a specific visit will be considered confidential, in which case it will only be available to the person who made the entry. The patient information in the patient information register is divided into the occupational healthcare register and the private customer register.

Prescription Center controlled by Kela: All prescriptions made for the patient will be saved in the Prescription Center, a register controlled by Kela. Additional information is available at www.kanta.fi/en/.

Kanta Patient Data Repository: Pursuant to the Act on the Electronic Processing of Social Welfare and Healthcare Client Data (159/2007, hereinafter "Patient Data Act"), the continuing medical records recorded by healthcare professionals shall be archived in the Kanta Patient Data Repository maintained by Kela.

EXCEPTIONS
By way of derogation from the above, under section 13 of the Patients Act (785/1992), information included in the patient documents may be disclosed as follows. Each entry states to whom the information is disclosed, followed by which information, the reason for disclosure and the method of disclosure.

1. To a court of law, another public authority or an organization which is by law entitled to access the information
Patient information will be disclosed to courts of law, public authorities or other associations entitled by law to access the information upon a specific written request. Information is released only to the extent the present case requires. The information is principally provided as statements.

2. Third party healthcare unit or healthcare professional
Information required for arranging and providing the examination and care of a patient may be disclosed to another healthcare unit specified by the patient upon the patient's verbal or written consent or other approval otherwise apparent by the context and recorded in the patient's records.

3. Patient's next of kin or other close person
If a patient is being treated for unconsciousness or a comparable reason, information on the identity of the patient and his or her state of health may be disclosed to the patient's next of kin or another person close to him or her, unless there is reason to believe the patient would forbid this.

4. Disclosure of information on a deceased person
The obligation for confidentiality and need for protection of privacy extends beyond the person's death. Therefore, information concerning a deceased person must not be disclosed without grounds specified by the law.

5. Use for research purposes
The provisions laid down in section 13 (4) of the Patients Act shall be applied to the disclosure of information in the patient documents for scientific research.

Regular disclosures and the transfer of data to outside the EU or the European Economic Area
No data in the system will be transferred to outside the European Union or the European Economic Area.

GENERAL PRINCIPLES OF PROTECTION OF PATIENT INFORMATION
According to law, patient records are confidential. Patient information must not be disclosed to outsiders without the patient's consent or unless express provisions for disclosure exist in the law. Patient information may only be used for the purpose of treating the patient or tasks related to treatment.

Protection and method of storage of patient information
The controller's executive management determines the required procedures within the organization and authorizes employees to access the patient register data to the extent necessary for the performance of their duties.

Patient register information is processed electronically (automated data processing): information on computers is accessed by means of usernames, passwords, and the use of patient information is monitored (log files)

Patient information in other than electronic formats (manual patient information): under supervision in customer folders that are stored in locked archive rooms and cabinets

DATA SUBJECT'S RIGHT OF ACCESS TO HIS OR HER INFORMATION

Scope of the right of access
Patients have the right to access the information recorded of them in the patient register (Personal Data Act [523/1999], section 26). Access to the data shall be provided without undue delay. Access to the data may only be refused under exceptional circumstances. For example, access may be denied on the grounds that the disclosure of information could cause serious danger to the health or treatment of the patient or to the rights of another person. If only a part of the information in the register falls within the restriction of access on the above-mentioned basis, the data subject has the right to access the remainder of his or her information. Access to data shall be provided free of charge once within every 12-month period.

Realization and organization of the right of access
A request for accessing the data shall be made in writing, using a form prepared for this purpose. The form is available from Suomen Terveystalo Oy's units, websites or the patient ombudsman. The patient may exercise the right of access either in person by making an appointment or by requesting copies of the patient's medical records to be delivered to him or her. The request for accessing the data shall be delivered to one of the Terveystalo units, and the medical director either accepts or refuses the request. If the controller refuses to provide access to the data, a written certificate to this effect shall be issued. The reasons for refusal must be indicated in the certificate. A failure by the controller to give a written response to the data subject within three months of the request is deemed equivalent to a refusal to provide access to the data. In this event, the data subject may bring the matter to the attention of the Data Protection Ombudsman.

Verifying the identity of the patient before disclosure of data
The identity of the data subject will be verified before providing him or her with access to the data.

The controller must, without undue delay, provide the data subject an opportunity to inspect the data recorded on him or her in the data file. Upon request, a hard copy of the data will be provided. The data must be given in an intelligible form.

RECTIFICATION
As required by section 29 of the Personal Data Act, the controller shall, on its own initiative or at the request of the data subject, without undue delay rectify, erase or supplement personal data contained in its personal data file that is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing (purpose of the patient register). However, a rectification requested by the patient must not be carried out if the data is important or essential in the investigation or treatment of the patient and if legally valid reasons exist for saving the data. For reasons related to the responsibility to care, health care registers shall also show the previous data with appropriate rectification entries (the Ministry of Social Affairs and Health decree on patient records 289/2009).

A request for rectification shall always be made in writing. The request must always be specific and sufficiently justified, and it should be made using the data rectification request form, available from the company's units or the patient ombudsman. A request for the rectification of data, signed by the patient, shall be addressed to the clinic in question, which will forward the request to the medical director. The rectification of the data shall be primarily carried out by the person who made the original entry, or, if this is not possible, by the medical director. Any data not relevant to the patient's care shall be erased. The rectified data, as well as any erased data, will remain in the background material whereby the data can be verified at a later time.

Any entries concerning the rectification or erasure of data shall state the data rectified, the grounds for the rectification, the name and position of the person who made the decision, and the date on which the decision was made (the Ministry of Social Affairs and Health decree on patient records 289/2009). If the rectification is carried out by a person other than the person who made the decision, his or her name and position and the date must also be stated, as well as the date on which the rectification was carried out.

If the controller refuses the request for rectification, a written certificate to this effect shall be issued to the patient. The certificate shall mention the reasons for the refusal (Personal Data Act, section 29). The right to appeal the refusal must also be stated and instructions for appeal be provided.

Patient ombudsman
The national patient ombudsmen of Suomen Terveystalo Oy are Sanna Sarin, Johanna Toivonen and Riitta-Liisa Karhunen
e-mail potilasasiamies@terveystalo.com
telephone +358 30 633 1655

The task of the patient ombudsman is:
- to advise patients in issues related to the status and rights of the patient
- to assist patients in submitting objections and patient claim reports, and initiating any disciplinary proceedings or legal action
- to inform patients of their rights
- to promote and implement patient rights in other ways

THE PATIENT'S RIGHT OF REFUSAL
The patient may give his or her consent to electronic direct marketing as specified in the Act on the Protection of Privacy in Electronic Communications (516/2004) and withdraw his or her consent at any time. If the patient uses his right of refusal, the only information Terveystalo and its affiliates may send to the patient is that which is required for the provision of services and in managing the customer relationship.

The patient may access and manage his consent information and refusals directly through Terveystalo's OmaTerveys service or by contacting one of the Terveystalo clinics.