Health Omnibus Law Series – Data Privacy in the Health Sector

This Newsflash is part of our Health Omnibus Law Newsflash series on the issuance of Law No. 17 of 2023 dated August 8, 2023 on Health (the “Health Law”). The Health Law governs a wide range of topics in the health sector, including personal data protection, and harmonizes the personal data protection aspects of the health industry with the applicable data protection laws and regulations, particularly Law No. 27 of 2022 dated October 17, 2022 on Personal Data Protection (the “PDP Law”). Please refer to our previous Newsflash on the PDP Law at the following link: AKSET Newsflash – PDP Law.

As previously noted, the Health Law is issued using the omnibus method. The Health Law revokes several laws and regulations in the health sector, including Law No. 36 of 2009 dated October 13, 2009 on Health (the “Previous Health Law”). Under the Previous Health Law, provisions relating to data privacy and/or personal data protection were inadequate and were still found sporadically in several implementing regulations under the Previous Health Law, including the Minister of Health Regulation No. 24 of 2022 dated August 31, 2022 on Medical Records. Although the Health Law revokes the Previous Health Law, all implementing regulations of the Previous Health Law remain valid for so long as they do not contradict the Health Law.

We highlight the key data privacy related provisions under the Health Law, as follows.

♦ Personal Health Data and Information

  • Obligation for Medical Personnel, Health Personnel, and Health Service Facilities to Maintain Confidentiality of Patients’ Personal Health Data and Information

Each Medical Personnel or Tenaga Medis (i.e., doctors and dentists) and Health Personnel or Tenaga Kesehatan (e.g., nurses) must maintain confidentiality of patients’ personal health in providing medical services to individuals. Information on patients’ personal health that shall be kept confidential includes history, condition and treatment, medication for one’s physical and psychological health, as well as the patients’ personal data. Such obligation also applies to Health Service Facilities or Fasilitas Pelayanan Kesehatan.

  • Acknowledgement of Patients’ Rights to Confidentiality of Personal Health Data and Information and to Obtain Personal Health Data and Information

Patients are entitled to, among others, the right to confidentiality of their personal health data and information. Further, a patient is entitled to request their personal health data and information, including actions and treatments that the patient has received or will receive from Medical Personnel and/or Health Personnel.

However, the confidentiality above is not applicable in certain conditions such as (i) fulfillment of requests by law enforcers for law enforcement, (ii) management of extraordinary events or kejadian luar biasa, outbreaks, or disasters, (iii) limited educational and research interests, (iv) efforts to protect against threats to the safety of others, individually or to the public, (v) health maintenance, treatment, healing, and patient care interests, (vi) the patient’s own request, (vii) administrative, insurance payments, or health financing security interests, and/or (viii) other interests as regulated in the applicable laws and regulations.

♦ Medical Records

  • Obligation for Medical Personnel, Health Personnel, and Health Service Facilities to Maintain Confidentiality of Medical Records

In providing medical services to individuals, each Medical Personnel and Health Personnel shall maintain a medical record prepared using an electronic system. A medical record is defined as a document that contains the patients’ identity data, observation, treatment, action, and other services provided to the patients. Such medical records shall be maintained and kept confidential by the Medical Personnel, Health Personnel, and management of Health Service Facilities.

  • Acknowledgement of Patients’ Rights to Access Medical Records

Although the medical records are owned by the Health Service Facility, a patient may access information contained in their medical records. The Health Service Facility has the obligation to maintain the security, integrity, confidentiality, and availability of the data contained in the medical records.

  • Management of National Health Data

In the context of the management of national health data, the Minister of Health (the “MOH”) is responsible for the management of the medical records. Such management of medical records includes formulation of policies, collection, processing, storage, security, data transfer, and monitoring.

  • Operation of Health Information System

To carry out effective and efficient health efforts, the Health Law governs the operation of a Health Information System, which is a system that integrates multiple stages of processing, reporting, and use of information to increase effectiveness and efficiency in health management and directing decision making for health development. The operators of such Health Information System may be the Central Government, a Regional Government, a Health Service Facility, and the public, both individuals and groups (any one of them, an “Operator”).

  • Obligation of Operators in Processing of Health Data and Information

An Operator shall ensure the reliability of the Health Information System which covers (i) availability, (ii) security, (iii) maintenance, and (iv) integration. Further, an Operator shall carry out the processing of health data and information in accordance with the applicable laws and regulations which includes (i) planning, (ii) collection, (iii) storage, (iv) inspection, (v) transfer, (vi) utilization, and (vii) destruction.

In carrying out the processing of health data and information, an Operator shall ensure the protection of health data and information of each individual. The Health Law also emphasizes that the processing of health data and information that uses individuals’ health data is subject to consent from the data owners and/or fulfillment of other requirements as the basis of personal data processing in accordance with laws and regulations on personal data protection.

  • Rights of Data Owners in Processing of Health Data and Information

In relation to the data processing by an Operator, the data owners are entitled to: (i) obtain information regarding the purpose of collecting the individual health data, (ii) access and make changes to the data and information through the Operator, (iii) request the Operator to send the data to another Operator, (iv) request the Operator to delete incorrect data based on the data owner’s consent, and (v) obtain other appropriate personal data subject rights in accordance with laws and regulations on personal data protection.

  • Location for Processing of Health Data and Information

An Operator shall carry out the processing of health data and information within Indonesia. Such processing of health data and information includes (i) acquisition and collection, (ii) management and analysis, (iii) storage, (iv) repairs and updates, (v) appearance, announcement, transfer, distribution, or disclosure, and/or (vi) deletion or destruction.

Notwithstanding the above, the Health Law provides that data processing may be carried out outside the territory of Indonesia (in the form of transfer and storage) in accordance with laws and regulations regarding electronic information and transactions, electronic system operation, and personal data protection. Specifically for cross-border data transfers, such data transfers shall be for a specific and limited purpose with a permit from the President.

We note that the Health Law expressly stipulates that provisions relating to medical records and processing of health data and information are to be further governed by a Government Regulation. As a reference, the same also applies to the majority of the provisions stipulated under the Health Law, which will be further governed by Presidential Regulations, Government Regulations, and Minister of Health Regulations.

Considering the current objections from the medical society with respect to certain provisions under the Health Law, kindly anticipate that there is a possibility for the Health Law to be challenged by the medical society or other parties of interest through the Constitutional Court. We will monitor the development and will issue further updates as relevant.

August 24, 2023

AKSET

Please contact Johannes C. Sahetapy-Engel (jsahetapyengel@aksetlaw.com), Clara Anastasia So (canastasia@aksetlaw.com), or M. Fatih Satria Kasmaliputra (mkasmaliputra@aksetlaw.com) for further information.

Disclaimer:

The foregoing material is the property of AKSET and may not be used by any other party without prior written consent. The information herein is of general nature and should not be treated as legal advice, nor shall it be relied upon by any party for any circumstance. Specific legal advice should be sought by interested parties to address their particular circumstances.

Any links contained in this document are for informational purposes and are available and relevant at the time this publication is made. We provide no liability whatsoever in respect of any information or content in such links.