This year, several incidents came to light in which mental health care (GGZ) employees accessed medical records without being involved in the patient’s treatment. A former patient in Eindhoven discovered that 160 staff members had viewed her data. In Gelderland, ten employees who were not part of the treatment team accessed the file of a former professional football player, and in Rotterdam, a patient received, after an inquiry by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP), a log list showing more than 360 names of GGZ employees who had viewed her record.
In Trouw, Martin Buijsen, Professor of Health Law at Erasmus School of Law, spoke about the legal implications. “Only treatment team members are allowed to access the record,” he said. “The law is clear on this. Others need the patient’s consent. Nevertheless, it happens regularly that healthcare employees look into records without authorisation, though rarely on such a large scale.”
The role of the Dutch data protection authority
The AP has the power to impose sanctions, but does so infrequently. “Although the healthcare sector leads in data breaches, relatively few fines have been issued,” Buijsen noted. “In 2021, OLVG Hospital was fined €440,000 for insufficient security of medical records. In 2019, Haga Hospital received a similar fine and a penalty order for inadequate internal security.”
He emphasised that simply keeping log files is not enough to fulfil the duty of care. “The AP requires active security measures. This can mean implementing two-factor authentication even for internal staff. Merely registering those who log in is insufficient.”
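To make that distinction concrete, here is an added Python sketch (not from the article or from any GGZ system) contrasting a log-only design with one that enforces the rule Buijsen states: treatment team members get in, everyone else needs the patient's consent. The record id, team membership, consents and staff names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data (not from the article): who treats which record,
# and which extra staff the patient has consented to.
TREATMENT_TEAM = {"rec-1001": {"dr_a", "nurse_b"}}
PATIENT_CONSENT = {"rec-1001": {"dr_c"}}

@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    record: str
    allowed: bool

def is_authorised(user: str, record: str) -> bool:
    """The rule the article states: treatment team members may open the record;
    anyone else needs the patient's consent."""
    return (user in TREATMENT_TEAM.get(record, set())
            or user in PATIENT_CONSENT.get(record, set()))

def open_record_log_only(user: str, record: str, now: datetime, log: list) -> bool:
    """Log-only design: every view is registered, none is refused."""
    log.append(AccessEvent(now, user, record, True))
    return True

def open_record_enforced(user: str, record: str, now: datetime, log: list) -> bool:
    """Active control: the same rule is checked before the record is shown,
    and the refusal is logged too."""
    ok = is_authorised(user, record)
    log.append(AccessEvent(now, user, record, ok))
    return ok

def unauthorised_viewers(log: list, record: str) -> list:
    """Retrospective review of a log: distinct users who actually saw the record
    without being authorised (the kind of list the patients above received)."""
    return sorted({e.user for e in log
                   if e.record == record and e.allowed and not is_authorised(e.user, record)})

def demo() -> tuple:
    """Run the same five view attempts through both designs."""
    now = datetime(2024, 1, 1)  # constructed timestamp
    attempts = ["dr_a", "dr_c", "clerk_x", "nurse_y", "clerk_x"]
    log_only, enforced = [], []
    for user in attempts:
        open_record_log_only(user, "rec-1001", now, log_only)
        open_record_enforced(user, "rec-1001", now, enforced)
    return unauthorised_viewers(log_only, "rec-1001"), unauthorised_viewers(enforced, "rec-1001")
```

With logging alone the review finds the unauthorised viewers only after the fact; with the check in place the same attempts are refused and the review comes back empty.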
Unauthorised access: No breach of professional secrecy, but a violation of privacy
Strictly speaking, this does not constitute a breach of professional secrecy, Buijsen explained. “Medical professional secrecy is breached when a healthcare provider bound by confidentiality shares data with a third party without legal grounds to do so. That is not the case here. However, it is a violation of the patient’s informational privacy. Institutions are obliged to protect that data adequately.”
Read the article from Trouw here (in Dutch).