Keeping and sharing medical records

Are you a medical practitioner in the Netherlands? You are required to keep records for each patient according to the Dutch Medical Treatment Contracts Act (Wet op de Geneeskundige Behandelingsovereenkomst, WGBO, in Dutch). These records contain various details, including the patient’s health and the treatment prescribed by the medical practitioner.

What information is included in medical records?

The information medical records should contain depends on the type of treatment and the practitioner’s profession. You must at least include the basic data of the care you provide, such as:

• findings of your examination
• test results
• medical scans
• diagnosis
• treatment
• reports and referrals

You have to inform your patient clearly on how you will use their medical information and for what purpose.

Citizen service number (BSN)

You must also include the patient’s citizen service number (burgerservicenummer, BSN) in your records and use this number when exchanging information. Your patients must identify themselves using a valid ID.

Protect patient information

Medical records contain special personal data. You must protect this data and comply with the rules as laid out in the General Data Protection Regulation (GDPR). You have to be able to show that you have taken the proper measures to secure your medical records.

Explaining patient's rights

You must explain to your patient what exactly electronic data exchange means. You must inform them how your exchange system works, which healthcare providers you share the data with and why, and you must explain what the consequences are. You are also responsible for telling your patients what their rights are, for instance, to have their data modified or deleted.

Patient access to records

A patient has the right to view their medical records and receive an electronic copy. This must be possible for free via internet. The privacy regulation GDPR underlines this right.

Patients may have data in the medical records amended if it is incorrect or incomplete. Patients may also have their own statement added to the medical record if they disagree with your diagnosis.

If your patient asks you to destroy their file, you may only refuse if:

• the information in the file is very important to others (for example in case of hereditary diseases)
• there is a law stating that there is a retention period (for example in case of compulsory admission to a psychiatric hospital)
• you have to defend yourself in legal or other proceedings

The only details the patient may not access are the practitioner's own notes and any details that may affect the privacy of a third party.

Filing and keeping medical records

You may only file necessary data and you must keep the records. Patients must give you permission to share their information. You have to record for which information patients have given their consent. You must also log when records were modified or viewed, and by whom.

Retention period

You must keep medical records for at least 20 years after the last change in the file. Sometimes you may keep a medical record longer. For example, if you need the data to treat your patient properly or in case of compulsory admission.

When are you allowed to share medical records?

You are only allowed to access the medical records of patients that you treat. You may request their medical files from other healthcare providers.

You may only share data from their medical record with your patient's permission. You must ask the patient which exact data you may share with which healthcare providers. You have to record which consents you have received from your patient. Your patient may also withdraw this consent.

Sometimes you may share data from the medical records without consent. For example, if you are going to treat the patient of another general practitioner. Or if data is needed to investigate domestic violence or child abuse.

How do you have to share medical records?

You must ensure that medical records are shared securely.

If you share medical records with other health care providers, you must do this electronically (via the internet) and not via, for example, paper, fax, or DVDs. Under the Electronic Data Exchange in Healthcare Act (Wet Elektronische gegevensuitwisseling in de zorg, Wegiz, in Dutch), the following data exchanges must take place electronically with priority (in Dutch):

• handover of medication-related information
• medical handover
• availability of images
• basic healthcare data set
• acute care

Other requirements for sharing medical records will come into effect gradually (in Dutch).

Sharing medical records with healthcare providers abroad

If you need to share medical records with healthcare providers abroad, you must make sure all parties comply with the European privacy regulation GDPR and that the method used to transfer the information is secure.

To ensure that citizens can securely access and exchange their health data wherever they are in the EU, a Recommendation on a European electronic health record exchange format has been adopted. You can find more information on the transfer of data to another country (in Dutch) with the Dutch Data Protection Authority.

UZI card and AGB code

You need an UZI card if you want to access confidential patient information online. You can obtain the UZI card from the Dutch Unique Healthcare Provider Identification Register (UZI-register, in Dutch), for which you will need an AGB code (Algemeen Gegevensbeheer Zorgverleners, the General Database for Care Providers). You can apply for an AGB code at AGBcode.nl (in Dutch). You use the AGB code in the electronic invoicing process between you and your health insurance company. Read more on the UZI register's Certification Practice Statement.