Business.gov.nl

Keeping and sharing medical records

This information is provided by

Netherlands Enterprise Agency, RVO

Are you a medical practitioner in the Netherlands? You are required to keep records for each patient according to the Dutch Medical Treatment Contracts Act (Wet op de Geneeskundige Behandelingsovereenkomst, WGBO, in Dutch). These records contain various details, including the patient’s health and the treatment prescribed by the medical practitioner.

What information is included in medical records?

The information medical records should contain depends on the type of treatment and the practitioner’s profession. You have to at least include the basic data of the care you provide, such as:

  • findings of your examination
  • test results
  • medical scans
  • diagnosis
  • treatment
  • reports and referrals

You have to inform your patient clearly on how you will use their medical information and for what purpose.

Citizen service number (BSN)

You must also include the patient’s citizen service number (burgerservicenummer, BSN) in your records and use this number when exchanging information. Your patients must identify themselves using a valid ID.

Protect patient information

Medical records contain special personal data. You must protect this data and comply with the rules as laid out in the General Data Protection Regulation (GDPR). You have to be able to show that you have taken the proper measures to secure your medical records.

Explaining patient's rights

You must explain to your patient what exactly electronic data exchange means. You must inform them how your exchange system works, which healthcare providers you share the data with and why, and you must explain what the consequences are. You are also responsible for telling your patients what their rights are, for instance, to have their data modified or deleted.

Patient access to records

A patient has the right to view their medical records and receive an electronic copy. This must be possible for free via the internet. The privacy regulation GDPR underlines this right.

Your patient may have data in the medical records amended if these are incorrect or incomplete. Your patient may also have their own statement added to the medical record if they disagree with your diagnosis.

If your patient asks you to destroy their file, you may only refuse if:

  • the information in the file is very important to others (for example in case of hereditary diseases)
  • there is a law stating that there is a retention period (for example in case of compulsory admission to a psychiatric hospital)
  • you have to defend yourself in (legal) proceedings

The only details the patient may not access are the practitioner's own notes and any details that may affect the privacy of a third party.

Filing and keeping medical records

You may only file necessary data and you must keep the records. Your patient must give permission to share their information. You have to record for which information the patient has given their consent. You must also log when and by whom records were modified or viewed.

Retention period

You must keep medical records for at least 20 years after the last change in the file. Sometimes you may keep a medical record longer. For example, if you need the data to treat your patient properly or in case of compulsory admission.

Sharing medical records

You may only share data from a patient's medical record with that patient's permission. You must ask the patient which exact data you may share with which healthcare providers. You have to record which consents you have received from your patient. Your patient may also withdraw this permission.

Sometimes you may share data from the medical records without consent. For example, if you are going to treat the patient of another general practitioner, or if data is needed to investigate domestic violence or child abuse.

Sharing medical records with healthcare providers abroad

If you need to share medical records with healthcare providers abroad, you must make sure all parties comply with the European privacy regulation GDPR and that the method used to transfer the information is secure.

To ensure that citizens can securely access and exchange their health data wherever they are in the EU, a Recommendation on a European electronic health record exchange format has been drafted. You can find more information on the transfer of data to another country (in Dutch) with the Dutch Data Protection Authority.

Requirements for unity in language and technology for electronic data exchange in healthcare are being elaborated (in Dutch).

UZI card and AGB code

You need an UZI card if you want to access confidential patient information online. You can obtain the UZI card from the Dutch Unique Healthcare Provider Identification Register (UZI-register, in Dutch), for which you will need an AGB code (Algemeen Gegevensbeheer Zorgverleners, the General Database for Care Providers). You can apply for an AGB code at AGBcode.nl (in Dutch). You use the AGB code in the electronic invoicing process between you and your health insurance company. Read more on the UZI register's Certification Practice Statement.
