Access to medical records

A guide for providers

9.6.2025

Medical records are a highly sensitive set of information about a patient. Their handling is governed by Act No. 372/2011 Coll. (the Health Services Act) and personal data protection regulations. The Act strictly defines who is legally authorized to access the records and make extracts or copies thereof. The aim is to protect patient privacy while ensuring continuity of care. Failure to comply with the rules may damage patient trust and lead to significant penalties.

Author of the article: ARROWS (Mgr. Dita Zbožínková, LL.M., office@arws.cz, +420 245 007 740)

Key principle: medical records cannot be provided to just anyone. Only persons who meet the conditions of the law have the right to request access or a copy. This principle applies without distinction – in doctors' offices, clinics, and hospitals.

Legal framework for access to records

The rules of access are set out primarily in Sections 65 and 66 of the Health Services Act. Furthermore, the duty of confidentiality under Section 68 and the GDPR (Act 110/2019 Coll.) must be respected. Healthcare providers are obliged to secure documentation against unauthorized access – the law expressly requires measures to be taken to prevent unauthorized or accidental access to personal data. Breaches of confidentiality or unauthorized disclosure of data result not only in disciplinary consequences but also in criminal liability.

Who has the right to inspect the documentation

The law distinguishes between several categories of persons who may, under precisely defined conditions, inspect a patient's medical records or make extracts from them:

  • The patient themselves – they may view their own documentation at any time, but always in the presence of an employee of the facility and with regard to the records kept. The patient has the right to inspect their documentation and make extracts or copies free of charge upon first request.
  • Legal representative/guardian – for example, the parent of a minor patient or the legal guardian of an adult. They also have the right to inspect and obtain extracts in the same way as the patient. The patient's consent is not required for this.
  • Persons designated by the patient, legal representative, or guardian of the patient (power of attorney) – the patient (or their representative/guardian) may designate, for example, a family member or legal representative in the medical records. Such designated persons have the same rights to access and copy as the patient.
  • Persons close to the deceased patient – family members or other persons close to the deceased may inspect the records, but only to the extent specified in Section 33 of the Act (they have the right to information about the health status of the deceased patient and information about the results of the autopsy, if performed, including the right to inspect the medical records kept on the patient or other records relating to their health and to make extracts from them). If the patient expressly prohibited the disclosure of information to certain close persons during their lifetime, this prohibition shall also apply after their death (information may only be disclosed to these persons if it is in the interest of protecting their health or the health of another person, and only to the extent necessary).
  • Attending medical staff – doctors, nurses, physiotherapists, etc. who are involved in the care of the patient have the right (and obligation) to access the patient's documentation without their consent. This is necessary to ensure high-quality and safe care. In practice, this means that any doctor or nurse from the patient's team may read and make notes in the documentation.
  • Healthcare professionals in facilities – e.g., in laboratories, radiology, rehabilitation, etc., if they provide services to the patient, may view the documentation (again, to the extent necessary and in the patient's interest).

  • Other authorized persons, in particular state authorities and supervisory bodies – a number of persons authorized by these institutions may access the documentation without the patient's consent to the extent necessary for the performance of their duties:
    • persons involved in the exercise of administrative authority – e.g., persons authorized to handle complaints at the regional office
    • Health insurance company medical reviewers – persons authorized by health insurance companies may inspect the documentation for the purpose of verifying the eligibility of reimbursement for services. However, they do not have unlimited rights – they may only view the documentation to the extent necessary for verification (e.g., confirmation of diagnosis and services).
    • Medical assessors and other health assessors – healthcare professionals who assess health for social security purposes (e.g., sickness benefits, pensions, unemployment benefits)
    • SÚKL – SÚKL employees authorized to perform inspections
    • ÚZIS – persons who record and check data in the National Health Information System
    • Court experts – to the extent specified by law enforcement authorities or courts
    • Doctors of the State Office for Nuclear Safety
    • Public health authorities – hygiene doctors, epidemiological service in the investigation of infectious diseases.
    • persons qualified to practice a healthcare profession who perform quality and safety assessments in accordance with this Act and persons qualified to practice a healthcare profession who perform external clinical audits of medical exposure in accordance with the Act on Specific Health Services,
    • Public Defender of Rights (ombudsman) – to ensure the protection of sensitive data of third parties,
    • inspectors authorized to carry out inspections related to the clinical evaluation of medicinal products for human use in accordance with EU regulations
    • EU Member States – doctors abroad – if a patient moves to another EU country for care and there is an electronic version of the “patient summary,” the new doctor may take it over unless the patient has expressed disagreement
    • International preventive bodies against torture
    • Archivists
    • Disciplinary bodies of professional chambers – authorized member of the Czech Medical Chamber

What about the Czech Police?

According to the provisions of Section 8(5) of the Criminal Procedure Code, unless a special law specifies the conditions under which information that is classified under such law or subject to confidentiality (Section 68 of the Health Services Act) may be disclosed for the purposes of criminal proceedings, such information may be requested for criminal proceedings with the prior consent of a judge.

If the Czech Police requests your medical records for the purposes of criminal proceedings, they may only be disclosed with the written consent of the patient (whether the patient is the injured party or a suspect in a criminal offense) or with the consent of a judge.

Suspected abuse:

A healthcare provider may restrict access to medical records (refuse to disclose information about the health status) of a minor patient to their legal representative, foster parent, or other caregiver if they have reasonable suspicion that this person is involved in their abuse, exploitation, or other threat to their healthy development. Such withholding of information is possible if its disclosure could further endanger the patient. The same procedure applies to patients with limited legal capacity.

Who to contact:

Table: Overview of Authorized Persons and Their Rights

| Subject | Access to Documentation | Obtaining Extract/Copy | Conditions/Note |
|---|---|---|---|
| Patient | yes | yes (upon request) | First extract free of charge; subsequent repeated request at cost |
| Legal guardian | yes (e.g. parent, guardian) | yes (similarly to patient) | If the patient is a minor or has limited legal capacity |
| Person designated by the patient | yes (upon presentation of power of attorney) | yes (with patient’s consent) | The patient must explicitly authorize; no access without authorization |
| Close persons after patient's death | yes (exclusively within legal scope) | yes (limited according to § 33) | Limited by law; the patient could have explicitly prohibited it |
| Attending healthcare professionals (doctors, nurses) | yes (without patient’s consent) | yes (for care purposes) | Access necessary for treatment; records must be kept in the system. |
| Other medical specialists | yes (if involved in care) | yes (limited to purpose) | E.g. radiology, laboratory, rehabilitation – only within scope of care. |
| Health insurance companies (inspection) | limited (for reimbursement only) | yes (limited) | Only to verify diagnoses and procedures for reimbursement; without patient’s consent. |
| State authorities (inspections, courts, etc.) | limited (with legal mandate) | yes (written request only) | Actions within legal framework; often accompanied |

How records are viewed and extracts obtained

Access to records always takes place in the presence of an authorized employee of the facility. The patient or other authorized person may not take the records away – they may only read them on site and, if necessary, have an extract or copy made.

The procedure usually includes:

  • Request: The patient or other authorized person submits a written request for access or a copy (often using a specific form). They must specify whose documentation they are requesting and the scope of the request.
  • Verification of identity: The provider verifies the identity of the applicant (by means of an identity card) and their authorization (power of attorney, child's birth certificate, court decision, etc.). Persons from public authorities or insurance companies are required to present their service card or authorization.
  • Setting a deadline: The provider must comply with the request within 15 or 30 days of its submission (depending on the type of applicant). The patient themselves (and persons under Section 65(1)) usually receive the extract within 30 days, and authorities and external entities within 15 days. A different deadline may be set by mutual agreement.
  • Possibility of electronic access: If the documentation is in electronic form, the patient may request remote access or a copy on a data carrier. If the technology allows, a digital copy may be provided (unless a paper document is expressly required).

If personal inspection is not possible (e.g., the patient cannot come to the facility), the provider may send a copy of the documentation. In such a case, the law stipulates a period of 5 days from the time the patient/directive announced that access cannot be granted. Again, you can agree on a different deadline, but we recommend a written agreement. The copy is sent to the requested medium (e-mail, CD/DVD, regular mail).

Deadlines and fees

  • The law guarantees the patient and other persons pursuant to Section 65(1) of the Health Services Act that the first copy/extract is free of charge. The provider may therefore not charge any fee for a single copy of the documentation (postage and packaging costs still apply in the case of delivery).
  • Repeated requests may be subject to a fee – up to the actual costs incurred for printing and sending. However, please note that the provider cannot make the provision of an extract or copy from medical records conditional on prior payment – you must therefore issue the copy and only then request payment.
  • Persons pursuant to Section 65(1)(b) and (c) of the Health Services Act (e.g., legal representative, guardian) may also obtain the first extract free of charge. Repeated requests are subject to the same fees as for patients.
  • Organizational measures: The patient must follow the instructions of the healthcare professional (so as not to jeopardize the care of another patient or breach confidentiality). A record must always be made in the documentation of who accessed it and when.

Common mistakes and risks of unauthorized access

In practice, situations arise where an employee or person in good faith “just wants to quickly check” a patient's medical records. However, this is not permitted by law unless certain conditions are met. Unauthorized access is a breach of confidentiality and can have serious consequences:

  • Criminal penalties: The Criminal Code (§ 180) regulates the criminal offense of unauthorized handling of personal data in cases where this causes serious harm to the rights of the person to whom the documentation relates. If no serious harm is caused, it is a misdemeanor.
  • Administrative sanctions: The Office for Personal Data Protection (ÚOOÚ) may impose a fine of hundreds of thousands to millions of crowns for insufficient protection of sensitive data.
  • Professional liability: A healthcare professional who breaches confidentiality commits a disciplinary offense for which disciplinary measures may be imposed.
  • Lawsuits and compensation: Patients or their survivors may seek compensation for the disclosure of personal and health data, which constitutes a violation of privacy.
  • Loss of trust: Patients whose data has been disclosed to unauthorized persons may lose trust in their doctor and the facility. In healthcare, trust is key to successful treatment.

Case study: In one case, an employee illegally viewed patients' electronic records without reason. The ÚOOÚ criticized the facility for its lack of access control, and one of the patients even received a penalty for breach of confidentiality. This situation led to a heavy fine and a thorough briefing for the entire team.

Summary and recommendations

  • Follow procedures: Treat every request to view or copy medical records in accordance with the law and internal regulations. Always ask for the identity and authorization of the person making the request.
  • Be a guardian of privacy: Be aware that the records are the patient's private property. Do not allow unauthorized persons to access them, even if they “come for the results” without a proper request.
  • Educate yourself: Carefully study the provisions of Sections 65–66 of the Health Services Act and the obligations regarding personal data protection. Follow internal guidelines.
  • Follow clear requirements: In some cases (misdemeanors or criminal offenses), special authorization or a formal request is required. Never copy documentation just because you think it makes sense—follow the procedure outlined in the documentation.
  • Be careful when sharing information: Even sharing information about patients (e.g., between nurses and social workers) must be kept to the minimum required by law.

Conclusion

Respecting the right to access documentation is not bureaucracy for bureaucracy's sake (even if it sometimes seems that way) – it is a fundamental ethical and legal rule for the protection of patients and you. Medical records are a sensitive legal and ethical issue, and any mistake can have serious consequences. If you are unsure who specifically has access to records in your facility, how to properly handle requests, or how to set up internal guidelines, please do not hesitate to contact us.

Our law firm has extensive experience in healthcare law – we will help you not only resolve specific situations, but also prevent unnecessary risks and penalties. In law, as in medicine, prevention is always better than cure.

Don't want to deal with this problem yourself? More than 2,000 clients trust us, and we have been named Law Firm of the Year 2024. Take a look at our references.