1
Health Records Act No. 55/2009,
as amended by Act No. 6/2014, No. 44/2014 and No. 77/2014.
SECTION I
Introduction.
Article 1
Purpose and scope.
The purpose of the Act is to introduce rules on health records, so that patients can be provided with the
best possible health service at any time, while also ensuring protection of health data.
The Act applies to health records entered when treatment is provided here in Iceland.
In so far as not otherwise provided in this Act, the provisions of the Act on the Protection of Privacy as
regards the Processing of Personal Data (Data Protection Act) apply to health data and their handling.
Article 2
Patients’ right to self-determination and human integrity.
In the entering and storage of health records and access to them, the patient’s human integrity and right
to self-determination shall be respected, taking account of the fact that health records contain sensitive
personal information, and that health data are confidential.
Article 3
Definitions.
In this Act the following terms have these meanings:
1. Patient: A user of health service.
2. Health service: All forms of primary healthcare, medical care, nursing, general and specialised
hospital care, transport of patients, medical-aids service, and service from healthcare practitioner
within and outside healthcare facilities, provided in order to promote health, to prevent, diagnose
or treat illness, and to rehabilitate patients.
3. Treatment: A test, procedure or other healthcare service rendered by a physician or other
healthcare practitioner in order to diagnose, cure, rehabilitate, nurse or care for the patient.
4. Health data: Description or interpretation in writing, images, including x-rays, graphical data and
video and audio recordings, containing information regarding a patient’s health and his/her
treatment provided by a healthcare professional or healthcare facility, and other necessary
personal data.
5. Health records: A collection of health data about an individual, prepared in connection with
treatment, or acquired from elsewhere in connection with treatment at a healthcare institute or at
the premises of a self-employed healthcare professional.
6. Health information system: Software used to set up, store and manage health data.
7. Connected health information systems: Health information systems of two or more responsible
parties, interoperable in such a way that data from health records may be shared between the
systems.
8. Joint health information systems: Joint health information systems of two or more healthcare
facilities or premises of self-employed healthcare practitioners.
2
9. Healthcare facility: Institution where health service is provided.
10. Healthcare practitioner: Person working in health services, licensed by the Medical Director of
Health to use to the professional title of a legally-recognised health profession.
11. Premises of self-employed healthcare practitioner: Facilities of self-employed healthcare
practitioners, where health services are provided with or without Government contribution to
costs.
12. Guardian of health records: Healthcare facility or premises of a self-employed healthcare
practitioner where health records are entered. Should the health records systems of two or more
healthcare facilities or premises of self-employed healthcare practitioner have been joined, cf.
Section VI, the guardian of health records in the system is deemed to be the party on whom the
healthcare facilities or premises of self-employed healthcare practitioners have agreed.
13. Supervisor of health records: A physician, or other healthcare practitioner if no physician is
available, appointed by the guardian to supervise the entry and handling of information in health
records, and to ensure that they are consistent with the provisions of this Act. A healthcare
practitioner who works alone on his/her premises is deemed to be the supervisor of health records
he/she enters.
14. Quality monitoring: The aspect of quality control which is concerned with ensuring that standards
of quality for healthcare services are met.
15. Quality development: The aspect of quality control concerned with enhancing ability to meet
quality standards.
16. Patient’s representative. A patient’s guardian or a person appointed in writing by the patient to
make decisions with respect to his/her health records, or granted leave to access such records.
SECTION II
Entry of health records.
Article 4
Duty to enter health records.
A healthcare practitioner who treats a patient shall enter health records.
Health records shall be entered in electronic form as far as possible.
The guardian of the health records shall ensure that it is possible to enter health records in accord with
the provisions of the Act.
A healthcare practitioner who provides treatment and enters information on that treatment in health
records is always responsible for his/her entries in health records.
Article 5
Entry of health data.
Only healthcare practitioners and other staff, and students undergoing clinical/health training
(internship) in healthcare sciences who have undertaken an obligation of confidentiality comparable to
that of healthcare practitioners, may enter health data in health records.
Entry of especially sensitive health data, cf. the second paragraph of Article 13, in electronic health
records is subject to the provisions of regulations issued by the Minister under Article 24.
Every entry of health data in health records shall specify the name and professional title of the person
making the entry, and the time of the entry. Additions, amendments and deletions of entries of health data
shall always be traceable.
Health data shall be entered immediately, or normally not more than 24 hours from the time when the
data were generated.
Entry of health data shall be carried out in such a manner that the data are accessible and that written
text is clear and comprehensible.
3
Article 6
Entries in health records.
In health records, all information necessary with respect to the patient’s treatment shall be
systematically entered. But in all cases, the following minimum information shall be entered, as
applicable:
1. Patient’s name, address, ID number, profession, marital status and next of kin.
2. Date of consultation or admission and discharge.
3. Reason for consultation or admission.
4. Aspects of health and medical history relevant to the treatment.
5. Alerts, e.g. regarding allergies.
6. Examination.
7. Description of treatments/procedure, including information on medication and opinions of
consultant specialists.
8. Test results.
9. Diagnosis.
10. Outcome and plans for further treatment.
The Minister can make further provision in regulations
1)
for entry of health data in health records.
Entries of electronic health records and health information systems are also subject to the provisions of
regulations issued by the Minister under Article 24.
1)
Regulation No. 722/2009. Regulation No. 917/2011. Regulation No. 451/2013.
Article 7
Patient’s rights with respect to health record entries.
A patient or his/her representative can decide, when he/she receives treatment, that health records with
respect to the treatment shall not be accessible to others than the person making the entry and the
supervisor of the health records, and as applicable other specified healthcare practitioners. Should it be
deemed necessary with respect to treatment that other healthcare practitioners have access to the health
data in question, the patient shall be informed of this, and also informed that refusal to authorise necessary
access to the health record may be equivalent, under some circumstances, to refusal of treatment, cf. the
Patients’ Rights Act.
Should a patient or his/her representative be of the view that health records are wrong or misleading,
his/her comment to that effect shall be entered in the health record. Should it be demonstrated that
information in the health record is clearly wrong or misleading, it is permissible, with the consent of the
supervisor, to correct the information in the health record of the individual, provided that it is ensured that
information which could be relevant to legal disputes is not lost. Should the supervisor refuse to correct
health records regarded by the patient as clearly wrong or misleading, the patient may appeal that refusal
to the Medical Director of Health. Deletion of information from a patient’s health record is prohibited,
except by permission of the Medical Director of Health.
[Decisions of the Medical Director of Health on correction or deletion of health records are final at
administrative level and may not be appealed to the Minister.]
1)
Procedure is subject to the provisions of
the Administrative Procedure Act.
1)
Act No. 6/2014, Article 1.
SECTION III
Storage of health records.
Article 8
General.
Health records shall be stored securely in such a way that health data are not lost and are accessible in
accord with the provisions of Section IV.
4
Article 9
Responsibility for storage of health records.
The guardian of health records is responsible for the storage of health records being consistent with the
provisions of this Act.
Article 10
Transfer of health records.
Should a patient transfer from one primary healthcare centre to another, a copy of his/her health record
shall be saved in the health records system in use at the healthcare centre to which he/she transfers.
Should the operation of a health information system cease, the health records it contains shall be
transferred to the Medical Director of Health. The Medical Director of Health can decide, with the consent
of the patient or his/her representative, that health records transferred to the Medical Director shall be
saved in the health information system of another healthcare facility or at the premises of a self-employed
healthcare practitioner, or in joint health information systems.
Article 11
Duration of storage.
Health records shall be stored in the health information system of healthcare facilities or on premises of
self-employed healthcare practitioners. [With respect to the obligation to pass health records to public
archives, their storage and access to them, the provisions of the Public Archives Act apply.]
1)
1)
Act No. 77/2014, Article 50.
SECTION IV
Access to health data.
Article 12
General.
Access to health records is prohibited except under authority provided by this Act or other legislation.
Article 13
Staff access to health records.
Healthcare practitioners who are involved in a patient’s treatment and require his/her health records in
connection with the treatment shall have access to the patient’s health records, with the restrictions arising
from the provisions of this Act and rules issued on the basis of the Act. A supervisor of health records can
grant other staff, and students undergoing clinical training in healthcare sciences who have undertaken an
obligation of confidentiality comparable to that of healthcare practitioners and are involved in the patient’s
treatment, leave to access his/her health records in so far as this is necessary for their work in the patient’s
interest.
Access to especially sensitive health data, i.e. health data which the patient himself/herself believes
should be classified as such, shall be restricted to healthcare practitioners who necessarily require access
for treatment of the patient. Access to especially sensitive health data shall normally be restricted to those
healthcare practitioners working within the unit or department of healthcare facilities or of the premises of
self-employed healthcare practitioners where the treatment is provided. Access by other healthcare
practitioners to especially sensitive health data is prohibited, except with the patient’s consent. An
exception may be made from the above-mentioned access restrictions if deemed necessary for the security
of healthcare practitioners. The Minister shall, in regulations issued under Article 24, make further
provision for access to especially sensitive health data.
Healthcare staff’s obligation of confidentiality with respect to personal information of which they
become aware in their work, including health data, is subject to the provisions of the Patients’ Rights Act,
and other relevant legislation.
A patient or his/her representative may prohibit a specific member or specific members of staff,
including students undergoing clinical training, from accessing his/her health records. Should it be deemed
5
necessary, however, with respect to treatment, that the specified member/members of staff or students
have access to the health data in question, the patient shall be informed of this, and also informed that
refusal to authorise necessary access to the health record may be equivalent, under some circumstances, to
refusal of treatment, cf. the Patients’ Rights Act.
Access to health records is also subject to the provisions of regulations issued by the Minister under
Article 24.
Article 14
Patient’s access to his/her own health records.
A patient or his/her representative has right of access to his/her own health records in whole or in part,
and to be given copies on request. Such a request shall be made to the supervisor of the health records.
In the case of health data acquired from another source than the patient himself/herself or healthcare
practitioners, the consent of the source of the information shall be elicited before the record is shown to
the patient. Should such a source of information on a patient be deceased, or refuse on unreasonable
grounds to give consent, the Medical Director of Health may decide that the patient or his/her
representative be granted access to the data in question, in whole or in part.
[Should it be deemed not in the patient’s interest to gif him/her access to health record in whole or in
part, or give him/her or his/her representative copy of the health record, the supervisor of the health record
shall guide him/her of his/her right to refer the refusal to the Directorate of Health according to Article 15
a.]
1)
A patient is entitled to information from the supervisor of health records regarding which people have
gathered information from his/her health record, inter alia by connection of health information systems,
where and when the data were gathered, and for what purpose.
...
1)
1)
Act No. 6/2014, Article 2.
Article 15
Access to health records of a deceased person.
[For exigent reasons a supervisor of health records may grant a close relative of a deceased individual,
such as the spouse, a parent or a descendant, access to the deceased’s health records and give copies on
request. When assessing whether access shall be granted to a health record of a deceased individual, a
consideration shall be taken to the relative’s interests requesting such access and to the wishes of the
deceased, if they are at hand. If a supervisor of health records denies of access or copy to a deceased
individual’s health record, the supervisor of health records shall provide guidance of the right to appeal
that refusal to the Medical Director of Health under Article 15 a.]
1)
1)
Act No. 6/2014, Article 3.
[Article 15 a
The right to appeal refusal of access to a health record to the Medical Director of Health
Refusal of the supervisor of health records on patient’s access to his/her own health record, in whole or
in part, or refusal of a copy of a health record, may be appealed to the Medical Director of Health. The
same shall apply to refusals of the supervisor of health records on granting close relative access to a health
record of a deceased individual or refusal of its copy. Procedure is subject to the provisions of the
Administrative Procedure Act. Decisions of the Medical Director of Health on access to health records are
final at administrative level and may not be appealed to the Minister.]
1)
1)
Act No. 6/2014, Article 4.
6
Article 16
Healthcare authorities’ access to health records.
Healthcare authorities which by law receive for consideration a complaint or appeal from a patient or
his/her representative with respect to treatment, are entitled to access the person’s health records in the
same manner as the patient himself/herself.
Provision of data from health records for the keeping of health registers and monitoring by the Medical
Director of Health, including quality monitoring, is subject to the Medical Director of Health Act.
Article 17
Access to health records for quality development and monitoring.
The supervisor of health records may grant healthcare practitioners and other staff, and students
undergoing clinical training in healthcare sciences who have undertaken an obligation of confidentiality
comparable to that of healthcare practitioners, access to health records for purposes of quality
development and quality monitoring within the relevant healthcare facility or premises of healthcare
practitioners.
[Article 17 a
Access to health records for scientific studies is subject to the Act on Scientific Research in the Health
Sector. A patient or his/her representative may prohibit that his/her health data are stored as identifiable in
a health databank for use in scientific research and that shall be noted in his/her record.]
1)
1)
Act No. 44/2014, Article 36.
[[Article 17 b]
1)
Access to health information system to work on processing, update and maintenance.
The supervisor of health records my grant necessary access to health information system to those
employees that work on service for the computer and data system, for the purpose of work on processing,
update and maintenance of the system. As far as possible, when granting such service, a test data shall be
used instead of actual data. Employees shall undertake an obligation of confidentiality comparable to that
of healthcare practitioners. ]
2)
1)
Act No. 44/2014, Article 36.
2)
Act No. 6/2014, Article 5.
SECTION V
Connection of health information systems.
Article 18
Authority to connect health information systems.
A supervisor of health records may grant healthcare practitioners at other healthcare facilities, or at
other premises of specified healthcare practitioners which do not have access to the system, direct access
to health records by connecting health information systems, if the patient has not prohibited such access,
cf. Article 21. Those healthcare practitioners who are in direct contact with the patient with respect to
treatment are authorised to gather necessary information on the patient. The same may apply, as
necessary, to students undergoing clinical training in healthcare sciences who have undertaken an
obligation of confidentiality comparable to that of healthcare practitioners.
The Minister can make further provision in regulations on connection of health information systems
and authority for access by healthcare practitioners when such a connection is made. Security of personal
data when health information systems are connected is subject to the Act on the Protection of Privacy as
regards the Processing of Personal Data (Data Protection Act) and to the Data Protection Authority’s rules
on security of personal data.
7
Article 19
Patient’s right to prohibit sharing of information on him/her by
connection of health information system.
A patient or his/her representative can prohibit the sharing of data about him/her by connected health
information systems. The prohibition can apply to sharing of all electronic health data on a patient stored
in a specific health information system. The prohibition may also apply to specific health data in the
electronic health record of a patient at a healthcare facility or the premises of a self-employed healthcare
practitioner, e.g. health data stored at specific departments or units in a healthcare facility or premises, in
so far as this is technically practicable for the guardian of health records in question, cf. regulations issued
by the Minister under Article 24. The patient or his/her representative can also prohibit specified parties
from gathering information on him/her by connected health information systems.
Should a patient or his/her representative prohibit sharing of his/her health data by connected health
information systems in a specific instance, the healthcare practitioner responsible for the patient’s
treatment shall inform him/her, as applicable, that the treatment may be rendered less effective than it
would otherwise be, as comprehensive information on him/her cannot be gathered. A patient’s decision to
prohibit connection in a specific instance shall be recorded in his/her health records.
A patient’s decision to prohibit all sharing of health data under the first paragraph by connected health
information systems shall be communicated to the supervisor of health records. The decision shall be
submitted in writing, and confirmed by a healthcare practitioner, who also confirms, as applicable, that it
has been explained to the patient that, by this decision, treatment which the patient may later require may
become less effective than it would otherwise be, as it will not be possible to gather comprehensive
information on the patient by connection of health information systems. The supervisor of health records
is then responsible for honouring the patient’s prohibition of connection of health information systems and
for health data about the person in question not being accessible by connecting the system with another
health information system. A patient may at any time revoke the prohibition of sharing of health data on
him/her by connected health information systems. A patient’s decision to revoke the prohibition shall be
confirmed by two healthcare practitioners, and submitted to the supervisor of health records.
The Minister may make further provision in regulations for the patient’s right to prohibit sharing of
health data on him/her by connected health information systems.
SECTION VI
Joint health information systems.
Article 20
Joint health information systems.
Two or more healthcare facilities or premises of self-employed healthcare practitioners may, with the
consent of the Minister, enter and store health records of patients treated by them in a joint health
information system.
The Minister’s consent under the first paragraph shall only be granted if a joint health information
system is demonstrated to be conducive to enhancing the security of patients in their treatment. The
Minister may make impose such conditions as he/she deems necessary upon his/her consent under teh first
paragraph, in order to ensure high quality of entry and storage of health records, and protection of health
data. The Minister’s consent shall also be subject to the following conditions:
1. That the conditions of the regulations issued under Article 24 on entry of electronic health records
and health information systems are met.
2. That the Data Protection Authority has confirmed that security of personal data in the shared
health information system is ensured in accord with the Act on the Protection of Privacy as
regards the Processing of Personal Data (Data Protection Act) and with Data Protection Authority
rules on security of personal data.
8
Article 21
Patient’s right to restrict access to health data about him/her in a
joint health information system.
A patient or his/her representative can prohibit access to health data about him/her in a joint health
information system, in whole or in part, outside the healthcare facility or premises of a healthcare
practitioner where the records are entered. The prohibition may also apply to health data stored in
specified departments or units of a healthcare facility or premises of healthcare practitioners, in so far as
that it is technically practicable, see regulations issued by the Minister under Article 24. Finally, a patient
or his/her representative can prohibit specified parties from gathering information on him/her in a joint
health information system.
A patient’s decision under the first paragraph shall be communicated to the supervisor of health
records. The decision shall be submitted in writing, and confirmed by a healthcare practitioner, who also
confirms, as applicable, that it has been explained to the patient that, by this decision, treatment which the
patient may later require may become less effective than it would otherwise be, as it will not be possible to
gather comprehensive information on the patient. The supervisor of health records is responsible for
honouring the patient’s prohibition, and for health data about the person in question being accessible only
in accord with his/her decision. A patient may at any time revoke the prohibition of sharing of health data
on him/her in a joint health information system. A patient’s decision to revoke the prohibition shall be
confirmed by two healthcare practitioners, and submitted to the supervisor of health records.
SECTION VII
Various provisions.
Article 22
Monitoring.
The guardian and supervisor of health records shall actively monitor compliance with the provisions of
this Act. The supervisor of health records has the right to access health records in so far as is required for
monitoring purposes.
The Medical Director of Health monitors, as applicable, compliance with the provisions of this Act.
The Medical Director of Health’s monitoring, and measures available to him/her, are as provided in the
Medical Director of Health Act.
The Data Protection Authority monitors the security and processing of personal data in health records,
in accord with the provisions of the Act on the Protection of Privacy as regards the Processing of Personal
Data (Data Protection Act).
Should monitoring reveal a real likelihood that the personal privacy rights of a patient have been
violated, the offence shall be reported to the police. The police then handle the case under the provisions
of the Criminal Procedure Act. Reporting of the matter to the police does not entail cessation of
investigation, nor of the application of administrative sanctions under the Medical Director of Health Act
and the Act on the Protection of Privacy as regards the Processing of Personal Data (Data Protection Act),
or the application of measures under the Rights and Obligations of Government Employees Act.
Article 23
Penalties.
Violations of the provisions of the Act, and regulations issued on the basis of the Act, entail fines or
imprisonment for up to three years.
Article 24
Regulations.
The Minister shall make further provision in regulations
1)
on the entry of electronic health records,
their storage, access to them, access controls and access restrictions in accord with the provisions of this
Act. The Minister shall also provide in regulations for technical requirements and standards which health
information systems, including joint health information systems, must meet. The Minister’s regulations
9
shall take account of the patient’s rights under the provision of this Act with respect to entry of health
records, and the right to restrict access to his/her health records. Security of personal data in health
information systems is subject to the Act on the Protection of Privacy as regards the Processing of
Personal Data (Data Protection Act), and Data Protection Authority rules on security of personal data.
The Minister is also authorised to issue further rules on other matters concerned with the
implementation of this Act.
1)
Regulation No. 550/2015.
Article 25
Entry into force.
This Act takes force immediately.
Article 26
...
Temporary provisions.
The provisions of Article 19 on the patient’s right to prohibit sharing of data about him/her by
connection of health information systems shall be implemented not later than 31 December 2010.
The provisions of Article 21 on the patient’s right to restrict access to health data about him/her in a
joint health information system shall be implemented not later than 31 December 2010.
[This translation is published for information only.
The original Icelandic text is published in the Law Gazette.
In case of a possible discrepancy, the original Icelandic text applies.]
