Privacy Advisor

Poland Proposes New Law Governing Medical Documentation in Electronic Form

December 12, 2013

By Marcin Lewoszewski

Polish legislative bodies have proposed a legal framework for outsourcing the hosting of medical documentation in electronic form. The changes will affect both the public and private medical sectors and may lead to new business models within the healthcare sector.

Currently, it is difficult or even impossible under Polish law to outsource the hosting of medical documentation in electronic form. This is because personal data pertaining to health and medical information is protected, irrespective of data protection law, by medical secrecy.

Under Polish law, each healthcare provider must keep such health and medical information confidential, and it may be disclosed only under certain conditions that are difficult to meet from a business perspective. Such outsourcing would require, for example, the consent of each patient to the disclosure of his or her medical data; it is therefore highly impractical for healthcare providers and businesses in the healthcare sector.

The Polish Data Protection Authority (GIODO) has addressed this issue several times, for example in 2011, when it directed a petition to the Minister of Health, but with no significant effect until recently.

There are, however, changes planned by the legislative bodies that will allow the disclosure of medical documentation in electronic form to third parties other than healthcare providers, e.g., businesses offering IT services. According to the draft law and the project disclosed on the National Legislation Center’s website, such disclosure would require meeting several conditions.

For the purpose of the outsourcing of the processing of medical data in electronic form, the healthcare provider and service provider will have to meet the requirements from the data protection act, meaning that:

  • Healthcare providers will have to enter into an entrustment agreement (or data transfer agreement) with the service provider, in line with Polish law. The healthcare provider would remain the data controller of the patient’s data and would be liable in case of any noncompliance or a data security breach.
  • The service provider will have to apply security measures in line with Polish data protection law. This includes creating and keeping specific documentation related to security and appointing an information security officer. The service provider will be liable for unlawful disclosure of medical data to unauthorised third parties.

The changes are now at an early stage of legislative work. However, it is expected that the new law will be passed in 2014.

Marcin Lewoszewski is an Associate in the Commercial & Regulatory Department of CMS Cameron McKenna in Warsaw. He specialises in personal data protection and e-commerce issues in Poland. He can be reached at