Apart from the educational industry, the medical industry is also a field that collects quite detailed information about users. Providing information to a medical institution is a requirement when undergoing medical examinations or receiving other services at that institution. Once provided, the information is stored as data on digital platforms and, in some specific cases, in paper form. In the era of rapid Industry 4.0 development in particular, medical services are gradually being digitized so that competent authorities can easily manage them and support people when needed. However, this has created the risk of user information being leaked, disclosed, and publicized in cyberspace, infringing on the privacy of individuals and organizations. This article analyzes the overall legal regulations for securing healthcare data, especially personal information, in the medical environment.

To protect user data in the medical field, some other countries have specific provisions, such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.

In Vietnam, the legal framework for securing healthcare data is provided by:

1. The Law on Medical Examination and Treatment (2009)

In Vietnam, according to the provisions of Clause 2, Article 3 and Article 8 of the Law on Medical Examination and Treatment (2009), information about health status and private life recorded in the patient’s medical record must be respected and protected. Accordingly, only certain subjects have access to this information, including [1]:

  • Internship students, researchers, and practitioners in medical examination and treatment establishments may borrow medical records on the spot to read or copy them for research or professional and technical work;
  • Representatives of state management agencies in charge of health that directly manage medical examination and treatment establishments, investigation agencies, procuracies, courts, specialized health inspectors, insurance agencies, forensic medicine and forensic psychiatry assessment organizations, and lawyers may borrow medical records on the spot to read or copy them in service of their assigned tasks, within their authorized competence;
  • The patient or the patient’s representative is entitled to receive a summary of the medical record as legally required.

2. The 2018 Law on Cybersecurity

In addition to the above provisions, the 2018 Law on Cybersecurity is an important basis for protecting personal data in the medical environment. On that basis, the Guidelines on information security in remote medical examination and treatment consultation, issued under Decision 4054/QD-BYT of the Ministry of Health [2], also clearly state the measures to limit the sharing of patients’ personal information, which include:

  • A prohibition on sharing the patient’s personal information, such as full name, address, pictures of the patient’s face or body, or any information that can identify the patient in any way (for example through pictures, text, or audio recordings);
  • Where the consultation session requires the presence of the patient, technical measures must be used to cover or blur the patient’s face;
  • No live reporting (“live stream”) of consultations or remote medical examination and treatment through social networks or other forms that may reveal personal information, images of the patient’s face, or the health status of patients and participants in the consultation or remote medical examination and treatment consultation.

The guidelines also clearly state that medical staff participating in remote medical consultation and treatment consultations are responsible for keeping confidential, and not sharing, information about patients and participants during remote diagnosis, consultation, medical examination, and treatment, and for strictly complying with the contents of the Guide and the internal regulations of their workplace.

According to Decree 53/2022/ND-CP, which details a number of articles of the Law on Cybersecurity [3], data about personal information is understood as data in the form of symbols, letters, numbers, images, sounds, or the like that can identify an individual. Therefore, a user’s health data is one of the types of information that needs to be kept secure in a medical environment.

In fact, users have no real choice in accepting or refusing to provide part or all of their information when using any service at a medical facility: providing information is the first step to receiving medical treatment. Providing personal information is therefore almost mandatory for users, who afterwards cannot control whether that information is kept secure. Given this situation, specialized documents are needed to regulate the collection, use, and security of user information in the medical field, as well as the sanctions applied to organizations for the loss or unauthorized use of user information. This is genuinely necessary in the medical field, where users have no tools of their own to control how their information is used.

[1] Clause 4, Article 59 of the 2009 Law on Medical Examination and Treatment.

[2] Decision 4054/QD-BYT of the Ministry of Health (issued on September 22nd, 2020).

[3] Decree 53/2022/ND-CP (effective from October 1st, 2022).

The article is based on the laws applicable at the time noted above and may no longer be accurate when the reader consults it, as the applicable laws and the specific cases the reader may wish to apply them to may have changed. Therefore, the article is for reference only.