Currently, the medical industry, like the educational industry, is a field that collects quite detailed information about users. Providing information to a medical institution is required when undergoing medical examinations or using other services there. Once provided, the information is stored as data on digital platforms and, in some specific cases, in paper form. Especially in the era of Industry 4.0, medical services are gradually being digitized so that competent authorities can easily manage them and support people when needed. However, this has created the risk of user information being leaked, disclosed, and publicized in cyberspace, infringing on the privacy of individuals and organizations. This article analyzes the overall legal regulations on the privacy of user information, especially personal information, in the medical environment.
To protect user data in the medical field, the laws of some countries have specific provisions such as the Health Insurance Portability and Accountability Act (HIPAA) of the United States, and the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada, etc.
In Vietnam, according to the provisions of Clause 2, Article 3 and Article 8 of the Law on Medical Examination and Treatment 2009, information about health status and private life recorded in the patient's medical record must be respected and protected. Accordingly, only certain subjects have access to this information, including:
In addition to the above provisions, the 2018 Law on Cybersecurity is an important basis for protecting personal data in the medical environment. On these bases, the Guidelines on information security in remote medical examination and treatment consultation, issued with Decision 4054/QD-BYT of the Ministry of Health on September 22, 2020, also clearly state that the measures to limit sharing of patients' personal information include:
The guidelines also clearly state that medical staff participating in remote medical examination and treatment consultations are responsible for keeping confidential, and not sharing, information about patients and participants during remote diagnosis, consultation, medical examination, and treatment, and for strictly complying with the contents of the Guidelines and the internal regulations of their workplace.
According to Decree 53/2022/ND-CP, which details a number of articles of the Law on Cybersecurity and took effect on October 1, 2022, personal information data is understood as data about an individual in the form of symbols, letters, numbers, images, sounds, or the like that serve to identify that individual. Therefore, a user's health data is one of the types of information that must be kept secure in a medical environment.
In practice, users have no real choice about accepting or refusing to provide part or all of their information when using any service at a medical facility. Providing information is the first step in receiving medical treatment. Therefore, whether they like it or not, providing the information is almost mandatory for users, and afterwards users cannot control whether that information is kept secure. Given this situation, specialized documents are needed to regulate the collection, use, and security of user information in the medical field, as well as the sanctions applied to organizations responsible for the loss or unauthorized use of user information. This is genuinely necessary in the medical field, where users have no tools to control how their information is used.
Clause 4, Article 59 of the 2009 Law on Medical Examination and Treatment.
This article is based on the law applicable at the time noted above and may no longer be appropriate when the reader consults it, as the applicable law may have changed and the specific case the reader wishes to apply it to may differ. Therefore, the article is for reference only.