Privacy Policy for Pihlajalinna’s Patient Registry

1 Protecting Your Privacy

Pihlajalinna attaches great importance to the privacy of all patients using its services. Pihlajalinna is committed to protecting patients’ privacy as users of Pihlajalinna’s services and to complying with the legislation on the processing of patient data and data protection. Protecting private life is an important part of Pihlajalinna’s principles of responsible business. Pihlajalinna processes the patient data of its patients in accordance with the conditions described in this privacy policy.

2 General Information on the Keeping of Records

Name of the registry:
Each company’s patient registry (‘Patient Registry’).

The controller is:
Each company belonging to the Pihlajalinna Group

Companies:
Pihlajalinna Lääkärikeskukset Oy, Business ID 2452505-5
Pihlajalinna Terveys Oy, Business ID 2303024-5
Lääkäriasema DokTori Oy, Business ID 2617382-3
Linnan Klinikka Oy, Business ID 0878086-5
Pihlajalinna Ikioma Oy, Business ID 2519853-5
Pihlajalinna Kainuu Oy, Business ID 3136375-2
Pihlajalinna Seppälääkärit Oy, Business ID 2786010-7

Contact information:
Kehräsaari B 3rd floor
33200 Tampere

Controller’s data protection officer:
Marika Vihervaara, tel +358 (0)10 312 010, tietosuoja@pihlajalinna.fi

Representatives of the controller:
Nationally, Sari Riihijärvi, Chief Medical Officer at Pihlajalinna Group, tel. +358 (0)10 312 010, tietosuoja@pihlajalinna.fi. The local representative is the responsible doctor at each unit.

3 Purpose of Processing Personal Data

The purpose of processing the personal data in the Patient Registry is to organise the patient’s care as follows:

  • organisation of the patient’s examination, care, and rehabilitation, planning, implementation, monitoring, archiving, quality control, guidance, and disease prevention;
  • planning, monitoring, and evaluating healthcare operations and compiling statistics on them, and scientific research;
  • invoicing and debt recovery;
  • production of occupational health services for companies and communities; and
  • communication between patients and the customer service centre (e.g. phone calls) may be recorded to improve the training of customer service staff, to ensure the quality of the service, and to verify the service event.

To become a patient of Pihlajalinna, it is necessary that data about the person can be recorded in the Patient Registry. The processing of data in the Patient Registry is based on Pihlajalinna’s legal obligation to process patient data, Pihlajalinna’s legitimate interest on the basis of the patient care relationship and, in some cases, the patient’s consent.

When Pihlajalinna receives correct and comprehensive data from the patient, it can provide the patient with the best care and service possible.

Pihlajalinna is responsible for the general patient data registry, which is jointly accessed by various operating units and self-employed professionals acting as independent data controllers. Each controller who has joined the general registry is responsible for the legality and legal use of their own registries. The registries of such independent controllers are kept technically separate and the information contained in them cannot, in principle, be disclosed without the patient’s written consent. Occupational healthcare customers’ data also form their own separate sub-register which must be kept technically separate from the rest of the Patient Registry. Access to the sub-register has been restricted through access rights.

4 Content and Sources of the Data in the Registry

The personal data in the Patient Registry are provided mainly either by the patients themselves or by guardians of minor patients, or generated in connection with examinations and treatment.

With the customer’s consent, data from, for example, other care institutions and insurance companies are also added to the registry.

However, the patient’s data can also be combined and supplemented, within the limits permitted by legislation, with data from other sources and derived from such sources, such as data obtained from other healthcare institutions with the consent of the patient or their guardian, or data from the Digital and Population Data Services Agency.

The Patient Registry may contain the following personal data:

  • full name;
  • personal identity code;
  • contact details (including address and telephone number);
  • the patient’s contact person (including the patient’s designated next of kin and the guardian(s) of minor patients), their contact details and, if necessary, their personal identity codes;
  • medical information and preliminary information necessary for the patient’s care (including patient records, referrals, and doctor’s statements);
  • examination data (including laboratory, imaging, and other examination data);
  • health survey data;
  • appointment data;
  • invoicing and payment information;
  • the name and status of the person submitting the note, date of the note, and data of the person reading the note;
  • information about the arrival and source of documents; and
  • a caller’s telephone number, receiver’s ID, date, and a recording of the call.

In addition, the following data is collected from occupational health care customers:

  • employer and their contact details;
  • data about the employment relationship (including department/office, professional title, and other similar information);
  • insurance company information;
  • possible health risks associated with the workplace; and
  • payment data.

The health application can also use the following information sent by the customer during a chat session to support treatment:

  • photos taken with the camera of the device;
  • video images (video connection opened with the customer’s consent);
  • audio (audio connection opened with the customer’s consent); and
  • photos and videos sent by the customer.

The data are not stored, recorded or shared and are automatically deleted after the appointment.

The following data sent by the customer may also be examined using remote examination:

  • auscultation sounds of the heart and lungs;
  • video of the eardrums and throat;
  • images of any skin alterations; and
  • heart rate and body temperature.

The data are used during the appointment, but are not automatically stored in the patient data system.

5 Protection of the Registry and Principles of Data Processing

When processing patient data, Pihlajalinna carefully observes the requirements set down in legislation to act diligently and protect patient data, as well as good data management practice. When processing patient data, Pihlajalinna always ensures that the processing of data is adequately justified and necessary in relation to the described purpose of use.

Data in the Patient Registry is confidential, and the persons involved in its processing are subject to secrecy and confidentiality. This obligation to maintain secrecy and confidentiality will continue even after the employment relationship has been terminated. Pihlajalinna limits the number of people processing patient data. Patient data is only accessible to such employees at Pihlajalinna or its partners who, on the basis of their duties, need to process patient data.

Pihlajalinna also has strict user ID policies in place to protect the patient data. The Patient Registry system and data stored in it are protected by, among other things, access right restrictions and passwords that only persons authorised to use the system have access to. Pihlajalinna uses log data, among other things, to track and monitor the processing of patient data actively and carefully in a manner required by legislation.

6 Data Disclosures and Transfers

Patient data can be disclosed primarily with the patient’s written consent. If a patient is not in a position to assess the importance of the consent given, data may be disclosed with the consent of their legal representative.

In addition to the above, patient data may be disclosed if the disclosure of data or the right to access information is expressly provided for in the law, for example, in the following situations:

  • data may be disclosed to another healthcare unit or professional to organise the patient’s examination and care in accordance with the patient’s or their legal representative’s oral consent or some other consent arising from the context;
  • data that is necessary to organise or implement the patient’s examination and care may be disclosed to another Finnish or foreign healthcare unit or professional if the patient is not in a position to assess the importance of the consent given, or if the patient’s consent cannot be obtained due to the patient’s unconsciousness or some other comparable reason;
  • information about the patient and their state of health can be disclosed to their next of kin or another close relative due to unconsciousness or some other comparable reason, unless there is reason to assume that the patient would refuse to do so; and
  • necessary data regarding statutory insurances are disclosed to insurance companies.

In addition, patient data can be disclosed for scientific research.

We may transfer your personal data to service providers and subcontractors commissioned by Pihlajalinna in order to implement the service you need.

In general, Pihlajalinna does not transfer patient data outside the EU/EEA area. With regard to possible transfers, we comply with all valid laws and regulations.

7 Your Rights

Patients have the right to check their personal data stored in the Patient Registry. If the patient is a child, their guardian will generally have the right to access their child’s data. A request to access the data must be made in writing using Pihlajalinna’s access request form.

Patients also have the right to review the log data concerning the processing of their patient data and to make a request for clarification regarding the processing of their patient data. The request must be made in writing using a form Pihlajalinna has provided for this purpose.

In addition to the rights of access and clarification, patients also have the right to request the rectification of incorrect data. The rectification request must be made in writing using Pihlajalinna’s rectification form. The request for rectification must be itemised and justified. The data will be rectified in a manner required by legislation so that information about the rectification and the original note will be included in the Patient Registry.

All above-mentioned forms for using the rights of patients are available on Pihlajalinna’s website at www.pihlajalinna.fi and at Pihlajalinna’s locations.

If a patient has questions about the processing of their patient data or this privacy policy, they can contact the controller’s contact persons listed at the beginning of this policy.

8 Period of Storage of Personal Data

The patient data in the Patient Registry is stored in accordance with the Finnish Ministry of Social Affairs and Health’s decree on patient records (94/2022).

Log data regarding the processing of patient data will be kept for at least 12 years from its creation date.

Other information contained in the Patient Registry, such as phone records, invoicing, and debt recovery, will be stored for as long as necessary for their processing or as required by legislation (such as bookkeeping regulations).

9 Other Terms and Conditions

Pihlajalinna will always try to resolve any disagreements directly with the patient. However, the patient has the right to have a disagreement regarding the processing of their personal data reviewed by the data protection authority.