The “Regulation on the Amendment of the Regulation on Personal Health Data” (the “Regulation”), published in the Official Gazette dated 03.12.2025 and numbered 33096, has introduced significant updates regarding the processing, protection, and access to personal health data.
With the Regulation, it has been clarified that the primary criterion for the processing of health data shall be limited to the processing conditions set forth in paragraph three of Article 6 of the Law No. 6698 on the Protection of Personal Data (“KVKK”). In addition, the scope of application of the Regulation, which was previously defined in a general manner, has now been explicitly restricted to the institutions and organizations affiliated with and related to the Ministry of Health.
Another important amendment has been introduced through the definition of the “caregiver” added to the Regulation; this definition refers to the child’s parent or guardian or real or legal persons duly authorized to be responsible for the care and supervision of the child, thereby enabling such caregivers to access the health data of persons who hold a disability report.
A- Abolishment of the “Special Authorization” Requirement for Attorneys’ Access Rights
The most significant amendment concerning attorneys is the repeal of Article 10 of the former Regulation. With this amendment, the requirement of having a “special authorization” stipulated in the power of attorney for attorneys to request their clients’ health data has been lifted. Attorneys will now be able to access their clients’ health data (such as epicrisis reports, test results, etc.) based on a general litigation power of attorney.
B- Prohibition on Forcing the Disclosure of Past Health Data
One of the most comprehensive protection measures introduced by the Regulation concerns individual privacy. Except for mandatory cases stipulated by law, no one may be forced to submit or disclose the breakdown of their past health data (such as records from e-Nabız, the Turkish electronic health information system) to third parties. This provision has rendered unlawful the practice of requesting manual data printouts from candidates during recruitment processes or from insured persons during the issuance of insurance policies.
C- Procedure for Insurance Companies’ Access to Data
Access by insurance, reinsurance, and pension companies to health data has been made subject to stricter rules. These companies shall be able to access health data solely through the secure line established between the Insurance Information and Monitoring Center (SBGM) and the Ministry. Insurance companies shall not request health data directly from the insured nor demand e-Nabız passwords/screenshots. The flow of data shall be ensured exclusively through system integration.
D- Physicians’ Access Rights to Health Data
The Regulation has restructured physicians’ access to patients’ past health data in terms of duration and scope. Accordingly, family physicians may access the health data of their registered patients without any time limitation, whereas physicians at healthcare institutions where the patient has been examined or received inpatient treatment may access the data only until the completion of procedures directly related to the service (including consultations) or until the patient’s discharge. Furthermore, in the case of patients admitted through emergency services, all physicians of the facility may access the data until discharge, limited to the relevant emergency healthcare service. For personnel who violate data security, the sanction of “revocation of authority” has been replaced by the provision of “disciplinary action to be taken by the disciplinary superior.”
E- e-Nabız Security Settings and Code-Based Access Mechanism
As a step toward strengthening personal data privacy, e-Nabız security settings and exceptions related thereto have also been determined within the scope of the Regulation. Individuals may regulate access to their past data within the framework of their own security settings; however, the Ministry of Health shall not be held liable for any disruptions or damages that may occur in the provision of healthcare services due to such settings.
Access to the data of individuals who prefer to conceal their past records has been made conditional upon the sharing of the code sent to the phone number declared by the individual with the physician. Nevertheless, the Regulation stipulates that security setting checks shall not be applied in critical cases such as hospitalization and emergency admissions. In such cases, the individual’s confidentiality preference shall not be applied, provided that it remains limited to the conditions under Article 6/3 of KVKK.
Moreover, even if individuals have activated e-Nabız security settings, no security setting checks shall be carried out in situations where they cannot access the code, such as detention and imprisonment; in such cases, the family physician and all physicians who examine the individual may access the health data in accordance with KVKK conditions. Once these exceptional circumstances cease to exist, the individual may re-select their security settings. These regulations aim to protect personal privacy rights while ensuring that the quality of healthcare services is not compromised in cases of vital danger or legal necessity.
F- Custody Criterion in Parents’ Access to Children’s Health Data
With regard to access to children’s health data, custody status has been taken into account. The party to whom temporary custody is granted during a divorce proceeding, or the party to whom custody is awarded following the finalization of the divorce, shall be entitled to access the child’s health data. Upon the application of the parent who does not hold custody, as a result of an assessment to be carried out by the General Directorate, only the data that allow inferences regarding the child’s health shall be shared with the applicant parent, after being stripped of data such as location and contact information.
G- Access to the Health Data of Deceased Persons
The legal heirs of the deceased shall be individually authorized to obtain the health data of a deceased person by submitting a certificate of inheritance. With the amendment introduced by the Regulation, the retention period of the health data of deceased persons has been extended from 20 years to 30 years.
H- Legal Assessment and Conclusion
An evaluation of this amendment shows that the Regulation aims to integrate the KVKK principles of “Data Minimization” and “Need-to-Know” more strictly into the healthcare system.
Allowing attorneys to obtain data based on a general power of attorney and the retention of deceased persons’ data for 30 years will facilitate evidence-gathering processes.
The “prohibition on forcing disclosure of past data” directly affects recruitment processes and insurance policy issuance procedures. Companies are required to discontinue the practice of requesting manual data from candidates/customers.
The exclusion of the Ministry’s liability for medical damages that may arise due to patients’ privacy preferences will constitute a significant defense argument for physicians in malpractice allegations. Physicians will be able to prove that they could not establish a diagnosis due to the patient’s concealment of data.
The amendments necessitate technical updates in the Hospital Information Management Systems (HBYS) used by healthcare service providers to ensure that access durations are automatically restricted based on the moment of “discharge.”
In divorce cases, allowing the non-custodial parent to access the child’s health data in a “sanitized” (masked) manner establishes a fair balance between the parent’s right to information and the child’s safety.