Privacy statement concerning patient data

OLVG is happy to explain to you, in this privacy statement, how we handle patients' medical data, how we guarantee its confidentiality and what rights you, as a patient, have with regard to this data.

OLVG processes the data of patients who come to us for care. The first thing we'll do when you come to OLVG is note down your name, address and telephone number. We are also legally obliged to record your Dutch Social Security Number (BSN) and check your identity (based on your proof of identity).

If you are being treated at OLVG, we are also legally obliged to keep a medical record of you in which we record the relevant data in connection with your treatment.

1. Confidentiality

All healthcare providers working at OLVG have a duty of confidentiality. This means that, in principle, none of your data will be provided to others without your permission. There are (statutory) exceptions to this 

All other employees (support services at the hospital) also have a duty of confidentiality which is laid down in their employment contract or other contract that is entered into with the hospital.

2. Protection of medical data

OLVG has an extensive security policy with regard to patient data.

3. Who can access your medical data at OLVG?

At OLVG, only healthcare providers who are directly involved in your treatment can access your medical data. Other support employees can only view the data that is necessary in connection with their role. Some employees can only view your address details and, for example, schedule appointments for you or send invoices, but are not authorised to view your medical data. Other employees, for example those working in healthcare administration, can view medical data if this is necessary for sending or checking invoices.

In the context of patient safety, a healthcare provider with whom you do not yet have a treatment relationship can still view your file in an emergency situation. Before he/she can see your file, the healthcare provider must first indicate, in the digital file, why he/she wants access to your file. This is important if, for example, you are admitted in an emergency situation and are not able to communicate. In any event, OLVG can always check who has viewed your file afterwards.

4. Organisation of the medical records at OLVG

OLVG stores your medical data in an electronic patient file (Epic). OLVG gives you the option to access some of the data stored in this electronic patient file using the MijnOLVG patient portal. In the future, more and more information from your file will become accessible using the patient portal.

The patient portal is a secure environment which you can only access having identified yourself and completed a 2-step authentication process. 

5. Providing and exchanging medical data with third parties

OLVG can only provide data to third parties with your permission. This permission is assumed when providing information about your treatment to your GP, so no permission is requested for this.

However, we will always ask for your permission if we want to provide medical data to another healthcare institution (or to other third parties). OLVG offers the possibility of exchanging digital medical data with a number of care institutions via a secure system. Once you have given us your permission for this, it means that if you are admitted to AMC or VUmc, for example, the healthcare providers there can also consult your OLVG medical data.

You can register your permission to exchange data with these healthcare institutions using a consent form. This only needs to be done once. In the future, OLVG will expand the number of healthcare institutions that data can be digitally exchanged with securely.

For medication data, data can be retrieved by OLVG from the National Switch Point (Landelijk SchakelPunt, NSP). You must give permission to your pharmacy for this first before OLVG can consult this data. 

There are some exceptions to the principle that your permission is required to provide data. If there is a legal obligation to provide data, such as to your health insurer, then your permission will not be required. 

You can also share the medical data on your portal (MijnOLVG) with others.

6. Retention period

The retention period for medical data is at least 15 years. There are a few exceptions to this: if there is a legal obligation to retain data for a longer period of time, or if it is necessary for proper provision of care (for example in the case of chronic diseases) or if it concerns data that is important to third parties (for example, hereditary disorders).

7. Scientific research and quality improvement

OLVG often conducts research into the quality of care provision. The law also obliges us to conduct these types of investigations. If an external agency is involved in this research to process data, we always conclude an agreement with the external agency to guarantee the security and confidentiality of patient data.

When it comes to medical scientific research into certain treatments, your permission is, in principle, required. Consult the rules regarding medical scientific research.

8. Your rights vis-à-vis the medical records

a. Right of access

You have the right to access your medical records. You can ask your practitioner to allow you to inspect the data stored in the electronic patient file.

If you are being treated by several specialisms, you should ask the practitioner of the department whose details you want to view.

b. Right to receive a copy

You can request a copy of your medical records. You can indicate which specialism and which period of time you want to receive a copy for. We will send you the data on a secure USB stick. The password to open this stick will be sent to you by e-mail separately.

There are no costs associated with provision of the first copy. If you ask for another copy of information that has already been provided to you, we can charge you for this.

c. Right to correction and supplementation

You have the right to correct your medical records. This right to correction only relates to factual inaccuracies (for example, your name or date of birth). Otherwise, you can supplement the information in your records. Your statement can be added to the data stored.

You can ask your practitioner to make a correction or to supplement your records.

d. Right to deletion

You can ask that your medical records, or part of your medical record, be deleted. There are exceptions to the right to delete your records. The hospital cannot grant this request if there is a legal obligation to retain this data, or if the data is important for third parties. If the request is granted, OLVG must comply with a request to delete data within 3 months.

You can ask your practitioner to delete your file, or you can request this through the Legal Affairs department.

9. Representation

Who gives permission to provide/exchange data with the third parties mentioned under point 5 and who exercises the rights with regard to the medical records mentioned under point 8?

  • For children under 12 years of age, the parents decide.
  • Parents and children are jointly authorised for children aged 12 to 16.
  • For children aged 16 and over, the child decides.

10. Complaints about privacy regarding your medical records

If you have complaints about the way in which your medical data is handled, you can contact your healthcare provider or the OLVG complaints officers about this.

If you believe that your medical records have been unlawfully accessed, you can also submit a complaint (with grounds) about this to the complaints officers. The complaints officers can then request the OLVG medical records inspection committee to initiate an investigation into this.

If you believe that data processing at OLVG is not done in accordance with legislation and regulations, you can report this to OLVG's Data Protection Officer.

The Dutch Data Protection Authority is the independent regulator with regard to compliance with privacy legislation. You will find a lot of information about privacy regulations and data processing in healthcare (among other things) on the Dutch Data Protection Authority's website

11. Further information

For further information about the General Data Protection Regulation (GDPR), we also refer you to the central government's website