Balancing Access and Privacy: Medical Record Release & Personal Data Protection in Malaysia

July 22, 2024

Whilst obtaining a patient's medical records is crucial to any assessment of the patient’s case, the ownership of such records resides with the medical practitioner/ hospital and procuring the same from private or public hospitals may pose a challenge.

What constitutes Medical Records?

The Medical Act 1971 (Act 50), an Act receiving much attention in recent days for different reasons, with amendments just passed to address the issue of parallel qualification, vests the authority to regulate the practice of medicine in the Malaysian Medical Council (MMC). This gives the MMC the power to enact regulations necessary to address issues pertaining to the practice of medicine under the Act.

MMC’s Guideline 002/2006: Medical Records and Medical Reports (“MMC Guidelines”) defines medical records widely to include all documented information about the health of an individual, and has been understood to cover both physical and electronic forms[1]. A non-exhaustive list of the contents of a patient’s medical records can be found under clause 1.2 of the MMC Guidelines.

Who Is the Legal Owner of Patients’ Medical Records?

MMC’s Guideline 002/2006[2] and the Private Healthcare Facilities and Services Regulations 2006 (“PHFS Regulations”) recognise that patients’ medical records belong to the medical practitioner/ health facility[3].

Although ownership of medical records resides with the practitioner/ health facility, the personal information recorded by healthcare workers, as well as the results of any tests and investigations, belongs to the patient[4].

Are Patients Entitled to their Medical Records?

The MMC Guidelines explicitly address patients' access to medical records and outline the situations in which patients or their appointed agents are entitled to medical records, for purposes ranging from seeking a second opinion or further treatment elsewhere to litigation. The Guidelines recognise that healthcare facilities and services should not object to the release of results and reports of diagnostic tools, provide that if all else fails the patient may resort to civil action, and further state that withholding information on the care, diagnosis, treatment and advice given to the patient, and relevant copies of the medical records, is unethical[5].

Whilst private hospitals are usually ready to release medical records upon a patient’s request, a similar request to a public hospital is often met with reluctance, premised on the Ministry of Health’s (MOH) Guideline 'Garis Panduan Pengendalian dan Pengurusan Rekod Perubatan Pesakit di Fasiliti KKM' and the retort that hospitals are allowed to provide a patient's medical records only in the form of a medical report, unless a court order is obtained.

However, the above MOH Guideline only states that medical records cannot be disclosed, disseminated or transmitted to anyone without the consent of the medical director or the administrator of the hospital or clinic, unless a court order is obtained[6].

In Nurul Husna Muhammad Hafiz & Anor v Kerajaan Malaysia & Ors[7], the leading authority on disclosure of medical records, Justice Vazeer Alam Mydin Meera, then sitting at the High Court, took the position that parties who wish to obtain and access medical records should not be required to resort to a court order for access to their own records, highlighting that:

“The prevalent common practice among medical professionals and hospitals is to refuse to give copies of patient's medical records unless ordered by the court to do so. This has necessitated the filing of applications by patients seeking court's intervention to order production of the medical records. In most cases, when the application comes for hearing, the respondent throws in the towel and agrees to produce copies of the medical records sought. In a handful of cases, there is resistance and the court determines the issue to order production. This guarded conduct of the medical professionals and hospitals has caused patients to incur avoidable costs and delays by filing originating processes for an order for discovery of their medical records.” 

In regard to private hospitals, Justice Vazeer Alam interpreted Regulation 44(2) of the PHFS Regulations 2006 as follows:

“Regulation 44(2) does not stipulate that whenever a patient wishes to have access to his medical records, he must get a court order. Therefore the reliance of private healthcare operators on reg. 44(2) to withhold patient's access to medical records until the patient obtains a court order is entirely misconceived. There is no requirement in law that the patient first obtain a court order to get access to his medical records.”[8]

Justice Vazeer Alam summarised the legal position by stating that although ownership of patients' medical records vests with the physician or hospital, they must deal with the medical records in the best interest of the patient; a patient has an innominate and qualified right of access to his medical records, and there is a corresponding general duty on the part of the physician or hospital to disclose the patient's medical records to the patient, his agents, medical advisers or legal advisers[9].

Justice Vazeer Alam also considered the right of a doctor to refuse disclosure, stating that such a right may apply where disclosure would cause serious harm to the patient or any other person in the medical records, and where disclosure would divulge information relating to or provided by an individual, other than the patient, who could be identified from that information[10].

An example of a case for non-disclosure can be seen in R v Mid Glamorgan Family Health Services Authority and Another, where the English Court of Appeal upheld the decision of Popplewell that disclosure of the medical records in that case risked causing or aggravating the very injury which the treating doctors had previously undertaken to prevent or cure. The Appellate Court found this to be a valid reason for holding that any common law right of access ought to be refused[11].

Discovery Application to Obtain Medical Records

In the event access is denied, a patient may pursue a civil action to compel the medical facility to provide the medical records by securing a court order. To accomplish this, a discovery application can be initiated in accordance with Order 24 of the Rules of Court (ROC) 2012[12].

The general test for disclosure set out in Yekambaram Marimuthu v Malayawata Steel Berhad[13] applies: there must be documents; the documents must be relevant to the facts of the case; the documents must have been in the possession, custody or power of the defendant or a person authorised by the defendant; and the plaintiff must set out and justify the importance of accessing the records to establish the damage suffered.

Confidentiality of Medical Records: Personal Data Protection Act 2010 (“PDPA 2010”)

That the confidentiality of medical records is paramount is obvious given the ethos of patient privacy and confidentiality. This ensures that sensitive personal health information is not disclosed without the explicit consent of the patient. Further, confidentiality fosters trust between patients and healthcare providers, encouraging patients to seek medical care without fear of their information being misused.

It is pertinent to note that in most instances[14] where hospitals process the personal data of patients, the hospital would have obtained the explicit consent of the patient by having the patient complete and sign various consent forms prior to processing the patient's personal data.

Insofar as the PDPA 2010 is concerned, the Act does not apply to the Federal Government and State Governments, and this extends to government agencies, hospitals and medical facilities[15].

The Code of Practice For Private Hospitals In The Healthcare Industry[16] (“Code”), which covers all private hospitals licensed under the Private Healthcare Facilities & Services Act 1998, provides that a patient should have access to his personal data contained in the medical records maintained by the hospital[17]. This right is also set out in the MMC Guidelines, under which the patient shall:

(a) have access to records containing information about his/her medical condition for legitimate purpose and in good faith;
(b) know what personal information is recorded and processed;
(c) expect the records to be accurate; and
(d) know who has access to his/her personal information.

Therefore, private hospitals and medical practitioners are obliged to provide comprehensive medical reports when requested by the patient, by the next of kin in the case of children or minors, or by the employer with the patient’s specific and explicit consent, within the time stipulated in the PDPA 2010.

In this respect, the hospital may deny access to the contents of the medical record, if in their considered opinion:

(a) the hospital is not supplied with sufficient information to satisfy itself as to the identity of the requestor;
(b) the contents, if released, may be detrimental or disparaging to the patient or any other individual;
(c) the contents are liable to cause serious harm to the patient’s/ data subject’s mental or physical health or to endanger his life;
(d) there is no written consent from the patient, or his legal next-of-kin or guardian, for release of the contents of the medical record to a third party; or
(e) any of the scenarios mentioned in Section 32 of the PDPA 2010 is applicable.

Additionally, under the Personal Data Protection (Amendment) Bill 2024, the personal data of deceased individuals is now expressly excluded from the scope of the PDPA 2010 and as such will no longer be governed by the personal data protection laws. On the other hand, biometric data (i.e. any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person) is also proposed to be treated as “sensitive personal data” and would be subject to the stringent processing rules, set out further below, that apply to all such data.

Sensitive Personal Data

“Sensitive personal data” is defined under the PDPA 2010 as “any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Minister may determine by order published in the Gazette” and would therefore cover the medical records of a patient which relate to the physical or mental health or condition of that patient. “Sensitive personal data” is subject to the provisions relating to the processing[18] of such data under Section 40 of the PDPA 2010.

The processing[19] of sensitive personal data may be carried out by the hospital without obtaining the patient’s explicit consent if (i) the information contained in the personal data has been made public as a result of steps deliberately taken by the patient; or (ii) any one of the scenarios set out in Section 40 of the PDPA 2010 applies.

However, patient records which do not fall within the definition of “sensitive personal data” under the PDPA 2010 (e.g. telephone numbers, credit card details) would still be subject to the disclosure principle under Section 8 of the PDPA 2010. Section 8 places an embargo on release without the consent of the patient for any purpose, unless the disclosure is for the purpose, or directly related to the purpose, for which the personal data was to be disclosed at the time of its collection, or is to a party or class of third parties listed in section 7(1)(e) of the PDPA 2010[20].

Section 8 is expressly subject to section 39 of the PDPA 2010 (the same exceptions are also found in MMC’s Guidelines on Confidentiality[21]), which sets out exceptions to the rule of confidentiality, including where consent has been granted by the person whose data is being disclosed, or where disclosure is necessary under any law or by court order[22].

Medical Specialists

The Code further stipulates that medical specialists[23] who are engaged under a contract for service (i.e. Consultants) have a unique relationship with the hospital and with their assigned patients. Although such medical specialists are not employees of the hospital, they are granted access to all of the personal data and sensitive personal data stored by the hospital as a data user under the PDPA 2010.

In this regard, the hospital must ensure that the written agreement governing the relationship between the hospital and the medical specialists includes sufficient contractual safeguards. These safeguards could include mandating that medical specialists comply with PDPA requirements and handle patient personal data in accordance with hospital policies, the PDPA 2010, the Code, and applicable laws, rules and regulations. Medical specialists should be informed of their responsibilities towards the personal data of patients, and the hospital ought to provide adequate training on the PDPA 2010 to the consultants.

With respect to medical specialists who are employed under a contract of service with the hospital, all obligations under the PDPA 2010 will be applicable to such medical specialists as employees of the hospital.

Malaysia Health Data Warehouse & National Electronic Medical Records System

The Government, through an MOH initiative in 2010, started the Malaysia Health Data Warehouse (MyHDW) project, which was aimed at developing a centralised repository for healthcare data in Malaysia, synchronising the medical records of patients from private and public clinics and hospitals with data from the National Registration Department (NRD).

Further, it has been reported[24] that the national Electronic Medical Records (EMR) system, introduced in 2021 and termed the “digitalisation of healthcare services”, which is aimed at streamlining access to patients’ medical information and history across healthcare providers in the public and private sectors, is targeted for a nationwide rollout by 2026.

As at the date of this alert, we note that both the MyHDW and EMR initiatives have been implemented in phases, and it remains to be seen how personal data protection will apply in the context of these initiatives.

Conclusion

Balancing patient access and data protection remains a critical consideration. Perhaps it is justified for the current legislation governing access to medical records, including the PDPA 2010, to be reassessed in conjunction with global developments and the healthcare initiatives proposed by the Government, particularly with regard to the MyHDW and EMR.

Alert by Annabel Kok (Corporate Partner) & Raaswin Roshan Raj (Associate) of Messrs. Rajasekaran.

The contents of this alert do not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. If you require any further information, kindly contact annabel@rajasekaran.co.

Contact Information:

Annabel Kok Keng Yen, Partner
+6012 905 1082
annabel@rajasekaran.co

Raaswin Roshan Raj, Associate
raaswinroshan@rajasekaran.co


[1] MMC Guideline 002/2006: Medical Records and Medical Reports, page 6, clause 1.1, para 1
[2] MMC Guideline 002/2006: Medical Records and Medical Reports, page 12, clause 1.12, para 1
[3] Regulation 44(1) of the Private Healthcare Facilities and Services Regulations 2006
[4] MMC Guideline 002/2006: Medical Records and Medical Reports, page 13, clause 1.12, paras 3-4
[5] MMC Guideline 002/2006: Medical Records and Medical Reports, pages 14-15, clause 1.15
[6] Garis Panduan Pengendalian Dan Pengurusan Rekod Perubatan Pesakit Di Fasiliti KKM Bil. 5/2023, page 12, para 3.4.3
[7] [2015] 1 CLJ 825
[8] Ibid, para 22
[9] Ibid, para 21
[10] Ibid, para 21(c)
[11] R v Mid Glamorgan Family Health Services and Another, ex p Martin [1995] 1 All ER 356 at 366
[12] Order 24 of the Rules of Court 2012
[13] [1994] 2 CLJ 581
[14] As provided under the MMC Guidelines
[15] Due to the broad definition provided under the Interpretation Acts 1948 and 1967
[16] Issued by the Association of Private Hospitals of Malaysia
[17] Code of Practice For Private Hospitals In The Healthcare Industry by the Association of Private Hospitals of Malaysia, page 21, para 5.2.5
[18] Pursuant to Section 4 of the PDPA 2010, the term “processing”, in relation to personal data, means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including —
(a) the organization, adaptation or alteration of personal data;
(b) the retrieval, consultation or use of personal data;
(c) the disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or
(d) the alignment, combination, correction, erasure or destruction of personal data.
[19] Ibid
[20] Section 7(1)(e) and Section 8 of the PDPA 2010
[21] MMC Guidelines on Confidentiality, page 2, para 3
[22] Section 39 of the Personal Data Protection Act 2010 (Act 709)
[23] Paragraph 6.3 of the Code
[24] https://www.thestar.com.my/news/nation/2023/05/20/aiming-for-nationwide-rollout-of-emr
