Page 1

Search for laws, regulations, judgments, Storting decisions, collective agreements etc.

Search

Act on the processing of health information in the provision of health care (Patient Records Act) Table of contents

sign in

Regulations of the law

➦ Go to the originally announced version

Act on the processing of health information when providing health care
(Patient Records Act)
Date LOV-2014-06-20-42
Department of Health and Care Services
Last amended LOV-2019-04-10-11
Published in 2014 issue 8
Entry into force 01.01.2015
Announced 20.06.2014 at 15.50
Short title Patient Records Act

Chapter overview:
Chapter 1. General provisions (§§ 1 - 5)
Chapter 2. Patient records and other treatment-oriented health registers (§§ 6 - 14)
Chapter 3. Duty of confidentiality, right of access and right to oppose processing of health information (§§ 15 - 18)
Chapter 4. The undertaking's duties in processing health information (§§ 19 - 25)
Chapter 5. Supervision and sanctions (§§ 26 - 31)
Chapter 6. Entry into force, etc. (§§ 32 - 33)

See also Act of 2 July 1999 No. 63 Chapter 5, 2 July 1999 No. 64, Chapter 8 andAct of 15 June 2018 no. 38 on the processing of personal data.

Chapter 1. General provisions
§ 1. Purpose of the Act
The purpose of the law is that the processing of health information shall take place in a manner that
a) provides patients and users with good quality health care by providing relevant and necessary information in a fast and efficient manner
become available to health personnel, at the same time as the protection against information being given to unauthorized persons is safeguarded, and
b) ensures patients 'and users' privacy, patient safety and the right to information and participation.

§ 2. Definitions
For the purposes of this Act:
(a) " health care" means any action that has a preventive, diagnostic, therapeutic, health-preserving, rehabilitative or nursing and
care purposes, and which are performed by health personnel, cf. the Health Personnel Act § 3 first paragraph
b) health information: personal information about a natural person's physical or mental health, including the performance of
health services, which provide information about the person's state of health, cf. the Privacy Ordinance Article 4 no. 15
c) processing of health information: any operation or series of operations performed with health information, either
automated or not, such as collection, registration, organization, structuring, storage, customization or modification,
retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available,
assembly or alignment, restriction, deletion or destruction, cf. Article 4 (2) of the Privacy Regulation
d) treatment-oriented health register: patient record and information system or other register, register or the like, where
health information is stored systematically, so that information about the individual can be found again, and which should provide a basis for
health care or administration of health care to individuals
e) data controller: responsible for the processing of health information in accordance with the Privacy Regulation, Article 4 (7).
0 Modified byAct of 15 June 2018 no. 38 (ikr. 20 July 2018 according to announcement 17 July 2018 no. 1195).

§ 3. Factual scope
The law applies to all processing of health information that is necessary to provide, administer or quality-assured health care to
individuals.
For information that is confidential pursuant to the Health Personnel Act § 21, and for information on deceased persons applies
the provisions of the Act here on the processing of health information as far as they are appropriate.
The King in Council may, in regulations or individual decisions, decide that the Act shall apply in whole or in part to the processing of
health information for purposes other than health care.
0 Modified byAct of 15 June 2018 no. 38 (ikr. 20 July 2018 according to announcement 17 July 2018 no. 1195).

§ 4. Geographical scope
The law applies to data controllers established in Norway. The King may in regulations decide that the law shall apply in whole or in part
Svalbard and Jan Mayen, and may lay down special rules on the processing of health information for these areas.
0 Modified byAct of 15 June 2018 no. 38 (ikr. 20 July 2018 according to announcement 17 July 2018 no. 1195).

§ 5. The relationship to the Privacy Ordinance and the Personal Data Act
The Privacy Ordinance and the Personal Data Act do not apply as far as nothing else follows from the Act here.
0 Modified byAct of 15 June 2018 no. 38 (ikr. 20 July 2018 according to announcement 17 July 2018 no. 1195).

Chapter 2. Patient records and other treatment-oriented health registers
§ 6. Right to process health information
Treatment-oriented health registers must have a legal basis.
Health information in treatment-oriented health registers can only be processed when it is necessary to be able to provide health care, or
for administration, internal control or quality assurance of health care.
When processing health information for internal control or quality assurance, the information shall be processed as far as possible
without the name and birth number of the data subject appearing.
0 Modified byAct of 15 June 2018 no. 38 (ikr. 20 July 2018 according to announcement 17 July 2018 no. 1195).

§ 7. Requirements for treatment-oriented health registers
Treatment-oriented health registers must support patient processes in clinical practice and be easy to use and find.
Treatment-oriented health registers shall be designed and organized so that requirements laid down in or pursuant to law can be met.
This applies, among other things, to rules on:
a) duty of confidentiality, cf. § 15,
b) prohibition against unlawful acquisition of health information, cf. § 16,
c) the right to oppose the processing of health information, cf. section 17,
d) the right to information and access, cf. § 18 ,
e) health personnel's documentation obligation, cf. Health Personnel Act § 39,
f) making health information available, cf. §§ 19 and20 and
g) information security and internal control, cf. §§ 22 and 23.
The Ministry may in regulations issue further provisions on the obligation to have electronic systems, on the approval of software
and certification and on the use of standards, standard systems, coding systems and classification systems.

§ 8. Companies' duty to provide treatment-oriented health registers
Companies that provide health care must ensure that they have treatment-oriented health registers for the implementation of health personnel
documentation obligation, cf. Health Personnel Act § 39.

§ 9. Cooperation between enterprises on treatment-oriented health registers
Two or more enterprises may co-operate on treatment-oriented health registers, cf. section 8. The companies must then be entered into in writing
Deal about
a) what the collaboration includes,
b) how the patient's or user's rights are to be safeguarded,
c) how the health information is to be processed and secured, also in the event of changes in or termination of the collaboration, and
d) data responsibility.
The Ministry may, in regulations or individual decisions, lay down conditions for such co-operation.
0 Modified byAct of 15 June 2018 no. 38 (ikr. 20 July 2018 according to announcement 17 July 2018 no. 1195).

§ 10. Establishment of national treatment-oriented health registers
The King in Council may issue regulations on the establishment of national treatment-oriented health registers as in specific areas
replaces registers pursuant to §§ 8 and 9.
The regulations shall provide more detailed provisions on the operation, processing and security of health information, on data responsibility, on
access control and how the rights of the patient or user are to be safeguarded.
0 Modified byAct of 15 June 2018 no. 38 (ikr. 20 July 2018 according to announcement 17 July 2018 no. 1195).

§ 11. Systems for case processing, administration, etc. of health care
The King in Council may issue regulations on the processing of health information for case processing, administration, settlement and
implementation of health care for individuals.
The duty of confidentiality does not preclude the processing of the information. The health information can be processed without regard to consent
from the patient. The degree of personal identification shall not be greater than necessary for the purpose in question. Information about
diagnosis or disease can only be treated when it is necessary to achieve the purpose of processing the information.
The regulations shall provide further provisions on the processing of the information, on which information can be processed, on
the individual's right to oppose the processing of the information and data liability.
0 Modified byAct of 15 June 2018 no. 38 (ikr. 20 July 2018 according to announcement 17 July 2018 no. 1195).

§ 12. The prescription broker
The King in Council may issue regulations with further provisions on the processing of health information in the national database for
prescriptions (Prescription mediator).
The information can be processed without the consent of the patient.
The regulations shall provide further provisions on the purpose of the processing of the information, which information shall
processed, and who is the data controller for the information.
0 Modified byAct of 15 June 2018 no. 38 (ikr. 20 July 2018 according to announcement 17 July 2018 no. 1195).

§ 13. National core journal
The King in Council may issue regulations on the processing of health information in the national core medical record.
The National Core Journal is a central business-wide treatment-oriented health register. The journal must contain a
to a limited extent, relevant health information that is necessary to provide proper health care.
Information can be registered and otherwise processed without the consent of the patient. The registered person has the right to object
that health information is processed in the register.
Health personnel with service needs when providing health care may, with the consent of the registered person, be given access to necessary and
relevant health information from the national core medical record. By consent is meant any voluntary, specific, informed and unambiguous
expression of will from the patient where the person in question by a statement or a clear confirmation gives his consent to such access being given, cf.
Article 4 (11) of the Privacy Ordinance When it is necessary to provide proper health care, the King in Council may in regulations
exemption from the requirement for consent. By way of exemption from consent, the Health Personnel Act § 45 first paragraph first sentence applies correspondingly.
The King in Council may in regulations issue further provisions on the operation and processing of health information, for example which ones
information to be processed, who is the data controller, rules on deletion, access and access control, as well as the patient's
rights.
0 Modified bylaws 15 June 2018 no. 38 (ikr. 20 July 2018 according to announcement 17 July 2018 no. 1195),10 Apr 2019 No. 11 (ikr. 10 Apr 2019 according to res. 10 Apr 2019
No. 473 ).

§ 14. Registration and notification of health information
Businesses and health personnel who offer or provide services covered by the Pharmacy Act, the Public Health Act, health and
the Care Services Act, the Medicines Act, the Infection Control Act, the Specialist Health Services Act or the Dental Health Services Act, duties without hindrance
of the duty of confidentiality to register or report information as determined in regulations pursuant to §§ 11 to 13.
The King may in regulations issue further provisions on the collection of health information to registers covered by §§ 11 to 13,
including deadlines, formal requirements, use of notification forms and standards.
The recipient of the information shall notify the person who has registered or reported the information if the information is incomplete.
0 Amended by Act 16 June 2017 no. 55 (ikr. From the time the King decides).

Chapter 3. Duty of confidentiality, right of access and right to oppose treatment of
health information
§ 15. Duty of confidentiality
Everyone who processes health information in accordance with this Act has a duty of confidentiality the Health Personnel Act §§ 21 et seq. Others who receive
access to or knowledge of health information from a treatment-oriented health register has the same duty of confidentiality.

§ 16. Prohibition of improper acquisition of health information
It is forbidden to read, search for or otherwise acquire, use or possess health information from treatment-oriented
health registers without it being justified in health care for the individual, administration of such services or has special authority in law or
regulation.

§ 17. The right to oppose the processing of health information
The patient or user may object to that
a) health information in a treatment-oriented health register established on the basis of §§ 8 to 10 are made available to health personnel
after § 19 , cf. the Health Personnel Act §§ 25 and45 and the Patient and User Rights Act § 5-3 ,
b) information on deductibles paid in connection with decisions on exemption cards and reimbursement is automatically registered in a system established with
authority in § 11, and
c) health information is registered or processed in other ways in a national core medical record established on the basis of § 13.
The rules on consent competence in patient and the Users' Rights Act §§ 4-3 to4-7 applies correspondingly to the right to oppose
processing of the information.

§ 18. Information and access
The patient or user has the right to information and access in accordance with the Patient and User Rights Act § 3-6 third paragraph and § 51 and to the Privacy Regulation Articles 13 and 15.
When it is necessary to provide access, the data controller may obtain personal information from the National Population Register. This
applies regardless of whether the information is subject to a duty of confidentiality under the Population Register Act.
The King may in regulations issue further provisions on the right of access to treatment-oriented health registers.
0 Modified bylover 9 Dec 2016 No. 88 (ikr. 1 Oct 2017 acc.res. 9 June 2017 no. 718 ), 15 June 2018 no. 38 (i.e. 20 July 2018 according to announcement 17 July 2018 no.
1195).

Chapter 4. The company's obligations when processing health information
§ 19. Health information by health care
Within the framework of the duty of confidentiality, the data controller shall ensure that relevant and necessary health information is available
available to healthcare professionals and other collaborating personnel when necessary to provide, manage or quality assure
health care for the individual.
The data controller decides how the information is to be made available. The information shall be made available
in a way that safeguards information security.
The Ministry may, in regulations, issue further provisions on how health information in treatment-oriented health registers may be
made available.
0 Modified byAct of 15 June 2018 no. 38 (ikr. 20 July 2018 according to announcement 17 July 2018 no. 1195).

§ 20. Health information for purposes other than health care
The data controller may make health information available for purposes other than health care when the individual consents or
this is stipulated by law or pursuant to law. By consent is meant any voluntary, specific, informed and unequivocal expression of will from it
registered where the person in question by a statement or a clear confirmation gives his consent to the processing of health information which
applies to the person in question, cf. Article 4 (11) of the Privacy Ordinance.
0 Modified byAct of 15 June 2018 no. 38 (ikr. 20 July 2018 according to announcement 17 July 2018 no. 1195).

§ 21. Personal information from the National Register
The data controller may obtain personal information from the National Population Register when this is necessary to fulfill it
duties of data controllers according to the law. This applies regardless of whether the information is subject to a duty of confidentiality under the Population Register Act.
0 Modified bylover 9 Dec 2016 No. 88 (ikr. 1 Oct 2017 acc.res. 9 June 2017 no. 718 ), 15 June 2018 no. 38 (i.e. 20 July 2018 according to announcement 17 July 2018 no.
1195).

§ 22. Information security
The data controller and the data processor shall implement technical and organizational measures to achieve a level of security that is
suitable with regard to the risk, cf. Article 32 of the Privacy Ordinance. The data controller and the data processor shall, among other things, ensure
for access control, logging and subsequent control.
The Ministry may, in regulations, lay down further requirements for information security in the processing of health information.
0 Modified byAct of 15 June 2018 no. 38 (ikr. 20 July 2018 according to announcement 17 July 2018 no. 1195).

§ 23. Internal control
The data controller shall implement technical and organizational measures to ensure and demonstrate that the processing is carried out in accordance
with the Privacy Ordinance, the Personal Data Act and this Act, cf. Article 24 of the Ordinance.
The data controller must document the measures. The documentation must be available to its employees
data controllers and at the data processor. The documentation must also be available to the supervisory authorities.
The Ministry may in regulations issue further provisions on internal control.
0 Modified byAct of 15 June 2018 no. 38 (ikr. 20 July 2018 according to announcement 17 July 2018 no. 1195).

§ 24. Transfer or cessation of business
Upon transfer or cessation of business, treatment-oriented health register can be transferred to another business. The individual
patient or user may oppose the transfer of their medical record and instead demand that the register be transferred to another specific
business. If practicable, the patient or user should be made aware of this right.
The Ministry may in regulations issue further provisions on the transfer of health information upon termination or transfer of
business.

§ 25. Duty to preserve or delete
Health information shall be stored until it is no longer assumed to be used for the sake of the nature of the health care. The same
applies to information about who has had access to or been provided with health information related to the patient's or user's
name or birth number.
If the information is not then to be preserved in accordance with the Archives Act or other legislation, it must be deleted.
The King may in regulations issue further provisions on the preservation or deletion of information as mentioned in the first paragraph.

Chapter 5. Supervision and sanctions
§ 26. Supervision
The Norwegian Data Protection Authority supervises compliance with the law and regulations issued pursuant to the law. This does not apply to supervisory tasks
which is incumbent on the Norwegian Board of Health Supervision or the County Governor pursuant to the Health Supervision Act.
0 Modified byAct of 15 June 2018 no. 38 (ikr. 20 July 2018 according to announcement 17 July 2018 no. 1195).

§ 27. (Repealed by Act of 15 June 2018 no. 38. )

§ 28. (Repealed by Act 15 June 2018 no. 38. )

§ 29. Infringement fee
When processing health information in violation of the Act or regulations issued pursuant to the Act, the Data Inspectorate may impose
infringement fines under Article 83 of the Privacy Regulation and the Personal Data Act §§ 26 and27 .
0 Modified byAct of 15 June 2018 no. 38 (ikr. 20 July 2018 according to announcement 17 July 2018 no. 1195).

§ 30. Penalties for breach of confidentiality
Violation of section 15 on the duty of confidentiality is punishable under section 209 of the Penal Code , however, so that complicity is punished.
0 Modified byLaws of 19 June 2015 No. 65 (effective 1 October 2015),15 June 2018 no. 38 (ikr. 20 July 2018 according to announcement 17 July 2018 no. 1195),10 Apr 2019 No. 11
(ikr. 10 Apr 2019 according to res. 10 Apr 2019 no. 473).

§ 30 a. Penalty for wrongful acquisition of health information
Anyone who intentionally or with gross negligence violates the prohibition against unlawful acquisition of health information in § 16, punished with
fines or imprisonment for up to 1 year.
Serious wrongful acquisition of health information is punishable by imprisonment for up to 3 years.
In deciding whether the improper acquisition of health information is serious, special emphasis shall be placed on
a) the risk of major injury or inconvenience to the patient or user,
(b) the intended gain from the infringement;
c) the duration and extent of the infringement,
d) the guilt shown, and
e) whether the act was committed by someone who has previously been charged with a criminal offense for similar acts.
0 Added byAct 10 Apr 2019 No. 11 (ikr. 10 Apr 2019 according to Res. 10 Apr 2019 No. 473).

§ 31. Compensation
The data controller and the data processor shall compensate for damages that have arisen as a result of health information being processed in
in violation of the Privacy Regulation, pursuant to Article 82 of the Regulation and the Personal Data Act § 30 . The responsibility applies correspondingly to
violation of this law or regulations issued pursuant to the law.
0 Modified byAct of 15 June 2018 no. 38 (ikr. 20 July 2018 according to announcement 17 July 2018 no. 1195).

Chapter 6. Entry into force, etc.
§ 32. Entry into force
1 King may decide that the individual provisions of the Act shall enter into force
The law comes into force from the time the King decides. The

different time.
1 From 1 Jan 2015 according to res. 19 Dec 2014 No. 1732.

§ 33. Continuation of regulations
Regulations issued pursuant to Act of 18 May 2001 no. 24 on health registers and processing of health information, also applies after
the law here has entered into force.

Information på norsk Adjust text size Help Contact

⎙

