The Regulation Amending the Regulation on Personal Health Data ("Amending Regulation") was published in the Official Gazette dated 3 December 2025 and numbered 33096.
The Amending Regulation introduces significant revisions to the Regulation on Personal Health Data ("Regulation"), particularly concerning the processing, access, protection, and transfer of personal health data.
Scope and Applicability of the Amendments
The Amending Regulation does not modify the overall scope of the existing Regulation on Personal Health Data. The Regulation continues to apply to the practices carried out by the Ministry of Health and its affiliated and related institutions. Accordingly, the amendments do not establish a general framework applicable to all health data processing activities. Instead, they are limited to activities integrated into the processes and practices falling within the scope of the Regulation. Within this framework, the Amending Regulation primarily introduces provisions governing the parties entitled to access personal health data and the specific conditions under which such access may be granted, in line with the relevant data processing activities.
New Rules on Access to Health Data
The Amending Regulation introduces specific rules regarding the procedures and conditions governing access to health data by various third parties. These amendments aim to clarify how and under what circumstances such access may be granted, ensuring greater alignment with the principles of data protection and confidentiality.
Access by Healthcare Professionals and Access to Historical Health Data
The provisions governing healthcare professionals' access to personal health data have been completely restructured in line with the conditions for processing special categories of personal data set forth under Article 6(3) of the Personal Data Protection Law No. 6698 ("PDPL"). Under the new framework, access to health data is permitted only to the extent necessary for the provision of healthcare services and within the scope of Article 6(3) of the PDPL. In this context, the Regulation clearly defines the time periods during which physicians may access patient data:
- Family physicians have unrestricted access to their patients' health data.
- Attending physicians and other physicians within the same healthcare institution may access the data until the completion of the medical procedures, including the consultation and follow-up periods, and—if the patient is hospitalized—throughout the duration of the hospitalization.
- For individuals admitted through emergency services, all physicians working at the respective emergency facility may access the data only for the duration of the emergency medical service, until the patient is discharged.
Furthermore, the previous mechanism providing a separate access scenario for individuals without an e-Nabız account has been abolished. The new rule stipulates that access shall be granted in accordance with the security settings defined by the individual via their e-Nabız profile. However, in cases where any delay in medical intervention could pose a risk—such as in emergency treatment or hospitalization—the application of these security settings may be suspended, provided that such access remains within the limits of Article 6(3) of the PDPL.
With respect to individuals who wish to restrict access to their historical health data, the mechanism based on the transmission of a verification code sent to the phone number registered in their e-Nabız profile has been preserved. While the previous Regulation applied this mechanism under the "privacy preference" option, the Amending Regulation redefines it under the concept of a "security preference." Additionally, for the first time, a specific exemption regime has been introduced for circumstances where the verification code cannot be practically obtained—such as in cases of detention or imprisonment—explicitly identifying situations in which the security preference control will not apply.
Access by the Ministry of Health and Its Units
Under the Amending Regulation, users authorized by the General Directorate of Health Information Systems ("General Directorate"), upon the request of unit supervisors, may exercise their authority to match health data—transferred to the central health data system in a pseudonymized form—with the relevant individuals. Such authority, however, may be exercised only within the limits of the processing conditions set forth under Article 6(3) of the Personal Data Protection Law ("PDPL") and in compliance with the general principles of personal data protection legislation. Previously, Article 7(3) of the Regulation provided that the purpose of planning and managing healthcare services and their financing would be determined based on the duties assigned to the relevant unit under applicable legal and administrative regulations. The Amending Regulation repeals this provision in its entirety. As a result, the purpose of data matching has been narrowed and strictly confined to a limited, lawful, and clearly defined framework, eliminating the possibility of broad administrative interpretations.
Access to Children's Health Data
Under the previous version of the Regulation, in cases involving divorce or custody disputes, access by the non-custodial parent to the child's health data was subject to a broad discretionary mechanism. This access was to be granted by the General Directorate of Health Information Systems within limits it would determine, taking into account the best interests of the child and the custodial parent, and in accordance with personal data protection legislation. The Amending Regulation eliminates this ambiguity and establishes a clear and tiered framework that specifies who may access a child's health data and to what extent, depending on the status of the custody relationship. During ongoing divorce proceedings, the parent holding temporary custody is granted direct access to the child's health data. After the divorce, only the parent to whom custody is awarded may access the data. Where the non-custodial parent requests access, the General Directorate will evaluate the request. In such cases, any data to be shared must exclude information containing location, address, or other security-sensitive details.
Access to the Health Data of Persons with Disabilities
Under the amended article, the scope of the provision has been expanded so that it now applies not only to relatives of the patient, but also to relatives of the person receiving healthcare services in general. In addition, a new rule has been introduced which was not included in the previous version. It explicitly provides that the health data of persons holding a disability report may also be accessed by their caregivers.
Access by Attorneys to Their Clients' Health Data
The provision that restricted attorneys' access to their clients' health data and required a specific power of attorney expressly granting consent for such access has been repealed. Requests made by attorneys will now be evaluated under the general provisions of the applicable legislation.
Retention of Deceased Persons' Health Data
The Amending Regulation extends the retention period for the health data of deceased individuals from 20 years to 30 years. This amendment aims to ensure the integrity of medical records and to facilitate the retrospective traceability of healthcare services provided.
Correction of Erroneously Created Data
Under the Amending Regulation, the procedure for handling requests for the rectification of personal health data has been revised. The new provision stipulates that the Provincial Health Directorate shall conduct the necessary inquiry at the relevant healthcare institution concerning the rectification request.
Accordingly, individuals seeking the correction of their personal health data must now submit their request to the Provincial Health Directorate, which is required to carry out its review in line with the rules and procedures issued by the General Directorate of Health Information Systems.
Conclusion
The Amending Regulation introduces a comprehensive revision package that does not radically alter the existing framework governing the processing of personal health data, but rather clarifies, narrows, and harmonizes the rules regarding data access, data security, and practical ambiguities. Overall, the amendments define the scope of data access authorizations through explicit rules, thereby narrowing discretionary interpretations and reducing uncertainties in practice. Organizations are encouraged to update their internal processes and policy documents in line with this new framework to mitigate compliance risks and promote consistency in implementation.