Sharing health data with third parties

There are various situations in which a healthcare provider (such as a family doctor, dentist or specialist in a hospital) may provide health data to third parties. Organisations outside healthcare are allowed to use and exchange health data for certain tasks or purposes. Examples include pension funds, schools or insurers.

On this page

General rules on sharing data

Care providers may provide health information to others if:

  • Such is regulated by law. Sometimes, a care provider is legally obliged to share health data outside of healthcare. In that case, the patient’s consent is not required. Examples are the Burial and Cremation Act, the Healthcare Insurance Act (Zvw), the Long-Term Care Act (Wlz) and the Public Health Act (Wpg).
  • The patient gives explicit consent for this. The patient must be properly informed by the care provider or the receiving party about the reason for providing the data.

Organisations outside healthcare that receive health data must comply with confidentiality obligations. They are also not permitted to provide health data to other organisations, unless the law states that this is permitted in a certain situation.

Sharing data with a healthcare insurer

A healthcare provider is obliged to provide certain information to the patient’s healthcare insurer. You can read more about this under Healthcare Insurers.

Sharing data with an administration office or medical factoring company

If a healthcare provider transferred the collection of invoices to an administration office or medical factoring company, the healthcare provider may provide the information required by this company to send the invoice to the healthcare insurer or the patient.

The company has a duty of confidentiality. This means this company may only use the data for that purpose and may not share it with others.

Sharing data with a legal representative

Care providers may provide information to a patient’s legal representative. But only if necessary to obtain consent for the treatment. Or if it concerns a request for access or copies. For example, when treating an adult, incapacitated patient . Or when treating a minor. If it concerns a child aged 12 to 16, they can consent to providing the information themselves. This is stated in the Medical Treatment Contracts Act (WGBO). In these cases, the duty of confidentiality does not apply.

Care providers do not provide data to legal representatives if the adult incapacitated patient or the minor objects to this and/or if it is contrary to good care provision. For example, if providing data is against the interests of the adult incapacitates patient or minor .

Breach of medical confidentiality

In exceptional cases, a care provider is authorised to breach medical confidentiality. That is if there is a conflict of duties.

For example, if the care provider can prevent a dangerous situation for someone else, and this care provider cannot ask for consent in advance, for example, in the event of (suspected) child abuse.

The care provider must have tried everything to solve the problem without breaching medical confidentiality.

Also read: Health data in a record