Recent Amendments to the Regulation on Personal Health Data

I. Introduction 

The Regulation Amending the Regulation on Personal Health Data, was published in the Official Gazette dated 3 December 2025 and entering into force on the same date (“Amending Regulation”), introducing several significant amendments to the Regulation on Personal Health Data dated 21 June 2019 and numbered 30808 (“Regulation”), which sets out the procedures and principles to be complied with in processes and practices carried out by the Ministry of Health and relevant institutions and organizations. Within this scope, substantial amendments have been introduced in areas such as access to personal health data, data processing processes relating to children, arrangements concerning persons with disabilities, and access in the capacity of a proxy.

The full Turkish text of the Amending Regulation is available here.

II. Amendments Introduced to the Regulation 

1. New Term Introduced Under the Definitions Article: Care Provider 

With the Amending Regulation, the definition of “care provider” has been introduced under Article 4 of the Regulation, titled “Definitions”. This term refers to the child’s parent or legal guardian, or natural or legal persons authorised to be responsible for the care and supervision of the child. Accordingly, the scope of the definitions set out under the Regulation has been expanded by the Amending Regulation.

2. General Principle: Prohibition on Forcing the Disclosure of Past Health Data Records 

With the Amending Regulation, the phrase “required for the provision of healthcare services” set out in the third paragraph of Article 5 of the Regulation has been replaced with “as stipulated under the processing conditions set forth in the third paragraph of Article 6 of the Law”. Accordingly, the principle that individuals may not be compelled to submit or disclose records of their past health data has now been directly linked to the processing conditions listed under Article 6/3 of the Law No. 6698 on the Protection of Personal Data (“Law”). 

3. Persons Authorised to Access Personal Health Data 

With the Amending Regulation, significant amendments have been introduced to Article 6 of the Regulation titled “Access of Health Personnel to Data”. Within this scope, the second, third, fourth and fifth paragraphs of the article have been revised.

Prior to the Amending Regulation, the second paragraph of Article 6 of the Regulation set forth that “health data of individuals who have an e-Nabız account may be accessed within the framework of their own privacy preferences. The data subjects shall be informed in detail about privacy preferences and their consequences. The Ministry shall not be held liable for any disruptions or damages that may arise in the provision of healthcare services due to privacy preferences and the inability to view past health data.” Pursuant to this provision, access to the health data of individuals with an e-Nabız account was limited to the scope determined by their own privacy preferences. With the Amending Regulation, this provision has been repealed, and the access regime has been comprehensively restructured as set out below. Accordingly;

• Access to personal health data shall be granted solely to the following health personnel, limited to the processing conditions stipulated under the third paragraph of Article 6 of the Law No. 6698 on the Protection of Personal Data:
• By the individual’s registered family doctor, without any time limitation;
• By the family doctor to whom the individual applies for the purpose of receiving healthcare services, until the completion of procedures directly related to the healthcare service received, including the days on which healthcare services are provided, consultation, or follow-up examination periods;
• By family doctors working at the healthcare service provider to which the individual applies for the purpose of receiving healthcare services, until the completion of procedures directly related to the healthcare service received, including the days on which healthcare services are provided, consultation, or follow-up examination periods;
• By family doctors working at the healthcare service provider where the patient is hospitalised, until the patient is discharged from the healthcare service provider;
• In respect of individuals admitted through the emergency department, by all family doctors working at the healthcare facility where the relevant emergency department is located, limited to the relevant healthcare service, until the individual is discharged.

With this amendment, the persons authorised to access personal health data, and the durations of such access have been regulated in detail; the uncertainties that existed under the previous regime have been eliminated, and the limits of access conditions have been clearly defined both in terms of authorised personnel and duration.

On the other hand, prior to the Amending Regulation, the third paragraph of the same article set forth a separate access regime for individuals who did not have an e-Nabız account. In this respect, access to the health data of such individuals was restricted by certain time limits and conditions. Access authorization was granted only to specific groups of physicians and subject to time-based restrictive provisions. Accordingly, a two-tier system was applied, under which access rules and durations differed depending on whether or not the individual had an e-Nabız account. With the Amending Regulation, the third paragraph has been entirely repealed and replaced with the following provision:

“Access to the health data of individuals who have selected security settings through their e-Nabız account shall be provided within the scope of their own security settings. The data subjects shall be informed in detail about the security settings and their consequences. The Ministry shall not be held liable for any disruptions or damages that may arise in the provision of healthcare services due to security settings and the inability to view past health data. The first sentence of this paragraph shall not apply in the cases specified under subparagraphs (ç) and (d) of the second paragraph, provided that processing is limited to the conditions set forth in the third paragraph of Article 6 of the Law.”

With this amendment, the access regime is no longer differentiated based on whether an individual has an e-Nabız account. Under the new framework, access to personal health data regulated under Article 6 of the Regulation is now subject to a fully uniform model and may be carried out, irrespective of the existence of an e-Nabız account, solely by the physician groups specified in the Regulation and within the prescribed time periods.

With the amendment made to the fourth paragraph of Article 6 of the Regulation, it has been explicitly stipulated that access to personal health data is now subject to the individual’s affirmative consent:

“In cases where individuals do not wish their health data to be accessed under the available security settings, access to their past health data shall be possible only if the code sent to the telephone number declared by the individual in their profile is shared with the physician and entered into the system by the physician.”

This provision introduces an additional verification and approval mechanism for individuals whose security settings restrict access to health data. Access to past health data is now possible only where all of the following conditions are met: (i) A mobile verification code is sent to the individual, (ii) the individual personally shares this code with the physician, and (iii) the code is verified in the system by the physician. Unlike a passive privacy preference, this mechanism requires the individual to demonstrate a conscious declaration of intent for access. Accordingly, access to the data subject’s health history cannot be carried out unilaterally by the physician; rather, the explicit and active consent of the personal data subject is required.

In addition, the fifth paragraph of Article 6 has been entirely amended, and it has been stipulated that, for individuals who are unable to access the verification code due to reasons such as detention or imprisonment, access may be granted by the family doctor and the physicians to whom the individual applies to, irrespective of security settings.

4. Amendments Regarding Access to Children’s Personal Data 

Amendments have been made to the second paragraph of Article 8 of the Regulation titled “access to children’s health data”, and new subparagraphs have been introduced under the article.

Prior to the amendment, the second paragraph provided a framework solely for access to a child’s health data by the non-custodial parent in the event of the parents’ divorce. With the amendment, this scope of this regulation has been expanded, and relevant procedural scenarios have been addressed in greater detail. 

First, by amending the second paragraph, it has been explicitly stipulated that the party to whom custody is provisionally granted during the pendency of a divorce proceeding shall be authorised to access the child’s health data, thereby eliminating uncertainties regarding interim custody arrangements during divorce proceedings. Accordingly; 

“During the pendency of a divorce proceeding, the party to whom custody is provisionally granted may access the child’s health data.”

The Amending Regulation has also clarified the scope of access authorization following the completion of the divorce process by addressing two separate scenarios:

Pursuant to the third paragraph, in the event that the divorce is finalized, the party to whom custody is granted shall be entitled to access the child’s health data. Accordingly, it has been clarified that the authority to access the child’s health data rests with the party holding custody as a result of the divorce.

Under the fourth paragraph, an application mechanism has been introduced that allows non-custodial parent to access the child’s health data in a limited manner. Accordingly, where the non-custodial parent applies to the General Directorate for Health Information Systems requesting access to data, such application shall be evaluated and, if deemed appropriate, only information from which conclusions may be drawn regarding the child’s health status — excluding data such as location, address or contact information — may be shared with the applicant. This new arrangement prevents the non-custodial parent from being entirely excluded from access, while significantly restricting the scope of data to be shared by taking into account the best interests and privacy of the child.

5. Access to Health Data of Individuals Holding a Disability Report 

With the Amending Regulation, the title of Article 9 of the Regulation has been amended to read “Access to Health Data by Relatives of Patients and Relatives of Persons Receiving Healthcare Services”, and a specific provision regarding individuals holding a disability report has been introduced as follows:

“Health data of individuals holding a disability report may also be accessed by care providers as defined under the Regulation.”

Through this amendment, access to the health data of individuals with a disability report has been extended beyond patient relatives to also include persons who assume responsibility for their care and supervision.

6. Access of Lawyers to Health Data 

With the Amending Regulation, Article 10 of the Regulation has been repealed. Prior to the amendment, this article was titled “access of lawyers to health data” and stipulated that lawyers could not request their clients’ health data on the basis of a general power of attorney. Accordingly, for health data to be transferred to a lawyer, it was mandatory for the power of attorney to contain a specific provision explicitly granting consent for the processing and transfer of sensitive personal data.

The repeal of Article 10 does not mean that lawyers may now obtain unlimited access to all health data on the basis of the general power of attorney. In practice, healthcare service providers are expected to continue to require safeguards such as explicit consent, a power of attorney containing specific authorization, or a court order, within the framework of Article 6(3) of the Law, with respect to the processing of sensitive personal data.

III. Conclusion 

With the Amending Regulation, the rules governing access to personal health data have been restructured; the categories of persons authorised to access such data, data processing processes concerning children and individuals with disabilities, and the conditions for lawyers’ access have been revised. The amendments introduce significant changes aimed at strengthening data security, clarifying access mechanisms, and enhancing the data subject’s control over personal data. In practice, healthcare service providers and other data processing parties are required to ensure compliance with the new provisions and to update their processes accordingly.

 

Dr. iur. Onur Ergönen, Managing Partner
Gamze Güngör Bulut, Senior Associate
Işıl Gizem Demirtaş, Associate