
Accessing a medical record without authorisation is not a minor internal matter. It is a processing operation involving special category data. Health data is protected under Article 9 GDPR and may only be processed when there is a valid legal basis and a legitimate purpose.
The original case behind this article shows a simple rule: having a username and password is not enough. Access to clinical records must be connected to a healthcare, administrative or legal function. Curiosity, personal relationships or private conflicts do not justify access.
In this article we will discuss...
Why medical records require stronger protection
Medical records may include diagnoses, treatments, tests, reports and other information about a person’s private life. The Spanish Data Protection Authority (AEPD) explains that health data is specially protected, and the GDPR only allows processing in specific circumstances.
The AEPD also provides a guide for patients and users of healthcare services, which is useful for understanding data protection rights in this sector.
When access is allowed
Access should be limited to people who need the information to provide care, manage the service, comply with legal duties or respond to patient rights. Staff should not consult the records of relatives, friends, colleagues or former patients unless they are directly involved in their care or management.
Controls healthcare organisations should apply
- Role-based access, avoiding generic users and excessive permissions.
- Access logs showing who accessed what information and when.
- Periodic permission reviews, especially after role changes or departures.
- Specific training on confidentiality and health data.
- Incident response procedures for unauthorised access or suspected breaches.
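The rule stated above (an account and password are not enough; each access must be tied to a care, administrative or legal function) can be checked mechanically against the access log. The following is an added example, not code from the original article or from any particular records system: it assumes a constructed assignment table linking staff to patients with the justifying function, a constructed role-to-action map, a constructed list of leavers, and a handful of constructed log entries. It flags accesses with no assignment, actions outside the user's role, and accesses after a departure date, and it lists assignments that a periodic permission review should revoke.

```python
"""Access-log review for a clinical records system (constructed example)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str  # e.g. "view", "update", "export"


# Constructed sample data. Assignment kinds are the justifying functions named
# in the article: care, administrative, legal.
ASSIGNMENTS = {
    ("dr_lopez", "P-1001"): "care",
    ("nurse_ruiz", "P-1001"): "care",
    ("nurse_ruiz", "P-1002"): "care",
    ("billing_ana", "P-1002"): "administrative",
    ("legal_marta", "P-1003"): "legal",
}

# Role-based access: which actions each role may perform at all (constructed).
ROLE_ACTIONS = {
    "physician": {"view", "update"},
    "nurse": {"view"},
    "billing": {"view_billing"},
    "legal": {"view", "export"},
}

# Users who have left, with their departure date (constructed). Their accounts
# and assignments should have been removed from that date on.
LEAVERS = {"nurse_ruiz": datetime(2024, 3, 1)}

# Constructed access-log entries: who accessed which record, when, and how.
SAMPLE_LOG = [
    Access(datetime(2024, 2, 10, 9, 5), "dr_lopez", "physician", "P-1001", "view"),
    Access(datetime(2024, 2, 10, 9, 30), "dr_lopez", "physician", "P-1003", "view"),
    Access(datetime(2024, 2, 11, 14, 0), "billing_ana", "billing", "P-1002", "view"),
    Access(datetime(2024, 3, 5, 8, 0), "nurse_ruiz", "nurse", "P-1002", "view"),
    Access(datetime(2024, 2, 12, 10, 0), "legal_marta", "legal", "P-1003", "export"),
]


def review_access(log, assignments=ASSIGNMENTS, role_actions=ROLE_ACTIONS, leavers=LEAVERS):
    """Return (access, reasons) pairs for every log entry lacking a justification."""
    findings = []
    for a in log:
        reasons = []
        # Departure check: any access on or after the leaving date is suspect.
        if a.user in leavers and a.ts >= leavers[a.user]:
            reasons.append("access after departure date")
        # Role check: the action itself must be allowed for the user's role.
        if a.action not in role_actions.get(a.role, set()):
            reasons.append(f"action '{a.action}' not permitted for role '{a.role}'")
        # Function check: the user must be assigned to this patient for care,
        # administration or a legal duty. A valid login alone is not enough.
        if (a.user, a.patient) not in assignments:
            reasons.append("no care/administrative/legal assignment to patient")
        if reasons:
            findings.append((a, reasons))
    return findings


def stale_permissions(assignments=ASSIGNMENTS, leavers=LEAVERS, as_of=None):
    """Assignments still held by users whose departure date has passed (for a permission review)."""
    as_of = as_of or datetime.now()
    return {pair for pair in assignments if pair[0] in leavers and leavers[pair[0]] <= as_of}


if __name__ == "__main__":
    for access, reasons in review_access(SAMPLE_LOG):
        print(f"{access.ts:%Y-%m-%d %H:%M} {access.user} -> {access.patient}: {'; '.join(reasons)}")
    print("assignments to revoke:", sorted(stale_permissions(as_of=datetime(2024, 3, 2))))
```

In practice the assignment table comes from the scheduling, admissions or case-management system rather than from a hand-written dictionary, and the review runs on a schedule so that each flagged access is followed up by the incident procedure described later in the article.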
What to do after unauthorised access
The organisation should investigate, preserve evidence, limit the impact, document the incident and assess whether a personal data breach must be notified. Where health data is involved, the risk assessment must be especially careful.
It is also important to review whether technology providers or clinical management suppliers are properly documented. In some cases, the data processing agreement and related security measures should be updated.
Conclusion
Access to medical records must be justified, recorded and limited. For clinics and healthcare providers, permission reviews and access traceability are not paperwork: they are essential safeguards for patient trust and GDPR compliance.
