PROCEDURE FOR THE DISCLOSURE OF MEDICAL RECORDS

§1. Legal Basis

This procedure has been developed based on:

Articles 23–30 of the Act of 6 November 2008 on Patient Rights and the Ombudsman for Patient Rights,
Article 9(2)(h) of the GDPR,
Article 15 of the GDPR,
The Regulation of the Minister of Health on the types, scope, and templates of medical documentation.

§2. Scope of the Procedure

This procedure defines the rules, mode, and forms of providing access to medical documentation maintained by One and Only Clinic.
The procedure applies to all personnel of the Data Controller.

§3. Persons Authorized to Access

Medical documentation may be made available to:
- the patient,
- the patient’s legal representative,
- a person authorized by the patient,
- entities authorized under applicable law.
Authorization must be in written or electronic form and attached to the documentation.

§4. Forms of Access to Documentation

Medical documentation may be made available:

in electronic form.
for review on-site,
by issuing extracts, copies, or duplicates,
by releasing the original document upon receipt (if permitted by law),

§5. Application Procedure

Access to documentation is granted upon request.
A request may be submitted:
- in person,
- in writing,
- electronically.
The Controller verifies the identity of the person submitting the request.

§6. Timeframes for Providing Access

Documentation is made available without undue delay.
In the case of electronic documentation – no later than within 30 days.

§7. Fees

Access to documentation for on-site review is free of charge.
Fees for preparing copies may be charged only within the limits permitted by law.

§8. Security Rules

Documentation is provided in a manner that ensures confidentiality of data.
Every instance of access is recorded.
Personnel are bound by medical confidentiality.

§9. Final Provisions

This procedure is effective from the date of publication and constitutes an integral part of the Controller’s GDPR documentation.