Hospitals are sometimes confronted with healthcare providers who, out of curiosity, access patients' electronic patient records (EPR) without any therapeutic need. When this happens, the individual healthcare provider exceeds the authority granted to them and generally acts as the data controller for the unlawful processing itself. Yet the hospital as an institution does not go scot-free: the Data Protection Authority (DPA) rules that hospitals can be sanctioned if their internal access controls and structural security measures prove insufficient to effectively prevent such privacy breaches.
The facts
In a notable case, the Litigation Chamber of the Belgian Data Protection Authority considered a complaint against a hospital (decision 209/2025). An independent physical therapist, affiliated with the hospital in question, had accessed the results of a former patient's NIPT test through the computer system without authorization. Her purpose was mere curiosity to discover the sex of the patient's unborn baby.
After the patient discovered through her formal right of access that this employee had viewed her file, the hospital took immediate action by terminating the cooperation agreement with the physical therapist for cause. However, the child's parents did not stop there and filed a complaint with the DPA against the hospital, judging that the hospital had failed to adequately secure personal data.
The decision
The DPA's Litigation Chamber had to answer two key questions: who bears responsibility for this data breach and did the hospital fulfill its duty to protect patient data?
First, the DPA surprisingly ruled that the physical therapist was acting as a separate controller for the unauthorized consultation. Because there was no longer a therapeutic relationship that could justify an inspection of a NIPT test, she had unlawfully exceeded her authority.
Second, however, the DPA ruled that the hospital remains fully the data controller for the overall management and security of the Electronic Patient Record (EPR). In its defense, the hospital argued that its third-party software vendor did not allow fine-grained management of access rights, which by default gave all paramedics full access to all records. The DPA formally rejected this argument: a data controller may not hide behind its processor (the software vendor) and is obliged to choose a party that provides adequate safeguards (Article 28 GDPR). Because the hospital environment had implemented insufficient preventive measures and control mechanisms, the hospital violated Articles 5.1.f, 5.2, 24 and 32 of the GDPR, among others, and received a formal reprimand.
Legal analysis and interpretation
This decision contains legal insights, first, regarding the status of “data subject” within the meaning of the General Data Protection Regulation (GDPR). The DPA expressly attributed a litigation interest to the unborn child (who was now born alive and viable at the time of the complaint). By coupling a teleological interpretation of the DPA with the private law adage infans conceptus pro nato habetur quoties de commodis eius agitur, the DPA ruled that medical and genetic records of the unborn child enjoy autonomous protection, separate from the mother's own right.
Moreover, the ruling provides a clear warning about the level of data security in healthcare facilities. The DPA emphasizes that mere organizational measures - such as contractual agreements, IT charters, internal circulars and severe retrospective sanctions - fall short when it comes to processing large-scale, particularly sensitive health data. Healthcare institutions are urged to implement robust technical access controls. In doing so, the regulator explicitly refers to the Role-Based Access Control (RBAC) principle, inspired by the access matrix of the eHealth network. The principle is clear: need-to-know. Finally, merely storing logs is not enough; the absence of structural, random checks on these logs undermines the efficacy of the security measure, the regulator said.
What this specifically means
- For hospitals and healthcare facilities:
  It is important to audit access rights to your EPR systems. You need to ensure that healthcare providers can only access those specific data types that are necessary for their function.
  Merely logging accesses is insufficient; the implementation of random, proactive checks of these logs is indispensable to detect unauthorized accesses.
- For healthcare providers (physicians, nurses, paramedics):
  You may review a patient's file only when a current and defensible therapeutic relationship exists.
  If you do look into a file out of personal curiosity, you not only risk severe labor law sanctions such as dismissal for cause, but you are also personally liable as a data controller for the privacy violation.
- For patients:
  If you suspect that someone has illegally accessed medical information about you, you can request a log extract from the hospital through your right of access to find out who accessed your record and at what time.
  If unauthorized access is found, you may take legal action, including filing a formal complaint.
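The two controls the regulator asks of hospitals, a need-to-know access matrix and proactive checks of the access log, can be made concrete in a few dozen lines. The following is an added illustration, not code from the decision, the hospital or any EPR vendor: it assumes a simple role-to-category matrix (the role names and categories are constructed, not the eHealth access matrix itself), a register of therapeutic relationships with start and end dates, and a constructed access log. An access is permitted only when both the role may see the category and a relationship with that patient is active on that date; the audit replays the policy over the log and reports every entry it would have denied, and a random sample supports the manual spot checks the DPA expects.

```python
"""Added example (not part of the original article): need-to-know access
checks for an electronic patient record (EPR) plus a retrospective audit of
the access log. All roles, categories, names and log entries below are
constructed for illustration."""
import random
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed need-to-know matrix: role -> record categories it may read.
# A physical therapist does not need genetic or lab results.
ROLE_PERMISSIONS = {
    "physician": {"demographics", "lab", "genetics", "imaging", "physio_notes"},
    "nurse": {"demographics", "lab", "medication"},
    "physical_therapist": {"demographics", "physio_notes"},
}


@dataclass(frozen=True)
class Relationship:
    provider: str
    patient: str
    start: date
    end: Optional[date]  # None means the relationship is still active


@dataclass(frozen=True)
class AccessEvent:
    when: date
    provider: str
    role: str
    patient: str
    category: str


def has_active_relationship(rels, provider, patient, when) -> bool:
    """True if a therapeutic relationship between provider and patient covers the date."""
    return any(
        r.provider == provider and r.patient == patient
        and r.start <= when and (r.end is None or when <= r.end)
        for r in rels
    )


def authorize(event: AccessEvent, rels) -> Optional[str]:
    """Return None if the access is permitted, otherwise the reason to deny.
    Both conditions must hold: the role may read the category, and a
    therapeutic relationship with this patient is active on that day."""
    if event.category not in ROLE_PERMISSIONS.get(event.role, set()):
        return "category not permitted for role"
    if not has_active_relationship(rels, event.provider, event.patient, event.when):
        return "no active therapeutic relationship"
    return None


def audit(events, rels) -> List[Tuple[AccessEvent, str]]:
    """Replay the policy over the access log; return every denied event with its reason."""
    findings = []
    for e in events:
        reason = authorize(e, rels)
        if reason is not None:
            findings.append((e, reason))
    return findings


def sample_for_review(events, n: int, seed: Optional[int] = None):
    """Random sample of log entries for proactive manual spot checks."""
    rng = random.Random(seed)
    return rng.sample(list(events), min(n, len(events)))


# Constructed register: the therapist treated patient P-100 until 31 March 2024;
# the physician's relationship is still open.
RELATIONSHIPS = [
    Relationship("pt_01", "P-100", date(2024, 1, 10), date(2024, 3, 31)),
    Relationship("dr_02", "P-100", date(2024, 1, 1), None),
]

# Constructed access log (chronological).
EVENTS = [
    AccessEvent(date(2024, 2, 15), "pt_01", "physical_therapist", "P-100", "physio_notes"),
    AccessEvent(date(2024, 6, 2), "pt_01", "physical_therapist", "P-100", "genetics"),
    AccessEvent(date(2024, 6, 2), "pt_01", "physical_therapist", "P-100", "physio_notes"),
    AccessEvent(date(2024, 6, 2), "dr_02", "physician", "P-100", "genetics"),
]

if __name__ == "__main__":
    for event, reason in audit(EVENTS, RELATIONSHIPS):
        print(f"{event.when} {event.provider} -> {event.patient}/{event.category}: {reason}")
    print("sampled for review:", len(sample_for_review(EVENTS, 2, seed=1)))
```

Note the ordering of the two checks: the category rule fires first, so a paramedic reading a genetics result is reported as a role problem even when a relationship is still active, which is the structural gap the hospital in the case could not close with its vendor's defaults. The relationship check then catches the second pattern, a provider reading a permitted category for a patient they no longer treat.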
Frequently asked questions (FAQ)
Can a paramedic (such as a physical therapist) see my complete patient record?
No, that is not allowed in principle. Access to a patient record must be strictly limited to the information that the specific provider absolutely needs to provide quality care. For example, a physical therapist does not need access to complex lab results such as a genetic NIPT test.
What can I do if someone snooped on my medical records without permission?
In the first instance, you can request from the hospital a list of all accesses to your medical records in a given period, in accordance with your GDPR rights. If this shows that someone viewed your data without a valid reason, you can file a complaint with the Data Protection Authority and seek damages in the competent civil court.
Does an unborn child enjoy data protection under European regulations?
Yes. The Data Protection Authority has confirmed that the medical and genetic data of an unborn child, provided it is later born alive and viable, are considered independent personal data that enjoy protection under the GDPR, independent of the mother's rights.
Conclusion
The security of electronic patient records is not a casual matter, but requires conclusive technical guarantees and active control mechanisms. Both medical professionals who exceed their authority and healthcare institutions that fall short in their data security expose themselves to legal and financial consequences in Belgium.