The SIC sanctions SOS EPS for disclosing the medical records of an HIV patient without authorization.

The Office for the Protection of Personal Data of the Superintendency of Industry and Commerce (SIC) confirmed, in a statement, the sanction imposed on the health promotion entity Servicio Occidental de Salud SA (SOS EPS) for violating the personal data protection regime.

The decision confirmed that SOS EPS breached the obligations established in Law 1581 of 2012 by disclosing, without legal justification or prior informed authorization, a patient's complete medical history, including highly sensitive information such as his positive diagnosis for the human immunodeficiency virus (HIV).
"This information was sent by SOS EPS to four executives of the patient's employer as part of a process to determine the occupational origin of a musculoskeletal condition, in which there was no need or relevance to sharing data about his serological status," the document explains.
The entity concluded that this conduct constituted a direct and serious violation of the fundamental rights to privacy, habeas data, and non-discrimination, by exposing the data subject to situations of vulnerability and impacts on his work environment, such as unjustified changes of area and the need for psychological care after his diagnosis was revealed.
In its decision, the SIC also rejected the EPS's argument that no specific harm was evident and that there was no proof of damage, and emphasized that the guarantee of the right to protection of personal data is activated not only in the event of actual damage, but also when there is a risk or danger that the rights and interests protected by law will be affected.

Medical records are a systematic collection of sensitive personal data whose processing is subject to strict rules of restricted circulation and confidentiality. Disclosure of all or part of the information contained therein, without legal justification or authorization from the data subject, violates the patient's fundamental rights and disregards the principles of necessity and purpose, as well as the general rule of restricted access and circulation of sensitive data.
With this decision, the SIC reiterates that:
- Sensitive data, such as health data, enjoy special constitutional and legal protection.
- The provision of personal data to third parties is legitimate only when it serves a specific, necessary, and legally protected purpose or is made with the data subject's authorization.
- Data controllers must implement effective, not just formal, measures to ensure the comprehensive protection of data subjects.
