Amendment to the Regulation on Personal Health Data Published.

The Regulation Amending the Regulation on Personal Health Data (the “Amending Regulation”) was published in the Official Gazette dated December 3, 2025, and entered into force. The Amending Regulation introduces significant changes to the Regulation on Personal Health Data (the "Regulation"), which governs the activities of private law real and legal persons and public law legal entities processing personal health data, specifically concerning the processes and applications carried out by the Ministry of Health.

The main provisions introduced by the Amending Regulation are set forth below.

Scope, Definitions, and Legal Basis

• The phrase "affiliated and related institutions" in the first paragraph of Article 1 of the Regulation has been replaced with "institutions affiliated with and related to the Ministry of Health," thereby clarifying the scope of the Regulation.

• 
  

• The fundamental articles of the Basic Law on Health Services, on which the Regulation is based, have been clarified, and the relevant Presidential Decree has been amended to rely on Articles 352, 358, and 508 of the Presidential Decree No. 1 on the Presidential Organization. Furthermore, the Law on the Protection of Personal Data ("LPPD") has been added to the legal basis of the Regulation.

  
  

• The definition of 'Caregiver' has been added to the Regulation, regulating the legal personalities of the child's parent or guardian, or real or legal persons authorized to be responsible for their care and supervision.

  
  

• The phrase "required for the provision of health services" in the third paragraph of Article 5 of the Regulation has been amended to "stipulated by the processing conditions contained in the third paragraph of Article 6 of the Law," thus ensuring compliance with the regime stipulated in the LPPD regarding the processing conditions for special categories of personal data concerning the processing conditions of personal health data.

  
  

Authority to Access Health Data, Confidentiality Conditions, and E-Nabız Security Settings

• The Amending Regulation has re-regulated the authority and duration of healthcare personnel's access to patient data in a manner that ensures the continuity of healthcare services and the integrity of treatment. Strict time limitations, such as 'appointment day' or 'twenty-four hours' found in the previous regulation, have been removed and replaced with a more comprehensive approach based on the treatment process. According to the new regulation, physicians in the healthcare institution where the person applies for health services will be able to access the patient's data until all procedures related to consultation, control examination, and treatment are completed.

  
  

• A special provision has been introduced for emergency room services, making it possible for all physicians employed at that health facility to access the data of patients admitted through the emergency room until the patient is discharged.

  
  

• While continuing to base access on the confidentiality preferences and security settings set by individuals through the e-Nabız system, significant exceptions to the application of these preferences have been introduced in cases of medical necessity. While access to the information of a patient who normally conceals their past data was only possible by sharing a verification code sent to the patient's phone with the physician, with the amendment, e-Nabız confidentiality settings will be deactivated in cases where the patient is hospitalized or admitted through the emergency room. In such vital emergency situations, physicians are enabled to access the data without the need for any code approval.

  
  

• In situations such as detention and conviction, where the person's phone, and thus the code, cannot be reached, physicians are enabled to access the health data without requiring code approval, limited to the duration of the treatment process, for the purpose of protecting the health rights of these individuals.

  
  

• It has been regulated that the Ministry of Health units may use their authority to access personal health data in compliance with the circumstances for processing special categories of personal data enumerated restrictively in the LPPD.

Access to Children's Health Data

• The Amending Regulation stipulates that the party to whom the right of custody is provisionally granted during divorce proceedings may access the child's health data.

  
  

• After the divorce, only the party to whom the right of custody is granted may access the child's health data. The party not granted custody may only access data from which inferences regarding the child's health can be made, provided that the data is stripped of information such as location, address, or communication details pertaining to the child and the custodial parent, following a successful application to the General Directorate of Health Information Systems.

  
  

  
  

Access to Health Data of Persons with Disabilities

• In line with the definition of 'Caregiver' added to the Regulation and mentioned above, a provision has been introduced stating that the health data of persons with a disability report can also be accessed by their caregivers.

Requirement for Special Authorization in Powers of Attorney for Access to Health Data

The Amending Regulation also introduces a significant change for attorneys. Accordingly, Article 10 of the Regulation titled 'Attorneys' access to health data' has been repealed.

In the previous regulation, attorneys could not request their clients' health data with a general power of attorney, and a special provision indicating the client's explicit consent to the processing and transfer of special categories of personal data was required in powers of attorney issued for the transfer of clients' health data to the attorney. With the repeal of the article, the processing of personal health data by attorneys has been subject to general provisions, aiming to ensure compliance with the amendments made to the LPPD.

Previously, the Istanbul Bar Association had filed a lawsuit before the Council of State seeking the annulment of the regulation that required special authorization in the power of attorney for attorneys to access health data. However, this lawsuit was rejected by the 10th Chamber of the Council of State on November 7, 2023, with the decision numbered E. 2019/9732 K. 2023/6565.

In the case, the Istanbul Bar Association argued that attorneys should be able to access their clients' health data with a general power of attorney, that the requirement for a 'special provision in the power of attorney' stipulated in the Regulation was contrary to the Attorneys' Act, that public institutions were obligated to assist attorneys in the performance of their duties pursuant to the Attorneys' Act, and that the Code of Civil Procedure enumerated the cases requiring a special power of attorney, and obtaining patient records was not among them. The Ministry of Health argued that, under the LPPD, health data is classified as "special categories of personal data" and can only be processed with explicit consent.

The 10th Chamber of the Council of State ruled that the LPPD is a special and priority law concerning the protection of personal health data, that a general power of attorney cannot be deemed sufficient due to the sensitivity of this data, and that the requirement for a special provision in the power of attorney indicating the client's explicit consent was in compliance with superior legal norms, thus rejecting the case.

Conclusion

As a result, significant amendments covering various matters have been introduced with the Amending Regulation, aiming to ensure compliance between the Regulation and the LPPD. Various stakeholders, primarily private law real and legal persons and public law legal entities processing personal health data, are required to comply with the provisions that have entered into force with the Amending Regulation.