Amendments to the Regulation on Personal Health Data

The Regulation Amending the Regulation on Personal Health Data (Amendment Regulation) entered into force upon its publication in the Official Gazette dated December 3, 2025, and numbered 33096. The Amendment Regulation introduces important changes in areas such as the processing of health data, access conditions, and personal data security. In this context, notable amendments have been made to the provisions of the Regulation on Personal Health Data (Regulation), particularly regarding caregivers' access authorizations, e-Nabız security settings, and the periods of access to health data.

The key points are summarized below:

• The provision requiring a specific authorization in the power of attorney for attorneys to access their clients’ health data has been repealed.
• In the processing of health data, an explicit reference has been made to the conditions for processing special categories of personal data set out under Article 6/3 of the Personal Data Protection Law No. 6698 (PDPL). Physicians’ access authorizations have been restricted in line with this provision.
• The access process to personal health data has been restructured through the e-Nabız system. Individuals will determine their security settings regarding access preferences via e-Nabız. Health data that is restricted from access due to the individual’s security settings may be made accessible through the sharing of a verification code sent to the individual’s mobile phone with the physician.
• In cases where detention or imprisonment prevents access to the verification code, access to health data may be granted without applying the security settings, if it remains limited to the conditions for processing special categories of personal data set out under Article 6/3 of the PDPL.
• Physicians’ access authorizations to health data have been restricted to procedures and periods directly related to the provision of healthcare services; however, in emergency departments, it has been regulated that all physicians on duty may be granted access under certain conditions.
• The retention period for the health data of a deceased one has been extended from 20 years to 30 years.
• Within the scope of the regulations concerning custody, the parties authorized to access the child’s health data during and after divorce proceedings have been determined. Accordingly, once the divorce case is finalized, the parent without custody is required to file an application with the General Directorate of Health Information Systems to access the child’s health data.
• It has been stipulated that caregivers may access the health data of individuals who hold a disability report. At the same time, the term “caregiver” has been defined for the first time as the parent, guardian, or the person responsible for the care of the child.