Nov

16

Key Points in the Minister of Health Regulation (PMK) No. 24 of 2022 on Medical Records in Indonesia

On 31 August 2022, the Ministry of Health of Indonesia issued the Minister of Health Regulation No. 24 of 2022 on Medical Records (“PMK 24/2022”). The PMK 24/2022 is a regulatory framework that functions as the implementation of the health technology transformation in Indonesia, which is Indonesia's sixth pillar of Health Transformation. The PMK 24/2022 has replaced the PMK No. 269 of 2008 on Medical Records. The main issues in the PMK 24/2022 are data storage and transfer, which are also subject to Law No.27 of 2022 concerning Privacy Data Protection (“PDP Law”). Prior to the PDP Law, there was no protection for data privacy under the law in Indonesia. The PDP Law will affect every business sector, including healthcare, which is reflected by the issuance of PMK 24/2022. Regulations in Indonesia continue to develop to provide ease of doing business, as well as to protect the public interest.

Article 3 (1) of PMK 24/2022 mandates the use of Medical Electronic Records (MER) in all types of healthcare facilities. This means that patients’ health data and their medical history recording system must be kept electronically with a backup system. Furthermore, Article 45 of the PMK 24/2022 stipulates that the transition process deadline to implement the digitization nationwide is 31 December 2023.

According to Article 8 of the PMK 24/2022, the patients' electronic medical records are facilitated by the Ministry of Health' electronic system and integrated platform, in this case the SATUSEHAT platform, which then can be accessed with the COVID-19 mobile contact-tracing application, PeduliLindungi.

Based on Article 25 (1) of PMK 24/2022, the contents of the medical records are owned by the healthcare facilities, but Article 26 of the PMK 24/2022 states that all contents of medical records are owned by the patients, and with their permission, the content can be delivered to other parties with secrecy guaranteed, and parties with access to the data are required to maintain the medical record’s secrecy. With regards to transferring medical data, Article 55 paragraph (1) of the PDP Law states that the personal data controller may transfer personal data to other personal data controllers in the jurisdiction of Indonesia. However, those transferring personal data and those who receive personal data transfers are required to protect the personal data as stipulated in the PDP Law.

According to Article 35 and 36 of the PMK 24/2022, in certain events and for certain needs, access to the patients' electronic medical records can be done without the patients' permission and without revealing their identity, but with the Ministry of Health's approval, in accordance with laws and regulations. In the event of needing to fulfill a court order, the minister's approval is not needed.

Regarding data storage, Article 39 of the PMK 24/2022 states that the patients' electronic medical records will be stored in the system for at least 25 years after their last health checkup. And after it expires, the data will either be erased or continue to be used.

According to Article 42 of the PMK, the healthcare facilities that are not in compliance with the implementation of the Electronic Medical Records can be sanctioned by the Minister of Health through the Director General. The sanctions can be in the form of a written warning and/or a revocation recommendation or accreditation status revocation.

How Schinder Can Help

Schinder Law Firm is a leading corporate law firm in Indonesia, practicing commercial dispute and general corporate matters, which covers PDP Law compliance services. Our team of corporate lawyers and dispute lawyers have forged a reputation for assisting various clients across the globe. Moreover, our Privacy, Data Protection and Cybersecurity practice group is a pioneer in providing data privacy law services in Indonesia. As Indonesian business lawyers, we have extensive experience providing daily legal services in commercial contract law and and regulatory compliance. If you have inquiries related to PMK No. 24/2022 compliance, please feel free to send us a message at info@schinderlawfirm.com for further consultation.

Author: Budhi Satya Makmur

Let Us Be Your Guide.
Our thorough understanding of local culture
ensures that your business will be in compliance
with all laws and regulations and receive
a warm welcome in the community.

Dear valued Visitor,

Data is a valuable currency in this new world. In the midst of digital transformation, the Indonesian government has taken the final decision to pass the Pelindungan Data Pribadi (PDP) Bill by September 2022. The PDP Law applies to all businesses established in Indonesia and puts the consumer in control. The task of complying with this regulation falls upon businesses.

The PDP Law affects a variety of business operations, including how your sales team prospect and how marketing initiatives are managed. Businesses have had to reassess their business procedures, applications, and forms. Additionally, all businesses that work with personal data should designate a Data Protection Officer (DPO) or data controller to oversee PDP compliance.

In line with this spirit, it gives us great pleasure to announce and share with all our esteemed clients and business associates that Schinder Law Firm is prepared to assist your company to understand the impacts of the Personal Data Protection Law (PDPL) and take the required measures to comply with the law. Our Privacy, Data Protection, and Cybersecurity practice group is a pioneer in providing data privacy law services in Indonesia. Personal data protection services include but are not limited to:

  • Assessing the existing systems, processes, and controls, etc.
  • Providing provide gap assessment on the existing systems, processes, and controls, etc.
  • Developing and ensuring contracts and agreements comply with the PDP Law
  • Developing policies, best practices, and procedures
  • Advising on the security of personal data and managing data breaches
  • Acting as the Data Protection Officer (DPO) and advising upon the appointment, role, and responsibilities of a data protection officer
  • Advising on cross-border transfers of personal data
  • Carrying out data protection impact assessments and data protection audits
  • Recommending other necessary corrective actions in order to comply with the PDP Law
  • Training on the PDP Law tailored to clients’ businesses

We look forward to many more opportunities in the year ahead with your continued support and trust. For consultation, please send us a WhatsApp or Email.

Warmest regards,
Naz Schinder
Managing Partner

Keep Up with the New Law in Indonesia: Personal Data Protection

  • Assessing the existing systems, processes and controls, etc.
  • Providing provide gap assessment on the existing systems, processes and controls, etc.
  • Developing and ensuring contracts and agreements comply with the PDPL.
  • Developing policies, best practices and procedures.
  • Advising on security of personal data and managing data breaches.
  • Acting as the Data Protection Officer (DPO) and advising upon the appointment, role and responsibilities of a data protection officer.
  • Advising on cross-border transfers of personal data.
  • Carrying out data protection impact assessments and data protection audits.
  • Recommending other necessary corrective actions in order to comply with the PDPL.
  • Training on the PDPL tailored to clients’ businesses.
Privacy, Data Protection and Cyber Security
We help our clients to understand the impact of the Personal Data Protection Law (PDPL) on their companies and take the required measures to comply with the law.