Patient Rights
What patients can do with their data — access, correct, delete, export, and control who sees it.
Overview
Patients are not passive users of the platform. Under GDPR (and HIPAA for US patients), they have enforceable legal rights over their personal data. The platform is built to honor these rights as part of its normal operation — not as an exception process.
Rights and How They Work
Right to access
"Show me all the data you have about me."
Patients can export all their data as a structured file through the platform. This includes their profile, appointment history, form responses, consent records, and treatment plan data.
Right to rectification
"My data is wrong — fix it."
Patients can update their own profile data directly. For clinical records, they can request corrections through clinic staff. All changes — whether made by the patient or by staff — are recorded in the audit trail.
Right to erasure
"Delete my data."
When a patient requests erasure:
- Their personal data is anonymized — all identifying information is removed.
- Medical records are anonymized rather than fully deleted, because Romanian and EU law require minimum retention periods for healthcare records. GDPR explicitly allows this under Article 17(3)(c).
- The anonymization is irreversible — once done, the patient cannot be re-identified from the remaining data.
- The audit trail records that erasure was performed, when, and by whom.
Right to be informed
"Tell me what you're collecting and why."
Each clinic presents its privacy policy during onboarding as a blocking consent form. The policy must explain what data is collected, for what purpose, how long it's kept, and the patient's rights. Consent is recorded with a timestamp, method, and the exact policy version that was presented.
Right to restrict processing
"Stop using my data for this purpose."
Consent can be withdrawn per purpose:
- Marketing communications
- Analytics
- SMS reminders
- Profile sharing with a specific clinic
Withdrawal takes effect immediately and is recorded in the audit trail. Withdrawing profile-sharing consent with a clinic means that clinic can no longer see the patient's full profile — only their name.
Right to data portability
"Give me my data in a format I can take elsewhere."
The data export produces a structured, machine-readable format that the patient can provide to another healthcare provider or platform.
Consent is Per-Clinic
A critical aspect of patient rights on the platform: consent given at one clinic does not extend to another. Each clinic relationship is fully independent.
How it works in practice
1. First visit — patient books at Clinic A
The patient creates an account and gets a portable profile — their basic identity and health facts (name, date of birth, blood type, allergies, insurance). This profile belongs to the patient, not to any clinic.
At the same time, the platform registers that this person is now a patient at Clinic A. But Clinic A can't see the full profile yet — only the patient's name, which is the minimum needed for scheduling.
Clinic A then presents its consent forms: privacy policy, profile sharing consent, and any activity-specific consents. These are blocking — the patient must sign before proceeding. Once the profile sharing consent is signed, Clinic A's staff can see the full portable profile.
All consent is recorded under Clinic A specifically.
2. Later — same patient books at Clinic B
The platform recognizes the patient already has an account and reuses the same portable profile. But from Clinic B's perspective, this is a brand new patient relationship.
Clinic B presents its own consent forms — under Clinic B's branding and privacy policy. The patient must consent again, independently. Until they do, Clinic B staff can only see the patient's name, just like Clinic A before consent was given.
3. What each clinic can see
| Data | Visible to the other clinic? |
|---|---|
| Patient name | Always — minimum needed for scheduling |
| Portable profile (date of birth, allergies, blood type, insurance) | Only after that clinic's own profile sharing consent is signed |
| The other clinic's appointments, forms, reports, prescriptions | Never — clinical records are completely isolated between clinics |
| The other clinic's consent records | Never — consent is recorded per clinic |
This means a patient can share their profile with Clinic A but not Clinic B, or withdraw consent from one clinic without affecting the other.
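The per-clinic gating described above (registration grants a clinic only the name, the portable profile opens only after that clinic's own profile-sharing consent, clinical records never cross clinics, withdrawal takes effect immediately) and the anonymize-rather-than-delete rule from the Right to erasure section, modelled as an added Python example that is not the platform's own code. The `Patient` class, the purpose name `profile_sharing`, the `visible_to` function and every sample value are assumptions constructed for this illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample profile; every value below is made up for this example.
SAMPLE_PROFILE = {"name": "Ana P.", "date_of_birth": "1985-04-12",
                  "blood_type": "A+", "allergies": ["penicillin"],
                  "insurance": "INSURANCE-ID-PLACEHOLDER"}

def _now() -> str:
    return datetime.now(timezone.utc).isoformat()

@dataclass
class Patient:
    profile: dict                                   # portable profile, owned by the patient
    consents: dict = field(default_factory=dict)    # clinic -> {purpose: granted?}
    records: dict = field(default_factory=dict)     # clinic -> [its own clinical records]
    audit: list = field(default_factory=list)       # append-only audit trail

    def register_at(self, clinic: str) -> None:
        # Registering at a clinic grants it nothing beyond the patient's name.
        self.consents.setdefault(clinic, {})
        self.records.setdefault(clinic, [])

    def set_consent(self, clinic: str, purpose: str, granted: bool,
                    policy_version: str, method: str = "in_app") -> None:
        # Recorded under this clinic only; a withdrawal is effective immediately.
        self.consents.setdefault(clinic, {})[purpose] = granted
        self.audit.append({"ts": _now(), "clinic": clinic, "purpose": purpose,
                           "granted": granted, "policy_version": policy_version,
                           "method": method})

    def has_consent(self, clinic: str, purpose: str) -> bool:
        return self.consents.get(clinic, {}).get(purpose, False)

    def erase(self, actor: str) -> None:
        # Right to erasure: identifiers are removed; clinical records are kept for
        # the legal retention period but can no longer be linked to the person.
        self.profile = {"name": "[anonymized]"}
        self.audit.append({"ts": _now(), "event": "erasure", "by": actor})

def visible_to(patient: Patient, clinic: str) -> dict:
    """What staff at `clinic` may see, following the visibility table above."""
    if clinic not in patient.consents:
        raise PermissionError(f"{clinic} has no relationship with this patient")
    view = {"name": patient.profile["name"]}            # always: scheduling minimum
    if patient.has_consent(clinic, "profile_sharing"):  # this clinic's own consent only
        view.update(patient.profile)
    view["records"] = list(patient.records[clinic])     # never another clinic's records
    return view
```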
How Records Cross Clinics
They don't — by design.
If a patient wants Clinic B to see records from Clinic A, they do it the traditional healthcare way: export or download from Clinic A and provide it to Clinic B themselves.
The platform does not share records between clinics automatically. This is a deliberate design choice — automatically sharing records would classify the platform as a Health Information Exchange (HIE), which carries significantly heavier regulation under both HIPAA and GDPR.
Summary
| Right | What the Patient Does | What Happens |
|---|---|---|
| Access | Requests data export | Receives structured file with all their data |
| Rectification | Updates profile or requests correction | Data updated, change logged in audit trail |
| Erasure | Requests deletion | Data anonymized, medical records preserved without identifiers |
| Information | Reviews privacy policy | Presented during onboarding, consent recorded with policy version |
| Restriction | Withdraws specific consent | Processing stops for that purpose immediately |
| Portability | Requests portable export | Receives machine-readable data file |
For developers
Technical details — anonymization implementation, data export endpoints, consent tracking schema, and GDPR operation logging — are available in the GDPR Compliance reference.