Follow us :
General

Patient Data Security in Healthcare: KVKK and Türkiye's New Rules

Patient data security and KVKK compliance in healthcare — Xen Bilişim General

On 3 December 2025, an amendment to Türkiye’s Regulation on Personal Health Data (Kişisel Sağlık Verileri Hakkında Yönetmelik) was published in the Official Gazette, and it redraws who can reach a patient’s record, when, and for how long. At first glance it reads as an administrative tweak. In practice it is clear: a healthcare provider’s information system can no longer run on a “let everyone see every record” model. On access rights, logging and internal audit, the infrastructure at many clinics, private practices and labs simply was not built for this.

And this is not only about a regulatory clause. Patient data is both the most heavily protected category in law and the data attackers want most. The two have to be handled together.

KVKK is Türkiye’s data protection law (No. 6698), broadly aligned with the EU’s GDPR. VERBİS is the national data controllers’ registry, and e-Nabız is the Ministry of Health’s central patient record platform.

Why patient data is protected differently

Health data is treated as special-category personal data under Article 6 of Law No. 6698. This is the class of data whose processing is bound by the strictest legal conditions.

The amendment introduced by Law No. 7499, effective 1 June 2024, moved an important threshold. Previously, health and sexual-life data sat under a separate regime and could, as a rule, only be processed with explicit consent or by persons under a duty of confidentiality. The new text places all special-category data under the same set of conditions: within the exceptions listed in Article 6/3 — protection of public health, treatment and care services, planning of healthcare — it can be processed without explicit consent. The takeaway is that “we collected consent, we’re done” no longer holds. Which legal basis the processing rests on, who accessed the record, and whether that was logged now matter as much as consent itself.

What the December 2025 amendment changed

The Ministry of Health’s amendment tied access to concrete rules. Which clinician can reach the data, and for how long, is now defined:

RoleScope of access
Family physicianContinuous access to their registered patient’s data
Treating physicianUntil the health service is completed
Other physicians at the facilityOnly for the period care is provided
InpatientThe relevant team, until discharge
Emergency departmentEmergency physicians, until discharge

On e-Nabız, patients set access through their own security preferences; in emergencies and hospital admissions where medical delay creates risk, those settings can be overridden within the limits of Article 6/3. The retention period for a deceased person’s health records was also raised from 20 to 30 years.

The practical consequence is that healthcare providers must rebuild their authorization matrices, user profiles and access-logging systems around this new access structure. Logging that can answer “who opened which patient record, and when,” together with a mechanism that reviews those logs regularly, is now inseparable from compliance. Technical measures taken without a current risk analysis carry limited weight in an audit.

Why ransomware is a distinct problem in healthcare

Patient data is valuable on the black market and leverage for an attacker. When a scheduling and lab system is locked, the cost is not just the ransom; it is deferred treatment, halted workflows and reputational damage.

According to SophosState of Ransomware in Healthcare 2025, exploited vulnerabilities became the most common technical root cause of attacks on healthcare providers for the first time — the entry point in roughly a third of incidents was an unpatched flaw. In the same period, attacks that steal data without encrypting it and then extort tripled; your data can be stolen and turned into a disclosure threat even if nothing is encrypted. In IBM’s Cost of a Data Breach 2025, healthcare remains the most expensive sector by average cost per breach, as it has for 14 years.

The lesson is plain: relying on backups alone is not enough. Patching discipline, a defense that also covers data exfiltration, and monitoring that spots an attack early matter as much as the recovery plan.

A control framework for healthcare providers

The headings a provider aiming for both compliance and security should review:

  • Access authorization matrix: Does role-based access match the time limits in the regulation? Can everyone see every patient?
  • Logging and internal audit: Are record accesses logged, and are those logs reviewed regularly?
  • Backups: Is at least one copy immutable and offline? Has recovery been tested with a drill?
  • Patch management: Are internet-facing systems and medical-device software up to date?
  • Authentication: Is multi-factor authentication (MFA) enforced on the health information system and email?
  • Network segmentation: Are medical devices, guest Wi-Fi and the administrative network separated?
  • Processor agreements: Are there KVKK-compliant contracts with the health information system vendor, cloud and archiving providers?
  • Staff awareness: Is there regular training on phishing and social engineering?

If you need help mapping your organization’s current state across these headings into a clear picture and building a roadmap, get in touch — we assess the compliance and security sides together.

Frequently asked questions

We are a single-physician practice — do these obligations apply to us? Yes. The obligation comes from processing patient data, not from the size of the organization. The scope can be kept narrow, but you are not exempt; access control, logging and backups are baseline expectations.

Has explicit consent gone away entirely? No. Under the Article 6/3 exceptions such as treatment, care and public health, explicit consent may not be required. For processing outside those exceptions (e.g. marketing) consent is still needed. The right move is to document the legal basis for each processing activity.

Patient data already sits with the state in e-Nabız — what’s left for us? The transfer to e-Nabız is one thing; the records you hold in your own systems are another. As the data controller you are responsible for the security of appointments, clinical notes, imaging, lab and accounting records.

Our health information system is in the cloud — could our data be leaving Türkiye? Clarify where your cloud provider’s servers are, and if a cross-border transfer is involved, that it rests on a KVKK-compliant mechanism such as a standard contract. The provider agreement should state this explicitly.

What do we do if there is a breach? Once you become aware of a personal data breach you must notify the Board as soon as possible and no later than 72 hours, and inform the affected individuals. That is why monitoring that detects a breach and a ready incident-response plan are critical.

Sources

Share this post
Türkçe oku

Related Posts