Patient rights

Kanta Services operate on the basis of Kela's statutory obligations. Their operation observes both citizens' legal rights and the rights under the EU General Data Protection Regulation.

Kanta Services enable information to be processed reliably and securely.

You have the following rights regarding Kanta Services

These rights are described below in more detail.

Right to be informed

Patient information may be provided

  • verbally
  • in writing
  • via an electronic service. 

Practices vary between service providers. You can confirm information as received in My Kanta Pages.

Information about Patient Data Repository

Patients must be informed about Patient Data Repository at the time of the first treatment event. Patients must be told

  • the grounds on which information entered in Patient Data Repository may be disclosed
  • how the patient can control how their details are handled
  • other issues important to the patient. 

Information about the Common Register

The patient has the right to be informed about the Common Register. The Common Register is the communal aggregate of the patient records registers of all municipal healthcare service providers in the Healthcare District. 

Medical records from different operational units in the Common Register may be disclosed without the patient's consent after 

  • they have been informed about the Common Register, 
  • and when they have a treatment relationship with the healthcare unit requiring the information.

At the time of being informed, the patient must also be told of their right to refuse consent to having their information disclosed within the Common Register. 

Right to decide on disclosure of your information

Medical records stored in Patient Data Repository are available to the healthcare unit that has entered the information. Medical records stored in Patient Data Repository may only be used by healthcare employees who have access rights to the information in Patient Data Repository. 

The patient's consent is required when medical records are retrieved by one unit from another unit's patient register in Patient Data Repository.

The patient's records may be disclosed without a separate consent when the patient has been informed about the Common Register (see above) and when they have a treatment relationship with the unit requiring the information.

Consent and refusals of disclosure

A consent you have given is in force until further notice and covers 

  • all your medical records already in Patient Data Repository
  • also any of your medical records to be entered in it later. 

Before giving their consent, patients must be informed

  • about the information entered in Patient Data Repository and its use
  • as well as of the fact that the patient can set constraints on the disclosure of their information.

You can set limits on the coverage of your consent with refusals of disclosure. You can also set refusals even if you have not given your consent. 

You can define with refusals of disclosure which treatment details cannot be disclosed to other healthcare service providers. The information subject to refusals is available only to the service provider that entered it. 

In the public health service, you can set refusals of disclosure of medical records to cover either 

  • individual treatment visits or
  • all medical records created by a certain healthcare service provider under one refusal.

In the private health service, refusals can only cover individual treatment visits. 

However, when setting refusals, you can make a separate provision for consenting access to the information covered by refusals in an emergency. 

Information entered by a service provider is always available within the same provider, for example at different health centres of the same city, or different outpatient clinics of the same hospital.

Setting consents and refusals

You can set consents and refusals

  • most easily in My Kanta Pages under 'Suostumus ja kiellot'
  • or at a healthcare unit. 

Consents and refusals related to disclosure of medical records made at a healthcare unit must be issued in writing and always signed. Official forms are available from the healthcare services. 

Consents and refusals given may be cancelled at any time.

Right of access to your information and right to obtain log data

Under the EU General Data Protection Regulation, you have the right to obtain

  • access to your own information 
  • details of the information entered about you in different registers, so that you can ascertain that it is correct.

You also have the right to obtain log data, or know

  • what details about you have been entered in Kanta Services
  • who has handled your details
  • the parties to which your details have been disclosed.

You can request the information about you entered in Kanta Services or the log data concerning handling of such information from the data controller of the information in question. The function of data controller for each Kanta Service and the information entered in this service is defined in the legislation.

Right to demand amendment of incorrect information 

If you find errors or shortcomings in your prescription, patient or client records, you have the right to demand amendment of the incorrect information.

The incorrect record is amended in the social and healthcare service provider's unit or pharmacy where the entry was made. Service providers and pharmacies are always responsible for the content and correctness of the prescription, patient or client information they have entered.

Kanta Services are unable to amend the records. My Kanta Pages can only show information as it was entered into Kanta Services by the social or health services or pharmacy. You cannot amend your information in My Kanta Pages yourself either.

Deleting and transferring information 

So that Kela's statutory obligation can be fulfilled, the registered person has no right to

  • delete their information entered in Prescription Centre 
  • delete their information entered in Data Management Service
  • transfer their information from one system to another.

The details of an electronic prescription are kept for 22.5 years, after which they are destroyed.

The national legislation also determines how long information must be kept. It is not possible to delete records at the client's request (unless it is a case of incorrect information) or by appealing to the EU General Data Protection Regulation, but the records are destroyed after the statutory storage periods have ended. 

Further information

Last updated 28.01.2021