Privacy Policy

PRIVACY POLICY

PRIVACY AND DATA PROTECTION POLICY OF THE NATIONAL HEALTH INFORMATION SYSTEM

 

INTRODUCTION

The National Health Information System (NHIS) is an information infrastructure and platform of the Ministry of Health of the Republic of Bulgaria (MH), where information about the health status of the population is collected, processed, and stored through the creation and maintenance of an electronic health record for each citizen. The system includes the electronic health records of citizens and all registers, information databases, and systems that are maintained by the Ministry of Health and secondary budget administrators under the Minister of Health, by medical and health institutions, by the National Health Insurance Fund, and by insurance companies licensed under item 2 or items 1 and 2 of Section II, letter "A" of Appendix No. 1 to the Insurance Code. This privacy policy is designed to inform citizens as users of the system how the MH, as the administrator, collects and processes personal data when using the system and the "Mobile Health Record-eHealth" application (hereinafter referred to as "the mobile application" or "eHealth").

NHIS collects and processes health information about you within the meaning of Article 27, paragraph 1 of the Health Act. This includes your personal data related to your health status, physical and mental development, as well as any other information contained in medical prescriptions, prescriptions, protocols, certificates, and other medical documentation. NHIS does not collect or process health data that is not available in an existing medical document.

The purpose of this policy is to describe how NHIS collects, uses, and shares information about you through our online interfaces (NHIS Portal www.his.bg). The mobile application has a separate privacy and data protection policy, which you can review when accessing it. Please read this privacy and data protection policy carefully to understand what we do. If you do not understand any aspects of this policy, you can request clarifications at support@his.bg.

For the normal functioning of NHIS, in addition to your medical information, we also collect and process other personal data specified below in the section "What data we collect," including data related to account registration (your names and email), data from your access requests, information from usage surveys you participate in voluntarily, identification and verification (authentication) data, and information about the use of our application and services by each user.

We collect and process your personal data only for the purposes specified below in the section "Purposes of collecting and processing personal data," related to your quality and timely medical service, the normal functioning of NHIS, and the need to maintain a high level of information security in it, conducting surveys and research related to medical service, and restricting access to information for persons who do not have the right to access it.

In connection with the provided personal data, you have rights that you can exercise as described below in the section "Your Rights."

Each section of this policy contains information about us and how we collect, process, and store personal data.

If you register and use your access to NHIS, you agree to the collection and use of information in connection with this policy. The personal information we collect may also be used to improve your service. We will not share your personal data with anyone except as described in this policy.

NHIS operates as a separate functional subsystem "Mobile Health Record" - the mobile application "eHealth." This is an application program to ensure your access to your electronic health record personally and exclusively to you. The mobile application operates under a separate Data Protection Policy, which you can review when downloading and installing it. This policy does not apply to the mobile application.

ADMINISTRATOR

NHIS is owned by the Ministry of Health of the Republic of Bulgaria, which, in addition to being the administrator of the system, is also the administrator of the personal data contained in it (hereinafter referred to as "Administrator").

WHAT DATA WE COLLECT

This Policy covers the health data about you that we collect from medical and health institutions and the registers of the MH through system integration means, as well as data we use for your identification.

What is a medical institution?

According to the Medical- Treatment Facilities Act, medical treatment facilities are:

  1. Medical treatment facilities for outpatient care: out-patient offices for primary medical care (individual and group practices, including general practitioners), out-patient offices for specialised medical care, which can be: individual and group practices, including medical centres and medical anddental centres and diagnostic andconsultative centres (DCC); self-sufficientclinical -diagnostic and clinical technical laboratories; dental centers and outpatient offices for medical care;
  2. Medical treatment facilities for in-patient care;
  3. All transfusion haematology centres, mental health centres, skin and veneric disease centres, oncology centres, integrated care centres  for children with disabilities and chronic diseases, as well as homes for medico-social care for adults, hospices, dialysis centers, and tissue banks.

What is a health institution?

According to the Health Act, health institutions are national centres on public health issues; the National Expert Medical Commission (NEMC); health offices in kindergartens and schools; health offices in places for social and integrated health-social services for residential care for more than 20 users and in social services for providing shelter, as well as pharmacies and optics.

Categories of collected data

The MH, as the Administrator of NHIS, collects and processes the following categories of your personal data:

  • Personal data related to your physical identity, provided by medical/health institutions: full name; personal identification number (PIN), gender, permanent or current address, and for individuals - foreign citizens - personal number of a foreigner (PNF), if available, or date and place of birth, citizenship, and gender; as well as phone and/or email for contact (feedback). We also collect contact data for close persons - names, phone, when received in NHIS from a medical/health institution or when you provide, update, or change them through the health information web portal his.bg.
  • Personal data constituting health information. We store and process your health information only to the extent that it is legally obtained in NHIS from medical or health institutions on the grounds provided by law.

Your electronic health record consists of electronic health records, each containing a separate medical document or a group of related such documents issued by a medical or health institution. The structure of your electronic health record specifies the specific types of data about you that we collect and process. These are:

  1. Your identification data: names and PIN/PNF, and for foreign citizens without PNF - date of birth in the format applicable for PIN, or social security number, or identity document number; citizenship;
  2. Information about the newborn;
  3. Medical examinations, including information about your contacts with infectious patients;
  4. Issued medical referrals;
  5. Results of performed medical-diagnostic activities;
  6. Hospitalizations;
  7. Immunizations;
  8. Prescriptions (electronic prescriptions);
  9. Dispensary;
  10. Medical expertise of temporary incapacity for work, expertise of permanently reduced working capacity/type and degree of disability;
  11. Information about your expressed disagreement for donation, according to the Organ, Tissue, and Cell Transplantation Act and Ordinance No. 21 of 3.05.2007 on the circumstances and data entered in the registers of the Executive Agency "Medical Supervision," the procedure for entering and using the information (promulgated, SG No. 39 of 2007);
  12. Other data relevant to feedback with you: permanent and/or current address, residence status (for foreign citizens), phone and other means of contact, e.g., email;
  13. Data provided by you for contact with your close persons in case of need or emergency (names, phone, etc.);
  14. Date of death.

We receive all this data from medical and health institutions (defined above: What is a medical institution? and What is a health institution?), where you have received medical, health, or social services.

  • When accessing your electronic health record through the health information web portal his.bg, we may collect and analyze information about specific pages of the electronic health record that are visited, the order in which this happens, and the hyperlinks that were clicked, but without any connection to data individualizing the user. We collect information about the URLs from which users connect to NHIS. Collecting such information may include logging the IP address, operating system, and browser software used by each user of our site. Based on the IP address used, we may be able to determine the user's internet service provider and geolocate the corresponding connection point. We use or may use cookies and pixel markers (web-beacons) when you access the Application. More information about this can be found in the "Cookie Policy" section.

All personal data we process is visible to you when accessing your electronic health record. All other data we use and that is not visualized for you is anonymized.

Which data is anonymized?

Anonymized data is technically processed data with the aim of definitively and irreversibly eliminating the possibility of identifying the subject to whom it relates. The technical processing of data in the anonymization process ensures that your health information cannot be linked to you as an individual, with your name and PIN/PNF, or with your image. Furthermore, the applicable technologies in anonymization do not allow your personal data to be linked back to your health information at any subsequent moment.

General Information and Provided Data

Additionally, specific information that can be defined as personal data may also include your name, email address, IP address, and device identifier from which you access the system, along with other technical data. The accuracy and reliability of the personal information and personal data you provide to the system are your responsibility. Inaccurate information may affect your ability to use the system, the information you receive when using it, and our ability to contact you when necessary. The email address you provide as the primary means of communication with us must be kept up to date.

BASIC PROVISIONS

Your Access

Access to NHIS is provided through the health information web portal www.his.bg as a single entry point. No special software is required from your side, except for a standard internet browser through which you access web addresses on the network. Your access to electronic administrative services provided by NHIS can also be carried out through the Unified Portal for Access to Electronic Administrative Services under Article 12, paragraph 1 of the Electronic Governance Act, subject to the technical conditions specified there.

You have the right to personal free access to the electronic health records in your electronic health record and the right to familiarize yourself with all the health information in them. You can do this personally or through an authorized person. The power of attorney issued by you must be in simple written form, explicitly stating that you authorize the person to access your electronic health record. Your access is automated and through reports generated by NHIS.

The system provides the right of access to parents, guardians, and custodians to the electronic health record of their minor children or wards. After the person reaches the age of 18, the parents' access to their electronic health record is automatically terminated, except in the presence of a guardianship or custodianship document. Persons aged 14 and over have the right to independent access to their electronic health record, parallel to that of their parent or guardian.

The system also provides access to the electronic health record of your deceased relative if you are their heir or relative in a direct or collateral line up to the fourth degree inclusive. This access is obtained based on your application submitted online to the NHIS administrator and signed with a QES. Based on the application, the administrator will generate a password for access and send it to the email address you provided after conducting an official check of your kinship ties in the population register in the relevant cases.

Identification upon Access

Your access is provided after you identify yourself through your personal qualified electronic signature or through the means of electronic identification within the meaning of the Electronic Identification Act. If you are unable to apply these technologies, you can gain access through our mobile application "Mobile Health Record." The application only allows you to view your data.

Access for Official Purposes

The system does not allow third parties to access your health information, except in cases explicitly specified by law, to explicitly authorized persons, and only for official purposes. The ordinance defines the disclosure of your health data to these persons as "access for official purposes."

These are state authorities granted this right by law, medical and health institutions other than those where your medical documents were generated, emergency services, insurers, and other persons specified in a regulatory act.

What are official purposes?

Official purposes are all purposes related to the processes of your individual health and social care, your health insurance, and health insurance, as well as the purposes of justice and the protection of your rights. For the needs of medical science and statistics, only previously anonymized data is used, and your identity cannot be established by the data user.

In which cases can your health data be accessed for official purposes?

Your health information is created by issuing the relevant medical documentation in the medical or health institution where you receive medical or social care. These documents are entered into the system through system integration means or created directly in it online in electronic form by the relevant official providing you with health or social service at your request or with your consent. Further disclosure of your health data to third parties is not allowed, except by exception, in the cases explicitly provided for in Article 28 of the Health Act, namely:

  • When your treatment needs to continue in another medical institution.
  • When there is a threat to the health or life of other persons. In this case, you will be notified in advance.
  • When necessary for the identification of a human corpse or to establish the causes of death.
  • When necessary for the needs of state health control to prevent epidemics and the spread of infectious diseases.
  • When necessary for the needs of medical expertise and public insurance.
  • When necessary for the needs of the Ministry of Health, the National Center of Public Health and Analyses, NHIF, or regional health inspections.
  • When necessary for the needs of your health insurer, licensed under Section I of Appendix No. 1 or item 2 or items 1 and 2 of Section II, letter "A" of Appendix No. 1 to the Insurance Code.

When parts of your health information are needed for the needs of medical statistics or medical scientific research, all your data identifying you as an individual will be previously deleted (data anonymization process).

The use of your personal data for official purposes is not allowed when it is unnecessary or exceeds the needs of legitimate users. In all cases, third-party access is proportional to the functions they perform. A guarantee for this is the subsystem for registering and controlling access (system logs), which allows the identification of each user of your data at any time.

Your Consent for Access for Official Purposes

Access for official purposes by the persons listed above is provided only and solely based on your prior, explicit, and written consent. This consent must be given before access is provided and based on information previously presented to you about why it is necessary, how it is carried out, and to whom this access is provided.

You can also provide access to the electronic health records for your minor child or ward for whom you are a guardian or custodian. In this case, the consent must be given by you unless otherwise follows from the scope of guardianship specified in the act establishing it under the Family Code.

Your consent can be given in one of the following ways of your choice and depending on the available technical means:

  • By declaring and signing it through your qualified electronic signature (QES) in the health information web portal of the system his.bg.
  • By declaring and signing it in the form of an electronic document certified with a QES generated by the information system of the medical or health institution currently serving you.
  • By declaring and signing it through a technical means for applying an electronic signature (e.g., an electronic pen or tablet that transfers the signature in digital form onto an electronic document, where the signature can be equated to a handwritten one). In this case, you must sign your explicit consent before the medical or health institution for using this electronic signature in the relations between you, the institution, and NHIS and for its equivalence to a handwritten signature.

In the three cases above, an electronic document containing your consent is generated, sent to the system, and stored in it as an electronic health record.

  • By a one-time code generated by NHIS and sent to the phone number you provided, which is indicated by the medical or health institution in your consent declaration created as an electronic document. In this case, your consent will have the force of being certified with an electronic signature applied by you. In these cases, you need to sign your explicit consent at the medical or health institution for using this electronic signature in the relations between you, the institution, and NHIS and for its equivalence to a handwritten signature;
  • By declaring and signing it on paper before a medical or non-medical specialist serving you in the medical or health institution. If technically possible, your signed consent will be scanned and sent to the system as an electronic health record, and in other cases, the fact of its presence in the medical or health institution and its content will be noted in your electronic health record.

Your consent for access to your electronic health record for official purposes can be given for one-time access or apply only to one or several of the entities and institutions listed above.

When your electronic health record is initially generated, as well as during each subsequent contact with a medical or health institution serving you and where health documentation is created for you (i.e., electronic health records are generated), you can provide a phone number and/or email for contact with you, to receive messages from NHIS regarding the processing of data in your electronic health record. You can also opt-out of receiving such messages at any time.

The consent you give for access to your personal data becomes an integral part of your electronic health record and is visible to all entities entitled to access for official purposes. NHIS generates reports on the presence or limitation of the consent you have given without providing your personal data.

Options for Withdrawing Your Consent

Both the giving and withdrawal of your consent for access to your personal data can be done unconditionally and at any time. This is done in the same manner as giving consent (see above section "Your Consent for Access for Official Purposes"), without additional procedures and conditions. With the withdrawal of your consent, all access to your health information by all entities is automatically terminated. If these entities have made and stored a copy of your health records, they are obliged to delete them immediately.

Limiting Access by Time

The time for access to your electronic health record is limited depending on the user. Medical specialists from outpatient medical institutions for specialized medical care (e.g., in DCC, MC, etc.) have the right to access all health records in your electronic health record for a period not exceeding thirty calendar days from their initial examination.

Medical specialists from hospital medical care have the right to access all health records in your electronic health record in connection with your hospitalization for a period not exceeding thirty calendar days from your discharge from the medical institution, as well as during the period of performing medical activities that do not require your hospitalization.

Access is proportional to its purposes and is based on the principle of "need to know." In any case, only medical specialists directly involved in your care have the right to access and only in connection with or on the occasion of performing their functions related to that care.

Limiting Access by Content

Medical specialists from health institutions have the right to access only your health records related to the performance of their specific activity, in connection with and on the occasion of performing their functions. Which institutions are health institutions is specified above (see section "What is a health institution?").

Insurance companies have the right to access only the relevant health records related to and on the occasion of performing their functions in connection with a specific insurance event under your voluntary health insurance based on a medical insurance contract within the meaning of Chapter Forty, Section IV of the Insurance Code, which you have concluded with the insurer.

Limited Access for Emergency Medical Assistance

If you fall into a condition requiring emergency medical assistance, in which you are unable to make legal statements, the medical specialists providing it will receive the right to temporary and limited access to your electronic health record without your consent, regardless of whether they work in emergency services or are other specialists providing emergency assistance in the same medical institution. In this case, they will receive the data that identifies you (name and PIN/PNF) and the following health information about you: blood type; allergies; mandatory and other immunizations; past acute infectious diseases; established chronic diseases or disabilities; ongoing or conducted medication or other treatment; medical devices implanted in your body and contact details of your close persons (names, phone, etc.). All this data will be obtained solely to provide effective assistance and overcome the emergency condition threatening your health or life. In these cases, the need for access to your health information will be declared by the respective doctor electronically in NHIS using a QES, and you will be notified of the access used when you are able to do so.

Access through Official Registers

Medical specialists from outpatient medical-treatment facilities for primary medical care have the right to unlimited access to all health records in your electronic health record if you are their patient and are listed in their registers. They can also obtain such access in cases where you are not listed in their registers but have approached them for the respective medical or social care, i.e., when you have the status of their patient. In the second case, the need for access to your health records outside the medical institution's register is declared in NHIS by the respective doctor electronically through a qualified electronic signature, with which they identify themselves.

In any case, medical specialists have this access only in the performance of their functions, i.e., only when there is a professional need to familiarize themselves with your health information in connection with your treatment, consultations, and similar.

Access by Law Enforcement Authorities

Pre-trial authorities (prosecutors, investigators, investigating police officers), the court, and the experts appointed by them have the right to access the health records from your electronic health record only in connection with pending pre-trial or judicial proceedings. This access is carried out through the respective medical or health institution that made the records, based on a court order or a decree of the supervising prosecutor. Your identification, the scope of access, and its purpose will be explicitly stated in this order or decree.

Access Control

Every act of access to your electronic health record is recorded in the system for the purposes of control and prevention of unauthorized access, on the one hand, and ensuring traceability of access, on the other. Traceability is ensured by the so-called audit log of each user's actions (audit records). The attributes that are retained upon access in these cases include at least the following data: date/time of the action; system module in which the action is performed; action; object on which the action is performed; IP address. If necessary, you can be notified of the access performed. Audit records are stored for the entire existence of your electronic health record.

Technical Conditions for Access for Official Purposes

Access for official purposes is carried out through the health information web portal of the system www.his.bg via system integration resources (automated):

  • Through a secure communication link/channel for data exchange - for the integrated software platforms of medical and health institutions.
  • For insurance companies licensed under item 2 or items 1 and 2 of Section II, letter "A" of Appendix No. 1 to the Insurance Code.
  • For state authorities for whom access to nationally significant registers is provided by law. This category includes executive agencies in the MH system, regional health authorities, and NHIF authorities, who also have the option of access through system integration.

Outside these cases, access through system integration means is provided only to anonymized data, i.e., your personal data is not provided, and you cannot be identified unless otherwise specified by a regulatory act. The process of providing access also includes the use of the electronic authentication system, built and maintained by the Ministry of Electronic Governance. As a protective measure, mechanisms preventing data copying are maintained, if technically possible.

Communications with the System

The system does not provide access to other applications except for the mobile application "eHealth." Links to such applications will not be made or available.

Third-Party Sites

The system does not provide access to third-party sites, including social networks, so your personal data is not accessible to third-party sites, nor does it give you access to such sites.

Partner Sites

The system has no connection with other sites and does not provide access to such. According to the requirements of the Ordinance, it serves only you and the persons who create and use your health information on a legal basis.

Change Control

To control access for official purposes, as well as access on your behalf, the system maintains a chronological register of all corrections made to the electronic health record, organized as a subsystem for their monitoring, reporting, and control. Every correction of inaccuracy or incompleteness is registered in the subsystem. The chronological register is accessible to you, allowing you to personally control access.

PURPOSES OF COLLECTING AND PROCESSING PERSONAL DATA

We collect and process your personal data on explicitly specified legal grounds described in the section "Legal Grounds for Using Your Personal Data."

Your health information constitutes a special category of personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, or GDPR), hereinafter referred to as "the Regulation" or "GDPR," as it necessarily contains data about your health status, possibly including genetic and biometric data. However, exceptions are provided that allow this processing, and these exceptions arise from the purposes for which your personal data is processed. In this context, your personal data is processed:

  • For the purposes of preventive or occupational medicine, for assessing your work capacity, medical diagnosis, providing and receiving health or social care or treatment.
  • For the purposes of managing health care and social care services and systems based on the law of the Republic of Bulgaria.
  • For reasons of public interest in the field of public health, such as protection against serious cross-border health threats or ensuring high standards of quality and safety of health care and medicinal products or medical devices, based on the law of the Republic of Bulgaria, which provides appropriate and specific measures to guarantee your rights and freedoms, including the protection of professional secrecy.
  • In cases where it is necessary to provide you with emergency medical assistance (access in this case is limited only to certain data necessary for the case) or if you fall into an emergency risky medical condition that does not allow informed consent to be obtained for the respective medical procedure. The aim is to protect your vital interests in a situation where you are physically unable to give your consent for access to your personal data in your electronic health record.

There may be hypotheses where (in combination with the above circumstances) the processing and, accordingly, access to your personal data are required for the purposes of fulfilling the obligations and exercising the special rights of the MH or your personal rights under labor law and social security and social protection law.

In all the above cases, access to your personal data and their processing are limited to the necessary minimum and do not exceed the scope set out in the Health Act.

LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA

Your personal data, including those related to your health status, constituting special categories of personal data within the meaning of Regulation (EU) 2016/679, are processed based on Article 6, paragraph 1, letters "c" and "f," under the conditions of Article 9, paragraph 2, letters "h" and "i" of Regulation (EU) 2016/679, in connection with Articles 28, 28a, 28b, 28c, and 28d of the Health Act.

AGE RESTRICTIONS

The system provides access to the electronic health record of any adult capable person. Access to the health records of minors and fully incapable persons is provided to their legal representatives: parents and guardians. If you are a minor but have reached the age of 14, you have the right to independent access (in addition to that of your parents) to your electronic health record. If you are under this age, please do not access NHIS in any way. We have no other age restrictions for access to the system.

HOW YOUR PERSONAL DATA IS USED

Information related to the use of our site

We may use information related to your access to the system and the services you receive from it (e.g., notifications or feedback) to improve the quality of access, the conditions of use of the system, and its efficiency, for the purposes of statistical analysis of the collective characteristics of users, as well as for measuring demographic data and interests regarding specific types of data. We may also use this information to ensure the security of the system as a whole. In these cases, the data is completely anonymized, and your personal data is not collected and therefore not accessible.

Technical Support and Security

We may use your personal data to provide technical support when necessary and to ensure the security of NHIS.

Data for Communication Purposes with NHIS

When you send us a message or otherwise contact us and request a response, we will use the information you provide for feedback to respond to your message. We may also archive this information and/or use it for future communication with you when we have a legal right to do so. When we send you emails, we may track how you interact with those emails (e.g., when you open an email or click on a link in an email). We use this information only for the purposes of securing our communications with you and tailoring and optimizing them to your needs.

Communications with Partners and Suppliers

We do not share and will not share your personal data with content providers or partners in any way, so they cannot and will not be able to share information about their products and services, regardless of whether they have a legal right to do so.

Research

We may share only aggregated data about your activity on the NHIS Portal www.his.bg and demographic data from surveys conducted by us for the needs of the Ministry of Health, which may use the data for health-related research. In none of these cases do we provide, or will we provide your personal data in any way, and all provided and processed data will be anonymized.

Additionally, aggregated data from the system may be used and provided to other official institutions for the purposes of managing the health care system, medical science, financing, and statistics. Such data may also be provided for deceased persons within the retention period of their health records. In all these cases, only anonymized data can be provided, i.e., your personal data will not be provided or processed.

State Authorities and Procedural Obligations

State authorities granted the right by law to access nationally significant registers may have access for official purposes to NHIS, but only to the extent necessary to exercise their specific powers, i.e., their access is proportional to the functions they perform. In other cases, access to your personal data can only be provided to law enforcement authorities and only based on a final court or prosecutorial act (see section "Access by Law Enforcement Authorities").

Disclosure of Information to Acquirers

The system may transfer your personal data only to the successor of the Administrator in cases of transfer of the Ministry of Health's powers to manage the system to another state administration.

E-readers

If we receive any personal information related to the extent to which you use different types of electronic devices to access the System, we may archive it by deleting the link to your personal data and use it for technological research and improvements or for statistical purposes. In this case, only anonymized data will be processed, i.e., your personal data will not be processed.

COOKIE POLICY

For the proper functioning of the System as a whole, we sometimes place small data files called "cookies" on your device with which you access it.

What are cookies?

Cookies are small text files that are stored on your device/computer when you visit a website. They allow the website to remember your actions and preferences (such as username, language, font size, and other display settings) for a certain period, so you don't have to enter them every time you visit the site or move from one page to another.

How do we use cookies?

The system uses cookies that are not absolutely necessary for it to work but make it more convenient to use. You can delete or block cookies, but if you do, some functions of the System may not work properly. Cookies are used to remember:

  1. Your display settings, such as navigation language, contrast, font size, used device, search result preferences, and notifications.
  2. Your last visit to the System (for statistical purposes) and the last three pages you visited (to facilitate our help desk in case you submit a request).
  3. Information on whether you have accepted or not the use of cookies on this site.

Additionally, embedded help videos on our pages may also use cookies to collect anonymous statistics on how you reached the respective page and which videos you watched.

Cookies and Personal Data

The information related to cookies is not used to establish your identity, and the data patterns are entirely under our control. Cookies are not used for purposes other than those stated here.

Third-party Cookies

We do not allow third-party services to send cookies to users.

How to Control Cookies

You can control and/or delete cookies as you wish. You can delete all cookies that are already stored on your device, and you can also set most browsers to block them. However, if you do this, you may need to manually adjust some parameters each time you visit the site, and some services and functions may not work.

Opt-out of Cookies

You can freely accept or decline the use of cookies on this site with a single click on one of the following links:

  • Accept cookies
  • Decline cookies

In this case, you decline all cookies except the one that remembers this choice.

  • Decline cookies entirely.

In this case, you will see our cookie banner every time you visit the NHIS Portal www.his.bg. You can decline the use of only non-essential cookies. Some cookies are absolutely necessary for you to use the NHIS Portal as without them we will not be able to provide you with certain functions, such as automatic login to it.

RETENTION PERIOD OF PERSONAL DATA

The time we retain your personal data arises from the purposes for which we collect and use it and/or according to the requirements to comply with applicable laws and to establish, exercise, or defend our and your legal rights. The electronic health record of each citizen will be retained for fifty years from the date of his/her death. The long period is determined in the interest of the heirs of each citizen, who should have the opportunity to protect their legal rights if this requires the use of data about the deceased, as well as for the traceability of genetic predispositions and other similar data that can directly affect the quality and effectiveness of health care for descendants. After the mandatory retention period expires, personal data is deleted, and the remaining data is anonymized and can only be used for medical science, management, forecasting, and statistics.

SECURITY IN PROCESSING AND STORING PERSONAL DATA

We will use a series of standard physical, technical, and administrative (organizational) security measures to keep your personal data confidential and secure.

Organizational Security Measures

All state authorities, medical and health institutions that create or access data in your electronic health record apply the minimum and recommended measures for network and information security under the Cybersecurity Act and the Ordinance on Minimum Requirements for Network and Information Security, adopted by Decree No. 186 of 2019 (promulgated, SG No. 59 of 2019). All employees who manage or work with the system are bound by the obligation of professional secrecy. The purposes of accessing for official persons are precisely defined. Working with your personal data outside these purposes is not allowed.

Continuous support for current information security standards and upgrade capabilities is provided according to the recommendations of competent authorities in the field of cybersecurity.

The ordinance provides mandatory requirements for their network and information systems through which data in NHIS is generated or accessed. Outside state authorities, all medical and health institutions, insurance, and insurance institutions that have the right to access for official purposes and that have their information systems and databases are required to maintain security levels according to the standards applicable to administrative authorities.

Technological Security Measures

The security of the system is ensured through a series of technological measures, procedures, and protocols provided in the Ordinance, including:

  • Restrictions on access to the System and its duration;
  • Appropriate software and hardware solutions regarding system architecture and component configuration;
  • Mandatory high levels of security for applied electronic identification schemes;
  • Limiting access to databases only to the modules that serve them, etc.;
  • Development and application of a proprietary security standard for NHIS;

Necessary technological means for protection are provided: a data centre with a high level of security and a backup centre, component instantiation, a network security system, the ability to restore the necessary set of data and/or settings from the past, encrypted data exchange. The system provides two types of audit archives - one for communication through the public application programming interface and one for user access to medical information.

To ensure the necessary levels of security, where applicable, please use secure systems to contact us (email), as the Internet is not a completely secure environment, and there is some risk that an unauthorized third party may find a way to bypass our security systems through the device you use to access us. Therefore, it is your responsibility to protect the security of your login data. Please note that email communications are generally not encrypted and should not be considered secure.

Traceability

Every action performed is recorded in a system log, which stores information about each action performed, including access, the module, the object on which the action was performed, and the user who performed the action. All records in the system log are stored for the entire retention period of your electronic health record.

SERVICE PROVIDERS

The data processor does not use service providers for the System and does not hire other persons for this, except for its employees working under an employment contract, who are assigned to perform activities on its behalf. Employees are required not to disclose or use the information for any other reasons than those described in this policy. These obligations are assumed with their employment contracts and the confidentiality documents they have signed and are secured with all forms of legal responsibility.

OBJECTIONS, QUESTIONS, AND SUGGESTIONS

If you have questions, suggestions, unresolved issues, or complaints related to the privacy and protection of your personal data in NHIS, you can contact us through the NHIS Portal, through the mobile application, or at the email addresses listed below. If you reside or are located in the European Economic Area, our data protection officer and the system management team can assist you with any questions related to the processing of your personal data. If you reside or are located in a country in the European Economic Area, you can also file a complaint with the Data Protection Commission or file a claim with the competent Bulgarian court if you believe your rights have been violated.

For all questions related to the processing of your personal data and the exercise of your rights under Articles 15-22 of Regulation (EU) 2016/679 and the Personal Data Protection Act, you can contact the data protection officer of the Ministry of Health directly:

Alexander Maslarski

Address: Pl. "Sveta Nedelya" No. 5, Sofia 1000

email: dpo@mh.government.bg

YOUR RIGHTS

You have the right to exercise your rights under Articles 15-22 of Regulation (EU) 2016/679 before the Ministry of Health for your personal data stored and processed in NHIS:

  1. You have the right to access your personal data and the following information: (a) the purposes of processing; (b) the relevant categories of personal data; (c) the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organizations; (d) where possible, the envisaged period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data is not collected from the data subject, any available information about their source; (h) the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject. All listed categories of information can be found in the relevant sections of this policy.

You have the right to obtain a copy of your personal data undergoing processing, provided that this does not adversely affect the rights of other persons.

  1. You have the right to rectify or update any of your personal information that is inaccurate or outdated, including confirming that your personal data remains accurate and up-to-date. This right also includes the possibility of having your personal data completed when it is incomplete.
  2. You have the right to request the erasure of personal data related to you if you believe that it is no longer necessary for the purposes for which it was collected or is being processed unlawfully.
  3. You have the right to request the restriction of the processing of your personal data when you believe that its processing is unlawful or inaccurate.
  4. You have the right to object to the processing of your personal data based on Article 6, paragraph 1, letter d) or letter e), including profiling based on the specified provisions.
  5. You have the right not to be subject to automated decision-making that affects you. These are decisions based solely on automated processing of personal data, including profiling, which would create legal consequences for you or significantly affect you in an adverse way.
  6. You have the right to lodge a complaint with the Data Protection Commission regarding the processing of your personal data by us as the Controller or by the data processors to whom we have provided this data.

If you need additional information regarding your rights or if you want to exercise any of them, you can also contact us through the procedure for submitting objections, questions, and suggestions (see above section "Objections, Questions, and Suggestions").

DATA PROCESSOR

The data processor of your personal data is the company "Information Services" JSC, UIC 831641791, which is the national system integrator of the state's information systems by government decision. The processor receives the data as an established service operator in the field of information and communication technologies and the maintenance of the NHIS Portal www.his.bg .

CHANGES TO THIS POLICY

We periodically review our privacy policy for compliance with applicable legal requirements for personal data processing and safety standards, as a result of which it is subject to change. We recommend regularly checking its content for changes. Any subsequent amendment, update, or addition to the Privacy Policy will take effect immediately upon publication. We will notify you of any significant changes to this policy by posting on the NHIS Portal www.his.bg within a reasonable period before such an update. The effective date of the publication of the change is indicated below, at the end of this policy. We recommend periodically checking this page to be promptly informed of the current version of this Privacy Policy.

This privacy policy is effective from 1.2.2025.

 

Managing your privacy

Тhis website uses cookies in accordance with the Privacy policy. By clicking the Accept button, you confirm that you have read and agree to it.