https://jetbis.al-makkipublisher.com/index.php/al/index
667
Journal Of Economics, Technology, and Business (JETBIS)
Volume 2, Number 3 March 2024
p-ISSN2964-903X;e-ISSN2962-9330
PROTECTION AND LEGAL RESPONSIBILITY FOR BPJS PATIENT
MEDICAL RECORDS IN THE PERSPECTIVE OF LEGAL CERTAINTY
Clarita Ayu Putri Setya
1
, Abdul Kholib
2
, Handoyo Prasetyo
3
Universitas Pembangunan Nasional "Veteran" Jakarta, Indonesia
Email: clarithaayu297@gmail.com
1
, handoyopra[email protected]c.id
2
3
KEYWORDS:
Medical Records, BPJS,
Legal Protection, Legal
Certainty.
ABSTRACT
Medical records as a record are the responsibility and obligation of
every medical and health worker to keep the health data of the patients
they handle confidential. However, in 2021 there was a data leak from
BPJS Health membership patients, where there were 279 million
records of BPJS Health patient personal data information spread and
traded on Raid Forums. Then it happened again in early 2022. This
research aims to analyze and describe the protection and legal
responsibility for the medical records of patients of the Social Security
Organizing Agency in the perspective of legal certainty and to analyze
and describe the implementation of the regulation of patient medical
records of the Social Security Organizing Agency based on applicable
provisions. This research uses empirical normative legal methods
(Socio-Legal). The results of the study show that the implementation
of the regulation of medical records of patients of the Social Security
organizing agency is technically carried out on the basis of the
Minister of Health Regulation Number 24 of 2022 concerning
Medical Records. In the regulation, there are conditions that are
difficult to distinguish related to the responsibility of the Ministry of
Health and the relevant hospitals. The researcher concludes that the
policy of protection and legal responsibility for the medical records of
patients of the Social Security organizing body in the perspective of
legal certainty is currently not fully realized.
INTRODUCTION
Health is a fundamental right for all individuals and is the most important part of efforts
to achieve prosperity in accordance with the vision of the state. Health care security as a human
right, especially for Indonesian citizens, has been guaranteed in Article 28H paragraph (1) of
the 1945 Constitution of the Republic of Indonesia: "Everyone has the right to live in physical
and spiritual prosperity, to live and obtain a good and healthy environment and to obtain health
services"(Kolib, 2020).
The government has the responsibility to ensure that public health services are available
in an equitable and quality manner. Then it is also regulated in Article 34 paragraph (3) which
states that the state is responsible for the provision of proper health care facilities and public
service facilities (Mariani, 2015).
Hospitals are one form of healthcare facility that has an important role in achieving
Vol 3, No 3 March 2024
Protection And Legal Responsibility For BPJS Patient Medical
Records In The Perspective Of Legal Certainty
668
https://jetbis.al-makkipublisher.com/index.php/al/index
optimal public health status. The hospital is an organization or business entity in the health
sector that has an important role in realizing optimal public health status(Arifin, 2016). A
hospital is required to be able to manage its activities by prioritizing the responsibilities of
professionals in the health sector, specifically medical personnel and nursing personnel in
carrying out their duties and authorities(Wahyudi, 2011).
Article 296 Paragraph (1) of Law Number 17 of 2023 Concerning Health states that every
medical and health worker who provides individual health services is obliged to make medical
record data. Thus, hospitals and their components have an obligation to make documented
records about patients called medical records in the delivery of health services. Medical records
have a significant impact on the quality of service to patients. In addition, medical records can
be a documentation tool regarding all events related to patients while in health facility services,
and make a communication medium between health workers in supporting the importance of
health services today and in the future(Ohoiwutun, 2007).
Medical records include a variety of information, both recorded in writing and recorded
relating to patient identity, history taking, physical examination, laboratory results, diagnoses,
and all types of medical services and actions obtained by patients, both inpatient, outpatient,
and emergency services. Medical records are documents that contain records regarding patient
identity, examination, treatment, actions, and other services that have been provided to patients
(Sugiarti, 2020).
Health insurance is inseparable from social insurance. Referring to existing regulations,
Law No. 40 of 2004 concerning the National Social Security System and Law No. 24 of 2011
concerning the Social Security Organizing Agency are the basis for the implementation of
health social security under the sole control of BPJS Kesehatan. In terms of the implementation
of health social security, the Indonesian government organizes the National Health Insurance
(JKN) as a form of health insurance for every citizen. In line with this, JKN organized by the
BPJS Health Agency invites the public to actively participate in the Health Insurance program.
Although the explanation of the contents of medical records may only be carried out by
all parties involved in health services at Health Care Facilities even though the patient has
passed away as stated in Article 32 Paragraph (1) of the Minister of Health Regulation Number
24 of 2022 concerning Medical Records. However, this phase can open up space for the
practice of misuse of medical record data.
In 2021, there was a data leak from BPJS Health membership patients, where there were
279 million records of BPJS Health patient personal data information spread and traded on
Raid Forums. Dedy Permadi as a representative of the Ministry of Communication and
Information revealed that an assessment of the leaked data sample had been carried out and it
had been confirmed that the scattered personal information was thought to have come from
BPJS Health data. Dedy also mentioned that the claim was even more convincing after seeing
various information scattered, including BPJS participant card numbers, BPJS office codes,
family information, dependents covered by health insurance, and payment status (Kebocoran
Data Pribadi, BPJS Kesehatan Bakal Digudat, 2023).
Based on the above case, several times there have been frequent leaks of patient medical
record data so it requires more attention related to the personal data owned by patients in the
medical record. Any health data recorded or recorded in medical records is confidential and if
Protection And Legal Responsibility For BPJS Patient Medical
Records In The Perspective Of Legal Certainty
Vol 3, No 3 March 2024
https://jetbis.al-makkipublisher.com/index.php/al/index
669
used it needs to be with good and correct ethics. So it is necessary to carry out supervision
related to management to ensure the protection of patient medical record data in the hospital
environment.
The issue of medical records from the perspective of data protection is not only related
to the Health Law but also intersects with other laws, such as Law Number 27 of 2022
concerning Personal Data Protection and Law Number 8 of 1999 concerning Consumer
Protection.
In the Personal Data Protection Law, hospitals and BPJS are also part of what is called a
public body that carries out its main functions and duties related to state administration,
especially related to the health sector. In the PDP Law, medical records are included in the
specific personal data criteria. In the PDP Law, these two elements are included in the form of
personal data controllers who have the obligation to protect and ensure the security of the
Personal Data they process.
The hospital as a party that runs a business or as a business actor has an obligation to
fulfill every health service including in terms of efforts to protect patient data as a consumer.
So important is the medical record containing patient data that it becomes important to protect
and when inappropriate actions occur, this action is a form of violation of the law.
In such a context, every hospital that is a business actor in the health sector is prohibited
from providing services that do not meet or do not comply with the required standards and
provisions of laws and regulations. In this case, the provision in question is the obligation to
protect medical records.
The three laws above actually recognize efforts to guarantee patient data as a consumer
to be maintained and kept confidential, both by the hospital and BPJS. In supporting this, the
hospital needs a competent management team to supervise the use of patient health information
data. The managerial function here is not only limited to when submitting claims but also
includes comprehensive management of health information data, including maintaining the
confidentiality of patient medical record information.
In addition, effective regulations and good supervision are needed to ensure that the use
of medical record information can run in accordance with existing legal guidelines and does
not violate existing provisions. The use of information referred to here refers to the act of
disclosing the information to a third party without the consent of the patient, which will
certainly result in a violation of the patient's right to privacy. This also includes a situation
where the officer does not provide an explanation to the patient or his family about the use of
patient medical record information data.
When referring to the three regulations above, when there is a misuse of medical record
data that harms patients, if traced, no responsibility is given to whom the data leak can be held
accountable. The condition between the hospital and BPJS will certainly be more complex
when there are administrative issues that accompany it.
Based on the above background, the researcher is interested in conducting research on
Legal Protection and Responsibility for BPJS (Social Security Organizing Agency) Patient
Medical Records from the Perspective of Legal Certainty.
Vol 3, No 3 March 2024
Protection And Legal Responsibility For BPJS Patient Medical
Records In The Perspective Of Legal Certainty
670
https://jetbis.al-makkipublisher.com/index.php/al/index
RESEARCH METHODS
This research uses empirical normative legal research methods. Where on the basis of
normative legal research objectives include research on legal principles, research on the level
of legal synchronization, legal history research, and comparative legal research. And empirical
legal research, which includes research on legal identification (unwritten) and research on legal
effectiveness (Mukti Fajar & Achmad, 2010).
In supporting the type of research and answering the legal issues raised by the author, the
author approaches the research through a statutory approach, and conceptual approach, and
conducts interviews with the hospital on the form of protection of patient medical records.
Then this research is analyzed using a qualitative descriptive method where the
researcher explains, describes, and illustrates according to the problems that are closely related
to this research, and then draws a conclusion based on the analysis carried out.
RESULTS AND DISCUSSION
Implementation of Medical Record Regulations for Patients of the Social Security
Organizing Agency Based on Applicable Provisions
Affirmation of the choice of the rule of law in Indonesia can be found in the formulation
of Article 1 paragraph 3 of the 1945 Constitution of the Republic of Indonesia, which explains
that Indonesia is a state of law. Under these conditions, Soetandyo Wignyosoebroto elaborated
that the concept of the rule of law in Indonesia is the ideal of the Indonesian nation and has
been regulated in every Constitution.
The rule of law is a state system that is governed by law that applies to justice. In realizing
this goal, the law has a role to guarantee and provide protection for every citizen's rights. The
main idea of the rule of law is the recognition of human rights based on the principles of
freedom and equality (Bachtiar, 2015).
The written form of law in question is the existence of laws and regulations that form the
basis of state administration, including in the health sector. Various written regulations that are
the basis of state administration confirm that the civil law legal system adopted in Indonesia is
practiced by regulating the health sector in the form of legislation as mentioned by the author
that legal provisions relating to the health sector have been regulated in the 1945 Constitution
to other derivative regulations such as the Health Law, the SJSN Law, and regulations of the
minister of health.
One of the components of health management is health information management and
regulation. To organize effective and efficient health efforts, health information is needed.
Health information is used as input for decision-making in every health management process,
both health service management, health institution management, and health development
program management or regional management. In addition, in an effort to improve the degree
of public health, the government makes it easy for the public to gain access to health
information.
The Health Information System will actually improve the quality and speed of work
processes and optimize data flow so as to increase the availability and quality of health and
related data/information, especially in Health Care Facilities such as hospitals. However, as
described by the author in the background section and the topic of this research, there was a
Protection And Legal Responsibility For BPJS Patient Medical
Records In The Perspective Of Legal Certainty
Vol 3, No 3 March 2024
https://jetbis.al-makkipublisher.com/index.php/al/index
671
leak of BPJS patient medical record data. In fact, the use of an integrated health information
system shows the transformation of health services that are carried out based on the principles
of legal certainty, good faith, usefulness, good governance, data availability, timeliness,
standardization, integration, security and confidentiality of information, and technological
neutrality.
Such conditions indicate that there is an implementation in the field that is not in line
with the provisions of existing regulations, both between health facilities, especially hospitals,
and BPJS as a related party regarding health insurance for a patient who accesses health
services. On the other hand, the leakage of medical record data that occurs is due to a weak
health information system that is utilized by irresponsible parties to then use it for personal
gain.
The enactment of the Health Law with its status as an omnibus law is a legal umbrella in
realizing a major transformation of national health. There are several issues behind the
formation of the Health Law that are also related to problems in the Indonesian health sector,
one of which is related to the inadequate health system.
One form of health system regulated in the Health Law is about medical records. The
organization of medical records is the responsibility of hospitals as health service providers as
stated in Pasal 173 and Pasal 189.
Furthermore, the provision of medical records is a right for patients as stated in pasal 276
which states that every patient has the right to gain access to information contained in medical
records.
The protection of medical record data is reaffirmed in pasal 297 ayat (3) which states that
Health Service Facilities are obliged to maintain the security, integrity, confidentiality, and
availability of data contained in medical record documents.
However, the overall responsibility for national data on medical records is the
responsibility of the Ministry of Health as stated in the provisions of Pasal 298, namely the
Ministry whose government affairs in the health sector is responsible for organizing the
management of medical record data which includes policy formulation, collection, processing,
storage, security, data transfer, and supervision. This is done in the context of national health
data management.
The broad scope of the Health Law can be seen from the substance of this law which
contains 20 chapters consisting of pasal 458. Therefore, further regulation of this Health Law
through Government Regulations is given a one-year responsibility for the government to
make. One part that needs to be further regulated is the provision of medical records. This refers
to the provisions of pasal 299 of the Health Law which states that further provisions regarding
medical records are regulated by Government Regulation.
There is no Government Regulation that regulates medical records. In addition, there are
also things that are not in accordance with the medical records regulated in the Health Law.
this is the absence of criminal provisions or sanctions that will be given when there is a misuse
of medical record data.
According to the author, this is a mistake in the regulation of medical records in the
Health Law. The responsibility for the hospital as the organizer of health service facilities and
the Ministry of Health, which has overall responsibility for medical record data, is not given
an early warning through the provisions of sanctions governing the leakage of medical record
Vol 3, No 3 March 2024
Protection And Legal Responsibility For BPJS Patient Medical
Records In The Perspective Of Legal Certainty
672
https://jetbis.al-makkipublisher.com/index.php/al/index
data in the future.
The absence of sanctions against the responsibility and authority of medical records on
the relevant parties opens space for potential misuse of medical record data that can be done
because no sanction will ensnare the irresponsible party. The lack and not optimal role of
harmonization in the formation of regulations, weak synergies between regulations, and weak
regulatory planning also play a role in causing bad regulations (Prasetyo & Setiadi, 2023).
So electronic medical record data becomes increasingly vulnerable to misuse if referring
to the Health Law as the main regulation in the health sector does not contain these sanctions.
Therefore, a complete, clear, and easy-to-understand regulation is needed to determine who
should be responsible what form of responsibility, and how the distribution of the burden of
responsibility is (Prasetyo & Setiadi, 2023).
The contents of electronic medical records must be kept confidential by all parties
involved in health care and medical services at healthcare facilities (not only health workers
and medical personnel but also students on duty at healthcare facilities, leaders of healthcare
facilities, personnel related to health care financing and medical services, other parties who
have access to patient health data and information at health care facilities), even though the
patient has died (Prasetyo & Setiadi, 2023).
Such conditions, release BPJS as the health social security organizer related to the
obligation to maintain confidentiality and provide protection to patient medical record data.
Although BPJS is a different institution and is not within the Ministry of Health, but related to
patient data and the provision of health services, BPJS should also have the responsibility to
maintain the confidentiality and protection of patient medical record data. This responsibility
was not found by researchers in the medical record regulations related to the current BPJS
position.
Based on this description, BPJS is the space in realizing SJSN in Indonesia, while the
Hospital is a partner that provides health services so both BPJS and the Hospital play an
important role in realizing SJSN in Indonesia. In connection with the substance of the issues
discussed in this study regarding medical records, especially medical record data owned by
patients who are also BPJS participants, both the SJSN Law and the BPJS Law do not mention
the provisions of medical record regulations.
Protection and Legal Responsibility for Patient Medical Records of the Social Security
Organizing Agency in the Perspective of Legal Certainty
Based on this, it can be said that rights can be defined as something inherent to human
nature, and their exercise is applied to the scope of freedom and equality when interacting with
people and institutions. Based on this definition, rights can be qualified as something that must
be considered.
Several rules in national legal systems divide information about health into two
categories: public law features and private law aspects. These categories are considered distinct
from each other. In the realm of public law, there are two categories of health information:
general and specialized. Both of these categories are considered health information.
Various important factors contributing to the urgent need for disclosure of information
to the general public need to be considered, governments need to start opening up to any access
to information required by the public. This is because we live in an age of globalization,
Protection And Legal Responsibility For BPJS Patient Medical
Records In The Perspective Of Legal Certainty
Vol 3, No 3 March 2024
https://jetbis.al-makkipublisher.com/index.php/al/index
673
characterized by the fact that access to information from government records occurs almost
anywhere in the world (Yustina, 2014).
In terms of the implementation of health services, the openness of the right to access
health information is also part of the focus of attention that is considered the most important.
This is because the fulfillment of patients' rights as consumers is related to the implementation
of health services. By the provisions of Law Number 8 of 1999 concerning Consumer
Protection and Law Number 17 of 2023 concerning Health.
It can be emphasized that the public, in their capacity as consumers and patients who use
health services, have the right to receive clear and honest information while obtaining health
services from the organizers. This is because the requirements mentioned above are related to
the fulfillment of public health information.
After the researchers have discussed the rights of the public in the level of disclosure of
public medical information, the researchers will then discuss the type of private health
information that is the topic of discussion in this study, namely medical records. The scope of
medical records includes the patient's data and health status, both of which are formed in
medical record data and known by health service providers, which include hospitals, clinics,
and doctors. All information included in a patient's medical record is considered sensitive
personal data.
This is inseparable from the potential legal issues that are feared to arise, such as the
collection, access, and distribution of medical record data to other parties who do not have the
necessary expertise, without the knowledge and consent of the patient himself. This is
important to protect due to the possibility of abuse on the part of the service provider sector.
Article 4 Paragraph 1 of the PDP Law consists of specific personal data and general
personal data. Specific personal data is personal data that, if processed, may cause a greater
impact on the Personal Data Subject, including acts of discrimination and greater harm to the
Personal Data Subject.
Based on what the researchers have described above, medical record data is specific
information and is confidential data that is strictly limited to be published to the public. If
someone violates this provision, they may be subject to legal consequences by the rules and
regulations relevant to the situation. This data can only be accessed with the consent of the
owner or by order of laws and regulations. Based on the explanations given earlier, it can be
asserted that information on public health is easily accessible to the general public.
It can be seen that the protection of consumers is a principle in this regulation. It is
intended that in the relationship between consumers and business actors, consumers are
protected from things that can harm the consumers themselves.
Article 36 of the PDP Law states that personal data controllers are obliged to maintain
the confidentiality of personal data. Then, pasal 37 states that the personal data controller is
obliged to supervise each party involved in personal data under the control of the personal data
controller. Pasal 38 then states that the personal data controller shall protect personal data from
unauthorized processing. Then pasal 39 adds that the personal data controller shall prevent
personal data from being accessed unlawfully.
The obligations of the personal data controller related to the protection of personal data
that we have described above will be subject to administrative sanctions in accordance with
Article 57 of the PDP Law if there are proven violations of the articles that we have described
Vol 3, No 3 March 2024
Protection And Legal Responsibility For BPJS Patient Medical
Records In The Perspective Of Legal Certainty
674
https://jetbis.al-makkipublisher.com/index.php/al/index
above.
CONCLUSION
The implementation of the regulation of patient medical records by the Social Security
organizing body needs to be improved in regulations related to medical records to ensure the
protection of patient rights and data security and improve the availability and quality of health
services in accordance with the principles of a just legal state. Legal protection and
accountability for patient medical records by BPJS need to pay attention to aspects of legal
certainty, by upholding patient rights and regulating obligations and sanctions for parties
involved in managing medical record data.
BIBLIOGRAPHY
Arifin, D. A. (2016). Kajian yuridis tanggung jawab perdata rumah sakit akibat kelalaian dalam
pelayanan kesehatan. Jurnal Idea Hukum, 2(1), 77–89.
Bachtiar, P. I. P. M. K. (2015). pada Pengujian Undang-Undang Terhadap Undang-Undang
Dasar. Jakarta: Raih Asa Sukses.
Kebocoran Data Pribadi, BPJS Kesehatan Bakal Digudat. (2023). CNN Indonesia. ”,
Kebocoran Data Pribadi, BPJS Kesehatan Bakal Digugat (cnnindonesia.com)
Kolib, A. (2020). Analisis Yuridis Perbandingan Risiko Medis dengan Kelalaian Medis. AL-
MANHAJ: Jurnal Hukum Dan Pranata Sosial Islam, 2(2), 238–254.
Mariani, M. D. (2015). Perlindungan Hukum Terhadap Rekam Medis Pasien di Rumah Sakit.
Jurnal Magister Hukum Udayana, 4(2), 44155.
Mukti Fajar, N. D., & Achmad, Y. (2010). Dualisme penelitian hukum: normatif & empiris.
Pustaka pelajar.
Ohoiwutun, Y. A. T. (2007). Bunga rampai hukum Kedokteran: Tinjauan dari berbagai
peraturan perundangan dan UU Praktik Kedokteran.
Prasetyo, H., & Setiadi, W. (2023). Reformasi Regulasi Melalui UU Cipta Kerja Sebagai
Landasan Sinergitas Nasional Dalam Upaya Mengantisipasi Resesi Global. Jurnal
Legislasi Indonesia, 20(1), 136–150.
Sugiarti, I. (2020). Legal protection of patient rights to completeness and confidentiality in
management of medical record documents. 2nd Bakti Tunas Husada-Health Science
International Conference (BTH-HSIC 2019), 179–191.
Wahyudi, S. (2011). Tanggung Jawab Rumah Sakit Terhadap Kerugian Akibat Kelalaian
Tenaga Kesehatan Dan Implikasinya. Jurnal Dinamika Hukum, 11(3), 505–521.
Yustina, E. W. (2014). Hak atas informasi publik dan hak atas rahasia medik: problema hak
asasi manusia dalam pelayanan kesehatan. PADJADJARAN Jurnal Ilmu Hukum (Journal
of Law), 1(2).
licensed under a
Creative Commons Attribution-Share Alike 4.0 International License
