From 1 December 2026, it will be compulsory to maintain digital medical records. There are still cases of healthcare professionals keeping paper medical records and using software that does not meet data security and access control standards. The Directorate of Health urges all healthcare providers to address this and ensure the secure digital documentation of medical records in a system that complies with data security and access control requirements.

The law's definition of medical record information has been broadened, indicating that data generated during digital health services is also considered medical record information.

It is stressed that the law permits a patient or their guardian to receive a copy of the patient's medical record, provided specific conditions are met, but not direct access to the record. The same applies to a copy of a deceased individual's medical record.

It is no longer compulsory to mention the patient's job title and marital status in medical record entries.

The guardian of medical records is now authorised to grant health sciences students access to medical records for educational purposes under the supervision of an instructor in organised clinical studies related to a patient's treatment. The students shall have undertaken a duty of confidentiality and secrecy comparable to that of healthcare professionals.

Doctors and pharmacists responsible for creating a patient's central medication profile are now authorised to access medical records, but only to medication information and solely to the extent necessary to develop the central medication profile. The Directorate of Health wishes to remind you that access to medical records is permitted only if there is a legal basis for it, in accordance with the provisions of the Health Records Act or other relevant laws. Please note that all medical record lookups are traceable, so it is essential to document the purpose of each lookup.

From 1 December 2026, a patient's right to access their own medical record will also include information obtained from sources other than the patient or healthcare professionals. However, this applies only to information recorded in the medical record from 1 December 2026 onward.

The Directorate of Health, therefore, advises healthcare professionals to bear this in mind.
However, a patient's request for a copy of the medical record may be denied if it is deemed necessary to protect the interests of those who provided the information or the patient's relatives.

It is permitted to charge a fee for copying medical records, and prepayment may be required if the expected cost of reviewing and copying exceeds ISK 10,000. This is a new provision, and the Minister is expected to establish a price list before fee collection can commence.

It is clearly stipulated that those responsible for and in charge of medical records are responsible for ensuring that internal controls are in place for the registration and processing of medical record information, which entails a clear duty of supervision and responsibility for ensuring that healthcare professionals maintain medical records in accordance with the provisions of the Health Records Act. It is also stipulated that the processing of information in medical records must be in accordance with the provisions of the Health Records Act and the Act on Data Protection and the Processing of Personal Data, No. 90/2018. The Directorate of Health, therefore, directs those responsible for and in charge of medical records to carefully familiarise themselves with their responsibilities under the above and implement appropriate changes in their workplaces.

The roles of the Data Protection Authority and the Directorate of Health under the Health Records Act are now more clearly distinguished to avoid unnecessary duplication of work. Cases may be processed concurrently by both the Data Protection Authority and the Directorate of Health if there is suspicion of a breach of both the Health Records Act and the Act on Data Protection and the Processing of Personal Data.

A new requirement requires guardians and processors of medical records to report breaches of the Health Records Act to the Directorate of Health. The Directorate of Health emphasises this point to guardians and medical record processors.
Another change is that the Directorate of Health and the Data Protection Authority may exchange information on breaches under their respective supervision.

Before the changes discussed here, there was uncertainty about which party should report Health Records Act violations and under what circumstances. This has now been resolved, and it is stipulated that the Directorate of Health is authorised to report breaches of the Health Records Act to the police, but is obligated to refer major breaches to the police. A violation is considered significant if the act is committed in a particularly culpable manner or under circumstances that significantly increase the culpability of the offence.
As before, violations of the Health Records Act and regulations issued thereunder are punishable by fines or imprisonment for up to three years, unless a more severe penalty applies under other laws, and handling of such cases shall be in accordance with the Code of Criminal Procedure.
The Health Records Act now sets out the law's provisions, with violations punishable by fines or imprisonment. This change underscores the legislator's focus on safeguarding the sensitive personal data within medical records. The Directorate of Health, therefore, urges healthcare professionals to familiarise themselves with these provisions thoroughly and reminds them that, under the new regulations, the Directorate must refer significant violations to the police.