The protection of patients’ personal data constitutes a fundamental privacy right guaranteed under the rule of law. The digital transformation in healthcare services, particularly through electronic medical records in teaching hospitals, increases the risk of improper use of personal data. Law Number 27 of 2022 on Personal Data Protection provides a comprehensive legal framework regulating the classification of health data, principles of data processing, data subject rights, and the obligations of data controllers. This study analyzes the legal regulation, factors influencing the use of patients’ personal data, and the legal certainty of its implementation at Prof. Dr. Chairuddin P. Lubis Hospital, Universitas Sumatera Utara. Employing a normative–empirical approach, data were collected through statutory review, relevant legal literature, and interviews with the Head of Medical Records, physicians, and nurses, and were analyzed qualitatively. Findings indicate that while the normative framework is clear, implementation is affected by structural, technical, and cultural factors, so that legal certainty remains at the normative-administrative stage. Strengthening institutional governance, updating internal policies, implementing granular access controls, and enhancing legal literacy among healthcare staff are necessary to ensure effective protection of patients’ rights.
Copyrights © 2026