How to cite:

Anthony Anugrah Jeshua, Anak Agung Ngurah Gede Anggra Pramana (2024) Legal Responsibility

of Hospitals in Maintaining the Security and Confidentiality of Patients' Electronic Medical Record

Data, (06) 06, https://doi.org/10.36418/syntax-idea.v3i6.1227

E-ISSN:

2684-883X

Published by:

Ridwan Institute

LEGAL RESPONSIBILITY OF HOSPITALS IN MAINTAINING THE SECURITY

AND CONFIDENTIALITY OF PATIENTS' ELECTRONIC MEDICAL RECORD

DATA

Anthony Anugrah Jeshua, Anak Agung Ngurah Gede Anggra Pramana

Universitas Hang Tuah, Indonesia

Email: [email protected], [email protected]

Abstract

The very rapid development in health services today requires that every health service

provider organize medical records electronically with the principles of security and

confidentiality of data and information. However, in practice, Elecronic Medical Records is

still experiencing many legal issues that are detrimental to both the Hospital and especially

the patients themselves. Therefore this study aims to analyze the legal basis of hospital

obligations for the security and confidentiality of electronic medical record patient data and

analyze the responsibility of hospitals for the security and confidentiality of patient’s EMR

data. The type of research used in this thesis is normative juridical research with statutory

approach and conceptual approach. The results still found some legal wins, ambiguities and

some shortcomings in implementing this EMR in full

Keywords: Elecronic Medical Record, Hospital, Security, Confidentiality

INTRODUCTION

The rapid development in health services today requires every health service provider to

immediately be able to meet the wishes of its customers. In order to support these health

services, health data must be stored neatly in an archive called Medical Records (hereinafter

referred to as RM). RM is one of the most important pillars in hospital administration. With

the development of medical science, health law and technological developments coupled with

patients or society who are increasingly smart and critical about their rights, therefore the

implementation of medical records should be developed even better (Hapsari, 2014)

The creation of medical records or RM in hospitals or by doctors on patient cards at the

place of practice has been carried out for a long time, but it has not become an obligation, so

the implementation is not considered so serious. Along with the development of a very

dynamic society, RM becomes important. . This is also stated in Law number 8 of 1999

concerning Consumer Protection (hereinafter referred to as UUPK). Consumer Protection is

any effort that ensures legal certainty to provide protection to consumers. In Article 4 number

1 of the UUPK which states that consumer rights are the right to comfort, security, and safety

in consuming goods and/or services. So that consumers, in this case patients in the hospital,

JOURNAL SYNTAX IDEA

p–ISSN: 2723-4339 e-ISSN: 2548-1398

Vol. 6, No. 06, Juni 2024

Legal Responsibility of Hospitals in Maintaining the Security and Confidentiality of Patients'

Electronic Medical Record Data

Syntax Idea, Vol. 6, No. 06, Juni 2024 2755

have the right to comfort, security and safety in receiving the services provided by the

hospital.

Therefore, in its initial history, the Indonesian government through the Ministry of

Health has issued Regulation of the Minister of Health Number 749a/MENKES/Per/XII/1989

concerning RM/ Medical Records. With the issuance of this PERMENKES, the procurement

of RM has become a must or has become a law that must be obeyed for every health service

facility, but the regulation still revolves around paper-based (conventional) RM. Furthermore,

PERMENKES No. 24 of 2022 concerning RM was issued, which specifically explains RME

that "Every Health Service Facility is obliged to carry out Electronic Medical Records”

(Hapsari, 2014)

However, in practice, RME still experiences many legal issues that are detrimental to

both the hospital and especially the patients themselves. One of the legal issues in January

reported on the tekno.kompas.com news page, it was reported that there had been a data leak

of 6 million patient RME data from various major hospitals in Indonesia. The data is known

to be used to trade unilaterally for payments in the form of cryptocurrency. This can certainly

be abused and result in great losses for the owner. If a patient who experiences a data leak

suffers from a certain disease or medical condition that is confidential, and if known by the

public, it will result in him being shunned or even dismissed from his job. In addition, if a

patient's medical photo that is inappropriate to see is then disseminated, it will have a severe

psychological impact on the patient (Riyanto, 2022).

In principle, the contents of the Medical Record belong to the patient, while the Medical

Record file (physically) belongs to the Hospital or health institution. This is in accordance

with Article 26 paragraph (1) of the Regulation of the Minister of Health of the Republic of

Indonesia Number 24 of 2022 concerning Medical Records. Maintaining security, in storing

data/information and ease of access is the obligation of the 3rd party to the authority.

Meanwhile, those who need data/information must always respect the privacy of patients.

Ensuring the quality of security, privacy, confidentiality, and safety of devices that fortify RM

data/information has been regulated in Article 23 of the Regulation of the Minister of Health

of the Republic of Indonesia Number 24 of 2022 concerning Medical Records. Therefore, all

authorities who need more detailed data/information in accordance with their duties are

obliged to maintain the four elements above (Gemala, 2008; Purba & Yulita, 2018).

To support the formulation of the above problem, the purpose of this study is to analyze

the basis of the legality of the hospital's obligation to the security and confidentiality of

patients' Electronic Medical Record data. To analyse the hospital's responsibility for the

security and confidentiality of patients' RME data.

RESEARCH METHODS

The type of research used in examining this problem is normative juridical research,

where the law is conceptualized as what is written in laws and regulations (law in books) or

the law is conceptualized as a rule or norm which is a benchmark for human behavior that is

considered appropriate (Kelsen, 2019). The research methods used are a statute approach and

a conceptual approach. The statute approach is a research that prioritizes legal materials in the

Anthony Anugrah Jeshua, Anak Agung Ngurah Gede Anggra Pramana

2756 Syntax Idea, Vol. 6, No. 06, Juni 2024

form of laws and regulations as a basic reference in conducting research. Meanwhile, the

conceptual approach is a type of approach in legal research that provides an analytical

perspective on problem solving in legal research seen from the aspects of the legal concepts

behind it, or can even be seen from the values contained in the normation of a regulation in

relation to the concepts used (Rifa’i, 2023). The activity that will be carried out in the

Collection of Legal Materials in this study is a Literature Study by means of content

identification. The collection tool by identifying the content is obtained by reading, studying,

and studying literature materials in the form of laws and regulations, articles from the internet,

national seminar papers, journals, documents, and other data that are related to the legal

materials of this research.

The method of analysis of legal materials used in this study is a descriptive normative

method because this study does not use concepts that are measured/expressed by numbers or

statistical formulations, so the analysis of legal materials is carried out in a guided way or

based on legal norms/rules (in a broad sense, namely those consisting of legal values, legal

bases, legal rules in a narrow sense and authoritative texts or legal rules), Legal concepts or

legal doctrines contained in the framework of thought or literature review are used to answer

the problems in this research.

RESULT AND DISCUSSION

Hospital Legal Liability

The concept of responsibility was first proposed by the originator of pure legal theory,

namely Hans Kelsen. According to Hans, responsibility is closely related to obligations, but

they are not identical. This obligation arises because of the existence of legal rules that

regulate and provide obligations to legal subjects. Legal subjects who are burdened with

obligations must carry out these obligations as an order from the rule of law. As a result of

non-implementation of obligations, sanctions will be imposed. This sanction is a forced action

of the rule of law so that obligations can be carried out properly by legal subjects. According

to Hans, the subject of the law who is subject to the sanction is said to be "responsible" or

legally responsible for the violation (Kelsen, 2019).

Based on this concept, it can be said that responsibility arises from the existence of a

legal rule that gives obligations to legal subjects with the threat of sanctions if these

obligations are not implemented. Such responsibility can also be said to be a legal

responsibility, because it arises from the order of the rule of law/law and the sanctions given

are also sanctions stipulated by law, therefore the liability carried out by the subject of law is

a legal responsibility.

Hospitals are public service delivery organizations that have responsibility for every

health public service service they provide. This responsibility is to provide affordable quality

health services based on the principles of safety, comprehensiveness, non-discrimination,

participation and provide protection for the community as health service users (health

receivers), as well as for health service providers in order to realize the highest degree of

health (Prasada & Mudana, 2014).

Legal Responsibility of Hospitals in Maintaining the Security and Confidentiality of Patients'

Electronic Medical Record Data

Syntax Idea, Vol. 6, No. 06, Juni 2024 2757

In principle, the contents of the Medical Record belong to the patient, while the Medical

Record file (physically) belongs to the Hospital or health institution. This is in accordance

with Article 26 paragraph (1) of the Regulation of the Minister of Health of the Republic of

Indonesia Number 24 of 2022 concerning Medical Records. Maintaining security, in storing

data/information and ease of access are the demands of the 3rd party authorities. Meanwhile,

those who need data/information must always respect the privacy of patients. Security,

privacy, confidentiality, and safety of devices that fortify data/information in health records.

That way, various authorities who need more detailed data/information in accordance with

their duties must always maintain the four elements above.

A hospital is a public service organization that has responsibility for every health public

service it provides, including the maintenance of medical records, especially electronic. This

responsibility is to provide affordable quality health services based on the principles of safety,

comprehensiveness, non-discrimination, participatory and provide protection for the

community as health service users (health receivers), as well as for health service providers in

order to realize the highest degree of health.

As a center for the implementation of public services, hospitals as an organization are

required to provide quality medical services for the community. According to the Decree of

the Minister of Health of the Republic of Indonesia Number 722 / Menkes / SK / XII / 2002

concerning Guidelines for Internal Regulations of Hospitals (Hospital By Laws), that a

hospital is basically something that can be grouped into medical services in a broad sense that

concerns promotive, preventive, curative and rehabilitative activities of education and training

of medical personnel research and development of medical science. Based on these

provisions, there are basically four parts related to the responsibility of hospitals as medical

services, namely :

1. Responsibility for personnel;

2. Professional responsibility for quality;

3. Responsibility for facilities/equipment; and

4. Responsibility for building safety and maintenance.

According to Law Number 44 of 2009 concerning Hospitals Article 46, hospitals are

legally responsible for all losses caused by negligence committed by health workers in

hospitals. The legal responsibility of hospitals in the implementation of health services to

patients can be seen from the aspects of professional ethics, administrative law, civil law and

criminal law.

Administrative Legal Responsibility

Medical records have an administrative meaning because their content concerns actions

based on authority and responsibility for health workers. The legal aspects of administration

to health services, especially the implementation of medical records, are contained in several

laws that are sectoral. In article 29 paragraph (1) letter h of Law of the Republic of Indonesia

Number 44 of 2009 concerning Hospitals, it is stated that in providing health services,

hospitals are obliged to organize Medical Records. Then in article 3 paragraph (2) letter d of

the Minister of Health Regulation Number 24 of 2022 concerning Medical Records states that

Anthony Anugrah Jeshua, Anak Agung Ngurah Gede Anggra Pramana

2758 Syntax Idea, Vol. 6, No. 06, Juni 2024

Health Service Facilities as referred to in paragraph (1) also list Hospitals as one of the health

facilities that are required to hold Medical Records, even stated in article 45 that All Health

Service Facilities must organize Electronic Medical Records in accordance with the

provisions in this Ministerial Regulation at the latest on December 31, 2023.

Administrative sanctions can be imposed on health workers and health service facilities

that are suspected of violating the provisions of Law No. 36 of 2009 concerning Health,

especially in article 57 paragraph (1) where everyone has the right to the confidentiality of

their personal health conditions that have been submitted to health service providers, but this

does not apply in article 57 paragraph (2) where the provisions regarding the right to

confidentiality of personal health conditions as referred to in paragraph (1) does not apply in

the event of: a legal order; court order; the permit concerned; community interests; or the

interests of the person.

The above administrative sanctions are written in the same Law in article 188 paragraph

(3) in the form of a written warning, revocation of temporary permits and/or permanent

permits. For corporations, in addition to the revocation of business licenses, they will be

subject to the revocation of legal entity status in accordance with article 201 paragraph (2).

The legal aspects of administration in medical practice are listed in article 36 of Law

No. 29 of 2004 concerning Medical Practice. The article states that every doctor and dentist

who practices medicine in Indonesia is required to have a practice license. A practice license

is written evidence given by the government to doctors and dentists who will practice

medicine after meeting the requirements.

In addition to medical practice, nursing practice also has an administrative legal aspect.

Article 19 of Law No. 38 of 2014 concerning Nursing states that nurses who practice nursing

are required to have a permit. This permit is given in the form of SIPP or called the nurse

practice license. The administrative sanctions are the same, listed in article 58 of Law no.38

of 2014 concerning nursing in the form of verbal reprimands, written warnings, administrative

fines and/or revocation of permits.

The legal aspects of administration to health services carried out by hospitals are

recorded in article 13 paragraph (1) of Law No. 44 of 2009 concerning Hospitals. The article

states that medical personnel who practice medicine in hospitals are required to have a

Practice License. Then for the hospital permit itself, it is stated in article 25 of Law No.44 of

2009 concerning hospitals which states that every hospital operator is required to have a

permit consisting of an establishment permit and an operational permit.

Sanctions against doctors and dentists are assigned to the Honorary Council of

Indonesian Medical Discipline in Articles 67-69 of Law Number 29 of 2004 concerning

Medical Practice to examine and complain about cases, where in article 67 it is written that

the Honorary Council of Indonesian Medical Disciplines has the right to examine and give

decisions on complaints related to the discipline of doctors and dentists, followed by article

68; If a disciplinary violation is found in the examination, the Indonesian Medical Discipline

Honorary Council forwards the complaint to a professional organization, where in article 69 it

is explained that the sanctions given can be in the form of:

1. Giving written warnings;

Legal Responsibility of Hospitals in Maintaining the Security and Confidentiality of Patients'

Electronic Medical Record Data

Syntax Idea, Vol. 6, No. 06, Juni 2024 2759

2. Recommendation for revocation of registration certificate or practice license and/or;

3. Obligation to attend education or training at a medical or dental education institution.

In this case, the hospital's administrative sanctions will be imposed if the party is proven

to meet points b and c above, where point b if it is proven that it does not meet the standard

requirements in the qualification of health workers' ability to organize medical records,

especially electronic and point c if it is proven that there is an act of misuse of electronic

medical record data. In Article 57 of Law Number 27 of 2022 concerning Personal Data

Protection, administrative sanctions are explained in the second to fifth paragraphs in the form

of;

a. Paragraph (2): Administrative sanctions as intended in paragraph (l) in the form of:

1) Written warning;

2) Temporary suspension of Personal Data processing activities;

3) Deletion or destruction of Personal Data; and/or

4) Administrative denda.

b. Paragraph (3): Administrative sanctions in the form of administrative fines as referred to in

paragraph (2) d up to 2 (two) percent of the annual income or annual receipts for the

violation variables.

c. Paragraph (3): Administrative sanctions in the form of administrative fines as referred to in

paragraph (2) d up to 2 (two) percent of the annual income or annual receipts for the

violation variables.

d. Paragraph (5): Further provisions regarding the procedures for the imposition of

administrative sanctions as referred to in paragraph (3) are regulated in the Government

Regulation.

Civil Law Liability

The hospital is a place where professionals work who carry out their activities based on

the pronunciation of the oath and code of ethics of their profession. Therefore, the Hospital is

required to be able to manage its activities, by prioritizing the responsibility of professionals

in the health sector, especially medical personnel and nursing personnel in carrying out their

duties and authorities (Wahyudi, 2011). However, medical services provided by health

workers at hospitals are not always able to provide results as expected by all parties. There are

times when there is negligence of health workers in these services that causes losses; As in

this context, it is a leak of medical record data, especially electronically, whether intentionally

or not.

Law Number 36 of 2009 concerning Health Article 58 paragraph (1) states that,

"everyone has the right to claim compensation against a person, health worker, and/or health

provider who causes losses due to errors or negligence in the health services he receives".

Based on these provisions, it can be seen that the prosecution of this compensation is either

due to mistake (intentional) or due to negligence in health services, and the prosecution is

directed at a person, health workers or the organizer (Hospital). Meanwhile, based on Law

No. 44 of 2009, the prosecution of losses is only aimed at the hospital, which is caused

specifically by the negligence of health workers in the hospital. Article 46 of Law Number 44

Anthony Anugrah Jeshua, Anak Agung Ngurah Gede Anggra Pramana

2760 Syntax Idea, Vol. 6, No. 06, Juni 2024

of 2009 concerning Hospitals states that, "The Hospital is legally responsible for all losses

incurred due to negligence committed by health workers in the Hospital”.

Civil Liability of Hospitals for Negligence in the Implementation of Electronic Medical Records

Article 46 of the Hospital Law has guaranteed for patients that patients can hold the

hospital accountable if they suffer losses due to negligence committed by health workers in

providing health services. This is in accordance with the provisions contained in Law Number

36 of 2009 concerning Health Article 58 which clearly states that patients can sue or demand

liability to health workers or to health service agencies if they suffer losses due to intentional

or negligent health services.

However, the provisions of Article 46 of the Hospital Law also clearly limit that the

Hospital will only be responsible for losses experienced by patients due to negligence

committed by health workers in providing health services and in accordance with the scope of

their responsibilities at the Hospital. Based on the provisions of the above article, losses

caused by intentionality or medical risks carried out by health workers personally in health

services at the Hospital are not the responsibility of the Hospital and are the responsibility of

the health workers concerned. So that patients cannot sue the Hospital to take responsibility

due to intentionality or medical risks in health services carried out by health workers even

though it occurs in the Hospital itself.

The employer's liability in Article 1367 paragraph (3) of the Civil Code is not only

about responsibility in the work bond, including to a person who is outside the work bond has

been ordered by another person to do a certain job, as long as the person who is ordered to do

the work does his work independently either on his own leader or has done the work on his

instructions. As referred to in Article 1601 letter a of the Civil Code, the employer's liability

for unlawful acts of its employees is: "Labor agreement is an agreement with which one party,

the worker, binds himself to under the orders of the other party, the employer, for a certain

time to perform work by receiving wages”.

Comparing the sound of Article 46 of Law Number 44 of 2009 concerning Hospitals

with Article 1367 of the Civil Code paragraph (3) above, it can be concluded that Article 46

of Law Number 44 of 2009 concerning Hospitals is a derivative or derivative of Article 1367

of the Civil Code paragraph (3) which applies specifically to hospitals, or Article 46 of Law

Number 44 of 2009 is lex specialist.

The provisions of the above Article are also in line with the provisions of the doctrine of

superior respondeat. The doctrine of superior respondeat implies that an employer is a person

who has the right to give instructions and control the actions of his subordinates, both on the

results achieved and on the methods used. In addition, with the development of health laws

and the sophistication of medical technology, hospitals cannot escape from the responsibility

of the work done by their employees, including what is done by the medical staff (Nasution,

2005).

Hospital Civil Liability Compensation

Legal Responsibility of Hospitals in Maintaining the Security and Confidentiality of Patients'

Electronic Medical Record Data

Syntax Idea, Vol. 6, No. 06, Juni 2024 2761

The prosecution of compensation for losses experienced by patients in health services,

both by the patient himself and his family, has been regulated in Law Number 36 of 2009

concerning Health which is formulated in Article 58 paragraph (1) which states, "Everyone

has the right to claim compensation against a person, health worker, and/or health provider

who causes losses due to errors or negligence in the health services he receives”.

There are two forms of compensation due to unlawful acts that are commonly used in

patient lawsuits against health workers and hospitals in some cases, namely material damages

and immaterial damages:

a. Compensation material Ganti

b. Compensation imaterial

The provisions for compensation based on a default lawsuit based on Article 1246 of the

Civil Code will provide losses in the form of costs, losses and interest. However, the liability

provision based on the default lawsuit is the existence of a breach of promise or non-

fulfillment of the content of the agreement, in this case it is a breach of promise or non-

fulfillment of the therapeutic agreement.

The therapeutic agreement or agreement between doctors or health workers and patients

is in terms of achievements that must be fulfilled by doctors or health workers in the form of

seriousness, meticulousness, and prudence based on science and skills and experience as

doctors and health workers in carrying out medical procedures, especially in the

implementation of medical records (Dali, Kasim, & Ajunu, 2019). Where, doctors and health

workers must meet professional standards, medical service standards and standard operating

procedures, if these three things are met, doctors and other health workers can be free from

lawsuits and lawsuits. Based on the description above, the lawsuit is based on default, the

compensation obtained by the patient is compensation based on the content of the therapeutic

agreement that has been previously approved by the patient in obtaining health services. In the

form of compensation, compensation based on default in the form of material compensation,

namely losses that are actually suffered by the victim and the amount can be measured

mathematically. This material remedy is in accordance with the therapeutic agreement that the

patient has previously agreed.

The Civil Code does not expressly or even does not regulate in detail about certain

damages, or about any aspect of compensation, so the judge has the freedom to apply such

compensation in accordance with the principle of propriety, as long as it is indeed requested

by the plaintiff. The justification for the freedom of judges is that the interpretation of the

words loss, cost and interest is very broad and can cover almost everything related to

compensation.

The next guideline can be found in Article 1372 of the Civil Code which states: "... In

assessing each other's matters, the Judge must pay attention to whether or not the insult is

rude as well as the rank, position and ability of both parties and the situation". In article 1372

of the Civil Code, it is emphasized that in deciding the compensation received by the patient

in his lawsuit both to the health worker and to the hospital, the Judge pays attention to the

position, ability and circumstances of the defendant and the plaintiff while still considering

the basis of justice for both.

Anthony Anugrah Jeshua, Anak Agung Ngurah Gede Anggra Pramana

2762 Syntax Idea, Vol. 6, No. 06, Juni 2024

Criminal Law Liability

1. Definition of Criminal Liability

In criminal law, a person cannot be held criminally accountable without first

committing a criminal act, because it would be unfair if suddenly someone had to be

responsible for an action, while he himself did not commit the act. In criminal law, the

concept of criminal liability is a central concept known as the doctrine of error. In Latin,

the teaching of error is known as mens rea. In English, the doctrine is formulated as an act

does not make a person guilty, unless the mind is legally blameworthy . Based on this

principle, there are two conditions that must be met to be able to be punished by a person,

namely forbidden external acts/criminal acts (actus reus) and there is an evil inner attitude

(mens rea) (Dan & Pemidanaan, 2005).

Criminal liability can be interpreted as the continuation of objective reproaches that

exist in criminal acts and subjectively qualify to be punished for their actions. The basis for

a criminal act is the principle of legality, while the basis for a person to be punished is the

principle of guilt. The relationship between criminal liability and the offense is emphasized

by Roeslan Saleh in his book entitled Criminal Acts and Criminal Liability: Two Basic

Definitions in Criminal Law, which states that (Saleh, 2011):

"In fact, whether the perpetrator is convicted or not does not depend on whether there

is a criminal act or not, but whether the defendant is reprehensible or not for committing

the criminal act. Therefore, it is also said that the basis of the existence of a criminal act is

the principle of prohibition and is threatened with punishment whoever commits it, while

the basis of the punishment of the maker is the principle of "not being punished if there is

no wrong".

Based on this explanation, it can be concluded that mistakes are a very important

thing to punish someone. Without it, criminal liability would never exist. Therefore, in

criminal law, the principle of "no crime without guilt" is known (geen straf zonder schuld).

2. Elements of Criminal Liability

Elements of criminal acts and mistakes (intentionality) are central elements in

criminal law. The element of criminal act is located in the objective field followed by the

element of unlawfulness, while the element of criminal liability is a subjective element

consisting of the ability to be responsible and the existence of mistakes (intentionality and

forgetfulness). Based on this, Moeljatno concluded that criminal liability or wrongdoing

according to criminal law consists of three conditions as follows.

a. the ability to be responsible that for the ability to be responsible there must be

(Prodjodikoro, 2015):

b. The ability to distinguish between good and bad deeds which is a factor of reason (2)

the ability to determine one's will according to one's awareness of the good and bad of

the deed which is a factor of feeling or will.

c. There is a mistake of the maker, (1) Intentionality (Dolus). There are two theories

related to the meaning of "intentional", namely the theory of the will and the theory of

knowledge or imagination. It is "intentional" when an effect caused by an action is

Legal Responsibility of Hospitals in Maintaining the Security and Confidentiality of Patients'

Electronic Medical Record Data

Syntax Idea, Vol. 6, No. 06, Juni 2024 2763

imagined as the intention of the action and therefore the action in question is carried out

according to the shadow that was first made. What is meant by forgetfulness is that the

defendant did not intend to violate the prohibition in the law, but he did not heed the

prohibition. In forgetfulness, the defendant did not heed the prohibition so that he was

not careful in doing an act that objectively causal gave rise to the prohibited situation.

According to Moeljatno quoting Van Hamel's statement, forgetfulness contains two

conditions, namely not holding a conjecture as required by law and not holding a

prudence as required by law. Forgetfulness is viewed from the perspective of the

creator's consciousness, so the forgetfulness can be distinguished into two, namely:

Realized forgetfulness and unconscious forgetfulness. There are two reasons for the

abolition of criminal penalties. (1) The reason for the inability to account for a person

lies purely on that person; and (2) the reason for the inability to account for a person

who is located purely outside the person.

In essence, criminal liability is the responsibility of a person for the criminal acts

he commits. It can be said that it is impossible for a person to be held accountable and

sentenced to a crime if he does not commit a criminal act. But even though he has

committed a criminal act, he will not necessarily be sentenced. The perpetrator of a

criminal act will only be punished if he has a mistake in committing the crime.

3. Criminal Liability of Hospitals as a Corporation

In his book entitled "Reviewing the Concept of Corporate Criminal Liability",

Adriano explained that hospitals are legal entities that also have a position as legal subjects

because they are both bearers of rights and obligations. As for the status as a legal subject,

hospitals as corporations can be legally insured with the postulates "Every person who

carries out and carries out legal rights and obligations, then he or she can be held

accountable for the implementation and implementation of these legal rights and

obligations” (Achmad, 2016). However, according to Adriano, RS as a corporation which

is also a legal entity (rechtspersoon) can be equated with a human being (natuurlijke

person) because they both carry legal rights and obligations (Achmad, 2016).

"A corporation, even though according to civil law, can carry out its own legal acts,

but it does not have a physical existence and therefore cannot act in real terms, nor does it

have an inner mind so that the corporation also has no intention to carry out any action or

deed, but by the actions of its managers (Achmad, 2016).”

"A corporation, even though according to civil law, can carry out its own legal acts,

but it does not have a physical existence and therefore cannot act in real terms, nor does it

have an inner mind so that the corporation also has no intention to carry out any action or

deed, but by the actions of its managers (Achmad, 2016).

According to experts, there are two main teachings that are the basis for justification

for being able to impose criminal liability on corporations, namely (1) the Doctrine of

Strict Liability and (2) the Doctrine of Vicarious Liability (Achmad, 2016).

Based on Article 46 of Law Number 44 of 2009 concerning Hospitals, Hospitals as a

corporation are legally responsible for all losses incurred due to negligence committed by

health workers in hospitals. Although the legal responsibility of hospitals to patients in the

Anthony Anugrah Jeshua, Anak Agung Ngurah Gede Anggra Pramana

2764 Syntax Idea, Vol. 6, No. 06, Juni 2024

implementation of health services is born from the relationship between civil law and

administrative law, the implementation of health services also has implications for criminal

law. The legal responsibility of hospitals in the implementation of health services for

patients can be seen from the aspects of professional ethics, administrative law, namely

sanctions for removal of positions against authorized officials, civil law with the payment

of compensation as a form of accountability for the hospital to carry out court decisions

and/or criminal law with a sentence.

Criminal liability has a close relationship with the determination of criminal law

subjects. The subject of criminal law in the provisions of the law is the perpetrator of a

criminal act who can be held accountable for all legal acts he commits as a manifestation

of responsibility for his mistakes against others (victims). Hospitals can be the subject of

criminal law, namely corporations in the form of legal entities (Article 7 paragraph 3 of

Law Number 44 of 2009 concerning Hospitals) Hospitals as subjects of special criminal

law (special legal subjects). The specificity of the subject of hospital law in criminal law is

that it cannot commit a criminal act that is personal and delinquent for functional crimes.

Functional crimes are crimes caused because corporations do not carry out certain

functions as required/required by laws and regulations.

In the United States, there is a concept of holding corporations criminally liable,

namely through the doctrine of superior respondent or vicarious liability. As Russel G.

Thornton said in his journal Responsibility for The Act of Others, which states that

(Thornton, 2010):

“Respondeat superior embodies the general rule that an employer is responsible for

the negligent acts or omissions of its employees. Under respondeat superior an employer is

liable for the negligent act or omission of any employee acting within the course and scope

of his employment.”

In its translation, superior respondent embodies the general rule that employers are

liable for the negligent or negligent actions of their employees. Under the responding

employer, the employer is responsible for the acts of negligence or negligence of the

employee acting within the field and scope of his or her job. According to this doctrine, if

an employee of a corporation commits a criminal act within the scope of his work with the

intention of benefiting the corporation, then his criminal liability can be imposed on the

corporation. This principle aims to prevent companies from protecting themselves and

abdicating responsibility, by delegating illegal company activities to their workers. The

doctrine of vicarious liability usually applies in civil law about unlawful acts (the law of

tort), which is then applied to criminal law. The crime caused by corporations is very large,

one of the victims is workers. Corporations, with their financial power and expertise, can

eliminate evidence of crime.

In addition, proven corporate crimes can also be categorized as transnational crimes

that are organized. It is said that this is because corporate crime involves a systematic

system and its elements that are very conducive. It is said to involve a systematic system

because of the existence of a very solid criminal organization (Criminal Group) both

because of ethnic ties, political interests and interests of other interests, with a clear code of

Legal Responsibility of Hospitals in Maintaining the Security and Confidentiality of Patients'

Electronic Medical Record Data

Syntax Idea, Vol. 6, No. 06, Juni 2024 2765

ethics. Meanwhile, related to the "elements that are very conducive" that in corporate crime

there is always a group (protector) consisting of law enforcement and professional

personnel, among others. and community groups that enjoy the results of the crimes

committed systematically (Harminingtyas, 2014).

However, if it is proven that only individuals commit criminal acts, in Article 2 of

the Criminal Code (KUHP) it is stated, "criminal provisions in Indonesian legislation apply

to every person who commits a crime in Indonesia". The formulation of this Article

stipulates that every person within the jurisdiction of Indonesia, can be held criminally

responsible for the mistakes he makes. For doctors or other health workers, criminally

disclosing medical secrets is threatened with violating Article 322 of the Criminal Code

with a threat of punishment of up to 9 months in prison.

Meanwhile, in the context of a special crime, if it is proven that there is a party who

commits hacking, both inside and outside the members of a hospital, it is also categorized

as a criminal act because it is considered to disturb order in society. It is said to disturb

order in society because it can cause material and moral losses. Material losses in terms of

electronic medical records can be in the form of dismissal from their jobs if it is known

that patients who experience data leaks have certain diseases or medical conditions that are

confidential and known to the public, of course this will be very detrimental. Meanwhile,

moral losses can be in the form of medical photos of patients that are not appropriate to be

seen and then disseminated, so it will be able to have a heavy psychological impact on

patients.

The basis for the application of the Criminal Code to the crime of hacking is listed in

article 167 of the Criminal Code as follows:

Paragraph (1) says that whoever forcibly enters a house, room, or enclosed yard that

is used by another person unlawfully or is unlawfully there, and at his request or order not

to leave immediately, shall be threatened with imprisonment for a maximum of nine

months or a fine of up to four thousand five hundred rupiah.

While paragraph (2) says that whoever enters by damaging or climbing, by using

false keys, false orders or false evil clothes or whoever does not know the right first and

not because of mistake to enter and is caught there at night is considered to have forced

entry.

In terms of threats, paragraph (3) says that if you issue a threat or use a means that

can scare people, you will be threatened with imprisonment for a maximum of one year

and four months.

Paragraph (4) adds that the crime in paragraphs 1 and 3 can be increased by one-third

if the person commits the crime of two or more people by allying.

Meanwhile, in Law Number 19 of 2016 concerning Amendments to Law Number 11

of 2008 concerning Information and Electronic Transactions, hereinafter abbreviated as the

ITE Law, the crime of hacking has been regulated and formulated in articles that can

ensnare the perpetrators of the crime of hacking (hacking). Basically, the crime of hacking

is regulated in general in article 30 of the ITE Law which reads as follows:

Anthony Anugrah Jeshua, Anak Agung Ngurah Gede Anggra Pramana

2766 Syntax Idea, Vol. 6, No. 06, Juni 2024

Paragraph (1) says that every person knowingly and without rights or unlawfully

accesses another Person's Computer and/or Electronic System in any way.

Furthermore, paragraph (2) says that every Person intentionally and without rights or

against the law accesses another person's Computer and/or Electronic System in any way

with the aim of obtaining Electronic Information and/or Electronic Documents.

It is also added in paragraph (3), namely every Person intentionally and without

rights or unlawfully accesses another Person's Computer and/or Electronic System in any

way by violating, breaking through, exceeding, or breaking the security system. The

elements of the crime of hacking contained in the article above are: Every person;

intentionally and without rights or against the law; access another person's computer and/or

electronic system; by any means.

The formulation of hacking as a criminal act in the ITE Law article 30 paragraph (1)

above is threatened with criminal sanctions contained in the criminal provisions of article

46 paragraph (1), namely: "Every person who meets the elements as referred to in article

30 paragraph (1), shall be sentenced to a maximum of 6 (six) years in prison and/or a

maximum fine of Rp 600,000,000.00 (six hundred million rupiah)”.

Meanwhile, the formulation of hacking as a criminal act in the ITE Law article 30

paragraph (2) above is threatened with criminal sanctions contained in the criminal

provisions of article 46 paragraph (2), namely: "Every person who meets the elements as

referred to in article 30 paragraph (2), shall be sentenced to a maximum of 7 (seven) years

in prison and/or a maximum fine of Rp 700,000,000.00 (seven hundred million rupiah)".

Also, the formulation of hacking as a criminal act in the ITE Law article 30

paragraph (3) above is threatened with criminal sanctions contained in the criminal

provisions of article 46 paragraph (3), namely: "Every person who meets the elements as

referred to in article 30 paragraph (3), is sentenced to a maximum of 8 (eight) years in

prison and/or a maximum fine of Rp 800,000,000.00 (eight hundred million rupiah)".

Article 67 of Law Number 27 of 2022 concerning Personal Data Protection also

regulates criminal provisions for parties who are proven to be unlawful. It is explained that

in paragraphs (1)-(3):

Paragraph (1) says that any Person who deliberately and unlawfully obtains or

collects Personal Data that does not belong to him or herself or others with the intention of

benefiting himself or others that may result in the loss of the Personal Data Subject as

referred to in Article 65 paragraph (1) shall be sentenced to imprisonment for a maximum

of 5 (five) years and/or a maximum fine of Rp5,000,000,000, 00 (five billion rupiah).

Meanwhile, paragraph (2), every person who deliberately and unlawfully embezzles

Personal Data that does not belong to him as referred to in Article 65 paragraph (2) shall be

sentenced to a maximum of 4 (four) years in prison and/or a maximum fine of

Rp4,000,000,000.00 (four billion rupiah).

Paragraph (3) says that every Person who deliberately and unlawfully uses Personal

Data that does not belong to him as referred to in Article 65 paragraph (3) shall be

sentenced to imprisonment for a maximum of 5 (five) years and/or a maximum fine of

Rp5,000,000,000.00 (five billion rupiah).

Legal Responsibility of Hospitals in Maintaining the Security and Confidentiality of Patients'

Electronic Medical Record Data

Syntax Idea, Vol. 6, No. 06, Juni 2024 2767

However, in this study, several things are still found that are problems in the

implementation of some of the laws above. Some examples of problems encountered in the

implementation of hospital responsibility in managing electronic medical records today

are:

a. Most of the Health Service Facilities have not been able to change the process of

recording Medical Records Electronically, while the Minister of Health Regulation 269

of 2008 concerning Medical Records has been revoked, so that there is still a legal

vacuum for the creation of conventional and hybrid Medical Records in the form of a

transition from conventional to modern systems, as well as a high possibility for the

unpreparedness of hospitals in protecting patients' electronic data.

b. Electronic Medical Record Documents have not had evidentiary value in court

according to Law No. 8 of 1981 concerning the Criminal Procedure Law which states

that only RM is included as valid evidence as a "letter" in Article 184 paragraph (1) of

the Criminal Procedure Code which states that valid evidence is: witness statements,

expert statements, letters, instructions and statements of the defendant, but not

electronically.

The government has not yet established a special regulation on the technical

implementation of the implementation of Electronic Medical Records by Hospitals and

other Health Service Facilities.

CONCLUSSION

The hospital's legal obligation to the patient's RME is divided into three, namely

administrative legal obligations, civil legal obligations and the obligation not to commit

criminal acts related to the RME data that they physically control. Administrative legal

obligations are based on Articles 46 and 47 of Law Number 44 of 2009 concerning Hospitals,

while civil law obligations are contained in article 1234 of the Civil Code and article 1239 of

the Civil Code. For criminal law obligations contained in Articles 29, 38 and 39 of Law

Number 44 of 2009 concerning Hospitals, articles 46 and 47 of Law Number 29 of 2004

concerning Medical Practice, articles 3, 4, 7, 20, 23, 29, 30 and 32 of the Regulation of the

Minister of Health of the Republic of Indonesia Number 24 of 2022 concerning Medical

Records, as well as article 2, 12, 15, 17 and 25 Regulation of the Minister of Health of the

Republic of Indonesia Number 4 of 2018 concerning Hospital Obligations and Patient

Obligations. Three things that the author can conclude here are: The legal basis of Medical

Records (RM) in the Regulation of the Minister of Health of the Republic of Indonesia

Number 24 of 2022 concerning Medical Records, Electronic Medical Records are only in the

form of documents, so the approval of medical actions cannot be fully valid as legal evidence;

Electronic approval of Medical Actions (electronic signatures) has not been regulated in the

Regulation of the Minister of Health of the Republic of Indonesia Number 24 of 2022

concerning Medical Records; Article 15 of Law Number 27 of 2022 concerning Personal Data

Protection allows the dissemination of data but is not discussed at all in a medical context.

The form of responsibility of the Hospital for the security and confidentiality of patient

electronic medical record data is also divided into administrative law, civil law and criminal

Anthony Anugrah Jeshua, Anak Agung Ngurah Gede Anggra Pramana

2768 Syntax Idea, Vol. 6, No. 06, Juni 2024

law. Administrative sanctions can be imposed on health workers and health service facilities

that are suspected of violating the provisions, including hospitals in Law no. 36 of 2009

concerning health, especially in article 57 paragraph (1) where everyone has the right to the

confidentiality of their personal health conditions that have been submitted to health service

providers written in article 188 paragraph (3) in the form of written warnings, revocation of

temporary permits and/or permanent permits. For now, administrative sanctions for hospitals

related to violations of the implementation of electronic medical records are specifically

regulated by Articles 42-44 of the Regulation of the Minister of Health of the Republic of

Indonesia Number 24 of 2022 concerning Medical Records. As for civil liability, in principle

it is the same as civil law sanctions for violations of not properly conducting informed

consent, while the articles that regulate this are articles 1234, 1239, 1367, 1601, 1365, and

article 1239 of the Civil Code. The form of criminal liability if it is proven that the hospital,

either as a corporation or an individual, commits a criminal act of disclosure of medical

records is written in Article 46 of Law Number 44 of 2009 concerning Hospitals. As for

doctors or other health workers, criminally those who disclose medical secrets are threatened

with violating Article 322 of the Criminal Code with a threat of punishment of up to 9 months

in prison. In the context of the special crime of hacking, it is currently written in Article 167

of the Criminal Code and Article 30 of Law Number 19 of 2016 concerning Information and

Electronic Transactions. Based on the description of the results of the formulation of the

problem above, there are several that the author can conclude here, namely: Permenkes 269 of

2008 concerning Medical Records has been revoked, so that there is still a legal vacuum for

the creation of conventional and hybrid Medical Records; Electronic Medical Record

documents have not had evidentiary value in court according to Law No. 8 of 1981

concerning the Criminal Procedure Code (KUHAP) which states that only RM is included as

valid evidence as a "letter" in Article 184 paragraph (1) of the Criminal Procedure Code;

seems too hasty in setting the deadline for the implementation of RME, which is the end of

2023, while it has not yet formed special regulations on the technical implementation of the

implementation of Electronic Medical Records by Hospitals and other Health Service

Facilities.

BIBLIOGRAFI

Achmad, Ruben. (2016). Aspek Hukum Pidana Dalam Tindak Pidana Perpajakan. Doctrinal,

1(2), 283–304.

Dali, Muh Amin, Kasim, Warsito, & Ajunu, Rabia. (2019). Aspek Hukum Informed Consent

Dan Perjanjian Terapeutik. Akademika, 8(2), 95–106.

Dan, Memahami Tindak Pidana, & Pemidanaan, Syarat. (2005). Asas-Asas Hukum Pidana.

Gemala, R. Hatta. (2008). Pedoman Manajemen Informasi Kesehatan Di Sarana Pelayanan

Kesehatan. Penerbit Universitas Indonesia. Jakarta.

Hapsari, Cinthia Mutiara. (2014). Kajian Yuridis Pemakaian Rekam Medis Elektronik Di

Rumah Sakit. Universitas Islam Indonesia.

Harminingtyas, Rudika. (2014). Analisis Layanan Website Sebagai Media Promosi, Media

Transaksi Dan Media Informasi Dan Pengaruhnya Terhadap Brand Image Perusahaan

Pada Hotel Ciputra Di Kota Semarang. Jurnal Stie Semarang (Edisi Elektronik), 6(3),

37–57.

Legal Responsibility of Hospitals in Maintaining the Security and Confidentiality of Patients'

Electronic Medical Record Data

Syntax Idea, Vol. 6, No. 06, Juni 2024 2769

Kelsen, Hans. (2019). Teori Hukum Murni: Dasar-Dasar Ilmu Hukum Normatif. Nusamedia.

Nasution, Bahder Johan. (2005). Hukum Kesehatan: Pertanggungjawaban Dokter. Rineka

Cipta.

Prasada, Made Yogi, & Mudana, I. Nyoman. (2014). Tanggung Jawab Rumah Sakit Terhadap

Kerahasiaan Rekam Medis (Medical Record). Kartha Semaya, 2(2), 1–6.

Prodjodikoro, Wirjono. (2015). Asas-Asas Hukum Perjanjian. Cet Ke-10. Jakarta: Bale

Bandung.

Purba, Erlindai, & Yulita, Tania. (2018). Analisis Sistem Pelepasan Informasi Rekam Medis

Dalam Menjamin Aspek Hukum Kerahasiaan Rekam Medis Di Rumah Sakit Imelda

Pekerja Indonesia Medan Tahun 2018. Jurnal Ilmiah Perekam Dan Informasi Kesehatan

Imelda (Jipiki), 3(1), 394–403.

Rifa’i, Iman Jalaludin. (2023). Ruang Lingkup Metode Penelitian Hukum. Metodologi

Penelitian Hukum, 6.

Riyanto, Galuh Putri. (2022). Pengguna Internet Di Indonesia Tembus 210 Juta Pada 2022.

Compas. Com [Internet].

Saleh, Roeslan. (2011). Perbuatan Pidana Dan Pertanggungjawaban Pidana, Dalam Mahrus

Ali. Dasar-Dasar Hukum Pidana.

Thornton, Russell G. (2010). Responsibility For The Acts Of Others. Baylor University

Medical Center Proceedings, 23(3), 313–315. Taylor & Francis.

Wahyudi, Setya. (2011). Tanggung Jawab Rumah Sakit Terhadap Kerugian Akibat Kelalaian

Tenaga Kesehatan Dan Implikasinya. Jurnal Dinamika Hukum, 11(3), 505–521.

Anthony Anugrah Jeshua, Anak Agung Ngurah Gede Anggra Pramana (2024)

First publication right:

Syntax Idea

This article is licensed under: