sharing medical data a major legal risk in Vietnam

Global Referral Group

Clinics, hospitals, testing laboratories, insurance companies, and health technology platforms frequently exchange patient data to serve professional procedures. The volume of data shared includes various specific categories of information:

  • Basic identification information including full names, phone numbers, and citizen identification or passport numbers.
  • Medical examination records and treatment history.
  • Analytical results from testing laboratories.
  • Clinical diagnoses and medical prescriptions.
  • Financial payment information and health insurance claims.

According to the regulations in Law No. 91/2025/QH15 on Personal Data Protection, all the aforementioned groups of information are classified into the category of sensitive personal data, specifically health data. This classification sets stringent compliance standards for every organization involved in the storage and transfer of information.

If organizations only sign standard service provision contracts without attaching specialized data processing clauses, the parties will lack a legal basis to resolve core issues. Specifically, the parties will not be able to determine which organization acts as the data controller and which organization acts as the data processor. The purpose of data use is not clearly limited, leading to the risk of partners arbitrarily storing, analyzing, or forwarding data to a third party. Furthermore, when a medical data leakage incident occurs, determining the liability for damages will encounter many legal obstacles.

The main message is that when there is an activity of sharing personal data or health data between parties, organizations are strictly required to establish a Data Processing Agreement or integrate clear data processing clauses into the main contract to comply with Law No. 91/2025/QH15 and implementing guiding documents.

1. What is a Data Processing Agreement ?

1.1. Practical concept

A Data Processing Agreement is a legal document specifying how one party is authorized to receive, use, store, secure, destroy, or forward personal data provided by another party. This is a fundamental legal tool to concretize compliance obligations under Law No. 91/2025/QH15 into actual implementation processes between two organizations.

In the context of medical operations, this agreement is often strictly applied in the following cases:

  • A clinic sends biological samples along with patient identification information to an independent testing laboratory.
  • A hospital or clinic sends medical records to an insurance company to process claim procedures.
  • A medical facility uses an appointment booking platform or a telehealth platform to manage patient information.
  • A hospital information system or customer relationship management software provider stores patient data on its servers.
  • A medical facility hires organizations to conduct marketing communications and medical customer care that have access to patient lists.

1.2. Is a Data Processing Agreement a separate contract ?

Regarding legal form, enterprises can choose two establishment methods depending on the nature and scale of the transaction.

  • The first method is signing a Data Processing Agreement completely independent of the main commercial contract.
  • The second method is directly integrating data processing clauses into the main service contract or establishing them as an attached appendix.

A practical example of the second method includes signing a testing service contract with a specialized appendix on data protection. Another example is integrating personal data protection clauses in a hospital fee guarantee cooperation contract. Health technology companies also frequently issue a Data Processing Agreement accompanying their software platform licensing contracts.

1.3. Why not just use a non-disclosure agreement ?

Many businesses often use a non-disclosure agreement instead of a Data Processing Agreement. A non-disclosure agreement solely focuses on a single obligation to keep commercial information confidential, preventing disclosure to third parties.

A Data Processing Agreement is a document with a much broader scope of regulation. This document establishes the legal framework for the entire data lifecycle, including:

  • Defining the lawful purpose of data processing.
  • Limiting the scope of data permitted for intervention.
  • Determining the legal role of each party.
  • Regulating procedures to respond to data subject rights.
  • Fixing the maximum retention period and the mechanism for mandatory deletion or return of data.
  • Controlling data transfers to third parties.
  • Establishing data incident notification procedures.
  • Setting up audit rights and reporting to prove legal compliance.

2. When is a Data Processing Agreement required in medical operations ?

2.1. Clinics and hospitals sharing data with testing laboratories

A daily information transfer activity at medical facilities is sending patient data to independent testing laboratories. This process involves sending patient information to perform analysis, sending biological samples with medical indication forms, receiving electronic testing results, storing results on the testing laboratory’s private software system, and transferring results via email, application programming interfaces, or electronic information portals.

This cooperation process poses legal risks that must be strictly controlled in the agreement:

  • It is necessary to determine whether the testing laboratory has the right to use genetic data for research, statistics, or artificial intelligence model training purposes without the patient’s consent.
  • It is necessary to restrict whether the testing laboratory can arbitrarily transfer samples or data to another subsidiary testing laboratory.
  • It is necessary to clearly fix how long testing results are allowed to be stored to ensure compliance with specialized regulations.
  • It is necessary to regulate which organization’s responsibility it is to notify state agencies and patients if a data leakage incident occurs.

2.2. Medical facilities sharing data with insurance companies

The connection between medical facilities and insurance companies requires the continuous transfer of data to verify insurance benefits, submit claim dossiers, and transmit invoices, diagnoses, medical indications, and subclinical results via specialized insurance portals or email.

Legal risks that need to be handled in this document include:

  • Ensuring there is a legal basis and valid consent from the patient for information sharing per the requirements of Article 10 of the Law on Medical Examination and Treatment 2023 and Law No. 91/2025/QH15.
  • Strictly limiting the insurance company to only using medical data for the purpose of resolving claim benefits.
  • Clarifying the insurance company’s authority in sharing medical records with reinsurance organizations, independent medical assessors, or third-party claim processing partners.
  • Establishing a mechanism for destroying medical records after the compensation process concludes, except for data strictly required to be retained under insurance business laws.

2.3. Clinics using appointment booking platforms, management software, and customer care applications

The application of technology drives medical facilities to use third-party platforms to collect appointment booking information, send automated appointment reminder messages, store patient interaction history, connect with internal management software, integrate payments, and link with electronic health records per regulations in Decree No. 102/2025/ND-CP.

Legal issues that need to be clearly regulated in this case include:

  • Clearly determining whether the platform provider acts as a data processor or a joint data controller.
  • Prohibiting the platform from arbitrarily using health data to run advertisements, analyze consumer behavior, or conduct remarketing if unapproved by the patient.
  • Checking the location of data storage servers to comply with cross-border data transfer regulations.
  • Requiring the platform provider to have an automatic data deletion or return mechanism upon termination of the service contract.

2.4. Medical facilities hiring third parties for marketing and customer care

Many medical facilities use services from advertising agencies, consulting call centers, automated email delivery solution providers, or organizations conducting patient satisfaction surveys.

The greatest legal risk lies in controlling information security:

  • It is necessary to limit the third party’s access level to sensitive health data.
  • Prohibiting third parties from using the clinic’s customer list to serve their independent business purposes.
  • Prohibiting the act of uploading the entire patient database to international advertising platforms without preparing an impact assessment dossier submitted to the Ministry of Public Security per the requirements of Decree No. 356/2025/ND-CP.
  • Requiring a mechanism to revoke access rights and permanently delete data after the communication campaign ends.

3. Determining the roles of parties before drafting a Data Processing Agreement

Accurately positioning the legal status of each organization according to regulations in Law No. 91/2025/QH15 is a mandatory requirement to determine the liability allocation mechanism. Legal experts should not assume all technology service providers are data processors but must analyze the actual operational flow to assess the decision-making power over the purpose of use.

3.1. Personal Data Controller

A personal data controller is an organization with the authority to make decisions regarding the purpose and means of data processing. This organization decides what data to collect, from whom to collect it, what to process it for, to whom to share it, how long to store it, and which technological system to apply. A typical example is clinics deciding to collect patient information to serve medical examination and treatment activities. The controller must bear the highest accountability to state management agencies and directly process requests from data subjects.

3.2. Personal Data Processor

A personal data processor is an organization that performs data processing activities based on authorization and written instructions from the controller. This status does not allow the organization to arbitrarily change the purpose of using information. Examples include software providers storing medical record systems, testing laboratories analyzing biological samples according to indication forms, call centers making appointment reminder calls based on lists provided by clinics, or telecommunications units in charge of sending automated messages.

3.3. Personal Data Controller and Processor

This case occurs when an organization carries dual statuses simultaneously, including making its own decisions regarding the purpose of data use and directly operating the infrastructure to process such data. A common example is comprehensive digital health platforms. These platforms collect user information themselves, decide on data analysis purposes to personalize services, develop new products, or run advertising algorithms. This organization must bear all the legal obligations of both aforementioned roles.

3.4. Joint Data Controller

The joint data controller status arises when two or more organizations cooperate, agree, and make decisions together regarding the purpose as well as the method of processing personal data. Medical practice records this case when a clinic system combines with a technology company to jointly design a patient care management program, or when a hospital strategically partners with an insurance company to deploy a medical examination package integrated with direct payment.

4. Mandatory and recommended contents in a Data Processing Agreement

To establish a safe legal basis, a data processing agreement document in healthcare must comprehensively regulate the data lifecycle per the requirements of Law No. 91/2025/QH15 and Decree No. 356/2025/ND-CP.

4.1. Description of shared data

The agreement needs to detail the types of personal data to be circulated. Most importantly, it must clearly delineate the existence of sensitive personal data to apply corresponding security standards. The parties need to list the group of data subjects, data generation sources, storage formats, and transmission methods. Medical data includes identification information, contact information, patient codes, medical examination history, testing results, clinical diagnoses, prescriptions, health insurance records, and financial payment data.

4.2. Purpose of data processing

The agreement must record processing purposes specifically, strictly avoiding the use of broad terms such as serving business operations. Appropriate lawful purposes include performing testing analysis exactly according to indication forms, returning electronic results to higher-level medical facilities, verifying the validity of insurance benefits, resolving claim dossiers, sending appointment reminder notices, operating internal management software systems, and supporting system technical maintenance. The agreement must establish barriers preventing unauthorized processing purposes without separate consent, including advertising, cross-selling services, behavioral analysis, artificial intelligence model training, transferring to commercial partners, or creating datasets for scientific research.

4.3. Legal basis for data processing

All interventions into medical data must be based on a legal basis per regulations. The agreement needs to determine clearly whether this processing is based on the clear and verifiable consent of the data subject, and whether the data processing notice content meets transparency requirements under regulations in Decree No. 356/2025/ND-CP. When proceeding to share data with an insurance company, medical facilities need to require the partner to provide evidence that the patient has signed a valid authorization document. Regarding health data, organizations must apply the highest level of sensitive data protection measures.

4.4. Permitted processing scope

Based on the principle of data minimization, the receiving party is only allowed to access and extract information fields strictly necessary to perform professional work. The processor is prohibited from using medical data for private commercial purposes, prohibited from illegally copying data to external devices, prohibited from forwarding information to other organizations without written approval from the controller, and prohibited from combining medical data with external data sources.

4.5. Storage duration

The agreement must strictly fix a specific data storage period. The document needs to clarify when data must be deleted, when it must be returned to the controller, and the processing procedure for backup copies. In cases where specialized laws require continued storage, the agreement must cite the clear legal basis. For practical example, testing laboratories must store testing result data according to the duration prescribed by specialized medical laws, while appointment booking platforms are strictly required to delete or anonymize all information immediately after contract termination, except for data serving financial dispute reconciliation.

4.6. Data security and safety

Data protection measures must be established based on rigorous technical standards. The agreement needs to include specific technical and organizational measures as follows:

  • Establishing information access authorization systems.
  • Encrypting all data in transit and at rest states.
  • Recording system access logs to serve investigation supervision.
  • Deploying multi-factor authentication mechanisms for systems containing sensitive data.
  • Performing data backups and strictly controlling external devices.
  • Organizing periodic security awareness training for personnel.
  • Requiring formal written confidentiality commitments for all employees and subcontractors.
  • Developing cyber information safety incident response and handling procedures.

4.7. Data transfer to third parties or sub-processors

In the technology service environment, the main processor frequently utilizes subcontractors. The agreement needs to regulate principles controlling the participation of these organizations. The document needs to clarify whether the processor is allowed to hire sub-processors, whether prior notification is required, and whether formal written approval from the controller must be received. The agreement must provide a list of approved sub-processors, such as cloud server providers, automated message delivery system operators, paper record storage units, data analysis organizations, technical support units, or subsidiary testing laboratories. The agreement must bind the sub-processor to sign an equivalent data protection contract and affirm that the main processor must bear full legal responsibility for all violations by the sub-processor.

4.8. Cross-border data transfer

This is a critical compliance risk point under Law No. 91/2025/QH15. The parties need to comprehensively check whether server systems are located abroad, whether a parent company in another country has data access rights, whether the storage cloud platform belongs to an international provider, or whether international reinsurance partners receive records. If cross-border data transfer arises, the agreement must clearly record the country or territory where data is stored. The document must regulate the responsibility to prepare and submit a cross-border personal data transfer impact assessment dossier to the Ministry of Public Security per regulations in Decree No. 356/2025/ND-CP, while simultaneously establishing a mechanism to notify immediately upon any change in data processing locations.

4.9. Rights of data subjects

Patients possess fundamental legal rights over personal data according to the provisions of Law No. 91/2025/QH15. The agreement must establish a coordination mechanism among organizations when data subjects request to execute the right to know, the right to withdraw consent, the right to access data, the right to request correction, the right to delete data, the right to restrict processing, the right to object, and the right to complain. The mandatory execution principle is that the data processor must not arbitrarily respond to the patient’s request without specific agreement but must forward the request to the data controller for assessment and resolution direction.

4.10. Data incident notification and handling

The agreement needs to provide a comprehensive definition of data incidents. Typical examples include an employee sending wrong testing results, an email containing patient records being leaked, personnel accounts being compromised, service provider partners being attacked by ransomware, or technical employees downloading patient lists illegally. The document must strictly regulate the internal notification time limit in units of hours from the time the incident is discovered. The agreement needs to state the mandatory contents of the initial notification, appoint the focal point responsible for handling, regulate the obligation to cooperate in investigations, the mechanism for allocating damage recovery costs, and the obligation to notify competent state agencies within the statutory time limit.

4.11. Audit and compliance proof

The data controller has the right to monitor the partner’s compliance level to limit joint liability risks. The agreement needs to regulate the right to request the provision of internal security policies, the provision of specialized information safety certificates, allow periodic inspections of infrastructure systems, submit periodic security incident reports, report updated sub-contractor lists, and submit confirmation minutes of data destruction upon project completion.

4.12. Deletion or return of data upon contract termination

The contract liquidation phase is a time prone to data leakage. The agreement needs to regulate a mandatory time limit to execute the return or complete deletion of data from servers. The document must clarify the file format when returning data, the destruction procedure for backup copies, and the obligation to provide legal documents confirming the completion of data deletion. The agreement also needs to state exceptions when specialized laws require continued storage, and strictly prohibit the intentional retention of data to serve private commercial purposes.

5. Standard structure of a Data Processing Agreement

To meet the rigorous standards of data protection laws, a standard data processing agreement in the medical field needs to be structured into twelve core sections as follows: Attached Link

6. Practical checklist before signing a Data Processing Agreement

6.1. Checklist for clinics and hospitals

6.2. Checklist for testing laboratories

6.3. Checklist for insurance companies

6.4. Checklist for health technology platforms

The link for sample checklist

7. Common mistakes when sharing data with third parties

In practical contract negotiations, medical organizations frequently make mistakes in data governance, leading to the risk of penalties under fine levels prescribed in Article 8 of Law No. 91/2025/QH15, which can reach up to three billion VND or five percent of total revenue. Separately, for the act of disclosing medical records, organizations can be additionally penalized under Decree No. 117/2020/ND-CP.

Common mistakes list

8. Reference sample clauses

Medical organizations can directly consult the following legal language structures to apply in commercial contract negotiation processes.

Sample clauses

9. Frequently Asked Questions

9.1. Is a data processing agreement mandatory in all data sharing cases ?

Under the spirit of Law No. 91/2025/QH15, it is not mandatory in all cases to have a document exactly named a data processing agreement. However, when an organization has activities of sharing, transferring, or entrusting personal data processing to a third party, especially the sensitive health data group, the parties are strictly required to establish clear data processing clauses to allocate responsibility and prove compliance before state management agencies.

9.2. Can a non-disclosure agreement replace a data processing agreement ?

In terms of governance principles, it is completely irreplaceable. A non-disclosure agreement only regulates the obligation to keep commercial secrets confidential. Meanwhile, a data processing agreement regulates the entire data lifecycle process, including determining purposes, limiting scope, managing subcontractors, handling security incidents, and data destruction procedures.

9.3. Does a clinic sending testing samples to a testing laboratory need a data processing agreement ?

Establishing a data processing agreement is extremely necessary. Testing laboratories continuously receive patient information and health data to perform professional analyses. Without an agreement or data processing clauses, both organizations will not be able to clarify responsibilities when data is used for wrong purposes, stored beyond statutory time limits, or leaked illegally.

9.4. Are insurance companies allowed to request the provision of patient medical records ?

Insurance organizations have the right to receive medical records if they possess appropriate legal bases, such as having transparent consent or valid authorization documents from the insurance participants themselves. However, the sharing of this information must be strictly limited to the purpose of resolving claim dossiers or appraising risks, accompanied by specialized health data protection mechanisms.

9.5. Is it correct that appointment booking technology platforms play the role of data processors ?

The legal role depends entirely on that platform’s business model and technical operational methods. If the platform solely passively processes data according to the clinic’s instructions, that organization plays the role of a data processor. If the platform decides on the purpose of using information to analyze, run advertisements, or develop private products, that platform has transformed its status into a data controller or joint data controller.

9.6. Are medical facilities allowed to use patient data to train artificial intelligence technology ?

Medical facilities must not arbitrarily perform this activity if a solid legal basis has not been established. The application of patient data in training technology systems is only conducted when the organization has transparent notifications, obtains appropriate consent, and establishes separate clause systems regarding purposes, scope, anonymization mechanisms, and data security per the exact standards of Law No. 91/2025/QH15.

10. Conclusion

If your enterprise’s clinic, medical testing laboratory, insurance company, or digital health platform organization engages in continuous activities of sharing patient data with third parties, standardizing data processing agreement documents is a mandatory required step.

Strictly deploying this activity helps minimize legal risks, protects the integrity of health data, and comprehensively meets personal data protection compliance requirements under regulations of Law No. 91/2025/QH15, Decree No. 102/2025/ND-CP, and Decree No. 356/2025/ND-CP.

Harley Miller Law Firm provides in-depth legal services for enterprises in reviewing, drafting, and negotiating data processing agreements, privacy protection clauses, personal data protection consent forms, as well as completing comprehensive data compliance dossiers for organizations operating in the medical sector.

This article is for informational purposes only and does not replace professional legal advice. For support tailored to your situation, please contact HMLF lawyers.

 

See our latest News

Minh Nguyễn Hoàng

Why is sharing medical data a major legal risk in Vietnam?

July 7, 2026

Gustavo D'Acol Cardoso

Civil assignment of judicial credits and its implications...

July 6, 2026

Richard Acheampong

The Rise of Failure to Prevent Offences in UK Corporate C...

July 6, 2026

Minh Nguyễn Hoàng

Legal Framework for Entering the Vietnam Aviation Market

July 6, 2026

¿Quién es el mejor abogado en delitos de agresión sexual ...

July 6, 2026

Minh Nguyễn Hoàng

Dossier for Applying for a Clinic Operation License in Vi...

July 1, 2026

¿Quién es el mejor abogado penalista de España en 2026? C...

June 28, 2026

¿Quién es el mejor abogado en delitos de tráfico de droga...

June 28, 2026

Minh Nguyễn Hoàng

Clinics Operating Licenses in Vietnam

June 28, 2026

Minh Nguyễn Hoàng

Legal Compliance for Operating Clinics and Hospitals in V...

June 28, 2026