Ippocra: The way to store and manage reports easily.

Are your reports kept in accordance with the law?

When a doctor creates a report, how long must it be retained and how?

According to the Ministry of Health circular No. 900 dated 19 December 1986, clinical records and their related reports must be kept indefinitely, as official documents essential for guaranteeing legal certainty and serving as a health‑historical source. The previous regulation (art. 17 DPR 128/1969) set a minimum of 10 years from the patient’s discharge, which today is considered the mandatory minimum. In practice, permanent retention of clinical documents is the most common approach.

If supplementary diagnostic documentation is present—such as specific diagnostic exams—minimum retention periods also apply. For example, radiographs must be kept for at least 20 years. Other documentation (ultrasounds, laboratory reports, specialist examinations) should be retained for the same period if stored separately, or indefinitely if incorporated into the clinical record.

There are exceptions: for minor patients, documentation is usually kept longer, at least until 10 years after reaching adulthood. In matters of occupational injuries or professional exposures, the law requires retention for up to 40 years.

Medical report: who can access it?

Health documentation contains special categories of personal data, protected by EU Regulation 2016/679 (GDPR) and Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018.

GENERAL PRINCIPLES:

  • Purpose: data may be processed and retained without specific consent when processing is necessary for health‑care provision or a legal obligation (art. 9 GDPR).
  • Limitation and minimisation: the storage‑limitation principle (art. 5 GDPR) allows exceptions when retention is imposed by law or needed for legal defence. The retention obligations listed above therefore constitute the legal basis for prolonged storage.
  • Security: data controllers must adopt appropriate technical and organisational measures to ensure confidentiality, integrity and availability of health data (art. 32 GDPR). These include encryption, backups, access controls, audit trails and digital storage compliant with the Digital Administration Code (Legislative Decree 82/2005).

What happens if these obligations are not respected?

  • Civil and criminal liability: the clinical record is an official document. Failure to compile it or loss of reports can lead to professional, disciplinary and, in severe cases, criminal liability (e.g., false public act for public facilities).
  • Administrative fines: breaching security and retention obligations constitutes a GDPR violation, with penalties of up to €20 million or 4% of worldwide annual turnover.
  • Reputational risk: loss or improper disclosure of health reports can erode patient trust and severely damage the professional’s or institution’s image.

Data‑protection rules and professional secrecy restrict access to medical reports to authorized parties only, based on the necessity principle.

Patient (data subject)

The patient holds the right of access to his/her health data. Under art. 15 GDPR and art. 7 of the Italian Privacy Code, he/she may obtain at any time a complete, understandable copy of his/her reports and clinical records. Ippocra enables the patient to access his/her documents securely and continuously, even years later, ensuring full availability of the information.

Doctor or health professional

The physician who authored the report, as well as other health professionals involved in the patient’s care, may access the data within the limits of their duties. This access is grounded in the “need‑to‑know” principle: each operator can view only the data strictly necessary for his/her assistance activity.

Healthcare facilities and authorised staff

Within a healthcare facility, access to reports may be granted to:

  • doctors who subsequently take charge of the patient;
  • nurses and allied health technicians involved in the care process;
  • administrative personnel, limited to the data needed for document management.

The facility, as data controller, must define roles and authorization profiles, adopting security measures such as individual credentials and access‑traceability. The patient also has the right to know, where applicable, who has consulted his/her data.

External parties

Third parties (insurers, employers, non‑delegated family members) cannot access reports unless expressly authorized by the patient or required by law. For minors, the right of access belongs to parents or legal guardians.

Ippocra: the solution for proper report preservation

Correctly managing the archiving, access and viewing of reports is highly complex; therefore Ippocra offers an intuitive, immediate solution to the problem.

Our Business‑admin users can now invite specialist doctors to their plan, allowing them to use the system to archive reports in a GDPR‑compliant manner.

Doctors can be invited in two ways:

  • Collaborator mode, when the doctor works with the polyclinic as a private practitioner;
  • Employee mode, when the doctor is employed by the polyclinic.

This distinction is crucial for how the polyclinic staff’s access to and viewing of reports is handled: each role sees only the level of detail it needs, which keeps patient privacy as high as possible.

Ippocra staff do not access report contents except where strictly necessary for the technical provision of the service. As data processor, they are bound by confidentiality and must process data only on the controller’s instructions. Data are not disclosed to third parties except to fulfil legal obligations or upon order of a competent authority.

Security and access control

The Ippocra platform implements:

  • Secure authentication for all users (patients, doctors, facilities);
  • Granular permissions for different roles;
  • Logging of every access (audit trail) to guarantee traceability and compliance with GDPR’s accountability principle;
  • Encryption and data isolation to prevent unauthorised access.

These features allow Ippocra to provide a compliant, reliable digital channel for information exchange between doctor and patient, replacing insecure methods such as email or physical media.
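To make the access rules above concrete (patient, author or care team, administrative staff limited to document metadata, third parties only with express patient authorization) together with the audit trail the patient may consult, here is an added illustration in Python. It is not Ippocra’s code; the roles, scopes and sample identifiers are assumptions chosen to mirror the text.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Report:
    report_id: str
    patient_id: str
    author_id: str
    care_team: frozenset                         # professionals currently involved in this patient's care
    guardians: frozenset = frozenset()           # legal guardians (minor patients)
    patient_authorized: frozenset = frozenset()  # third parties the patient has expressly authorized


@dataclass(frozen=True)
class Requester:
    user_id: str
    role: str  # "patient", "guardian", "doctor", "nurse", "admin" or "third_party" (hypothetical role names)


AUDIT_LOG: list[dict] = []  # every decision is recorded, whether allowed or refused


def decide(report: Report, who: Requester, scope: str) -> tuple[bool, str]:
    """Need-to-know check. scope is "content" (the report itself) or
    "metadata" (title, date, patient reference: what document handling needs)."""
    uid, role = who.user_id, who.role
    if role == "patient":
        return uid == report.patient_id, "data subject (art. 15 GDPR)"
    if role == "guardian":
        return uid in report.guardians, "legal guardian of a minor patient"
    if role in ("doctor", "nurse"):
        involved = uid == report.author_id or uid in report.care_team
        return involved, ("author or member of the care team" if involved else "not involved in care")
    if role == "admin":
        # administrative staff see only what document management requires, never the clinical content
        return scope == "metadata", "administrative staff limited to document metadata"
    if role == "third_party":
        return uid in report.patient_authorized, "express patient authorization required"
    return False, "unknown role"


def request_access(report: Report, who: Requester, scope: str = "content") -> bool:
    """Apply the policy and write an audit entry (the accountability principle, art. 5 GDPR)."""
    allowed, reason = decide(report, who, scope)
    AUDIT_LOG.append({"at": datetime.now(timezone.utc).isoformat(), "user": who.user_id,
                      "role": who.role, "report": report.report_id, "scope": scope,
                      "allowed": allowed, "reason": reason})
    return allowed


def who_consulted(report_id: str) -> list[str]:
    """What the patient may ask for: which users actually accessed the report content."""
    return sorted({e["user"] for e in AUDIT_LOG
                   if e["report"] == report_id and e["allowed"] and e["scope"] == "content"})
```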

How to invite a collaborator to the plan

To invite a collaborator, the plan administrator must go to Plan > Manage Doctors.

Here you can invite a new Doctor as a collaborator or employee. Just enter an email address and click Send invitation.


The Doctor will receive an invitation email, with the option to create a user account and join the plan.

Each Doctor can belong to multiple plans—for example, one plan per polyclinic they work with, and a dedicated plan for private patient visits.

Want a free demo today to see how Ippocra can become the solution for orderly management of your reports? Write to info@ippocra.com or fill out the form.
