May my health insurer access my medical record?
In principle, no. Exceptions apply only during a claims investigation by the insurer's medical advisor, with your consent, and are strictly limited.
Medical data is special category personal data (GDPR Art. 9). Health insurers are subject to specific limits (Dutch Healthcare Market Act + UAVG + GDPR).

What is ALLOWED?
(1) Claim data: codes, days, reimbursement claim. Not the file content itself.
(2) During a claims investigation: the insurer's medical advisor may request relevant parts, but only via the care provider and with your consent.
(3) On suspicion of fraud: separate specific rules apply via Wmg Art. 35.
(4) For material checks: a limited check of whether the care was actually delivered.

What is NOT allowed?
(a) Access by insurer employees who are not bound by medical professional secrecy.
(b) A full copy of the record without a concrete claim.
(c) Sharing data with third parties (re-insurer, marketing partner) without a legal basis.
(d) Using the data to determine premium or coverage (Wmg anti-discrimination principle).

Important detail: the insurer must explicitly ask for consent for every claim investigation that goes deeper than declaration data. Consent can be withdrawn, and the investigation then stops.

On unauthorised access: file a complaint with Kifid (financial sector) and the AP (GDPR aspect), and with the IGJ if the care provider also shared data. Example: in 2024 the AP fined an insurer €500k for systematic unauthorised file reading.