The Swiss Federal Office of Public Health (SFOPH) has reissued Circular 7.1 – Supervision by the FOPH of areas relevant to data protection in accordance with the KVAG, KVAV, KVG and KVV. The current version of the circular (KS), addressed to health insurers, has been in effect since Jan. 1, 2022 and replaces the previous version dated Dec. 17, 2015. The old version can be found here, a delta view here.
General direction
The new version aims only to make the data protection requirements specific to health insurance more concrete. Other data protection requirements are therefore no longer addressed, unlike in the previous version. This concerns, for example, the requirements for processing regulations, but also outsourcing. However, the FOPH states that this does not imply any loosening. In the area of general data protection, the FOPH continues to expect conduct in compliance with the law and, as part of corporate governance, an appropriate compliance management system and an effective ICS which helps to prevent or detect violations of data protection law at an early stage and ensures appropriate risk management.
This is also the FOPH's focus: risk management must appropriately capture at least the following risks:
- Misuse of personal data
- IT role assignments and access authorizations that do not comply with data protection requirements
- Unqualified data protection officer
- Organization of the confidential medical service (VAD) not in compliance with the law
- Absence of processing regulations
- Missing or incorrect processes of the DRG inspection body, loss of the certificate
- Insufficient safety specifications in the digitization process
- Failure to comply with legal reporting requirements
- Lack of monitoring of outsourcing partners who process (particularly sensitive) personal data.
Here, the BAG reviews the documentation of risk management and the ICS; however, the FDPIC remains responsible for overseeing substantive compliance with data protection law.
Adjustments and innovations
Besides the deletions, the current KS also contains new and adapted sections. New is the short section on supervision by the BAG and on the delimitation of competences vis-à-vis the FDPIC (and on coordination between the two).
Also new is a separate section on data processing pursuant to Art. 84 KVG and on the disclosure of personal data pursuant to Art. 84a KVG:
The FOPH first recalls the role of the DPA as framework legislation, which applies insofar as it is not overridden by the special norms of health insurance law. It also emphasizes the importance of the principles of legality, purpose limitation and recognizability:
“… personal data may also be used only for the performance of tasks within the same purpose framework as those tasks for the fulfillment of which they were collected. The purpose of the data processing must be recognizable to the data subject. Based on these principles, the FOPH calls upon insurers to strictly comply with the principles of proportionality and purpose limitation and to process personal data only within the scope of a task assigned to them by the KVG or the KVAG and not for other purposes.”
From this, the BAG derives the following:
For example, the processing of health data and personality profiles of insured persons for the identification of special target groups for a letter of recommendation for health-promoting measures or for medications is not compatible with the aforementioned legal foundations. A targeted health- or disease-specific recommendation to selected insured persons is not covered by Art. 84 KVG because it is not an implementation task of the insurer assigned under the KVG or KVAG.
In substance, the BAG thus already prohibits profiling in the area of the OKP under current law, insofar as it serves recommendations, i.e. before the entry into force of the revDSG, which requires an (explicit) basis in a formal law for profiling by federal bodies. The following further statement by the FOPH, made in connection with the prohibition of disclosure in Art. 84a KVG, points in the same direction:
Equally incompatible with the principle of purpose limitation is a categorization or scoring of the insured on the basis of an evaluation of their individual KVG data (e.g., premium and benefit data), so that insured persons can be contacted in a targeted manner for marketing measures, especially in the VVG area or for offers from partner companies of the insurer.
Statements by the FOPH can also be found on the prohibition of disclosure in Art. 84a KVG (in conjunction with Art. 33 ATSG and Art. 54 para. 1 lit. d KVAG):
- Data exchange with the coordinating entity (telemedicine center, primary care provider) is permitted as part of a special form of insurance (Art. 41 Para. 4 and Art. 62 KVG; AVM), insofar as it is necessary for enforcement and insofar as the insured person is informed prior to the conclusion of the AVM which type of personal data will be disclosed to which recipients and for what purpose.
- With regard to disclosure in accordance with Art. 84a para. 5 lit. b KVG (consent), the BAG, following but also correcting the Helsana ruling of the BVGer, states that
  - consent in the “individual case” would apply if the disclosure is made “for a single purpose”, which may also cover several disclosures, as long as the subject of the consent is “sufficiently specific and clear”, i.e. as long as “the circumstances under which the disclosure may take place” are “clearly established” for the data subject. On the other hand, a “regular and systematic disclosure of data in automated procedures (e.g. in the form of lists)” would be excluded;
  - the “written form” of the consent does not require a handwritten signature (!), but “must at least be given in a form that allows proof by text”. This only requires that the declaration of consent reaches the recipient “in a visually perceptible, physically reproducible form”. This can also be implemented “in the context of online registration or ordering processes”. Here, it will be required that not only the fact of consent (e.g., selecting a checkbox or button) is physically reproducible, but also the identity of the person giving consent and the date and time of consent.
Adjustments can also be found:
- in the section on the confidential medical service (VAD). There is hardly anything new here, but the FOPH is recognizably trying to remind insurers, with some emphasis, that the requirements must be met;
- in the section on substantiation in invoicing;
- in the section on the health status questionnaire.
Deletions
Accordingly, the new version deletes explanations which the BAG assigns to general data protection rather than to data protection under health insurance law. This applies, for example, to:
- the explanations on processing regulations (Art. 21 VDSG; under the new law Art. 12 revFDPA, processing directories, and Art. 5 draft FDPO, processing regulations of federal bodies);
- the section on the waiver of the registration of data collections and of the notification of a person responsible for data protection (Art. 11a para. 5 FADP and Art. 12a FADP; under the new law, the notification of data collections is dropped, but under Art. 12 revDSG federal bodies must provide the FDPIC with their processing directories, and under the e‑FADP also with their processing regulations, upon request, and Art. 27 et seq. E‑VDSG require the appointment of a data protection advisor by federal bodies, who must also be notified to the FDPIC);
- the section on outsourcing (Art. 6 KVAG; Art. 84 para. 1 KVG; Art. 10a DSG [insofar as the outsourcing is to a commissioned processor, which is not mandatory: it can also be to an auxiliary person who is a controller]; under the new law, for commissioned processors, Art. 9 and Art. 61 lit. b revDSG and Art. 6 f. E‑VDSG).