- The tiers payant system allows service providers to transmit medical data directly to insurers in accordance with the law.
- Insurers are legally authorized to review the obligation to pay benefits and must take technical and organizational data protection measures.
- Patients may request that medical information be disclosed only to the insurer’s medical service, which is subject to a duty of confidentiality.
- In view of existing legal regulations and clarifications, the Federal Council sees no need for action to change the system.
Submitted text
An insured person may choose – for very different reasons – to pay a medical bill without submitting it to his or her health insurer for reimbursement. If the service provider sends the invoice directly to the health insurer, the insurer receives, due to the detailed listing of the services, detailed information about the state of health of the insured person – without any data protection, without the requirement of a confidential report to the medical examiner.
Although the Federal Health Insurance Act (KVG) provides that an agreement can be signed between a tiers payant, i.e. the insurer, and the service provider, the insured person has nothing to say about the use of his or her personal data, which, it should be noted, is particularly sensitive personal data.
I therefore put the following questions to the Federal Council:
1. Is the disclosure of particularly sensitive data to third parties, without the data subject having to give consent, not a serious breach of data protection?
2. Isn’t the tiers payant system a serious violation of medical data protection? Shouldn’t the data protection commissioner intervene?
3. If so, what does the Federal Council intend to do to solve this problem?
4. If the Federal Council wants to retain the tiers payant system, what can insured persons do to protect their data?
Statement of the Federal Council of 5.9.18
1./4. According to data protection legislation, a healthcare provider may disclose personal data (medical data) requiring special protection if he or she has the consent of the patient, or if the disclosure of the data is provided for in a law.
The Health Insurance Act requires insurers to monitor the obligation to provide services and the efficiency of services (Art. 42 and Art. 56 KVG; SR 832.10). They are thereby authorized to process personal data within the scope of Article 84 KVG. The flow of information between service providers and insurers is also clearly regulated by law: service providers are obliged to issue a detailed and comprehensible invoice and to pass on all administrative and medical information required to check the calculation of the remuneration and the economic efficiency of the service. The information on the invoice includes in particular the date of treatment, the service provided in accordance with the applicable tariff, and diagnoses and procedures in coded form. In the inpatient acute somatic area, the service providers forward the data records with the administrative and medical information to the certified data collection point of the respective insurer at the same time as the invoice. The forwarding of the medical data to the insurer is coded according to the classifications for the medical statistics of the hospitals. In the outpatient area, the development of a nationwide classification for diagnoses and procedures is underway. Until this is available, the modalities and coding agreed in the tariff agreements will apply. For medical invoices, a very general diagnosis is therefore currently transmitted in coded form (e.g. A2: coronary artery disease).
In particular, insurers are obligated to take the necessary technical and organizational data security measures for processing the medical data they receive in the context of invoicing (Art. 59ater of the Health Insurance Ordinance, KVV; SR 832.102). In addition, the insured person may in any case demand that the service provider disclose the medical information only to the medical examiner of the insurer (Art. 42 Para. 5 KVG). This regulation serves to protect the personality of the insured person and to safeguard patient confidentiality. The medical examiner is subject to the duty of confidentiality. Accordingly, under current law, the health insurer may not obtain health data directly in every case.
The circular letter of the Federal Office of Public Health (FOPH) number 7.1, “Data protection-compliant organization and processes of health insurers”, further specifies what is provided for in Article 42 KVG and how data protection must be taken into account (www.bag.admin.ch > Search: Kreisschreiben > Krankenversicherung: Kreisschreiben-Schweiz > 7.1). This also details the requirements for the independence of the medical examiner.
2./3. In the KVG, the reimbursement principle is characteristic for invoicing. According to Article 42(1) KVG, the tiers garant system applies unless the insurer and service provider have agreed otherwise. According to paragraph 2, insurers and service providers can agree that the insurer owes the remuneration (tiers payant). For inpatient treatment, the tiers payant system always applies. The regulations on data and privacy protection and the principle of proportionality also apply in the tiers payant. Also, in the report of December 18, 2013, in fulfillment of the postulate Heim 08.3493, “Protection of patient data and protection of the insured”, the Federal Council provided information on the situation of patient data protection at health insurers (see www.bag.admin.ch > Service > Publications > Federal Council reports > Federal Council reports 2006 – 2015 > 2013). In view of the legal framework and the clarifications that have been made, the Federal Council sees no need for action.