Interpellation Dormond (03.3613): Health insurance and data protection
Written off (16.12.2005)
Submitted text
Recently, we learned from the press that certain health insurance companies are transferring the processing of invoices for services under the Federal Health Insurance Act (KVG) to private companies. This work is thus being subcontracted, so to speak.
The Federal Council is requested to answer the following questions:
1. has he been informed about this new practice of the insurers carrying out social health insurance and has he approved it in advance?
2. has it been consulted on the legality of this new practice and has it received assurances that the provisions of the KVG will be followed?
3. has it granted these subcontractors authorization to provide basic health insurance, as it does with health insurers?
4. does it supervise the companies that process invoices for KVG services rendered on its behalf and decide on reimbursements in the same way as it supervises the health insurance funds?
5. invoices can only be processed reliably if the data of the insured persons is known (including deductible, retention, personal data). Does the Federal Council not think that the health insurance companies should have informed the members concerned about this outsourcing practice?
6. the insured persons had no opportunity to consent to the health insurers’ action, especially since they were not informed about the outsourcing. To what extent is the Federal Data Protection Act (DPA) still being followed under these circumstances?
7. what controls has the Federal Council introduced to ensure compliance with the DPA?
8. what controls has the Federal Council introduced to ensure compliance with the provisions of the KVG?
<
h1>Reason
<
h1>
In the past two weeks, the press has reported that health insurance companies are subcontracting the processing of bills relating to basic insurance to private companies. This is the case, for example, with the insurance company KPT/CPT. According to press reports, it has cut 45 full-time positions in this area. It gave as a pretext the entry into force of the uniform physician tariff (TarMed) and the transfer of invoice processing to a private company. However, the approach of the federally recognized health insurance companies, which transfer part of their activities to private companies, which – it should be noted – are not subject to the same requirements, is not without problems. Once apart from the definitive loss of the jobs of people who exercised control over the paid KVG services and had an important role in cost control in the healthcare sector, it is questionable whether the legal provisions of the KVG and the DPA are still being observed. As far as the KVG is concerned, subcontracted companies can circumvent the professional secrecy enshrined in the KVG without the knowledge of the legislator. In the area of the DPA, the question of transparency arises, all the more so because the insured persons did not learn about the facts at hand from their insurance companies, but from the press.
<
h1>Statement of the Federal Council
<
h1>
1 It is true that various health insurers have increasingly outsourced parts of their benefit processing in recent years, namely in order to reduce costs. Some insurers, which are structured as holding companies, have outsourced parts of the benefit processing to one of their companies; smaller health insurers have them partially processed by their reinsurers, others by IT providers. As a rule, the supervisory authority is informed of this.
2. health insurers may in principle commission third parties with auxiliary activities in the area of benefit processing, because the Federal Health Insurance Act (KVG) grants them a certain degree of organizational autonomy: they can shape their organization according to purpose. This autonomy finds its limits where the intended objectives of the KVG (principle of solidarity, principle of equal treatment, principle of reciprocity, earmarking of funds, etc.) are questioned or undermined; then the supervisory authority must intervene.
3. health insurers do not require authorization from the Confederation to commission third parties with auxiliary activities. Third parties themselves also do not require authorization for the execution of the orders.
4 The Federal Council delegated the supervision of health insurance to the Federal Social Insurance Office when the KVG came into force and to the Federal Office of Public Health (FOPH) since 1 January 2004. The supervisory authority requires that it be given the same control over third parties that perform tasks for the health insurers as it has over the health insurers. The health insurers must contractually regulate this control option with third parties.
5/6 It is not unproblematic if third parties obtain considerable knowledge of the personal data of insured persons through the processing of invoices, etc. The data protection of the insured persons must be ensured. With the onward delegation of social health insurance tasks, the health insurers must contractually agree with third parties that they can guarantee an equivalent level of data protection. They must monitor the third parties’ compliance with data protection. In addition, the health insurers must inform the insured persons if they have tasks processed by third parties. Specifically, they have been instructed by the supervisory authority to list outsourced business areas as well as the commissioned companies in the annual report and also to list those companies with which they cooperate in an area that is fundamental to the implementation of social health insurance, such as service provision, service control, cost management, premium collection and marketing, regardless of whether they are social health insurance companies, private insurance companies or other companies. These annual reports are to be sent upon request; this ensures that interested parties can obtain information about outsourced business areas. If an insurer has not made outsourcing transparent, it must be examined in each individual case whether there has been a violation of the statutory provisions.
7. the FOPH shall supervise the implementation of social health insurance, which shall also include the safeguarding of data protection by the health insurer. If an insurer has personal data processed by a third party, it remains responsible for the protection of this data and must ensure that it is processed in accordance with the order. In its supervisory activities, the FOPH may also issue instructions to insurers in the area of data protection to ensure the uniform application of federal law (Art. 21 KVG). In the event of non-compliance with the statutory provisions, the supervisory authority will take the appropriate measures in accordance with Art. 21(5) and (5bis) KVG, depending on the nature and severity of the case.
8. the supervisory authority shall monitor the insurers as early as at the time of recognition and approval for the provision of social health insurance and thereafter by means of ongoing checks. In the event of deficiencies, the supervisory authority may take appropriate measures; it may issue binding directives, impose administrative fines and, as a last resort, withdraw the license.