- The Federal Office of Public Health (FOPH) can issue binding instructions to insurers and, in the event of data protection violations, impose sanctions ranging from administrative fines up to and including withdrawal of recognition.
- Medical officers as well as technical and organizational measures are central to the protection of highly sensitive patient data; economic interests do not justify any violation.
Interpellation Heim (06.3040): Protection of patients’ rights
Transcript (03/20/2008).
Submitted text
The Federal Council is invited to answer the following questions:
1. whether and to what extent data protection provisions, in particular the protection of highly sensitive medical data, are violated at individual health insurers in the KVG area and the data collected in the KVG area are misused (e.g. for private insurance);
2. how the supervisory authority performs its supervisory and control duties in this area and ensures that the rights and claims of insured persons are not violated;
3. which measures, if any, are necessary or are actually taken to demonstrably and effectively guarantee the rights and entitlements of the insured persons.
Justification
According to media reports (“Beobachter” of January 19 and February 2, 2006; “Tagesanzeiger” of February 20, 2006), the second-largest health insurance company in Switzerland, which is primarily active in the area of compulsory health insurance (OKP) and insures around 970,000 people, is said to maintain an electronic database with highly sensitive medical data and, according to the reports, is in part grossly violating data protection regulations. For example, a large group of around 400 non-medical employees are said to have access to insured persons’ files, which only the medical officers provided for in Article 57 of the KVG are allowed to view. Should it actually be the case that employees of the service center, i.e. pure administration, also have access to such data, this would be problematic: on the one hand, for reasons of data protection and personal rights, and on the other hand, because the data collected by this health insurance company in the OKP are apparently also available to its private insurance sector (application department, external inquiries, etc.).
According to the report in the “Beobachter”, the system of this fund, which is designed for data management in compliance with the law, seems to be deliberately undermined by the fund managers for economic reasons (“exaggerated data protection ideas must not lead to avoidable additional administrative work”). Under such circumstances, it is incomprehensible how the Federal Office of Public Health wants to fulfill its duty of supervision and control by apparently being content with asking this health insurance fund for a statement.
Measures must be taken, and if necessary binding guidelines issued, so that supervision and control of compliance with the legal order can actually be exercised. The fund concerned must immediately ensure that access to highly sensitive data is restricted according to data protection criteria, i.e. limited in terms of personnel to a maximum number of six to seven persons and in terms of time to the duration during which a specific question about the case is being processed, i.e. approximately one day to two weeks.
It is encouraging that, according to the press reports mentioned above, the majority of health insurers appear to be complying with the rules. Nevertheless, the behavior of a single health insurer also has an effect on the competitive situation among health insurers that has been required in the health insurance sector up to now, in that such a health insurer thus gains market advantages and causes a distortion of competition. This puts pressure on the other insurers to move in the same direction. This must be stopped in the interests of patients, legal equality and fair competition.
Statement of the Federal Council
1 Health insurers are themselves responsible for compliance with data protection in mandatory health care insurance (OKP) in accordance with the KVG. They may only process personal data if they can rely on a legal basis. Insurers must also take all legal and organizational measures to protect personal data. Internally, ensuring the protection of medical data is the responsibility of the medical officers (Art. 57 Para. 7 KVG).
In the area of supplementary insurance, the insurers are not subject to the strict data protection requirements for the processing of personal data by federal bodies, but to the other provisions of the Federal Data Protection Act (SR 235.1). Accordingly, supplementary insurers may process data on insured persons to the extent necessary to carry out proper administration.
In the implementation of the OKP and supplementary insurance, data is often not processed completely separately within the company. This can have unsatisfactory consequences for the privacy of the insured. However, the law provides protection. In justified cases and at the request of the insured persons, the service providers are in any case obliged to disclose medical data only to the medical officers. The latter may then pass on to the insurers’ administration only those data that are necessary to decide on the obligation to pay benefits, to determine the remuneration or to justify an order. In doing so, they must respect the personal rights of the insured; otherwise they are liable to prosecution.
2 The Federal Office of Public Health (FOPH), as the competent supervisory authority, may also issue instructions to insurers in the area of data protection for the uniform application of federal law (Art. 21 KVG). In the event of non-compliance with the legal provisions, the supervisory authority takes the appropriate measures depending on the type and severity (binding directives, administrative fines and, as a last resort, withdrawal of recognition and authorization).
The FOPH has already dealt with data protection issues on various occasions. The main focus was on membership forms, which asked unlawful questions about the state of health of interested persons. On March 9, 2005, the FOPH therefore issued the circular letter “Data and Personality Protection”, which regulates data and personality protection when taking out OKP insurance. The amendment to the ordinance adopted by the Federal Council on April 26, 2006 (Art. 6a of the Ordinance on Health Insurance; SR 832.102) goes in the same direction, prohibiting insurers from using the same form for joining the OKP and at the same time for applying for voluntary insurance. This separation is intended to reduce the risk of unlawful data processing.
The FOPH is currently investigating the allegations made in public at the insurer mentioned in the interpellation. Depending on the outcome of this investigation, the FOPH will, if necessary, take supervisory measures. Furthermore, within the framework of its resources, the FOPH will in future increasingly examine the insurers’ data collections with the Federal Office of Private Insurance and will also invite the Federal Data Protection Commissioner to participate in this.
3 Medical officers play a key role in the implementation of privacy protection in the OKP. They sometimes have to disclose sensitive medical or personal data if the benefits or legal department of a health insurer needs them to make a decision. Insurers must protect personal data against unauthorized access, even internally, by taking appropriate technical and organizational measures. According to the case law of the Federal Supreme Court, high standards are to be set for this (cf. BGE 131 II 413). Economic arguments of the insurer do not justify the violation of personal rights.
Against this background, the measures available to the FOPH fulfill their purpose. The Federal Council does not consider further measures to be necessary.