- The data protection officer of the Canton of Zurich draws attention to unlawful access to patient data by case managers.
- Health insurers require valid, informed consent; information obligations towards insured persons are insufficiently fulfilled.
- BAG/EDÖB recommend data protection concepts, data collection directories, data controllers and external audits of insurers.
- Federal law (DSG, KVG, ATSG) applies; supervisory authorities examine insurers individually, amendment of law not currently considered necessary.
Interpellation Prelicz-Huber (09.3515): Case management. Unlawful interference with patient confidentiality and violation of data protection.
Done (25.09.2009)
Submitted text
In his 14th activity report of March 3, 2009, the data protection commissioner of the Canton of Zurich unequivocally pointed out that so-called case managers of health insurers can comprehensively access health data in hospitals and thereby in some cases massively violate data protection and patient confidentiality. The existing agreements between the insurers and the hospitals only regulate the coordination activities of the case managers and contain insufficient provisions regarding the preservation of physician and patient confidentiality or references to a duty to inform on the part of the insurers. A legal regulation in the Health Insurance Act is missing.
Health insurers obtain sensitive health data even without patients’ consent and, for example, already have information such as diagnosis, treatment measures or expected length of hospital stay before they do. Even if a declaration of consent is obtained, there is apparently a lack of the necessary patient education. This untenable state of affairs goes so far that hospitals are even asked by insurance companies to report people who do not sign the declaration to the insurer. This state of affairs cannot be tolerated any longer.
Various questions arise for the Federal Council in this regard:
1. Although the federal supervisory authority was informed by several parties as early as 2007 about the unlawful actions of the insurers, no action has been taken in this regard. Why not?
2. How does it assess the handling of physician and patient confidentiality when case managers, through their involvement in reports or treatment planning, often learn much more than is necessary?
3. How does it see the further procedure with regard to these actions of the health insurers that violate data protection law?
4. What measures are being taken to guarantee patient protection and to ensure data protection compliance in the long term?
5. Does it intend to take data protection seriously in the case of existing contracts and to review them for their legality, respect for the duty to inform and data protection?
6. Is it considering amending the law? If so, with what thrust?
Statement of the Federal Council
1. The Federal Council has already stated on the occasion of two earlier parliamentary initiatives (Postulate Heim 08.3493, Question Schenker Silvia 09.5060) that there is a need for action with regard to the data protection situation in the area of mandatory health insurance (OKP). A study just published by the Federal Data Protection and Information Commissioner (EDÖB) and the Federal Office of Public Health (FOPH) now states in a more differentiated manner that data protection is largely guaranteed at the health insurers that provide mandatory health care insurance and voluntary daily allowance insurance in accordance with the Federal Health Insurance Act (KVG; SR 832.10), but that there is a need for action in some areas. With the publication of the report, the following recommendations have been issued to the health insurers, the implementation of which will be reviewed in the coming months as part of the supervision of the health insurers:
Each health insurer should develop a data protection concept (strategy). A directory of data collections must be maintained at each health insurer. For each data collection with personal data requiring special protection, processing regulations must be maintained (description of processes including responsibilities, authorizations, data flow and technical measures for data security). A data protection officer should be designated at each health insurer and a data controller for each data collection. The tasks of these roles are described in a specification. Data protection owners must have the necessary expertise. Data protection audits outside the administration should be carried out regularly and the results submitted to the supervisory authorities.
2. Although case management is not explicitly regulated in the KVG, the data protection provisions are equally applicable. Insured persons whose examinations and treatments are accompanied by a case manager must give their voluntary and express consent to this accompaniment and to the associated insight into their health data on the basis of the KVG principles (e.g. choice of service provider or treatment method) and the relevant data protection provisions. Their valid consent requires that they are adequately informed by their health insurer beforehand and that they are able to recognize the scope of their consent. In addition, they must be informed by the service provider or the health insurer that in justified cases the service provider is entitled and, at the request of the insured person, in any case obliged to disclose medical information only to the medical examiner of the health insurer.
Health insurers are authorized to process the personal data, including data requiring special protection and personality profiles, that they need to fulfill the tasks assigned to them under the Act, namely to assess claims for benefits and to calculate benefits. In doing so, they must strictly comply with the principle of proportionality and may not enter into agreements with service providers that give them access to health data of insured persons that they do not need to fulfill the tasks assigned to them under the law.
The data protection situation in the area of case management varies among the health insurers. The supervisory authorities will therefore approach the health insurers concerned individually in order to improve the data protection situation.
5. The issue raised by the Data Protection Commissioner of the Canton of Zurich concerns contracts between hospitals and health insurers at the cantonal level. The review and approval of such (tariff) contracts is the responsibility of cantonal authorities. This also applies to compliance with data protection. With regard to regulations in the tariff agreements, it should be noted that the Federal Administrative Court recently stated in its decision of May 29, 2009, “that the transfer of the diagnosis and the intervention code with the admission notification or with the invoicing – within the framework in particular of the principle of proportionality and the other provisions relevant to data protection – is only permissible if their precise form is regulated in accordance with the principle of the least possible intrusion …”.
6. The Federal Act on Data Protection (FADP; SR 235.1) and the Ordinance to the Federal Act on Data Protection (SR 235.11) apply in full to health insurers as federal bodies. Article 33 of the Federal Act on the General Part of Social Insurance Law (ATSG; SR 830.1) provides for a general duty of confidentiality for the implementing bodies of social insurance schemes. Articles 84 and 84a of the KVG and Articles 59 and 120 of the Ordinance on Health Insurance (KVV; SR 832.102) contain additional special provisions on the processing of personal data, the disclosure of data, the guarantee of data protection and the provision of information to insured persons by health insurers. Given these data protection standards in the health insurance sector, there is consequently no need for a further data protection provision for case management.