- Introduction of ICD-10 codes on doctors’ and hospital invoices jeopardizes the constitutional protection of privacy and patient confidentiality.
- The study on data protection-compliant codes commissioned by the FSIO Commission is not yet available; decisions should take its results into account.
- Federal law (KVG) only permits necessary, proportionate information; systematic, detailed codes would be disproportionate.
- Data protection authorities and interest groups are consulted; authorities can intervene and issue directives.
Interpellation Sommaruga (01.3594): Data protection and diagnosis codes on doctors’ and hospital bills
Done (17.04.2002)
Submitted text
In connection with the introduction of ICD diagnosis codes on physician and hospital bills, I would ask the Federal Council to answer the following questions:
1. how does he justify that in the future precise diagnosis codes are to be indicated on all doctor’s and hospital bills, although such a regulation restricts or even threatens the constitutionally guaranteed protection of privacy?
2. is it prepared to wait for the study on the possibilities of a suitable code commissioned by the expert committee (Geiser Commission) set up by the Federal Social Insurance Office (FSIO) before putting the relevant regulations and agreements into force?
3. is it prepared to wait with the introduction of the agreement on diagnosis/diagnosis codes until the tension between the constitutional protection of privacy, patient confidentiality protected by criminal law, the provisions of the Data Protection Act and the Federal Health Insurance Act (KVG) has been neatly clarified?
4. is it prepared to intervene if, after further clarification of the legal provisions, it becomes apparent that there is no sufficient legal basis for the use of ICD-10 or ICPC diagnosis codes as provided for in the relevant regulations and agreements?
5. is it prepared to hear the opinion of the Federal Data Protection Commissioner and of the insured persons’ and consumers’ organizations and to include their reservations in further deliberations?
Justification
The framework agreements on the uniform tariff system (TarMed) stipulate that in the future precise diagnosis codes must be indicated on all medical invoices. The so-called ICD-10 codes provide detailed information about the existing disorders and diseases. This regulation is to be introduced for the entire medical and hospital sector and applied to all insurance companies (health, accident, disability and military insurance). This will enable health insurers to collect comprehensive and highly sensitive information on patients over a period of years via medical invoices, as this diagnostic information allows them to gain a comprehensive picture of the state of health or illness of individual insured persons, even with modest medical knowledge.
In view of the enormous interconnectedness of the various insurance companies (health insurance companies, accident insurance companies, supplementary insurance companies, daily allowance insurance companies, life insurance companies, liability insurance companies, pension funds, etc.), the creation of such data collections entails the risk of serious encroachments on the personal rights of insured persons.
During the TarMed negotiations, the Federal Data Protection Commissioner stated unequivocally that although the KVG gives insurers the right to request detailed information in individual cases, the law does not provide for the automatic communication of such information.
Furthermore, the FSIO has had the relevant questions clarified by a commission of experts (Geiser Commission) made up of representatives of interested organizations (Persönlichkeitsschutz in der sozialen und privaten Kranken- und Unfallversicherung, Bern 2001). With reference to the opinion of the Federal Data Protection Commissioner that the ICD-10 code was not a suitable instrument for cost control, this commission instructed the Federal Statistical Office to prepare a study on the possibilities of a suitable code. This study is not yet available.
Furthermore, the Commission majority proposes that only a generally formulated indication/diagnosis note be included on the patient bill. The Commission minority, in particular patient and insured persons’ organizations as well as the Federal Data Protection Commissioner, expressed strong reservations about the storage of highly sensitive health data “in advance”.
Despite these objections, insurers want to use ICD-10 in the future. The “Agreement Concerning the Indication of Diagnosis and Diagnosis Codes,” which was established between the insurers, the Federal Office of Military Insurance, the Disability Insurance and the Swiss Medical Association (FMH), is to be introduced in 2002. Santésuisse and the central board of the FMH have approved the “Regulation on Diagnosis/Diagnosis Code”. This regulation is to come into force in 2003. According to both agreements, physicians and hospitals are to use the ICD-10 code for patient invoices in the future.
Accordingly, this agreement or regulation is to be introduced without first clarifying the resulting tension between the constitutional protection of privacy, patient confidentiality protected by criminal law, the provisions of the Data Protection Act and the KVG.
Statement of the Federal Council
By way of introduction, it must be pointed out that the indication of the diagnosis codes on the medical invoices objected to by the interpellant is provided for in the supplementary agreements concluded by the tariff partners with a view to the introduction of the new TarMed tariff structure. The Federal Council itself is not involved in the conclusion of these agreements; it neither puts them into force nor introduces them.
1. in social health insurance, service providers are obliged under Article 42(3) of the Federal Health Insurance Act (KVG) to issue a detailed and comprehensible invoice (also for the insured person) and to pass on all information required to check the calculation of the remuneration and the cost-effectiveness of the service. Paragraph 4 adds that “the insurer may request an accurate diagnosis or additional information of a medical nature.” As health care costs continue to rise, cost control by insurers takes on increased importance. In general, health insurers only require an “exact” diagnosis in cases of doubt or for the purpose of spot checks. In addition, anonymized statistical data can also be used to check whether service providers are working economically. However, the principle of proportionality enshrined in the Data Protection Act (Art. 4 para. 2 FADP) prohibits the collection of more personal data than is actually necessary, especially in the case of data that is particularly worthy of protection. Thus, Article 42 KVG means that an insurer can only require that a general diagnosis necessary for processing ordinary cases be indicated on medical invoices. If this is not sufficient, it can subsequently demand a more precise diagnosis – if necessary via a medical examiner. It would be disproportionate to oblige service providers to systematically list a diagnosis code on medical invoices that provides detailed information on the insured person’s state of health. This would lead to an accumulation of particularly sensitive data, most of which would presumably neither be used nor needed by insurers. There would also be a risk of data linkage.
Compulsory accident insurance and military insurance require certain information from the outset in order to determine the extent to which a condition is directly attributable to the insured event. Should a diagnosis code be introduced for this purpose, however, it must not contain any data other than that actually needed by the insurance company.
As a rule, disability insurance bases its decisions on a medical report written in plain text. If a code were to be introduced in this area, care would also have to be taken here to ensure that it does not contain any information that is fundamentally not needed by the insurance company.
2 The aforementioned study commissioned by the Federal Statistical Office aims to identify transmission procedures that best meet the needs of insurers and are in line with data protection requirements. The study should bring improvements at a later date. However, it should not delay the introduction of other measures that meet data protection requirements.
3./4. As already mentioned, the regulations to be made in the context of the introduction of TarMed regarding the diagnosis information will be negotiated between the insurers and the service providers. If such agreements are not part of a tariff agreement in health insurance, they do not require approval by the Confederation or the cantons. However, the Federal Data Protection Commissioner has already made representations to the parties involved, so they are aware of the problems related to the level of detail of the full ICD-10 diagnosis code. In addition, the data protection commissioner and, within his area of competence, the Federal Social Insurance Office (FSIO) can ex officio request the social insurance bodies to produce the documents that can be used to check whether the principles of data protection are guaranteed. This also applies to regulations that are not yet in force. Should the FSIO come to the conclusion that the data protection principles are not being strictly observed in the future by bodies within its sphere of responsibility, it would issue directives that would also affect these arrangements. In addition, the data protection commissioner may address recommendations to the relevant bodies and, if these are not followed, submit the matter to the competent federal department for a decision (Art. 27(4) and (5) FADP).
At present, it is not yet foreseeable which solution variants the parties will ultimately opt for. Consequently, these cannot be assessed either. In particular, it is not yet clear whether the parties will opt for a reduced form of the ICD-10 code, i.e., a code that does not contain more items than insurers actually normally require. The Privacy Officer and the Administration are monitoring the matter and will ensure that the chosen solution provides privacy protections. The use of a diagnosis code in itself is undisputed in connection with TarMed because it is the best way to implement the cost transparency achieved by the uniform rate structure. Finally, it goes without saying that there is nothing to prevent the transmission of anonymized data by means of a detailed diagnosis code for statistical purposes (this is already practiced in the hospital sector).
5. the opinions and reservations of the Federal Data Protection Commissioner and of patients’ and consumers’ organizations are taken into account when considering the transfer of medical data to insurers. The data protection commissioner is regularly consulted, and the interested organizations are also consulted in the event of any amendments to the law or ordinances.