Interpellation Stahl (15.3850): Data requested by the FOPH from health insurers
Not yet discussed in the Council
The bodies entrusted with the implementation, control or supervision of the implementation of the Health Insurance Act (HIA) are authorized under Article 84 HIA to process or have processed personal data, including data requiring special protection and personality profiles, for the purposes provided for in liters a to i of the same provision, which they require in order to be able to perform the tasks assigned to them under the Act.
The level of detail and the scope of the data to be provided have recently been continuously expanded by the Federal Office of Public Health (FOPH). Since 2014, for example, insurers have been required to provide the FOPH with individual data in addition to financial data (e.g. certain individual tariff items for certain tariffs).
In this context, I would ask the Federal Council to answer the following questions:
1. what data is processed and for what purposes?
2. are these data necessary and appropriate for the exercise of the supervisory activity over health insurers?
3. are the legal bases for the collection of this data sufficient?
4. to what extent is compliance with the constitutional principles of proportionality and public interest reconciled with the processing of particularly sensitive data and personality profiles?
5) How does the FOPH ensure compliance with data protection regulations in detail?
(6) Are the administrative costs incurred by insurers in collecting this data proportionate to the objective pursued?
7 According to Article 82 (2) of the Health Insurance Supervision Ordinance (E‑KVAV), the supervisory authority shall ensure that the insurer incurs as little expense as possible in providing the data. How is this circumstance taken into account?
8. based on Article 82 E‑KVAV, the scope of the data to be provided is to be expanded even further. How is this even more far-reaching intrusion into the privacy of each individual justified?
9. in its activity report published on June 29, 2015, the Federal Data Protection and Information Commissioner demands that the data required by health insurers for invoice control be limited. On the other hand, the supervisory authority is demanding more and more data from health insurers. How does the Federal Council view this contradiction?
Statement of the Federal Council of 4.12.2015
Health insurers are obliged to provide the Federal Office of Public Health (FOPH) annually with information on the data generated in the course of billing for services and insurance activities as part of the supervision of the implementation of the KVG (Art. 21 Para. 4 KVG; SR 832.10). They are authorized by law to disclose data in particular to the bodies entrusted with the implementation as well as the control or supervision of the implementation of the KVG, if the data are necessary for the fulfillment of the tasks of the bodies (Art. 84a para. 1 let. a KVG). The purpose and scope of data provision are set out in Article 28 of the Health Insurance Ordinance (KVV; SR 832.102). In particular, this also obliges insurers to provide data per insured person (Art. 28 Para. 3 KVV). In doing so, the delivery must be made while preserving the anonymity of the insured person (Art. 28 Para. 5 KVV). The data serve not only to supervise the activities of the insurers, but also to supervise the enforcement of the KVG, as stated in the law. Among other things, the FOPH uses the data to monitor the effect and uniform application of the law, and it ensures the equal treatment of insured persons. It also uses the data to monitor the efficiency of the services provided. A further purpose results from Article 32 KVV (impact analysis). The newly collected individual data are needed for reviews that cannot be carried out with aggregated data. Only these data enable, for example, the determination of premium corrections, the calculation of premiums paid too much or too little, or simulations of the tariff structure.
Article 28 KVV has existed in essential parts since the ordinance came into force on January 1, 1996. With the amendment of February 23, 2000, the article was supplemented and specified to the effect that data per insured person are explicitly collected down to the level of the tariff item, invoice with details of the service provider. However, for technical reasons and following the implementation of a pilot project, the FOPH is only now requiring their delivery; the first anonymized individual data have been collected by the FOPH since 2014.
4/5 The FOPH collects administrative data that do not allow any conclusions to be drawn about individuals and that are documented in the context of the invoicing of services or insurance activities. In the case of the newly collected individual data on benefits, no detailed information on a tariff item was previously collected, but only total costs per coverage period. Furthermore, the data collection is limited to the KVG invoices that the insurers receive and bill. They do not contain any additional health data such as diagnoses.
The individual data are transmitted to the FOPH pseudonymized (i.e. supplemented with an encrypted connection code per insured person to calculate the costs by treatment episode). After processing and in the evaluations, no conclusions can be drawn about the individual insured persons or service providers. The reprocessing process is documented, and reference is made to it in the processing regulations. The FOPH implements the guidelines of the guide on the minimum requirements for the data management system, which apply to data collections. The principle of proportionality of the Data Protection Act (Art. 4 para. 2 FADP; SR 235.1) is also observed.
6/9 Because the data for the performance of the insurance activity or for other surveys are already largely available in the systems of the insurers and the modalities of the data delivery are also discussed with the insurers, the delivery of the first individual data only leads to a minor additional effort for the insurers.
The workload for data suppliers is further reduced because numerous evaluations no longer have to be prepared according to a wide variety of dimensions for the processing of individual questions, but can be prepared by the FOPH itself on the basis of the individual data supplied.
Based on the results of the consultation on the draft of the Health Insurance Supervision Ordinance (KVAV), the articles concerning data remain largely unchanged in the KVV. Only the supervisory authority may now link the insurers’ data with other data sources in order to reduce the workload. An extension to other data is not planned.
For the 2013 survey year, the details of the technical data processing of the individual data were agreed jointly with the insurers. The FOPH continues to grant them the opportunity to join an accompanying group and to participate in pilot surveys, so that optimization possibilities can be identified and implemented from the insurers’ point of view with a view to improving quality and reducing the effort involved.