Moti­on Heim (07.3114): Pro­tec­tion of pati­ent data
Writ­ten off (20.3.2009)

Sub­mit­ted text

The Fede­ral Coun­cil is ins­truc­ted to take mea­su­res and to crea­te the neces­sa­ry basis for effec­ti­ve and veri­fia­ble pro­tec­tion of pati­ent data at the health insu­r­ers in the sen­se that the health insu­r­ers are obli­ged to cer­ti­fy their data pro­tec­tion con­cepts and their implementation.

Justi­fi­ca­ti­on

06.3040 of March 9, 2006. At that time, the Fede­ral Coun­cil was of the opi­ni­on that the mea­su­res available to the FOPH ful­fil­led their pur­po­se. Obvious­ly, this is not the case. The juris­pru­dence of the Fede­ral Supre­me Court sets high stan­dards for data pro­tec­tion; thus, inspec­tions must also be pro­tec­ted intern­al­ly. It seems that the FOPH, as the respon­si­ble super­vi­so­ry aut­ho­ri­ty, is not suf­fi­ci­ent­ly able to pro­vi­de the enorm­ous super­vi­so­ry effort with regard to checking com­pli­ance with data pro­tec­tion. For this rea­son, the Fede­ral Coun­cil is asked to intro­du­ce a gene­ral obli­ga­ti­on for health insu­rance com­pa­nies to obtain cer­ti­fi­ca­ti­on regar­ding data pro­tec­tion con­cepts and their imple­men­ta­ti­on, and to find an exter­nal solu­ti­on for this. The health insu­rance com­pa­nies must dis­play cer­ti­fi­ca­ti­on as a seal of approval. 

<

h1>Statement of the Fede­ral Council

<

h1>

The revi­si­on of the Data Pro­tec­tion Act pas­sed by Par­lia­ment, which is to come into force in the second half of 2007, will favor self-regu­la­ti­on in the area of data pro­tec­tion. In par­ti­cu­lar, a new pro­vi­si­on of the law is inten­ded to pro­mo­te the dis­se­mi­na­ti­on of data pro­tec­tion cer­ti­fi­ca­ti­ons and qua­li­ty marks. The Fede­ral Coun­cil is aut­ho­ri­zed to regu­la­te the cer­ti­fi­ca­ti­on pro­ce­du­res and the reco­gni­ti­on of cer­ti­fy­ing bodies. The imple­men­ting pro­vi­si­ons for this revi­si­on are curr­ent­ly being pre­pared. A new ordi­nan­ce on data pro­tec­tion cer­ti­fi­ca­ti­ons will regu­la­te the accre­di­ta­ti­on of cer­ti­fi­ca­ti­on bodies and the mini­mum requi­re­ments that data pro­tec­tion cer­ti­fi­ca­ti­ons must meet.

In order to ensu­re the pro­tec­tion of pati­ent data, the mover of the moti­on calls for an obli­ga­ti­on on the part of health insu­r­ers to cer­ti­fy their data pro­tec­tion con­cepts and to imple­ment them. The Fede­ral Coun­cil rejects such an obli­ga­ti­on at the pre­sent time becau­se it is not neces­sa­ry and runs coun­ter to the thrust of the afo­re­men­tio­ned legis­la­ti­ve revi­si­on. In the view of the Fede­ral Coun­cil, it is now neces­sa­ry to wait for the imple­men­ta­ti­on of this legis­la­ti­ve revi­si­on and to gain expe­ri­ence with the pos­si­bi­li­ty of vol­un­t­a­ry cer­ti­fi­ca­ti­on befo­re imme­dia­te­ly impo­sing a legal obli­ga­ti­on. Sin­ce the­re are cer­tain gaps in the area of data pro­tec­tion among health insu­r­ers, the Fede­ral Coun­cil expects health insu­r­ers to vol­un­t­a­ri­ly under­go cer­ti­fi­ca­ti­on of their systems and pro­ce­du­res for pro­tec­ting pati­ent data once the new data pro­tec­tion stan­dards come into force.

Health insu­r­ers are alre­a­dy obli­ged to com­ply with data pro­tec­tion. In par­ti­cu­lar, they must com­ply with the data pro­tec­tion pro­vi­si­ons of the Health Insu­rance Act and the Data Pro­tec­tion Act. If the­re is any sus­pi­ci­on of non-com­pli­ance with the sta­tu­to­ry pro­vi­si­ons, the Fede­ral Office of Public Health will take action as befo­re using the super­vi­so­ry instru­ments available. The rejec­tion of the moti­on does not chan­ge the high prio­ri­ty that the Fede­ral Coun­cil atta­ches to data protection.