Motion Heim (07.3114): Protection of patient data
Written off (20.3.2009)
Submitted text
The Federal Council is instructed to take measures and to create the necessary basis for effective and verifiable protection of patient data at the health insurers in the sense that the health insurers are obliged to certify their data protection concepts and their implementation.
Justification
06.3040 of March 9, 2006. At that time, the Federal Council was of the opinion that the measures available to the FOPH fulfilled their purpose. Obviously, this is not the case. The jurisprudence of the Federal Supreme Court sets high standards for data protection; thus, inspections must also be protected internally. It seems that the FOPH, as the responsible supervisory authority, is not sufficiently able to provide the enormous supervisory effort with regard to checking compliance with data protection. For this reason, the Federal Council is asked to introduce a general obligation for health insurance companies to obtain certification regarding data protection concepts and their implementation, and to find an external solution for this. The health insurance companies must display certification as a seal of approval.
Statement of the Federal Council
The revision of the Data Protection Act passed by Parliament, which is to come into force in the second half of 2007, will favor self-regulation in the area of data protection. In particular, a new provision of the law is intended to promote the dissemination of data protection certifications and quality marks. The Federal Council is authorized to regulate the certification procedures and the recognition of certifying bodies. The implementing provisions for this revision are currently being prepared. A new ordinance on data protection certifications will regulate the accreditation of certification bodies and the minimum requirements that data protection certifications must meet.
In order to ensure the protection of patient data, the mover of the motion calls for an obligation on the part of health insurers to certify their data protection concepts and to implement them. The Federal Council rejects such an obligation at the present time because it is not necessary and runs counter to the thrust of the aforementioned legislative revision. In the view of the Federal Council, it is now necessary to wait for the implementation of this legislative revision and to gain experience with the possibility of voluntary certification before immediately imposing a legal obligation. Since there are certain gaps in the area of data protection among health insurers, the Federal Council expects health insurers to voluntarily undergo certification of their systems and procedures for protecting patient data once the new data protection standards come into force.
Health insurers are already obliged to comply with data protection. In particular, they must comply with the data protection provisions of the Health Insurance Act and the Data Protection Act. If there is any suspicion of non-compliance with the statutory provisions, the Federal Office of Public Health will take action as before using the supervisory instruments available. The rejection of the motion does not change the high priority that the Federal Council attaches to data protection.