- Federal Council to present legal basis for comprehensive protection of patient data in e‑health, electronic dossiers, insurance cards, genetic data and new technologies.
- Data protection review demands increased transparency: Data collectors must actively inform data subjects about the collection, purpose and possible data recipients.
- Special regulations already exist: eHealth strategy, insurance card regulation, GUMG for genetic data and data protection obligations for RFID systems.
Motion Vreni Hubmann (07.3468): Data protection in the healthcare sector (written off)
Written on 12.6.2009
Submitted text:
Rapid technological progress and the digitization of patient data are increasingly threatening patient confidentiality. We instruct the Federal Council to present the legal basis for comprehensive protection of patient data. In particular, the following areas are to be considered:
– E‑health;
– electronic patient records;
– Insurance card;
– genetic data;
– new technologies (RFID chip).
In particular, it should be specified who is responsible for this data, who has access to it (especially to sensitive patient data) and how patients can check the data relating to them. The principle set out in the Data Protection Act (Art. 4 FADP, Principles) that data processing must be “proportionate” must also be specified with regard to patient data.
Justification
At an event on patient protection, the data protection officer of the Canton of Zurich issued an urgent warning against a “creeping dismantling of patient confidentiality” as a result of the growing volume of patient data and the increase in data exchange. According to him, there is an urgent need for legislative action.
Statement of the Federal Council
The revision of the Data Protection Act, which has already been adopted by Parliament, provides for increased transparency in the collection of personal data. In particular, it provides that the owners of data collections are obliged to actively inform the data subject about the acquisition of personal data requiring special protection. This also includes the health data of patients. Thus, at a minimum, it must be communicated who the owner of the data collection is, what purpose is being pursued with the processing and who any data recipients may be. The Federal Council already stated on June 15, 2007 in its statement on the Heim motion “Protection of patient data” (07.3114) that the implementation of this legislative revision should first be awaited and initial experience gathered before further legal foundations are considered.
According to the Data Protection Act, the processing of data requiring special protection, which also includes patient data, requires a basis in a formal law. This requirement is met in the areas mentioned in the motion. The following should be noted in detail:
Patient dossier and “eHealth”: The Federal Council adopted the “eHealth Switzerland Strategy” on June 27, 2007. The electronic patient dossier is a component of this strategy. The Federal Council is aware of the sensitivity of this development and has therefore given the highest priority to information security and data protection in “eHealth”. For this reason, the first phase of implementation will involve an in-depth analysis of how these areas need to be regulated by law.
Insurance card: The introduction of an insurance card planned for 2009 is governed by Article 42a of the Health Insurance Act (KVG). In addition, the Ordinance on the Insurance Card for Mandatory Health Care Insurance (VVK) specifies data processing in detail. Thus, the insured persons themselves decide whether and, if so, which medical information they want to have stored in a standardized data record on the insurance card. Insured persons can also decide on read access at the doctor’s office or hospital on a case-by-case basis.
Genetic data: The Federal Law on Human Genetic Testing (GUMG; SR 810.12), which entered into force on April 1, 2007, subjects the processing of genetic data to professional secrecy in accordance with Articles 321 and 321bis of the Criminal Code and the data protection provisions of the Confederation and the cantons in Article 7. Article 19 and other provisions regulate the communication of genetic data by the physician, the communication to the employer, which is only permissible in exceptional cases, and the handling in the area of insurance and liability. With regard to the performance of genetic examinations abroad, Article 6 of the Federal Act on Data Protection (FADP; SR 235.1) applies.
RFID technology: In its response of May 18, 2005 to the Hollenstein interpellation “Does the use of Radio Frequency Identification RFID threaten data protection?” (05.3067), the Federal Council expressed the opinion that there is no need for action in terms of data protection legislation. Operators of RFID systems must comply with the legal requirements of the Data Protection Act. If personal data is processed, the data subjects must be informed transparently and comprehensively, in particular about the data processing, the purpose of the processing and the right to information and rectification.