privatim: Proposed solutions for the outsourcing of patient data

As reported, an expert opinion by Prof. Wolfgang Wohlers on the disclosure of data subject to professional secrecy (e.g., patient data) to outsourcing providers has caused a stir. Wohlers considers such disclosure without the consent of the owner of the secret to be unlawful unless the disclosure is indispensable and foreseeable for the owner of the secret, and this despite the legal inclusion of auxiliary persons in the circle of secret holders who face punishment in case of violation. In practice, the opinion is met with great skepticism, at least as regards its results.

For this reason, privatim, the association of Swiss data protection officers, has now presented a proposed solution:

privatim, the association of Swiss data protection commissioners, is strongly committed to strong protection of health data in the interest of patients. At the same time, privatim is aware that the trend toward outsourcing health data cannot be stopped. The data protection commissioners therefore advocate a pragmatic middle way, which enables the outsourcing of health data while guaranteeing patient confidentiality: the third party, i.e. the outsourcer, does not obtain knowledge of the data. Specifically, this would mean that personal health data would be allowed to be outsourced only in encrypted form and that key management remains in any case with the client, that is, with the doctor or the hospital. In individual cases, a contractually secured deviating solution would be possible. With an adjustment of the law, cloud services and IT companies could also be held accountable and certified for compliance with medical professional secrecy, for example.

The first part of the solution, the disclosure of encrypted data without accessibility of the key, does not lead to a disclosure of the secret and is already permissible today without further ado. The second part, however, would be a relief compared to the Wohlers opinion. Nevertheless, the proposal leaves questions unanswered:

  • The fact that key management remains with the client does not necessarily mean that the key itself is not accessible to the contractor under any circumstances. Nor does it mean that the client may not decrypt data in individual cases.
  • If deviations are possible “in individual cases”, does “individual case” mean “in each individual case” or rather “in cases described in detail”? Under the second interpretation, outsourcing in typical cases could generally be contractually secured.
  • Is the proposed solution to be understood de lege lata or de lege ferenda? The subsequent reference to a change in the law for the certification of providers implies that the proposed solution is already intended to be applicable under current law.

As a result, privatim’s proposal should probably be understood to mean that the outsourcing of patient data (but probably also other data subject to professional secrecy) is de lege lata permissible without consent, despite the Wohlers expert opinion, provided that the outsourcing is contractually secured for specifically defined cases, with particular weight to be attached to data security.
