Outsourcing medical billing: a matter of transparency


What is required when outsourcing medical billing to a third party?

_______________________________________________

In healthcare, it is common for medical professionals and health institutions to outsource medical billing to a third party. Subcontracting this service has several financial and practical advantages. First, outsourcing can increase efficiency by removing these tasks from the practice's own staff: it frees up workspace and is cost-effective, because the service is provided by experts within a company specialized in this area. Second, the responsibility and the cost of investing in the service, of managing and training staff, and of keeping their skills up to date are borne by the third party. Finally, regular reporting and cooperation from the third party can be expected as part of the deal.

While outsourcing has many advantages, medical billing must comply with legal obligations, in particular medical secrecy and data protection regulations, especially if the third party wishes to use the data for a purpose other than medical billing. This would be the case if the personal health-related data are used for the supplier's own benefit (such as building its own creditors and debtors database), or for the benefit of third parties (e.g. selling the data to insurance companies).

Transferring patients' health data to a third party can infringe medical secrecy and data protection regulations. Where the data are used for a purpose other than medical invoicing, the Swiss Criminal Code (art. 321), the Swiss Federal Data Protection Act (DPA) and cantonal laws protect medical secrecy by prohibiting undue disclosure without the express consent of the patient.

Infringements observed by the Swiss Federal Commissioner

_______________________________________________

The Federal Data Protection and Information Commissioner (FDPIC) recently observed that third parties specialized in medical billing are using patients' health data to:

  • build their own database of individuals' solvency in order to categorize them; and
  • sell the data to third parties (such as health insurers).

According to the FDPIC, healthcare professionals must take their transparency obligation more seriously. The FDPIC states it as follows:

"Where healthcare professionals outsource medical billing services to third parties, they shall remain precise and draw the attention of the individuals in a clear manner to where and to whom the data would be transferred, and for what purpose the supplier may process such data. This includes in particular using such health-related data to create unrelated databases and potential sales to third parties. In order to comply with this obligation, the healthcare professionals must get the individuals' express consent."

Medical secrecy and explicit consent

From a legal perspective, medical personal data, meaning health-related data about an identified or identifiable individual, are sensitive data. This special category of personal data requires the patient's explicit consent, given in writing, before the processing (art. 4 § 5 DPA) and before any transfer to a third party for a purpose other than medical invoicing. Transferring and using such data for another purpose without valid written consent is therefore illegal.

This practice complies with both art. 321 of the Swiss Criminal Code and art. 10a § 1 let. b of the DPA to the extent that the owner of the secret (the patient) has released the health professional from medical secrecy.

How do I draft my privacy clause in an outsourcing contract?

_______________________________________________

In addition to the other clauses specific to an outsourcing agreement, the contract should at least contain the following:

For outsourcing in Switzerland:

  • a reference to the relevant DPA provisions;
  • a warranty from the billing company that it complies with the DPA provisions;
  • a warranty that data subjects' data protection claims will be fulfilled;
  • a requirement that the data processor obtain the prior consent of the data controller (the healthcare professional) before subcontracting the service;
  • a description of the purpose of the data processing;
  • an obligation for the processor's employees, auxiliary personnel, freelancers etc. to comply with the DPA provisions;
  • an obligation for the data processor to comply with data security obligations.

For cross-border transfers to the third party:

  • If national law permits a transfer to a third party based in another country, include a provision governing cross-border transfers. If personal data are processed (accessed or transferred) in a country without an adequate level of data protection, the data protection clause shall at least include:
    • an obligation to enter into standard contractual clauses, such as the controller-to-processor (C2P) EU model clauses (or Privacy Shield, or the Swiss transborder data flow agreement);
    • an obligation for the data processor to enter into such standard model clauses with its affiliates located in countries without an adequate level of protection;
    • an obligation for the data processor to inform the data controller before the data are subcontracted, including a right for the controller to object; to provide the controller with information about the subprocessors (identity, location); and to bind each subprocessor by a contract containing the same level of contractual obligations.
  • In the view of the Swiss Federal Commissioner, Swiss doctors should not allow a third party outside Switzerland to access medical records. Otherwise, the doctor may infringe medical secrecy, which is protected by the Swiss Criminal Code and by the DPA.

Practical recommendations

_______________________________________________

According to the FDPIC, it is not sufficient to inform the patient of such processing by a notice somewhere in the medical office or waiting room. Nor is it sufficient to add a clause in small print to a medical consent form. To comply with transparency, the patient must receive proper information so that he or she can allow or refuse the processing on the basis of a written consent, given without pressure of any kind.

This short note from the FDPIC reinforces the principle of transparency of the processing.

For the patients

This memo is a call for stronger transparency in the healthcare sector. It signals that more supervision will occur in this area in the future, to protect individuals' right to privacy and to protect them from undue processing where third parties wish to use the data for their own benefit.

As consent is required, the patient may withdraw it at any time. In that event, the healthcare professional and any third party using the data will have to stop using them and, where necessary, delete them to comply with the patient's request.

For healthcare professionals and hospitals

The principle of transparency, which comes from privacy regulations, is not new. It is reinforced by the non-disclosure obligation that medical secrecy imposes on healthcare professionals. But even with the patient's consent to disclose medical information, privacy regulations do not allow anyone to use personal data for whatever purpose they choose: doing so would breach the DPA and render the processing illegal.

In practice, doctors and hospitals must duly inform the patient so that he or she can validly consent to sharing medical information for purposes other than medical billing.

As a data processor, the service provider must comply with all instructions and requirements of the data controller (the doctor or healthcare professional), is responsible for the processing it carries out, and must comply with the DPA.

To remain cautious, healthcare professionals should ensure the following.

with regard to the service provider:

  • it does not use the data for purposes other than medical billing;
  • it contractually commits to respect medical secrecy, since the service provider itself is not bound by it, as well as privacy regulations;
  • the contract contains a clause allowing the data to be returned at any time, at no cost;
  • for cloud computing, only service providers based in Switzerland are used, and a contractual clause prohibits any transfer of the data to a subcontractor or third party outside Switzerland.

with regard to the patient:

  • update the consent forms and add a clear clause, separate from the consent to medical acts, drawing the patient's attention to the fact that the processing may be done for purposes other than medical billing (and explaining which ones);
  • if the data may be used for purposes other than medical billing:
    • obtain the patient's consent after duly informing him or her, and before processing the data; or
    • inform the patient of such transfer so that he or she can give or withhold consent to the processing.

For service providers

The Commissioner has not given an opinion on the supplier's civil liability towards the patient for undue processing, for infringement of medical secrecy, or both.

To protect itself when using the data for purposes other than medical billing, the service provider may:

  • anonymize the data, whether it uses them for its own purposes or sells them to third parties; medical secrecy and privacy laws do not apply to anonymized data, provided the anonymization is irreversible (pseudonymized data from which a patient can still be re-identified remain personal data);
  • clarify with the healthcare professionals for which other purposes it wishes to use the data;
  • require the healthcare professionals to warrant, in the outsourcing agreement, that the patient has been informed of the processing and has validly consented to it;
  • include a specific exclusion of liability for third-party claims (for infringement of medical secrecy or privacy);
  • add an indemnification clause for losses it may incur as a result of a breach of privacy laws or medical secrecy.

To go further, see the following notes on the website of the Swiss Federal Commissioner:

  • This note in French, German or Italian on outsourcing in the context of healthcare
  • This note in French, German or Italian on the use of service providers for keeping medical records in the cloud
  • This note in French, German or Italian on security in medical offices
  • Guide on processing of personal data in the context of healthcare

Gabriel Avigdor | NTIC.ch