Revision of the Swiss Data Protection Act: Conference for HCPs


This Thursday, 24 October 2019, I will have the pleasure of presenting the current state of the revision of the Swiss Federal Data Protection Act (DPA), as currently discussed in the Federal Parliament. I will be discussing the consequences for doctors in private practice at a conference organised by FMH Services, at the Hotel Aquatis in Lausanne.

Since the GDPR became enforceable on 25 May 2018, data protection has become a hot topic and an area of concern for many sectors, particularly healthcare. The various actors, whether healthcare organisations (HCOs) such as hospitals and clinics, or healthcare professionals (HCPs) such as doctors, are particularly sensitive to changes in the legal framework given the sensitivity of the data they process on a daily basis.

The objective of this conference is to review the changes that are likely to be adopted and introduced by the total revision of the Swiss Data Protection Act. We will discuss the challenges that doctors will face and the recommendations they need in order to prepare for these changes. This will also be the opportunity to discuss how the GDPR applies to physicians and HCPs, as well as best practices for the use of technology by doctors acting as data controllers of health-related personal data.

The revision of the Swiss DPA aims at strengthening the rights of individuals, in this case patients, and at aligning Swiss law with European data protection standards. We will examine to what extent the revision fulfils this objective.

________________________________

CONSEQUENCES ON THE DAILY PRACTICE OF HCPS

Generally, the daily practice of HCPs will not change drastically under the new Swiss Data Protection Act, and the guidance for a physician's practice will remain similar to that already issued by the Federal Commissioner in the past.

In my previous article on outsourcing medical billing, I mentioned the guidance the Federal Commissioner issued in the context of healthcare, which contains exhaustive recommendations, examples and case studies on security measures at the medical office, outsourcing, the use of cloud computing, and how to respond to patients exercising their right of access to medical records. The Federal Commissioner has also issued guidance on how to deal with data protection generally at the office.

That said, the major change for the processing of medical information relates to the use of new technologies, where the risk to medical secrecy and data protection is highest. This is all the more true because very few HCPs are prepared for digital transformation, and few have measures or best practices in place for the use of ICT. This requires increased vigilance and diligence from health professionals and physicians if they are to avoid civil or criminal liability.

Therefore, the security of patient data and the application of data protection principles at the medical office remain essential, because of the increased risks associated with the use of information systems, social media, cloud computing, telemedicine and similar technologies. In this context, all previous recommendations of the Federal Commissioner remain valid (see the articles listed below) and must be followed, as must the Code of Ethics of the Swiss Federation of Physicians (FMH).

It should be noted that risks increase with the use of telemedicine systems and unsecured means of communication (for example ordinary e-mail), as well as in the case of outsourcing (subcontracting) of services such as invoicing or secretarial work.

________________________________

FINES IMPOSED ON HOSPITALS AND DOCTORS UNDER THE GDPR

In Europe, we have already seen hospitals fined by data protection authorities, with administrative penalties of several hundred thousand euros.

Since the GDPR came into force, most breaches have consisted of inadequate security measures to protect patient data. Similarly, the failure to implement controls over who may access patient files has often been the cause of breaches by health institutions and of the resulting sanctions.

In this respect, the following European decisions are worth mentioning:

  • Portugal: my previous article and comments on the €400,000 fine imposed on a Portuguese hospital. Note that in this article, I also discuss other major fines under the GDPR (Equifax, Cambridge Analytica) and the very first fine (ICANN) under the GDPR, as well as the situation of Swiss hospitals with regard to privacy and data protection and some elements of the current revision of the Swiss Data Protection Act;
  • Netherlands: €460,000 fine imposed on Haga Hospital for allowing unauthorised access by employees and third parties to the medical record of a local celebrity. The fine was imposed as a result of inappropriate security measures (art. 32 GDPR), in particular weak access control with no two-factor authentication, which the authority considered the "ABC" of security, and insufficient review of the logs showing who had accessed the record;
  • Cyprus: €14,000 fine imposed on a doctor for publishing a patient's health-related information on Instagram, naming the patient without her consent. After investigation, the Data Protection Commissioner of Cyprus also imposed a €5,000 fine on the hospital for being unable to retrieve the patient's medical record following an access request.

These examples demonstrate the importance of privacy and security compliance and of data protection principles. These basic principles have to be applied in medical offices and hospitals alike. To maintain proper control over personal data, it is crucial to apply the principle of privacy by design and to implement a complete data protection and management programme for all types of healthcare actors.

This should include training, rules of conduct for employees and managers, access controls, and appropriate organisational and technical measures to prevent data breaches, unauthorised access to personal data, data loss, alteration and other breaches of data protection. It also remains key, even for micro-enterprises and medical offices, to have an action plan in the event of a data breach, so that the authorities or the patient can be notified where necessary. Given these challenges, a lightweight arrangement such as an external data protection officer would be welcome.

Even though the sanctions regime of the Swiss DPA will differ from the European administrative fines under the GDPR (up to 2% or 4% of global annual turnover, or €10 million or €20 million, whichever is higher), these basic rules and principles are essential and must be respected. This is key to avoiding civil or criminal liability for violation of the Data Protection Act. Where applicable, such conduct may also infringe Art. 321 of the Swiss Criminal Code (violation of professional secrecy, which covers medical secrecy).

Currently, the Swiss sanctions system only allows individuals to initiate civil or criminal proceedings for violation of the Federal Data Protection Act, and the maximum criminal fine amounts to CHF 10,000. The revision plans to raise the maximum criminal fine to CHF 250,000. This still remains a criminal fine, imposed in criminal proceedings initiated on complaint by a data subject, and it targets the responsible natural person; the data controller as an organisation cannot receive any direct administrative sanction from the Swiss authority.

Find my other articles relating to healthcare:

  • Article on the outsourcing of medical data
  • Uneconomical physicians and the consequences of overbilling (in French: "polypragmasie", in German: "Überarztung")
  • Videoconference: software and medical devices regulation
  • Conference on telemedicine