Data protection in healthcare - an overview for medical practices
23.06.2022 13:11

The FDPIC (Federal Data Protection and Information Commissioner) recently published a report: “Hacker attacks on medical practices in Romandy”. According to several media reports, the attackers published the data on the dark web, causing damage that is difficult to quantify. The protection of sensitive medical data is a central topic that medical practices have to deal with, especially in view of the above-mentioned incident.

In the following, we would like to provide an overview of which data is considered particularly sensitive, which data protection regulations must be complied with and which factors minimize the risk of falling victim to such crimes, so that you can protect yourself and your patients as best as possible.

Why is data protection essential in healthcare?

It seems almost self-evident that we are discussing the protection of data, but from whom and why does it need to be protected? Health data may contain information of interest to different parties for different reasons, be it because conclusions unfavourable to the person concerned can be drawn from it, or simply because the data can be sold for profit. The following scenarios outline the value of data for different healthcare stakeholders:

  • Insurance companies use medical data to calculate insurance premiums in an even more personalised way, or even to reject people as customers altogether.
  • Hackers gain access to patient data through security breaches in medical institutions in order to extort money from them by threatening to publish the data.
  • Potential employers draw conclusions from candidates' doctor visits and refuse to hire them, considering that the employee "may well be on frequent sick leave in the future".


The interests are diverse and often very lucrative from a financial point of view for the interested parties, but they always carry disadvantages for the individual. In view of this, sensitive data, and this includes medical data in particular, are considered particularly worthy of protection.

Sensitive medical data - what are they?

[Image: “Privacy Please” sign. Privacy also applies in the digital sphere]

In data protection, a fundamental distinction is made between simple personal data on the one hand, and sensitive personal data requiring special protection on the other. Although there is no sharp dividing line between the different types of data, there is a classification that should be used as a basis for categorization, and each data set must be qualified separately. In this context, particularly sensitive data according to Article 3 of the FADP (Federal Act on Data Protection) is information concerning:

  1. religious, ideological, political or trade union views or activities,
  2. health, privacy or race,
  3. social assistance measures,
  4. administrative or criminal prosecutions and sanctions.


Health-related data includes all data from which the past, present or future state of health of a data subject can be derived. This also covers data on registration for medical treatment; the doctor-patient relationship as such is already considered worthy of protection.

The following example illustrates that whether information qualifies as sensitive data often depends on the context.

Example: If a medical practice stores a patient's name when registering them for a health examination, the name, in the context of the planned examination, becomes a sensitive data record requiring special protection with regard to the health status of the person concerned. It is important to note that the name alone would not constitute sensitive medical information; it is the context that creates this requirement. 1

If an external provider takes over the management of registrations for medical examinations, this provider is also subject to the strict regulations of data protection. This is one of the reasons why we at medicosearch also carry out an ongoing assessment of our compliance with data protection.


nFADP - how data protection in Switzerland is changing

With the revision of the Federal Act on Data Protection passed by parliament in 2020, the new provisions come into force on 01 September 2023. They also change how certain medical data are qualified with regard to their sensitivity.

In general, the nFADP is very similar to the EU's GDPR (General Data Protection Regulation). This alignment naturally affects a large number of points; particularly relevant is the qualification of genetic data as medical information requiring special protection, which can now be found in both texts.

Thus, a challenge arises for all stakeholders involved in the collection, processing and storage of personal, medical data. 

The challenge for medical practices in terms of data protection

For medical practices, the situation is somewhat paradoxical at first glance. On the one hand, their core competence lies in the medical field; on the other hand, the data they handle on a daily basis is considered extremely sensitive and needs to be protected. While the resources to deal with this issue are limited, ongoing assessment in this area is essential. Building digital literacy within the practice and encouraging staff to take on this challenge can go a long way towards easing the burden.

How do you approach these specific topics as a healthcare institution?

The GDPR contains 5 key "principles" that are useful for an initial assessment of your situation: 

  • Principle of transparency: Process data of data subjects in a way that is comprehensible to them.
  • Principle of purpose limitation: Only collect data for specified, clear and justifiable purposes.
  • Principle of data minimization: Data must be adequate and kept to a minimum with regard to the purpose of their processing.
  • Principle of storage limitation: Data should only be stored for as long as is necessary for the purpose of their processing.
  • Principle of accuracy: Personal data must be stored correctly and be kept up to date. Measures must be taken to immediately delete data that are incorrectly processed.


Keep a separate directory documenting which data you process and in which system, from your patients' e-mails to the prescriptions you issue. Make it clear in your privacy policy what data you collect, why, and in what form it is processed.

Outsourcing certain processes can also be advantageous if the third parties guarantee the protection of the data collected and take responsibility for its confidentiality. This is an advantage for healthcare facilities that use patient appointment bookings via medicosearch.

In case of need or doubt, consult external experts who will assess your situation with regard to the standards of data protection and provide advice, as violations of applicable law can cost those affected a great deal.

Together with the Swiss nFADP for more security and confidentiality  

[Image: two people shaking hands. Together for more protection in the healthcare sector]

The above measures and approaches will help you gain an overview of the situation within your practice without underestimating the complexity of the topic. Keep in mind that handling your patients' data transparently and securely creates a high sense of trust, which is also one of the ways to increase patient loyalty. Make sure your medical practice is compliant with the latest requirements as of September 2023, so you can devote your valuable resources back to the health of your patients.

Cover photo by Philipp Katzenberger. More images by Jason Dent and Cytonn Photography
