Data protection, privacy and digitisation in healthcare

Digitisation

What are the legal developments regarding digitisation in the healthcare sector and industrial networks or sales channels?

Digitisation in healthcare proceeds at different speeds depending on the area. Diagnostic, data-processing and data-presentation equipment and software are developing very fast and are leading-edge technology, whereas projects such as the electronic patient record or the recognised electronic signature are moving slowly. In Switzerland there are rather few legal developments specific to this field.

The revision of the Data Protection Act of 25 September 2020, which is expected to come into force in 2022 or 2023, will also have a major impact on the healthcare sector. The revision brings the Swiss Data Protection Act closer to the General Data Protection Regulation. Important consequences are the obligation to keep a record of processing activities and the requirement to carry out a data protection impact assessment for high-risk processing, which will often be relevant where personal data requiring special protection, such as health data, is processed on a large scale.

Provision of digital health services

Which law regulates the provision of digital health services, and to what extent can such services be provided?

There are no specific laws governing digital health services such as telemedicine. Instead, digital health services have to be assessed under a number of different laws. One main principle is that physicians, on the basis of their mandate contract with the patient, must apply the diligence that can be expected of them given their education and experience. This rule is also laid down in article 40 letter a of the Federal Act on the University Medical Professions (Medical Professions Act). Some cantonal health laws require that patients be treated personally and, in principle, through direct contact (eg, section 12 paragraph 3 of the Health Act of the Canton of Zurich). The professional rules of the Swiss Medical Association (FMH) merely prohibit treating a patient on a regular basis solely through digital contact.

Furthermore, the provisions on patient–doctor confidentiality have to be respected; a digital channel does not relax the duty of confidentiality, so the service must be designed so that patient data is not exposed to unauthorised parties.

Authorities

Which authorities are responsible for compliance with data protection and privacy, and what is the applicable legislation? Have the authorities issued specific guidance or rules for data protection and privacy in the healthcare sector?

The authorities responsible for compliance with data protection and privacy are mainly the Federal Data Protection and Information Commissioner and the cantonal data protection commissioners. Their tasks are laid down in the federal and cantonal data protection acts respectively. The federal commissioner has published several guidance documents on data protection in the healthcare sector (eg, a guide on the processing of personal data in the medical field from 2006, and explanations on the processing of personal data in medical practices).

Requirements

What basic requirements are placed on healthcare providers when it comes to data protection and privacy? Is there a regular need for qualified personnel?

Health data is personal data requiring special protection. Accordingly, there are elevated requirements regarding the information given to data subjects about the collection and processing of this data, and the data subject's explicit consent is, as a rule, required. Patient–doctor confidentiality also requires that patient data be stored securely and protected against access by unauthorised third parties, which in practice means access controls, encryption and audit logging appropriate to the risk. There is no general requirement to appoint a qualified data protection officer.

The revision of the Data Protection Act of 25 September 2020, which is expected to come into force in 2022 or 2023, introduces the requirement of a data protection impact assessment for processing that is likely to entail a high risk, which will often be relevant where personal data requiring special protection, such as health data, is processed on a large scale.

Common infringements

What are the most common data protection and privacy infringements committed by healthcare providers?

The most common data protection and privacy infringements committed by healthcare providers are a failure to keep the protection of electronic patient data against unauthorised access up to date (eg, unpatched systems or overly broad access rights) and a lack of sufficient informed consent for the further use of patient data.