Since 1 January 2022, all service providers as defined in Article 35 paragraph 2 of the Health Insurance Act (HIA) (doctors, pharmacists, chiropractors, nursing homes, hospitals, laboratories, etc.) have been required to provide insured persons with a copy of their invoices in all cases and without the insured persons having to requested. It may be sent electronically, but only with the express consent of the insured. This reporting obligation was introduced in Article 42 paragraph 3 HIA as part of measures to curb health care costs. It aims is to give policyholders the opportunity to check their invoices and report any errors to the insurer. This obligation is not in itself new, as it already existed in the third-party (tiers payant) payment system, but was previously regulated only in secondary legislation. Parliament decided to enshrine this obligation in primary legislation, with penalties for non-compliance (warning, repayment of all or part of the fee, fine, exclusion from all activities that may be charged for under the health insurance system).
The Federal Council's draft and the parliamentary debates both paid particular attention to the form of transmission (paper, electronic or other) and to compliance with data protection regulations. The dispatch states that any transmission of the copy of the invoice by electronic means must comply with current data security standards and is only possible if the insured person has been informed in advance and has expressly given their consent. In addition, the insured person may request a paper copy at no additional cost.
Health-related data are sensitive data as defined in the Federal Data Protection Act (FADP), and require special measures for processing. This requires service providers wishing to transmit copies of their invoices electronically to take appropriate technical and organisational measures as defined in Article 8 FADP and Article 3 of the Data Protection Ordinance to ensure secure communication.
The quality and security of the various procedures in place are the responsibility of the service providers. In particular, as the party responsible for the security of the sensitive data that they will be sending electronically, they should check the encryption measures for preventing unauthorised access and the multi-factor authentication procedures they intend to put in place.
In brief, service providers who choose to send copies of their invoices electronically:
- must have informed the insured in advance of the risks associated with this mode of transmission
- must have ascertained that the insured has expressly and freely given their consent to such transmission in electronic form, and
- are responsible for taking appropriate technical and organisational measures in accordance with data protection legislation, including the use of encryption measures and multi-factor authentication procedures.
Failure by service providers to ensure that data protection and security measures are in place can have serious civil and criminal consequences, including:
- a civil claim by the person concerned based on Article 32 FADP and Article 28 of the Swiss Civil Code (Any person whose personality rights are unlawfully infringed may petition the court for protection against all those causing the infringement.),
- claims for damages and satisfaction by the person concerned based on Article 28a of the Swiss Civil Code, for example in the case of the malicious interception of unencrypted e-mails and the disclosure of health data to third parties, or
- criminal prosecution for breach of medical confidentiality under Article 321 of the Swiss Criminal Code and Article 62 FADP, for example in the event of the disclosure of medical data to unauthorised recipients.
If the patient does not wish to be sent an electronic copy of the invoice, the service provider must respect this choice and send the copy in paper form by post at no extra cost to the patient.
In view of the difficulties that service providers may face in implementing the appropriate technical and organisational measures, it should be remembered that legislators have also provided the option for the insurer and the service provider to agree that the insurer should send the copy of the invoice to the insured person.