Navigation

Copies of medical invoices

 
HEALTH

Sending a copy of a medical invoice electronically

Since 1 January 2022, all service providers (doctors, pharmacists, hospitals, laboratories, etc) are required to provide a copy of their invoice to the insured. It may be sent electronically, but only with the express consent of the insured

Since 1 January 2022, all service providers as defined in Article 35 paragraph 2 of the Health Insurance Act (HIA) (doctors, pharmacists, chiropractors, nursing homes, hospitals, laboratories, etc.) have been required to provide insured persons with a copy of their invoices in all cases and without the insured persons having to requested. It may be sent electronically, but only with the express consent of the insured. This reporting obligation was introduced in Article 42 paragraph 3 HIA as part of measures to curb health care costs. It aims is to give policyholders the opportunity to check their invoices and report any errors to the insurer. This obligation is not in itself new, as it already existed in the third-party (tiers payant) payment system, but was previously regulated only in secondary legislation. Parliament decided to enshrine this obligation in primary legislation, with penalties for non-compliance (warning, repayment of all or part of the fee, fine, exclusion from all activities that may be charged for under the health insurance system).

The Federal Council's draft and the parliamentary debates both paid particular attention to the form of transmission (paper, electronic or other) and to compliance with data protection regulations. The dispatch states that any transmission of the copy of the invoice by electronic means must comply with current data security standards and is only possible if the insured person has been informed in advance and has expressly given their consent. In addition, the insured person may request a paper copy at no additional cost.

Health-related data are sensitive data as defined in the Federal Data Protection Act (FADP), and require special measures for processing. This requires service providers wishing to transmit copies of their invoices electronically to take appropriate technical and organisational measures as defined in Article 8 FADP and Article 3 of the Data Protection Ordinance to ensure secure communication.

The quality and security of the various procedures in place are the responsibility of the service providers. In particular, as the party responsible for the security of the sensitive data that they will be sending electronically, they should check the encryption measures for preventing unauthorised access and the multi-factor authentication procedures they intend to put in place.
In brief, service providers who choose to send copies of their invoices electronically:

  • must have informed the insured in advance of the risks associated with this mode of transmission
  • must have ascertained that the insured has expressly and freely given their consent to such transmission in electronic form, and
  • are responsible for taking appropriate technical and organisational measures in accordance with data protection legislation, including the use of encryption measures and multi-factor authentication procedures.

Failure by service providers to ensure that data protection and security measures are in place can have serious civil and criminal consequences, including:

  • a civil claim by the person concerned based on Article 32 FADP and Article 28 of the Swiss Civil Code (Any person whose personality rights are unlawfully infringed may petition the court for protection against all those causing the infringement.),
  • claims for damages and satisfaction by the person concerned based on Article 28a of the Swiss Civil Code, for example in the case of the malicious interception of unencrypted e-mails and the disclosure of health data to third parties, or
  • criminal prosecution for breach of medical confidentiality under Article 321 of the Swiss Criminal Code and Article 62 FADP, for example in the event of the disclosure of medical data to unauthorised recipients.

If the patient does not wish to be sent an electronic copy of the invoice, the service provider must respect this choice and send the copy in paper form by post at no extra cost to the patient.

In view of the difficulties that service providers may face in implementing the appropriate technical and organisational measures, it should be remembered that legislators have also provided the option for the insurer and the service provider to agree that the insurer should send the copy of the invoice to the insured person.

Recommendations of the Swiss Medical Association on encryption measures

Federal Office of Public Health (FOPH)

FOPH. Amendment of the HIA: 1st set of measures to control costs (website available in German, French and Italian)

Patient data disclosure

Medical and paramedical data is often highly sensitive. The disclosure of these data is subject to several rules.

Authorisation to release records for insurance purposes

Authorisations to release records for insurance purposes – particularly when drafted in a very non-specific way – raise questions around compatibility with data protection legislation.

Inspection, storage and deletion of patient data

Patients' rights with regard to their medical history

Invoicing of hospitalisation costs

Reconciling two conflicting interests: Cost-effectiveness of hospital care and protection of patients’ data

Questions on data protection

Take a look at our FAQ or call our hotline.

Infocenter

Here you can download all documents sorted by topics.

The main provisions

Here you can find out more about changes to the Data Protection Act, which came into force on 1 September 2023.

Webmaster
Last modification 11.05.2023

Top of page