Inspection, storage and deletion of patient data
Patient records - inspection, storage and deletion of patient data
In connection with patient records, the question regularly arises as to whether and when patients can request access to their medical records or ask for the records to be destroyed or deleted, and how long doctors must - and are allowed to - keep the records.
Patient records comprise documents and records produced in connection with medical treatment, such as reports, X-rays, laboratory results and correspondence with other medical service providers. They can be kept electronically or on paper. Medical records kept by a health professional in electronic form should not be confused with the electronic patient record under the EPRA (for more information on this, see: www.patientrecord.ch).
Right to information
Patients can inspect their medical records on the basis of their right to information under data protection law ('Right to information'). With the patient's consent, the personal data may also be passed on by a health professional (e.g. a family doctor) to other persons.
Restrictions on the right to have one's data deleted
The right to have data about yourself deleted, which is also provided for in the Data Protection Act, is regularly contradicted by the obligations to keep records to which medical professionals are subject, for example under cantonal health laws. A doctor is often unable to comply with a request to delete all data or to hand over all original documents to the patient, since doing so would breach the doctor's legal obligations to retain data.
Accordingly, health professionals may also have their own professional reasons for refusing a request for deletion of data. In this respect, the question of whether there is a right to have the records deleted rather depends on the question of how long the records must be retained.
Retention period for medical records
The Data Protection Act only indirectly answers the question of how long doctors must and may keep the medical records of their patients. Based on the principle of proportionality, a health professional may keep patient files for as long as these documents are still needed.
Once treatment is completed, for example, certain data are necessary for invoicing. A doctor may also need to be able to access the data as evidence in proceedings to defend liability claims. This means that certain documents may be kept even if the patient requests their deletion, namely until the statute of limitations for asserting any claims arising from the treatment in question has expired or until it is absolutely clear that no legal proceedings will ensue. The general limitation periods set out in the Swiss Code of Obligations are regularly used as a rule of thumb. The limitation period for personal injury is 20 years (since 1 January 2020).
Some cantonal health laws that regulate the documentation obligations of doctors have already been adapted and now also provide for a longer general retention period, which has an influence on the retention period for patient records. A retention period of 20 years can therefore be assumed as a rule. In individual cases, longer retention periods are also conceivable, for example in the treatment of long-term or chronic illnesses. In certain situations based on specific legislation, data is also stored in specialised medical registers (for example, cancer or organ transplant registers). However, data protection-compliant management of patient records also requires that documents that are no longer needed are regularly deleted. A doctor's practice must design its records management workflows accordingly.
Authorisations to release records for insurance purposes – particularly when drafted in a very non-specific way – raise questions around compatibility with data protection legislation.
Medical service providers must provide a copy of their invoice to the insured. It may be sent electronically.
Medical and paramedical data is often highly sensitive. The disclosure of these data is subject to several rules.
Reconciling two conflicting interests: Cost-effectiveness of hospital care and protection of patients’ data
Here you can find out everything about the mains provisions of the Data Protection Act, which comes into force on 1.9.2023.
Take a look at our FAQ or call our hotline.
Here you can download all documents sorted by topics.
Last modification 19.06.2023