Patient data disclosure

Patient data disclosure

Medical and paramedical records contain a lot of sensitive data. The disclosure of these data is subject to several rules, in particular professional secrecy. 

Data protection plays an important role in the patient-doctor relationship. The data concerned, which are health-related and often also involve matters that are private to the patient, are sensitive data as defined in Article 5 letter c number 2 of the Data Protection Act (FADP). However, the exchange of information among the various health professions and also with third parties, such as laboratories, computer specialists, payment services or other health professionals is becoming increasingly important. This exchange of information is subject to several rules. Below, we raise some of the most common issues.

The professions - including health professions - listed in Article 321 of the Criminal Code (SCC) are subject to professional secrecy. This means that doctors are not permitted to disclose information obtained in the course of their professional activities without the patient's consent. Under certain conditions, information may be disclosed without consent with the authorisation from a higher or supervisory authority (Art. 321(2) SCC), or for research purposes (Art. 321bis SCC).

The lifting of medical confidentiality hinges on the following forms of consent:

  • Consent may be express: the patient agrees to the intended disclosure of information or signs a document to that effect.
  • Consent can also be tacit: the doctor informs the patient that the information will be sent to a specific specialist and the patient does not object.
  • Finally, consent can be given by behaviour implying consent, which plays an important role in practice. Today, it is normal for doctors to disclose information about their patients to a certain number of people. When a person undergoes hospital treatment, some information at least has to be shared with people in the healthcare team and with administrative staff. The simple fact that the patient goes to the hospital - the patient’s behaviour - implies that he or she agrees to share the information on hospital treatment. Behaviour implying consent therefore allows the disclosure of information that the average patient might reasonably expect to be disclosed, given the situation.

    Another example of behaviour implying consent occurs when doctors have to send samples to a laboratory for analysis. By providing the samples, patients show that they expect the samples to be sent to the laboratory.

    However, if doctors use a third party for billing (a medical fees collection agency (Caisse des Médecins), SwisscomHealth, etc.), this does not seem to be covered by behaviour implying consent. Even if this practice is becoming quite common, it cannot (yet) be assumed that patients are necessarily familiar with it and therefore that their consent is implied by the mere fact that they have visited the doctor. Therefore, the doctor should in principle ask for the patient's express consent to using such services.

    The issue of consent also arises increasingly in connection with the use of a cloud service by the therapist. As a precaution, doctors should ask their patients for consent. However, the use of a cloud provider abroad should be avoided in all cases: foreign law does not always offer the protection required by Article 321 SCC.
  • Any consent, whatever its form, must be based on sufficient and comprehensible information so that the patient can make an informed decision.  

Who is subject to medical confidentiality?n

  • In addition to the doctors mentioned in Article 321 of the Criminal Code, their assistants are also subject to professional confidentiality. Examples of assistants are the practice receptionists and other administrative staff, medical assistants, IT providers, laboratory technicians, etc.
  • Medical confidentiality also applies between persons subject to confidentiality: doctors are not permitted to pass on information about their patient to a colleague simply because the latter is also subject to confidentiality. This even applies to doctors who work in the same practice. The patient management system should be set up in such a way that each doctor only has access to the data relating to their own patients.

Data Protection Act: 

In addition to medical confidentiality, data processing by doctors is also subject to the rules and principles of the Data Protection Act (FADP), which have numerous implications, such as:

  • The principle of proportionality, which requires doctors their assistants to disclose only the data necessary for the recipient to carry out his task.
  • Doctors are also required to ensure the security of the data, including their security when being disclosed. If doctors wish to disclose information by email, the information must be secured, for example by encryption. It is permitted to send information by unsecured email, but only if the patient has given their consent, after having been fully informed of the risks (interception of the email by a third party, hacking of the inbox, email sent to the wrong address, etc.).
  • Health professions not covered by Article 321 of the Criminal Code (naturopaths, acupuncturists, etc.) are nevertheless subject to the duty of confidentiality under Article 62 of the FADP. The definitions of ‘assistants’ and ‘confidentiality’ correspond to those in Article 321 SCC.

Copies of medical invoices

Medical service providers must provide a copy of their invoice to the insured. It may be sent electronically.

Authorisation to release records for insurance purposes

Authorisations to release records for insurance purposes – particularly when drafted in a very non-specific way – raise questions around compatibility with data protection legislation.

Inspection, storage and deletion of patient data

Patients' rights with regard to their medical history

Invoicing of hospitalisation costs

Reconciling two conflicting interests: Cost-effectiveness of hospital care and protection of patients’ data

Questions on data protection

Take a look at our FAQ or call our hotline.


Here you can download all documents sorted by topics.

The main provisions

Here you can find out more about changes to the Data Protection Act, which came into force on 1 September 2023.

Last modification 29.12.2023

Top of page