Authorisations to release records for insurance purposes are often a concern for insured persons, particularly when they relate to health data, and insured persons often ask us whether they are excessive and to what extent they are compatible with data protection legislation.
An authorisation to release records is necessary when the data collection required by the insurance company is not regulated by law. Since many individuals and institutions that hold the required information are bound by a statutory or contractual duty of confidentiality, the insurer has to request an authorisation to release records in order to obtain the information it needs. The scope of this authorisation is often unclear to the people concerned, who don't understand why they have to authorise doctors, hospitals, other insurers, their employer, social services or the tax administration to release data about them. In addition, they are not always aware that they are required to grant this authorisation under their duties to cooperate and to mitigate damage.
Authorisations are often worded in a very general way, mentioning a whole list of individuals and institutions who may potentially be requested to release information. They also give insurers the right to pass information on to these individuals and institutions, which is due to the fact that the insurer cannot know at that point who it may have to request information from, and if another insurer, e.g. an accident insurance institution, will have to be involved in the case.
From a data protection perspective, it is key that the authorisation to release records is limited to a specific event or claim and to information that is relevant in assessing it. Under no circumstances should the authorisation be ‘a blank cheque’. Insurance companies have to request a new authorisation to release records for each new insured incident; an authorisation to release cannot refer to all future incidents. It should refer to the specific case, for example 'claim of xx.xx.20xx', and it should limit processing to the data that is necessary in the context. Insurers generally use standard authorisation forms which they give to insured persons when they sign the contract or when an insured incident occurs. Given that the same authorisation is often used for different incidents, a variety of potential parties may be mentioned (doctors, hospitals, employers, other insurers, etc.) that may be required to provide information. However, that doesn't mean that the insurance company is permitted to obtain information from all the individuals or institutions listed. In fact, only the processing of the data required for the specific case is covered by the authorisation granted by the data subject. At the same time, the individuals or institutions contacted should check – despite presentation of an authorisation to release records – that the data requested is actually required for the intended purpose (proportionality principle) and that data subject does not have an overriding interest in preventing the data from being disclosed. They should only provide the insurer with information that is specifically related to the case in question. The authorisation does not authorise a doctor or another insurer (e.g. health insurance) to disclose the subject's entire medical records or insurance file. In particular, records that cover several years may only be passed on if the information they contain is really relevant to the specific case.
The insured person has a duty to cooperate and to help clarify the facts (Art. 28 GSSLA). This means that they either have pass on the required information to the insurer themselves or must arrange for the information to be passed on; this will involve discharging the party holding the information from its statutory or contractual duties of confidentiality, as described above (Art. 28 para. 3 GSSLA). If the insured person fails to fully comply with these requirements, the insurer is entitled to refuse to pay benefits, either in part or in full. In practice, insurers do not usually agree to insured persons modifying the authorisation to release and immediately threaten to reduce benefits due to non-compliance with the duty to cooperate. In effect, insured persons have no alternative but to sign the authorisation to release records.
Despite the very extensive powers that insurers have regarding the required data, they still have to comply with data protection requirements. Those who wish to know what health data has been collected about them can submit a subject access request to the institution concerned. Authorisation to release information may be withdrawn at any time; however, this may have an impact on insurance benefits.
Employers generally take out a collective daily sickness allowance insurance for their employees, which is governed by the Insurance Policies Act (IPA). Daily sickness allowance insurance allows employers to cover the risk of having to pay the salaries of employees on long-term sick leave. When an employee gets sick, the insurer has to determine whether it is obliged to pay benefits and the amount of such benefits. If an insured person is unable to work, the insurer can request information from the person's attending doctor or from institutions to clarify what it is obliged to cover. To do so, it needs authorisation from the insured person to obtain records related to the claim in question. By signing an authorisation to release records, the insured person releases all individuals or institutions that hold information that could be useful in assessing the claim from their statutory or contractual obligations (lifting of doctor-patient confidentiality in particular). The information can then be shared with the insurer in compliance with the law.
Insurers that operate in the area of daily allowances have a great deal of leeway in how they formulate the authorisation to release records. According to the case law, it is up to the insurer to decide what information they need in a specific case to determine what it is obliged to cover and to calculate the level of benefits. However, the insurer is also bound by the principle of proportionality. In other words, the authorisation must relate to the specific case and be limited to information that is essential: a blanket authorisation that would allow any data to be shared is not acceptable.
The invalidity insurance (IV) scheme generally requires insured persons to fill out a form containing an authorisation to release records. This authorises the IV to obtain data on the insured person from employers, doctors or insurers. In particular, it allows it to verify whether the insured person is entitled to invalidity insurance benefits.However, authorisations to release records are often formulated in a very general way, or do not clearly state what data the invalidity insurance wishes to collect, from whom, and for what purpose (principles of transparency and proportionality).
These sorts of 'blank authorisations' are not only contrary to data protection legislation, but also to the Federal Act on General Aspects of Social Security Law. Under this Act, insured persons are required to authorise every actor involved in the process in a specific case (employers, doctors, insurers and public services) to provide the information necessary to examine entitlement to payment of benefits. These individuals and institutions have an obligation to provide information.
There may be a need to provide medical data, for example during the process of joining a new employer's occupation pension plan and when an insured incident occurs. As long as an employee fulfils the conditions of compulsory insurance in accordance with the Occupational Pensions Act, the pension fund is obliged to accept them. As a result, health data cannot be requested in order to be accepted onto a compulsory insurance scheme.
However, if the insurance benefits offered go beyond what is offered under compulsory insurance, requests for health records are generally allowed. In this case, the pension fund is not acting as a social insurer but as a private insurer. The pension fund can then add conditions, depending on the insured person's state of health, to cover the risks of death and invalidity. The insured person is required to cooperate and to provide all the required information to the pension fund. If they refuse, the benefits may be reduced or declined. Nevertheless, the pension fund must comply with the principle of proportionality, according to which it may only demand the personal data that is necessary and specific to achieving the desired objective. Also, in accordance with this principle, the data may only be handled by the pension fund's medical officer or medical department.
Pension institutions can request health data about employees from third parties if there are grounds for justification as set out under the Federal Act on Data Protection. The consent of the employee concerned can be invoked as grounds for justification. Consent is essential if the pension institution wishes to obtain information from a doctor, as doctors are bound by professional secrecy under the Swiss Criminal Code. In addition, by law written consent is required in order for an insurer to collect information.
However, the consent clause is only valid if the employee is aware of the scope and extent of the consent. This means that the consent document must clearly and unequivocally state what information can be obtained and from whom (principles of transparency and proportionality). The transparency principle particularly applies to sensitive personal data, such as health data. A 'blank authorisation' is incompatible with data protection legislation.
Employers who offer pension plan with benefits that go beyond what is compulsory are not allowed to see an employee's health data when the employee applies to join the plan. The health data should be sent to the pension institution, or to its medical department or medical officer. It is solely up to the institution to decide whether a person can be covered by this type of pension plan and it is the institution's responsibility to organise the acceptance procedure so that the employer does not gain access to the employee's health data.
Last modification 12.07.2023
.png)
.png)
