General information about authorisation to release records:
An authorisation to release records is necessary when the data collection required by the insurance company is not regulated by law. Since many individuals and institutions that hold the required information are bound by a statutory or contractual duty of confidentiality, the insurer has to request an authorisation to release records in order to obtain the information it needs. The scope of this authorisation is often unclear to the people concerned, who don't understand why they have to authorise doctors, hospitals, other insurers, their employer, social services or the tax administration to release data about them. In addition, they are not always aware that they are required to grant this authorisation under their duties to cooperate and to mitigate damage.
Authorisations are often worded in a very general way, mentioning a whole list of individuals and institutions who may potentially be requested to release information. They also give insurers the right to pass information on to these individuals and institutions, which is due to the fact that the insurer cannot know at that point who it may have to request information from, and if another insurer, e.g. an accident insurance institution, will have to be involved in the case.
From a data protection perspective, it is key that the authorisation to release records is limited to a specific event or claim and to information that is relevant in assessing it. Under no circumstances should the authorisation be ‘a blank cheque’. Insurance companies have to request a new authorisation to release records for each new insured incident; an authorisation to release cannot refer to all future incidents. It should refer to the specific case, for example 'claim of xx.xx.20xx', and it should limit processing to the data that is necessary in the context. Insurers generally use standard authorisation forms which they give to insured persons when they sign the contract or when an insured incident occurs. Given that the same authorisation is often used for different incidents, a variety of potential parties may be mentioned (doctors, hospitals, employers, other insurers, etc.) that may be required to provide information. However, that doesn't mean that the insurance company is permitted to obtain information from all the individuals or institutions listed. In fact, only the processing of the data required for the specific case is covered by the authorisation granted by the data subject. At the same time, the individuals or institutions contacted should check – despite presentation of an authorisation to release records – that the data requested is actually required for the intended purpose (proportionality principle) and that data subject does not have an overriding interest in preventing the data from being disclosed. They should only provide the insurer with information that is specifically related to the case in question. The authorisation does not authorise a doctor or another insurer (e.g. health insurance) to disclose the subject's entire medical records or insurance file. In particular, records that cover several years may only be passed on if the information they contain is really relevant to the specific case.
The insured person has a duty to cooperate and to help clarify the facts (Art. 28 GSSLA). This means that they either have pass on the required information to the insurer themselves or must arrange for the information to be passed on; this will involve discharging the party holding the information from its statutory or contractual duties of confidentiality, as described above (Art. 28 para. 3 GSSLA). If the insured person fails to fully comply with these requirements, the insurer is entitled to refuse to pay benefits, either in part or in full. In practice, insurers do not usually agree to insured persons modifying the authorisation to release and immediately threaten to reduce benefits due to non-compliance with the duty to cooperate. In effect, insured persons have no alternative but to sign the authorisation to release records.
Despite the very extensive powers that insurers have regarding the required data, they still have to comply with data protection requirements. Those who wish to know what health data has been collected about them can submit a subject access request to the institution concerned. Authorisation to release information may be withdrawn at any time; however, this may have an impact on insurance benefits.