Implementing provisions on the Federal Act on the Electronic Patient Record

The Federal Act on the Electronic Patient Record (EPRA) was passed by Parliament on 19 June 2015. The deadline for requesting a referendum expired on 8 October 2015. With this, the sectoral identifier for the electronic patient record is now in place. A range of contentious issues still have to be addressed.

The EPRA is due to come into effect mid-2017. This law establishes a range of principles; for example, patients should be identified by means of a sectoral eHealth identifier rather than by their social insurance number. We have lobbied for several years to achieve this important point. Many further important details will be included in the related ordinances. In the reporting year we provided extensive feedback on the drafts presented in the consultation procedure. Some of the most important issues we raised involved data protection law in relation to eHealth and communities of health professionals, certification requirements and access rights.

Regarding the current data protection law relating to health professional communities and reference communities, we are of the view that the Federal Data Protection Act (DPA) applies to the processing of personal data and that we are the competent supervisory authority. This should be stated in the explanatory notes on the ordinance. Irrespective of their members, communities of health professionals must be constituted as private law entities, and the relationship between patients and these communities must also be governed by private law. The DPA is therefore applicable in these circumstances.

Irrespective of this formal legal rationale, there are also practical reasons for applying the DPA. In order to create legal certainty for patients and other participants in the Swiss eHealth system, it is important that the same data protection law provisions should apply throughout the country for the electronic patient record and that a single supervisory authority should ensure their uniform application. Application of the DPA and oversight by the FDPIC therefore also provides investment protection to both the health professional communities and their operating bodies. The Federal Office of Public Health (FOPH) will act as the certification scheme owner and must ensure, in conjunction with accredited certifiers, that the certification requirements are met. However, we remain responsible for data protection oversight.

In relation to the technical and organisational certification requirements for health professional communities, we raised the objection that there is too great a focus on data security and too little attention is paid to data protection aspects. Firstly, this contradicts the relevant article in the EPRA, which provides for certification that takes account of both data protection and data security. Furthermore, ensuring data protection is a key requirement for the electronic patient record. This should be addressed in sufficient measure by the certification requirements.

We also addressed the issue of allowing groups of health professionals access to the electronic patient record, pointing out that the ordinance provisions do not detail restrictions on access by such groups, as we had requested. Instead, the provisions allow for global group rights. In our view, issuing authorisation represents a declaration of intent that can only have legal effect if the authorisation is issued to a person or body that is a legal entity. Making a declaration of intent to a group of persons, e.g. the employees of a particular section in a hospital, does not, in our view, constitute a legally binding granting of authorisation, as the group per se is not a legal entity.

We therefore expected that the ordinance would address the issue of granting authorisation to groups by establishing that authorisation can in principle only be granted to individual persons. These persons would then be listed in the health professional community directories. However, the draft ordinance goes in the exact opposite direction. It expressly states that patients may grant authorisation to groups of health professionals. The only stipulation is that the composition of the groups must be clear at all times.

The FOPH appears to be aware of the fact that this may lead to problems. On the one hand, the communities must ensure that the groups are not unreasonably large. Furthermore, the commentary on the technical and organisational certification requirements states that unreasonably large numbers of health professionals should not be granted authorisation without good reason (treatment context). We consider the requirement that groups should not be too large to be of little use. No-one will be able to define a way of establishing whether a group is unreasonably large or not. Instead, the treatment context could, in principle, be given as a requirement, but this requirement is in fact totally watered down by the ordinance and the commentary mentioned above. It should not be possible for health professionals who are not part of the treatment context to be granted authorisation without the explicit consent of the patient.

According to one principle defined for eHealth Switzerland, the only persons who should have access to the patient's electronic record are health professionals in the treatment context. The FOPH's statement that the number of health professionals not involved in the treatment context yet entitled to access should not be too large is therefore incomprehensible. This problem is accentuated by the fact that such groups may be dynamic; it is assumed that a health professional entering the group for the first time will automatically be granted access rights. In such circumstances, it can no longer be said that the patients themselves are able to grant access.

Attention should also be paid to the role of the health professionals' auxiliary staff. Although they are not mentioned in either the federal act or in the draft ordinance, these persons will also obtain access to the electronic patient record, increasing the number of people with access rights even further. It must therefore be clear to patients from their records which auxiliary staff have access to the electronic patient record and for which health professionals they work, as ultimately it is the health professionals who are responsible for their auxiliary staff.
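As an added illustration (not part of the report, and not the ordinance's data model), a constructed model of the two authorisation designs contrasted above: grants to a dynamic group, where a newly joined member obtains access without the patient being involved, versus grants to individual professionals bound to the treatment context, with auxiliary staff attributed to the responsible professional. All names, structures and identifiers are assumptions.

```python
# Constructed model (an assumption, not the EPRA ordinance's data model) of the
# two authorisation designs discussed above. All names are invented.
from dataclasses import dataclass, field

# Dynamic group directory: group -> current members. Membership changes over time.
GROUPS = {"surgery-ward": {"dr_a", "dr_b"}}
# Auxiliary staff -> the health professional responsible for them.
AUX_STAFF = {"nurse_x": "dr_a"}

@dataclass
class Record:
    patient: str
    group_grants: set = field(default_factory=set)       # design in the draft ordinance
    person_grants: set = field(default_factory=set)      # design the report argues for
    treatment_context: set = field(default_factory=set)  # professionals treating the patient

def group_access(rec, professional):
    """Group design: any *current* member of an authorised group gets access,
    including members who joined after the patient granted the authorisation."""
    return any(professional in GROUPS.get(g, set()) for g in rec.group_grants)

def person_access(rec, professional, patient_consented=False):
    """Individual grants, bound to the treatment context: outside it, access
    requires the patient's explicit consent."""
    if professional not in rec.person_grants:
        return False
    return professional in rec.treatment_context or patient_consented

def auxiliary_access(rec, aux):
    """Auxiliary staff inherit access only from the responsible professional, and
    the access is attributed to that professional so the patient can see it."""
    responsible = AUX_STAFF.get(aux)
    if responsible is None:
        return False, None
    return person_access(rec, responsible), responsible

def demo():
    rec = Record("patient-1", group_grants={"surgery-ward"},
                 person_grants={"dr_a", "dr_b"},
                 treatment_context={"dr_a", "dr_b"})
    before = group_access(rec, "dr_new")
    GROUPS["surgery-ward"].add("dr_new")   # dr_new joins the ward; the patient is not asked
    return (before,
            group_access(rec, "dr_new"),    # access appears without any patient action
            person_access(rec, "dr_new"))   # no individual grant, so no access

if __name__ == "__main__":
    print(demo())
```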

Overall, in our analysis of the implementing provisions on EPRA we gained the impression that there is no longer any effort made to clearly separate primary systems (e.g. a hospital's or doctor's surgery's patient information system) from secondary systems (e.g. community information service). This may possibly already be an indication that the electronic patient record will develop into a kind of primary system.