PONT Data&Privacy

Verdict Zusterindebuurt v. Menzis

In this ruling, the court discusses the difference between the provision of health data of insured persons to a health insurer by a contracted health care provider and a non-contracted health care provider. It also discusses the provision of personal data of indication providers and health care providers.

October 5, 2021

Legal Articles

Intro

On May 12, 2021, the Gelderland District Court issued a ruling in the case of Zusterindebuurt c.s. (ZIDB c.s.) against Menzis Zorgverzekeraar N.V. (Menzis) regarding the (un)lawfulness of the retrieval of (medical) personal data for a detailed check by Menzis. The judgment sets out the legal framework for requesting and providing (special) personal data for a detailed check. In doing so, the court distinguishes between the provision of the personal data of insured persons and the personal data of indication providers and care providers. The verdict is that Menzis' request to ZIDB et al. to provide health data of insured persons is unlawful. The request to ZIDB et al. to provide personal data of the indication providers and care providers is not unlawful.

Background

In 2017, the Talma Institute conducted research on non-contracted care in mental health care and district nursing. The study showed strong volume growth in non-contracted care and, specifically for district nursing, that the cost per client of non-contracted care is higher than for contracted care. A study by Arteria Consulting (January 2018) also found that since the introduction of district nursing care into the Health Insurance Act (Zvw), the costs of non-contracted district nursing care have increased dramatically.

As part of the implementation of the Health Insurance Act, health insurers are authorized to conduct formal and material audits in accordance with the applicable laws and regulations. A formal audit checks whether the costs of care are eligible for reimbursement. This involves, for example, checking whether the patient was insured with the insurer, whether the care is insured care within the meaning of the Zvw and whether the correct rate has been declared. A material audit checks whether the care that has been declared has in fact been provided (legitimacy) and whether the care provided is appropriate to the patient's state of health (efficiency). When performing the checks, which also involve requesting and processing personal data, healthcare insurers and healthcare providers must comply with the General Data Protection Regulation (GDPR, abbreviated in Dutch as AVG), the Zvw, the Healthcare Insurance Regulations (Rzv) and the Code of Conduct for Healthcare Insurers (the Code of Conduct), including the associated Protocol for Material Checks (the Protocol).

The present ruling concerns an audit conducted by Menzis at the non-contracted care provider ZIDB c.s., which offers district nursing care. As part of the investigation, Menzis asked ZIDB c.s. to provide two different types of personal data, namely: health data of insured persons and the personal data of the indication providers and caregivers.

Claim and position of ZIDB et al.

Among other things, ZIDB c.s. claimed a declaratory judgment that Menzis had acted and was acting unlawfully by attempting to induce ZIDB c.s. to provide (medical) personal data. ZIDB c.s. contends that Menzis' investigation is unlawful because Menzis did not comply with the rules that follow from the Rzv and the further elaboration of those rules in the Code of Conduct and the Protocol as drawn up by the Health Insurers' Association.

According to ZIDB c.s., the monitoring data requested by Menzis concern personal data of insured persons and health care providers and the investigation is a detailed check, so that, without the consent of the insured persons, there is no legal basis for providing personal data of insured persons directly to Menzis. As a result, ZIDB c.s. argues, it is not allowed to cooperate in the investigation, nor to provide the data that it would otherwise be allowed by law to provide directly to Menzis.

Court assessment

To assess the claims of ZIDB et al. and its contention that Menzis acted unlawfully towards it, it is first of all important to determine whether (and if so, to what extent) Menzis was entitled to request the requested personal data and whether (and if so, to what extent) ZIDB et al. had to provide those personal data. For this assessment, the court distinguishes between (i) personal data on the health of the insured and (ii) personal data of the indication providers and caregivers.

Personal data on the health of the insured

In principle, the processing of health data of insured persons is subject to the processing prohibition in Article 9 of the AVG. It is only permitted to process personal data concerning health if an exception applies.

Pursuant to article 30, third paragraph of the General Data Protection Implementation Act (UAVG), a health insurer may process health data if this is necessary for the implementation of the insurance. Menzis may, pursuant to Article 30, third paragraph UAVG, process health data necessary to verify the services charged.

For ZIDB c.s., the medical secrecy laid down in article 7:457 of the Civil Code (BW) is relevant in assessing whether it may also provide the requested health data to Menzis. Article 7:457 BW stipulates that the care provider may not provide health data to third parties unless the patient gives permission or laws or regulations require the care provider to do so. This means that ZIDB c.s. (unless consent is obtained) must have a legal obligation before it may provide health data to Menzis.

Such a legal obligation is contained in article 87 Zvw. However, article 87 Zvw distinguishes between 'contracted' and 'non-contracted' healthcare providers. Article 87 paragraph 1 of the Zvw stipulates that the contracted healthcare provider must provide personal data of the insured (including health data) directly to the healthcare insurer. In the case of a non-contracted care provider, the situation is different. In fact, Article 87 paragraph 2 of the Zvw stipulates that the non-contracted care provider must provide the personal data to the insured upon request, so that the insured can provide the data to his healthcare insurer. Only with the explicit consent of the insured can the personal data of the insured be provided directly by the healthcare provider to the healthcare insurer. The court is of the opinion that if the health care insurer (in this case Menzis), in order to perform its monitoring task, deems it necessary to request personal data from a non-contracted health care provider, it is up to the health care insurer itself to ask its insured for permission to obtain the personal data directly from the health care provider.

Thus, Menzis was not entitled to request the health data of its insureds directly from ZIDB et al. and was not entitled to expect ZIDB et al. to seek permission from the relevant insureds to provide their personal data to Menzis.

Name, BIG number and diploma of indication providers and care providers

A different regime applies to the processing of the personal data of indication providers and care providers. This does not involve the processing of health data or other special personal data, so only a basis under Article 6 AVG is required. The court considered that the processing of the personal data of the indication providers and the care providers (including the BIG number and copies of the diplomas) was necessary for the exercise of Menzis' supervisory task as health insurer. In doing so, the privacy of the indication providers and care providers must be protected. This means that the processing must be necessary for the purpose served by the check, that the purpose cannot be achieved in any other way (subsidiarity) and that the purpose cannot be achieved in a way that places less of a burden on the privacy of the care provider (proportionality).

The court ruled that the health care provider (ZIDB et al.), and not the insured person, is the appropriate party to provide the personal data of the indication providers and care providers for the control examination, because the health care provider has these data at its disposal and knows exactly which (sub)care provider it has used. Pursuant to article 7.4 Rzv, this obligatory cooperation of the healthcare provider is subject to the condition that the healthcare insurer conducts the examination as stipulated in the Rzv, the requirements of which are further specified by the healthcare insurers in the Protocol. In short: if the health insurer acts in accordance with the AVG, the Rzv and the Protocol when conducting a control examination, the health care provider will be obliged to provide the personal data of indication providers and care providers for the purpose of that examination.

Conclusion

This ruling again underlines the importance for both health insurers and care providers to assess per situation whether or not they may (or should) process personal data in the context of a material or formal audit. Of course, the distinction between ordinary and special personal data is of great importance in this regard, but the relationship (contracted or non-contracted) between healthcare providers and healthcare insurers also plays an important role.


Authorization requests

Health insurers must also determine for each audit whether the requirements of subsidiarity and proportionality are met. What matters here is what the purpose of the check is and whether that purpose can also be achieved in other ways or with less personal data. This was also recently reaffirmed by the Dutch Data Protection Authority (AP) in the context of authorization requests. An authorization request does not involve a check after the fact; rather, an insured person requests prior approval from the health insurer for reimbursement of certain care. Last year, the AP ruled that insurer CZ's method for authorization requests violated the AVG and imposed an order subject to a penalty on CZ. The AP found that in some cases CZ processed more health data than necessary to process the authorization request. CZ has since changed its methods in consultation with the AP.
