On April 20, 2018, the patient underwent surgery at ASZ. The patient subsequently held the hospital liable for culpable medical conduct.
ASZ then asked the patient to complete and sign a medical authorization form. This authorization entails two things:
ASZ is authorized to provide the medical data to the medical advisor of its liability insurer (MediRisk).
The medical advisor is authorized to provide medical information to employees working for MediRisk. This includes, for example, advisors, claims adjusters, and occupational experts.
The patient's lawyer then sent a selection of medical documents to ASZ. The lawyer emphasized that permission had only been given to make the medical information available to the medical advisor, and to no one else.
The starting point under the General Data Protection Regulation (GDPR) is that the processing of special categories of personal data, including medical data, is prohibited in principle. The prohibition can only be waived if a legal exception applies.
In this case, ASZ chose to have the claim assessed by its professional liability insurer. However, according to the court, this does not mean that the prohibition on processing medical data no longer applies. The fact that this could make it difficult for the insurer to assess the claim in practice is not sufficient grounds to infringe on a fundamental right.
ASZ therefore invokes the exception in the GDPR, which states that the prohibition does not apply when processing is necessary for the establishment, exercise, or defense of legal claims. ASZ argues that this exception also applies to the extrajudicial phase in which the parties find themselves and to the defense against a liability claim.
The court disagrees with this. According to the judge, the exception referred to by ASZ only applies to legal proceedings. It does not apply to situations in which the parties are engaged in negotiations.
This procedure only concerns the question of whether ASZ may disclose the patient's medical data and not whether ASZ can actually be held liable. The latter question is a matter that the parties are still discussing outside the proceedings. ASZ cannot therefore invoke the exception to the prohibition at this stage of the dispute.
The court's ruling would mean that ASZ would have to escalate the negotiations with the patient to legal proceedings. Only then would the exception to the prohibition on processing medical data apply. However, the GDPR seems to have made it possible to invoke this exception even outside of legal proceedings. This follows from the recital to the relevant article in the GDPR:
“A derogation must also provide for the possibility of processing such personal data if necessary for the establishment, exercise, or defense of legal claims, in court proceedings or in administrative or out-of-court proceedings.”
However, the provision of information must be necessary. According to the court, this was not the case in this matter. ASZ itself has access to the medical data on the basis of which it can defend itself.
During the hearing, the patient (or her lawyer) indicated that the medical advisor's opinion could be shared with a lawyer. It is not necessary for this lawyer to have access to the medical file. The patient was also willing to grant authorizations (in stages) if ASZ asked her to do so. However, the patient wishes to retain control over who has access to her medical data.
This leads to the conclusion that there is no need for ASZ to provide medical data for the assessment of the liability claim.