Mutuals in the sights of the CNIL for the collection of health data


The CNIL is looking into the affairs of mutuals after receiving hundreds of complaints. The authority responsible for the protection of personal data is calling for the legal framework governing the use of health data by complementary health insurance organizations (OCAM) without consent, outside the medical circle authorized to access it, to be clarified and made secure.

Health data is doubly protected: by the GDPR on the one hand, and by medical secrecy on the other. The CNIL points out that any collection and use of this very personal data is “in principle prohibited”. However, mutuals need access to certain data in order to reimburse their policyholders.

In its legal analysis published on November 14, the CNIL sounds the alarm about the lack of clarity in the regulatory texts governing these transfers of data between health personnel and insurers, and pushes for “a framework and appropriate guarantees, given the sensitivity of these data”.

What about data transfers without consent?

Since “the information transmitted to the OCAMs is covered by medical secrecy”, the CNIL notes that when health professionals transmit this information directly to the OCAMs, the transmission requires a derogation from medical secrecy. However, this derogation is “either very implicit, or non-existent”, observes the Commission.

Until now, exchanges are authorized only for so-called “responsible” contracts, which give rise to certain tax advantages as part of the 100% health reform, and which represent 95% of contracts, the CNIL notes. Indeed, so-called “responsible” contracts include a third-party payment mechanism which “exempts the patient from the advance of costs and necessarily leads the practitioner to request and justify payment himself to the competent OCAM, the data generally transiting through compulsory health insurance organizations (AMO)”, says the CNIL.

Conversely, for the other so-called “non-responsible” contracts – i.e. the remaining 5% – “the patient must either transmit the information himself to his OCAM, or authorize his healthcare professional to do so on a case-by-case basis”.

Therefore, “non-responsible” contracts are more complex to interpret in the absence of consent. This consent, according to the CNIL, can be given on the basis of a law, which has so far been missing. “In this case, the Commission has not identified any general provision creating such a derogation from medical secrecy in the profile of OCAMs.”

Strengthen protection mechanisms by law

In the meantime, the Commission recognizes that the patient must “effectively be offered the two alternative routes, namely the sending by him or the sending through his healthcare professional” of the documents to his OCAM. And if “the patient decides to mandate his professional, the Commission considers that this mandate should be given act by act and cannot have a general scope leading to release the professional from his obligation”.

In response to the CNIL’s analysis, the Fédération nationale de la Mutualité Française indicates that “the complementary health insurance organizations are ready to strengthen the legal framework in which these health data are organized today in a constructive spirit and always to improve the service provided to policyholders”.

Far from being inactive on this point, the federation explains that “complementaries, well aware of their responsibility and in accordance with the law, have implemented processes to guarantee the confidentiality, security and traceability of this data which, even though they formally belong to the category of health data, do not make it possible to know the medical situation of the insured. The system for transmitting this data respects the GDPR and medical secrecy”.

What is more, “a collection of the consent of the insured is carried out before each sending of his data to the complementary organization which supports his health expenses”, notes the federation.




