Sharing of personal data between a healthcare centre and a mutual insurance company affiliated with the Social Security

Author: DPO Office / 9 March 2022

This report is based on the legal ruling published by the APDCAT (Ref. CNS-15/2017), Ruling on the consultation made by a healthcare centre regarding the transfer of patient data to Mutual Insurance Companies affiliated with the Social Security, hereinafter the Ruling [1].


The consultation to which the Ruling refers is the following:


The Hospital receives patients from mutual health insurance companies that work in conjunction with the Social Security, and one of these has requested information relating to the diagnosis of a patient treated at the Hospital, by virtue of the provisions of article 82 of the Revised text of the General Law on Social Security, approved by Royal Legislative Decree 8/2015, dated 30 October. According to the consultation, the mutual insurance company argues that, given its functions, it requires access to certain patient care reports, and that this access is legitimised by the Revised text of the General Law on Social Security (LGSS).
As a result, the Hospital enquired “whether we can send the data relating to the diagnosis of the patients to the collaborating mutual insurance companies, whether there is any limitation to the sending of this data, and also the legal basis for the transfer of this information”.

From the standpoint of data protection, the main distinction to be taken into account is the role of the parties. According to data protection regulations, and in accordance with the Ruling, we may encounter two situations when it comes to the sharing of data between a healthcare centre, henceforth the Healthcare Centre, and a Mutual Insurance Company collaborating with the Social Security, henceforth the Mutual Insurance Company:


(i) Provision of services/agreement

The first case is when both parties, the Mutual Insurance Company and the Healthcare Centre, enter into an agreement in which the Mutual Insurance Company undertakes to provide healthcare services to the Healthcare Centre. In this case, we find that the Mutual Insurance Company has outsourced the provision of health care to a third party, the Healthcare Centre, and therefore, from the standpoint of data protection, it would be advisable for both parties to sign a data processing agreement, in accordance with art. 28 GDPR, linked to the corresponding agreement.

(ii) Special case – No agreement regulating the service

The second case is when there is no existing agreement between the parties regulating the service provided, but the Mutual Insurance Company has referred an employee to be treated at the Healthcare Centre. In this case, the sharing of the Mutual Insurance Company’s personal data (for example, of employees and/or patients) would be considered a communication of data. For the communication to be legitimate, the corresponding legal authorisation allowing it to be carried out must be in place.

Bearing in mind these two general situations, the two specific cases that the Ruling addresses in relation to the consultation referred to at the beginning are set out below:

(i) Communication of data as part of the processing of the occupational contingencies by the collaborating Mutual Insurance Companies:

In this case, it is necessary to comply with article 80.2 of the LGSS, which provides that the collaborating Mutual Insurance Companies are in charge of assessing the right to certain economic compensations and health care. Likewise, article 82.2 of the LGSS stipulates that healthcare services resulting from occupational contingencies can be provided through the Mutual Insurance Companies’ own means as well as through agreements with the public healthcare administrations, among others.


Moreover, the Report also quotes Article 5 a) of Law 15/1990, dated 9 July, regarding healthcare regulation in Catalonia, which establishes that the Catalan Health Service (hereinafter, CatSalut) is made up of all the centres, services and establishments which provide health protection and healthcare and social assistance on behalf of the Generalitat, including those transferred from the Social Security and the institutional administration of the national healthcare system, which are integrated into it for all purposes.


Therefore, taking this into account, if the corresponding Healthcare Centre is one of the establishments under the Catalan healthcare system, the Mutual Insurance Company can, by means of an agreement, arrange for the healthcare assistance deriving from occupational contingencies to be provided at certain healthcare centres.

If this were the case, and the data processing derives from an agreement established under the terms of article 82.2 of the LGSS, from the standpoint of data protection regulations it would have to be regulated by means of an agreement for the processing of personal data, in which the Mutual Insurance Company would act as the data controller and the Healthcare Centre as the data processor.


In the event that it was deemed unnecessary to establish an agreement between the Mutual Insurance Company and the Healthcare Centre and the corresponding data processing agreement was not drawn up, the sharing of data relating to the diagnosis of the patient/worker in question referred by the Mutual Insurance Company to the Healthcare Centre would be treated as a communication of personal data.

If this were the case, the legal basis enabling this communication of the worker’s data, so that the Mutual Insurance Company can determine, with justification, the occupational nature of the worker’s contingency and provide healthcare through the Healthcare Centre, would be article 6 c) of the GDPR together with the exception in article 9.2 b) of the GDPR, in relation to the aforementioned article 82.2 of the LGSS.

(ii) Communication of data as part of the processing of cases involving temporary incapacity derived from common contingencies:

Section b) of article 82.4 of the LGSS establishes that Mutual Insurance Companies, for the purposes of processing the economic compensation derived from a worker’s temporary incapacity due to common contingencies, must have access to the medical statements and reports issued in the process, together with other information regulated by the article.


In this sense, as in the previous case, the regulations stipulate that diagnostic tests can be carried out in associated centres. Thus, if the Mutual Insurance Company establishes this system for carrying out diagnostic tests related to the temporary incapacity of workers due to common contingencies, it would be necessary to sign a processing agreement: the Mutual Insurance Company would be the controller of the worker’s data while the Healthcare Centre would be the data processor.


In the event that this system has not been established, a communication of the data would have to be made. In accordance with the provisions of the Ruling, there is sufficient legal authorisation (article 6 c) together with article 9.2 b) and the regulation of article 82.4 b) and d) of the LGSS) for the Hospital that provides healthcare assistance to a patient referred by the Mutual Insurance Company collaborating with the Social Security, in relation to a temporary incapacity due to common contingencies, to notify the latter of the diagnosis of a worker who is temporarily incapacitated, so that the Mutual Insurance Company can comply with the monitoring and control functions that the law assigns to it.

____

[1] Although the Ruling was issued under data protection legislation prior to that currently in force, its factual assumptions and reasoning can be taken into consideration when applying the data protection legislation that is currently in force, as long as there are no new pronouncements in this regard.
