Skip to content

Patients have rights. What sounds so obvious is legally complex. We will give you an initial overview of the basic rights of patients. We then delve deeper into the areas of data protection and professional secrecy for everyday practice.

Dr Peter Burkhalter, lawyer, Central Secretary SVA from 2021

Overview of the various rights

What basic rights do patients have?

Based on the Swiss Federal Constitution (BV), there is a right to medical treatment and care, which must be fulfilled primarily by the cantons and additionally by the federal government (above all through the corresponding organisation of health and accident insurance). Institutions with a public service contract are always obliged to provide treatment. On the other hand, a healthcare professional also has the right to refuse a patient, provided there is no emergency situation.

Central principles of patients’ rights are derived from the constitutional right to personal freedom (Art. 10 para. 2 BV). In the medical field, it is the essential basis of the right to self-determination, from which healthcare providers derive the duty to respect and preserve the dignity and personality as well as the will of the patient. On the one hand, this is reflected in the fact that dependency relationships resulting from medical treatment may not be exploited and abuses and violations of physical and sexual self-determination are prohibited.

On the other hand, the right to self-determination also gives rise to the very central duties of the healthcare professionals providing treatment to inform and inform their patients. Comprehensive information must always be provided prior to medical treatment, on which the patient’s consent must then be based (so-called “informed consent”). Treatment that takes place without informed consent constitutes a violation of the patient’s personal freedom and, in the case of an intervention, is also relevant under criminal law (e.g. as bodily harm).

Medical treatments also require the processing and documentation of particularly intimate and sensitive health data. Accordingly, the protection of data protection rights and the duty of confidentiality under criminal law are of particular practical importance.

Patient documentation (“medical history”)

What is meant by patient documentation?

Doctors are obliged to keep patient documentation (medical history), which records the relevant examinations, treatments and related considerations. This documentation must be thorough, informative and complete and include all additional documents (e.g. X-rays, operation reports, information from third parties).

What needs to be considered when managing dossiers electronically?

Electronic dossier management is permitted and is increasingly becoming the standard. It is important here that it is always possible to trace who has made which entries. The FMH therefore recommends login functions and not accounts that are used by several employees. Changes should also be traceable, which is why different versions should be saved at different times (provisional and definitive reports) and the overwriting of previous versions should be avoided.

What applies with regard to the storage of documentation?

Both paper and digital documentation must be kept for at least 10 years after the last entry. However, especially for the clarification of insurance cases (e.g. occupational diseases), it is helpful if this period is extended by the medical practice on a voluntary basis. Storage must be organised in such a way that the data is secure: Ideally, the documentation should be stored in a lockable, fireproof cabinet that is protected from moisture. In the case of electronic dossiers, backup copies must be made regularly, stored in a safe place and protected from unauthorised access. In the case of portable media (notebooks, tablet PCs), care must be taken to ensure that the data is protected by encryption even in the event of theft/loss. When storing data in clouds, it is also important to ensure that the data is encrypted locally before it is stored in the cloud.

Data protection

What needs to be considered when processing health data?

According to the Swiss Data Protection Act (DSG), data and records relating to health – including, in particular, patient documentation – are considered to be particularly sensitive data. This data must be treated confidentially and may only be processed with the express consent of the person concerned or with the (implied) consent that can be inferred from the circumstances, e.g. recorded in writing in patient documentation. This consent can be assumed upon commencement of medical treatment.

In the event of false information and incorrect data, the patient concerned can demand that this data be corrected or destroyed. If the principles of the Data Protection Act are violated in the processing of health data, data subjects can bring a civil action. In this respect, secure data management also serves to minimise a practice’s risks – and you as a medical assistant can play an active role in this.

What applies with regard to the right to inspect medical records?

The persons concerned as well as persons authorised to represent them (e.g. in the case of young children) have a right to information and access to the patient documentation. Access may only be denied if the healthcare professional has overriding interests of their own or overriding third-party interests, e.g. if the dossier also contains information about third parties that is protected by professional secrecy. The manner in which the file can be inspected (on site or by delivery) depends primarily on the agreement of the parties concerned. A contribution to the costs may be demanded if excessive costs are incurred.

Professional secrecy or duty of confidentiality

Where is the duty of confidentiality stipulated?

The basis for the duty of confidentiality is Art. 321 of the Swiss Criminal Code (SCC), which prohibits doctors and their assistants – including medical assistants in particular – from disclosing a secret that has been entrusted to them by virtue of their profession or which they have learnt in the course of their work. The violation of professional secrecy is also punishable after the end of professional practice. Offences are punishable by imprisonment for up to three years or a fine. In order for the criminal justice system to initiate proceedings, however, a criminal complaint must be filed by the injured party.

In which cases does the duty of confidentiality apply?

As professional secrecy also applies to medical assistants, they are not permitted to pass on information about the state of health and current and past treatments of patients. It is therefore forbidden to pass on information to uninvolved third parties, family members (including life partners) and friends. Anonymised stories from everyday professional life should be permitted – as long as they do not allow any conclusions to be drawn about the persons concerned.

The duty of confidentiality also applies to doctors (also when a second opinion is obtained) and to health insurance companies. The latter may only be provided with information to the extent that it is relevant for the assessment of their benefit obligations. Within a medical team, it can be assumed that the team members are each released from their duty of confidentiality. The MPA’s duty of confidentiality is also integrated as standard in the MPA’s standard contract.

When is the disclosure of information permitted?

Patients can release healthcare providers from their duty of confidentiality with their consent, which means that data and information may also be disclosed to relatives, parents of a child capable of judgement, but also to employers and authorities (Art. 321 para. 2 StGB). Without this consent, the data may not be disclosed, not even to superiors of an employee who is ill. In certain cases, release from professional secrecy can be requested from the supervisory authority (Art. 321 para. 2 StGB).

Who can consent to the disclosure of information?

Legally valid consent can be given by all persons who are deemed capable of judgement in accordance with Art. 16 of the Swiss Civil Code (ZGB). Accordingly, all persons who are able to grasp the scope and significance of an action or decision and who are able to act according to their free will on the basis of this intellectual assessment are deemed to have capacity. In unclear cases, the capacity of judgement must be determined by medical professionals.

What is the situation with children and adolescents?

In contrast to the capacity to act (Art. 17 ZGB), the capacity to make judgements is not linked to a specific age. Adolescents are considered to have capacity from the age of 15. From this age, they can therefore also independently determine who has access to their medical data on the basis of their right to self-determination. They can therefore also prohibit the provision of information to their parents (e.g. about the prescription of the contraceptive pill). In contrast, children under the age of 10 are not considered to have capacity of judgement, which means that their legal representatives (parents) are entitled to make medically relevant decisions. For children and adolescents between the ages of 10 and 15, however, judgement must be exercised based on the circumstances (maturity, scope of the decision, etc.).

What is the situation for adults who lack capacity?

The capacity of judgement may also be impaired due to mental illness or age (dementia, Alzheimer’s). In this case too, authorised persons must be consulted when making decisions on representation, and information may also be passed on to them. As a rule, these are also authorised representatives appointed by the child and adult protection authority (KESB). We will be happy to discuss this topic in more detail in a future issue of PraxisArena.

Safeguarding and implementing data protection and professional secrecy are of great importance in a doctor’s practice. Providing patients with comprehensive and transparent information and education is key to ensuring that they feel that they are being taken seriously and are in good hands, but also that they can give informed consent on this basis. Ultimately, this also has a releasing effect. Nevertheless, care must be taken to ensure comprehensive protection of this sensitive data – which will become increasingly important as digitalisation increases.