
The FDPIC has published a leaflet that sheds light on the often unclear handling of patient forms in terms of data protection law – from the duty to provide information and secure data communication to proportionate data collection. We show what doctors, therapists and associations should now specifically check and implement.

With the recent publication of a leaflet on patient forms, the Federal Data Protection and Information Commissioner (FDPIC) is bringing a breath of fresh air to an issue that is latent in many practices: to what extent may data be collected, processed and passed on – and how must patients be informed in writing? The information sheet specifies key requirements of the Data Protection Act (DPA) in the healthcare sector and is aimed equally at patients, service providers and associations.

This article highlights the legal principles that must be observed, the difference between the duty to inform and consent, the technical requirements for secure data communication and what the principle of proportionality means in concrete terms – with a view to the practical implications for practices and therapists.

Legal framework and basic premises

The DPA enshrines principles such as transparency, purpose limitation and data minimisation, and extends the duty to provide information to all categories of personal data. The requirements are particularly high in the healthcare sector, where data is by its nature sensitive, often intimate and particularly worthy of protection. Any disclosure of patient data is subject to both data protection and confidentiality restrictions.

The new information sheet emphasises that some data may be processed without the need for separate consent – for example, data that is collected within the framework of the treatment contract or is required by law (e.g. keeping patient records). However, if the intention is to transfer data to third parties beyond this scope, consent may be required.

Duty to inform versus consent – a clear distinction

A key focus of the information sheet is the distinction between the duty to inform and consent. The duty to inform arises from the requirement for transparency: when data is collected, the patient must know who is collecting the data, for what purpose, to whom it will be disclosed (including any third parties or recipients abroad), how long the data will be stored and what rights they have (e.g. access, revocation). Important: the information must be provided actively; providing it only upon request is not sufficient.

However, the duty to provide information is not an act of consent. A signature from the patient acknowledging receipt of the information is not mandatory and must not be misconstrued as ‘consent’. Whether the duty to provide information has been fulfilled is not linked to a signature, but to whether the information has actually been communicated in a comprehensible and accessible manner.

Consent comes into play when data is to be disclosed beyond the scope of the treatment contract – in particular to third parties outside the treatment constellation – unless there is a legal basis for doing so. This consent must be voluntary, based on information and refer specifically to certain processing operations. Blanket or general clause-type consents covering a multitude of hypothetical scenarios (‘for everything’) are considered invalid. Consent can be revoked at any time and without restriction, as long as there is no other legal obligation to the contrary.

Secure electronic data exchange – a question of responsibility

A particularly sensitive point in the information sheet is the secure transmission of patient data. Although many practice forms contain a clause whereby patients consent to unsecured communication (e.g. by email in plain text), the FDPIC considers this to be permissible only under strict conditions. In the case of particularly sensitive data (health data is classified as such per se), secure transmission is generally required.

If unsecured communication is nevertheless chosen, the patient must be fully informed of the associated risks – and be given a genuine choice (e.g. via a checkbox). The responsibility lies with the service provider to take appropriate technical measures (e.g. encryption, secure portals).

The information sheet emphasises that even administrative exchanges such as appointment scheduling can allow conclusions to be drawn about health conditions and should therefore be treated with caution.

Proportionality: only as much as necessary

A guiding principle of data protection is proportionality – that is, data should only be collected and processed to the extent necessary for the respective purpose. The information sheet raises awareness that many questionnaires in medical practices go beyond the intended purpose by systematically collecting data such as maiden name, marital status, employer or occupation without any clear therapeutic or diagnostic relevance. This practice should be critically questioned.

However, this does not mean that such information is fundamentally prohibited: if there is therapeutic relevance in individual cases (e.g. back pain and occupational activity), data collection may be justified – but it must be justifiable and documented in each individual case. All data processing should be traceable and within the scope of what the patient can expect.

Practical implications for practices and therapists

In many cases, the publication of this information sheet will require a review of current practices. Existing form templates should be critically reviewed and adapted: superfluous mandatory fields should be removed, unclear wording should be clarified, and clauses on blanket disclosure or unsecured communication should be reconsidered. It is advisable to provide a separate information sheet in clear language and to document in the consultation report or file that the duty to provide information has been fulfilled.

Consent is only required if data transfer beyond this scope is planned. In this case, checkboxes, voluntary participation and revocation options should be clearly visible. For technology and communication, this means that simple email communication without protective measures is generally not sufficient – instead, encrypted channels or secure portals are necessary. Where unsecured communication is permitted in exceptional cases, clear risk disclosure is mandatory.

Staff selection, training and process design in practice are also affected: every employee with access to data – from practice assistants to IT service providers – must be made aware of data protection, and technical and organisational measures (‘privacy by design’) must be an integral part of the process.

FDPIC vs. FMH: Why the template is no longer sufficient

Particular attention should be paid to the template provided by the FMH (Foederatio Medicorum Helveticorum, Swiss Medical Association) for patient forms and consent forms. This template dates from 2024 and is used as a basis in many practices. However, a comparison with the current FDPIC information sheet reveals contradictions. Among other things, the FMH template systematically requires the patient’s occupation and employer to be stated – information which, in the FDPIC’s opinion, is generally inadmissible under data protection law unless it is specifically relevant to the treatment. The FMH also takes a different approach to electronic communication: patients are required to give their blanket consent to the unsecured transmission of administrative matters – a practice that, according to the FDPIC, is only permissible under strictly defined conditions. Furthermore, the FMH template confuses the obligation to provide information with consent, which the FDPIC considers problematic as it creates the impression that simply taking note of the information constitutes legally valid consent. Doctors should therefore critically examine whether the FMH template is used in their practice and whether it meets the requirements of the FDPIC’s information sheet. It is conceivable that the FMH will revise its template, but until then, caution is advised.

Last but not least, it is not enough to simply put the data protection information on paper: the information and promises made in the forms must also actually be lived and implemented in everyday practice. This is the only way to ensure that particularly sensitive patient data is handled in accordance with the DPA.

Conclusion and outlook

With its new information sheet on patient forms, the FDPIC is sending a clear message to practices and therapists: transparency, data minimisation, secure communication and careful consideration are not mere recommendations, but mandatory guidelines in the new data protection regime. Those who react early and adapt forms and processes will strengthen data protection in their practice and reduce the risk of complaints.
