In the Netherlands there is a wide range of insurances, and they generally concern goods, capital or people. In case the insured object is a natural person, for some insurances, the payment depends on the health or death of that person. Examples are life and disability insurance. Part of the acceptance process of the insurer concerned is a health assessment. The professional responsible for the assessment at the insurer is called the medical advisor.
Most insurers in the Netherlands are affiliated with the Dutch Association of Insurers. For them, "The Code of Conduct for the Processing of Personal Data by Financial Institutions" applies. Herein the rules for the 95/46/EG (Dutch law: Wet bescherming persoonsgegevens) are recorded and transformed into frameworks for financial institutions. It states, for example, that there has to be a functional separation between giving medical advice and the acceptance of an insurance policy.
For the person to be insured, it is mandatory to inform the insurer prior to the realization of the policy about all facts he or she knows or should know that will affect the decision to accept and, if so, under what conditions.
The process is as follows:
An application for a life or disability insurance is submitted to an insurer. The medical advisor is asked to rate the risk and the health of the person to be insured. In case he or she indicates having a medical condition, the medical advisor will want to request additional information from the treating physician. Physicians are approached on a regular basis to provide medical information to third parties. Often it concerns information from the medical file of the patient which, for obvious reasons, contains a lot of information that can be relevant for other parties.
Because of professional secrecy, in principle, the physician will not provide medical information to third parties.
However, some exceptions apply to this main rule. It is, for example, possible for a patient to authorize a physician to provide the information by giving explicit consent. For this exception to be valid, the patient must have a clear idea about the intentions of the entity making the request, the content of the information, and the possible consequences of providing the information. Respecting professional secrecy, in general, physicians can be expected - based on the Guidelines on Medical Information of the Royal Dutch Medical Association, to which 59,000 physicians and medical students are bound - to cooperate with these kinds of requests within a reasonable amount of time. The reason to cooperate is, among others, to prevent medical research unnecessarily being carried out multiple times, which would be inconvenient and costly.
Patients have the right to see their medical file and receive a copy. When a patient requests a copy of her medical file, the physician is obliged to provide it. The law doesn’t mention a specific term but in any case it has to be provided "as soon as possible." In practice it will take about one to six weeks. The physician is allowed to charge a reasonable compensation, which tends to vary between 40 and 100 euros.
Let’s now consider this from the perspective of the GDPR, and, in particular, Article 15: the right of access by the data subject.
According to the GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed, and, when that is the case, to access that personal data. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
Depending on where the patient is being treated, the physician, or the Board of Directors, is responsible for processing the medical file. This will also be the controller in the sense of the GDPR. The patient, or in other words, the candidate-insured person, is the data subject.
For this reason, the data subject can invoke Article 15. He or she can request that the physician hand over a copy of the medical file. Fair enough, this is not a new right. Under the 95/46/EG (Dutch law: Wet bescherming persoonsgegevens), this is already an existing right.
However, new under the GDPR is that costs only apply when any further copies are requested. This means that any first request for a copy will be free of charge. Subsequently, when the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The request has to be met within a month. In case this is not possible, the physician has to communicate why it is not possible to provide the information within a month.
Besides the fact that the data subject can leverage the GDPR for determining the period in which the medical information should be provided, the cost aspect must be highlighted in particular.
The costs, for insurers, to obtain medical information are tremendous. Keep in mind that for about 50 percent of the insurance applications, additional medical information is required. A large part of these applications will not end up in a contract because of a rejection, restrictive terms, or a run time that is too long. Even so, the costs for obtaining the medical information will have to be paid to the physicians. The total amount of the costs will, as a premium component, be divided over the applications that actually lead to a contract. Because of this, the premiums for these contracts are significantly higher.
There is a realistic opportunity here for insurers and data subjects to make mutually beneficial agreements about the way medical information is exchanged, without the dependence and costs of the treating physician. From 25 May 2018, because of Article 15 of the GDPR, it may be possible to eliminate unnecessary costs in premiums of life and disability insurances.