An ongoing GDPR case in Finland will set a precedent on insurance companies’ ability to access patient data to investigate claims.
Finland’s GDPR watchdog – the Data Protection Ombudsman – fined the Finnish Motor Insurers’ Centre for requesting full (unredacted) patient records from healthcare providers in order to investigate and settle insurance claims.
The Data Protection Ombudsman maintains that – under the principle of data minimization – an insurance company investigating an insurance claim cannot request extensive (unredacted) patient records, but must instead formulate (on a case-by-case basis) a limited and clearly specified request to the healthcare provider, making sure to avoid accessing surplus information.
The Ombudsman dismissed the insurer’s argument that full patient records are necessary because a healthcare provider might omit essential information which would otherwise become apparent to an insurer if granted access to the full records (e.g. doctors’ appointments unrelated to the insurance event but falsely included in an insurance claim).
In addition, the Ombudsman recommends that disclosures be made in the form of a written statement by a healthcare provider, instead of a copy/excerpt of the actual patient records.
The decision is not final, as the Finnish Motor Insurers’ Centre has appealed it to the administrative court.
However, this case holds considerable importance for the whole insurance industry, as it could provide a foothold for GDPR regulatory authorities in other European countries. Authorities in other jurisdictions could follow suit and restrict insurance companies’ access (scope and form) to patient (or other) data, thus impeding and driving up the cost of key operations for all insurers in investigating and settling insurance claims.