Print this page

Highest Dutch judge demands opt-out regulation for medical privacy and professional confidentiality in mental healthcare

Monday, 12 March 2012
© Lisa S. / © Lisa S. /

The Netherlands is a democratic constitutional State. This implies that every government action is to be 1) democratically legitimized and 2) subject to the rule of law. Therefore the law decides what the government has to adhere by. Whereas the prohibition on vigilante justice applies to every citizen, it also applies to the government itself. In that sense the government fulfils an important exemplary role. But what if the government ignores a judicial verdict? In that case citizens in a constitutional State are fortunately able to go to court again to call the government to order. This is what happened last year in a lawsuit against the Dutch Healthcare Authority (Nederlandse Zorgautoriteit, NZa) about medical privacy and professional confidentiality within the Mental Health Sector (Geestelijke Gezondheidszorg, GGZ). Last week the Dutch Trade and Industry Appeals Tribunal (College van Beroep voor het bedrijfsleven, CBb) judged that the NZa had not adhered by an earlier verdict of the CBb and still has to do so. Here below Privacy First briefly clarifies the CBb’s verdict.  

In 2008, so-called Diagnosis Treatment Combinations (Diagnose Behandel Combinaties, DBCs) were introduced in the Netherlands. This means that every medical treatment has a special code. This code is printed on your invoice and on that of your health insurance company so it can verify your expense claim. Furthermore, a short description (‘layman’s description’) is indicated on the expense claim. Every DBC registration is also entered (pseudonymously) in a central government database: the DBC Information System (DIS). This database can be consulted among others by the Dutch Central Agency for Statistics (Centraal Bureau voor de Statistiek, CBS). Through linkage these DBC data can easily be tracked back to private individuals. All of this constitutes a violation of the medical privacy (of patients) and the professional confidentiality (of medical specialists) in medical healthcare, including curative mental healthcare. A few years ago a number of independent psychiatrists & psychotherapists (being represented among others by the KDVP Foundation and the DeVrijePsych) rightly alarmed the NZa about this. However, their objections against the DBC system were declared unfounded by the NZa, after which legal action with the CBb followed. In August 2010 the CBb decided in favour of the psychiatrists & psychotherapists: the NZa was summoned to henceforth exclude them from the DBC system. However, the NZa happened to be reluctant to live up to the verdict, after which new proceedings with the CBb followed to reconfirm the earlier verdict. In its verdict of 8 March 2012 the CBb judged that the NZa has not lived up to the earlier verdict:

‘‘Based on what was stated earlier, the question whether or not [the NZa], in its new decision on appeal, has in the right way implemented the earlier verdict of the CBb, has to be answered in the negative.’’ (para. 5.33)

The guiding consideration in the earlier verdict of the CBb reads as follows:‘‘Providing diagnosis data about individual patients to health insurance companies violates the medical privacy of these very patients. Appellants have extensively elucidated which objections - from the perspective of the patient, the treatment and that of the professional confidentiality - are linked to the passing on of this sort of information to third parties that are not involved with the treatment. In the view of the CBb these objections are substantial: it concerns diagnoses that affect the core area of private life of the individuals involved, which makes information about this very privacy-sensitive. In addition, when it comes to the treatment of mental disorders confidentiality and secrecy are of great importance, as appellants have maintained.’’ (para.

In the new verdict the CBb obliges the NZa to design an opt-out privacy regulation for the provision of diagnosis data for the treatment of mental disorders within the Mental Health Sector:

‘‘The outcome of the modification to the expense claim-system will in any case need to be that the obligation to indicate the diagnosis-classification code, as well as the obligation to indicate other data on the expense claim with which a diagnosis can be deduced, will be discontinued as such.’’ (para. 5.42)

In this context the CBb concludes on the one hand that the NZa (and the Dutch Ministry of Health) has the competence to realize this, and on the other hand that an exemption regulation (opt-out) is very well achievable. As the brand-new winner of a Dutch 'Big Brother Award', this is an excellent opportunity for Minister of Health Edith Schippers to restore her reputation with regard to privacy by closely monitoring the NZa’s implementation of the verdict. Privacy First is keen on keeping an eye on this.

Update 10 June 2012: Meanwhile the NZa has lived up to the verdict of the CBb by adjusting its rules. As of 7 June 2012, new NZa-policy rules within the Mental Health Sector apply according to the ‘letter and the spirit’ of the CBb:

1. In order to protect their privacy, patients who undergo psychiatric or psychotherapy treatment can reject indicating the diagnosis on the expense claim. In case patients want to make use of their health insurance, they must compose a ‘privacy statement’ together with the practitioner and send it to their insurance company. In that case it’s no longer compulsory to indicate the diagnosis. However, the medical advisor of the health insurance company may make inquiries respecting patient confidentiality.

2. For patients who pay for themselves, indicating the diagnosis is no longer compulsory. There is no need for a privacy statement.

3. In these two cases sending DBC registrations to the DBC Information System (DIS) is no longer compulsory either.

You can find more about this HERE on the weblog of the DeVrijePsych (in Dutch). Click HERE to read the entire decision (in Dutch) by the NZa dated 7 June 2012.

Update 7 July 2012: Privacy First appears to have been celebrating too soon: The KDVP Foundation appeals to the new policy rules of the NZa. ‘‘The opt-out regulation designed by the NZa is incomplete, ineffective and in practice it is hence useless with regard to insured healthcare within the Mental Health Sector’’, KDVP states on its website. Among other things, the NZa appears to have ‘‘failed to provide the necessary information about the introduction of a privacy opt-out regulation for the Mental Health Sector’’ and has insufficiently defined the regulation in order to prevent that diagnosis data can (still) be exchanged. With the current opt-out regulation it can in fact not be prevented ‘‘that diagnosis data can still be deduced from codifications and declared amounts of money.’’ You can read the entire point of view of the KDVP Foundation HERE (in Dutch). It would be to the credit of the NZa if it were to mend the flaws in the opt-out regulation that were ascertained by the KDVP Foundation as soon as possible.