Are drug test results protected by HIPAA

Data protection and research in general

The Federal Act on Data Protection (DSG) contains two provisions on data processing for research purposes: one applies to private individuals (Art. 13 Para. 2 lit. e DSG) and the other to federal bodies (Art. 22 DSG). Both private individuals and federal bodies are subject to less strict rules under the following conditions:

  1. The personal data are used for non-personal purposes. This means that the identity of the person whose data are being processed plays no role in the processing, and anonymized or at least pseudonymized data are sufficient for the intended purpose.
  2. The research results are published in a form that does not allow any conclusions to be drawn about the persons concerned.

For federal bodies, Article 22 DSG provides for further requirements and simplifications. In application of the principle of legality (Art. 17 DSG), they must rely on a legal basis in order to process personal data for research purposes (for example the Research and Innovation Promotion Act).

When processing anonymized data, there is no need to rely on Article 13 paragraph 2 letter e or Article 22 DSG. Since anonymized data are not personal data, their processing is not subject to the DSG. Personal data are considered anonymized when the person can no longer be identified. "Anonymize" means any process by which the assignment of data to a specific person is prevented or is only possible with extraordinary effort. With pseudonymization, on the other hand, all identifying data are replaced by a neutral data record (a pseudonym). Pseudonymization can be reversed as long as a correspondence table exists and is accessible, since that table allows the two parts of the data to be merged again. Anonymization, however, is final. Only completely anonymized data are no longer considered personal data.

Article 13 paragraph 2 letter e and Article 22 DSG therefore apply to the use of non-anonymized data for non-personal purposes. This excludes research on identifiable persons, which primarily concerns historians and genealogists.

The following explanations are intended to provide researchers and federal bodies who have to forward data as part of a research project with the information they need to act in compliance with data protection regulations and to protect the interests of the persons concerned.

A note: data collected for medical research projects may only be processed if the persons concerned have given their prior consent, or if permission to disclose professional secrecy has been granted in accordance with Article 321bis of the Swiss Criminal Code and the Human Research Act (HRA, SR 810.30). The HRA came into force on January 1, 2014. Its 4th chapter, «Further use of biological material and health-related personal data for research», is of particular interest here.


Requirements for researchers

Researchers are responsible for data protection when processing personal data. Even though each individual case has to be considered in its research context and in the light of its particularities, you should adhere to the following principles in your research programs:

Anonymization

Prefer anonymized data in your project. This means ensuring that data cannot be assigned to a specific person, or only with extraordinary effort.

If, due to the nature or purpose of the research, it is not possible to work with anonymized data, for example because it is important to be able to contact the data subjects regularly, you must encode or encrypt the data (pseudonymized data). You can use a code or reference number instead of the name and other identifying data, so that it is no longer possible to relate particular data to a specific person without the reference number. This approach is already widespread today. The correspondence table with the identifying data and the code may only be accessible to a restricted group of people who are authorized to use it, and it must be kept safe and encrypted. Depending on the scope and sensitivity of the project, the correspondence table can also be kept by an external, trustworthy third party who is not involved in the research project.

The data must be anonymized as quickly as possible.

The research results are to be published in anonymized form.
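The distinction drawn above between pseudonymization (reversible while the correspondence table exists) and anonymization (final) is easiest to see in code. The following is an added example, not code from the original guidance: it takes a constructed set of three fictitious participant records, replaces the direct identifiers with a random reference code, stores the code-to-person link in a separate correspondence table, and then shows that re-identification is possible only through that table and becomes impossible once the codes are dropped and the remaining quasi-identifiers (birth date, postcode) are coarsened. Encryption of the correspondence table at rest and the access control around it are assumed to be handled outside this snippet.

```python
import secrets

# Constructed sample data: three fictitious study participants, not real people.
RAW_RECORDS = [
    {"name": "Anna Muster", "birth_date": "1984-03-12", "zip": "8001", "bp_systolic": 128},
    {"name": "Beat Beispiel", "birth_date": "1979-11-02", "zip": "3005", "bp_systolic": 141},
    {"name": "Clara Example", "birth_date": "1984-07-30", "zip": "8001", "bp_systolic": 119},
]

# Fields that identify a person directly; they never enter the research dataset.
DIRECT_IDENTIFIERS = ("name", "birth_date")


def pseudonymize(records):
    """Replace direct identifiers with a random reference code.

    Returns (research_dataset, correspondence_table). The table is the only
    link between a code and a person. Under the guidance above it must be
    stored encrypted, apart from the dataset, and be readable only by the
    small group authorized to re-contact participants (assumed, not shown).
    """
    dataset, table = [], {}
    for rec in records:
        code = secrets.token_hex(8)  # unguessable reference number
        table[code] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        pseudo = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudo["code"] = code
        # Keep only the part of the birth date the study actually needs.
        pseudo["birth_year"] = rec["birth_date"][:4]
        dataset.append(pseudo)
    return dataset, table


def reidentify(code, table):
    """Reverse the pseudonymization. Works only while the table exists."""
    if table is None:
        raise LookupError("correspondence table destroyed: data are anonymized")
    return table[code]


def anonymize(dataset):
    """Make the pseudonymized dataset final.

    Drops the reference codes (so the correspondence table can no longer be
    applied) and coarsens quasi-identifiers so that single records cannot be
    picked out by combining postcode and birth year with outside knowledge.
    """
    anon = []
    for rec in dataset:
        rec = dict(rec)
        rec.pop("code")
        rec["zip"] = rec["zip"][:2] + "xx"  # region only
        year = int(rec.pop("birth_year"))
        rec["birth_decade"] = f"{year - year % 10}s"
        anon.append(rec)
    return anon


def is_linkable(records):
    """True if any record still carries a direct identifier or a code."""
    keys = DIRECT_IDENTIFIERS + ("code",)
    return any(k in rec for rec in records for k in keys)


if __name__ == "__main__":
    data, table = pseudonymize(RAW_RECORDS)
    print("pseudonymized:", data[0])
    print("re-identified via table:", reidentify(data[0]["code"], table))
    final = anonymize(data)
    table = None  # the project ends: destroy the table, anonymization is final
    print("anonymized:", final[0], "linkable:", is_linkable(final))
```

The research dataset and the correspondence table are returned as two separate objects on purpose: in a real project they live in different places with different access lists, and destroying the table (setting it to `None` here) is the step that turns the pseudonymized data into anonymized data, provided the quasi-identifiers have also been coarsened.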

Justification and prior information

The use of non-anonymized personal data for research purposes can also be justified without the consent of the data subjects if the goals of a study are non-personal and the results do not allow any conclusions to be drawn about individual persons. Since participation in research projects is voluntary, the data subjects must nevertheless consent to their data being processed, or at least have the right to object. Researchers are obliged to obtain consent if they use data that are subject to professional secrecy, for example medical confidentiality. In the absence of consent, a special procedure can be used to obtain an authorization that allows this secret to be disclosed under certain conditions.

According to the principle of legality (Art. 17 DSG), researchers working for federal bodies may only process personal data for research purposes if there is a legal basis (e.g. the Research and Innovation Promotion Act (FIFG; SR 420.1)).

However, this research privilege does not release you from the obligation to provide information about data processing. The data subjects must receive all information about the planned data processing in advance.

In particular, information must be provided about:

  • the author or the person responsible for the data processing
  • the type and scope of the data collected / processed
  • the purpose of the data processing
  • the transfer of the data to third parties / the categories of recipients / the cross-border disclosure of data and the guarantees according to Article 6 paragraph 2 letter a DSG
  • the voluntary nature of participation in the project and the possibility of withdrawing consent at any time
  • the consequences for the data subject in the event of a revocation (the data subject should not incur any significant disadvantages)
  • the right of access and the right to rectification

It is also advisable to provide information about the following:

  • the anonymization / pseudonymization of the data (is it possible to infer the person? in which cases? who keeps the correspondence table, and who is allowed to access it and when?)
  • the storage of the data (form and duration) and their further use
  • the contract with third parties and their confidentiality obligations
  • the possibilities of the data subject to be informed about the research results

In the field of medical research, numerous legal provisions stipulate which information must be given to a person before they consent to participate in an experiment, for example the Human Research Act (HRA; SR 810.30), the associated ordinance (HRO; SR 810.301) and the ordinance on clinical trials in human research (KlinV; SR 810.305).

Purpose and proportionality

The data may only be processed for the purpose specified when they were obtained (principle of intended purpose).

Only those data may be processed that are necessary to fulfill the intended research purpose (principle of proportionality).

Security

Personal data must be protected against unauthorized processing through appropriate technical and organizational measures. This applies to processing as well as to storage. Data security must be guaranteed (for private individuals see Art. 7 DSG and Art. 8-12 VDSG; for federal bodies see Art. 20 and 21 VDSG). The data must be kept in a safe place and, if they are in electronic form, be encrypted. In addition, only a small group of clearly defined people may have access to the data, and the processing of the data is strictly confidential.

It must be specified how long the data will be kept. The retention period ends when the research goal is achieved. The data must then be destroyed or anonymized.

In the case of non-anonymized data, the data subjects must be granted access to the data and the person who can exercise this right of access must be identified.