Infomedics, a billing company that bills on behalf of healthcare providers, sends a patient an invoice containing specifications of the care provided. This patient is not happy about this and claims damages for violation of her privacy and confidentiality. Please find the rulings of the court and the court of appeal here:
What were the facts of the case?
It concerns an invoice for a medical treatment of €320, which read "099899060 1 or 2 outpatient visits/ remote consultations for heart failure or other heart disease." The patient in question receiving the invoice leaves it unpaid, after which Infomedics starts collection proceedings in court. The patient herself files a counterclaim, claiming damages for breach of privacy, destruction of her medical records and reimbursement of actual litigation costs. She is of the opinion that Infomedics, as a processor of personal data, violated the GDPR and the duty of confidentiality, and did so by taking note of the medical records and by using the invoice and payment reminder in the collection procedure, which stated the nature of the medical treatment.
What does the court rule?
The court upheld Infomedics' claims and rejected the patient's claim: according to the court, the patient had not sufficiently substantiated why Infomedics had acted negligently or unlawfully towards her by stating on the invoice and payment reminder which treatment the costs related to. The court also held that the use of the documents in the proceedings was not unlawful. After all: parties have to substantiate their claims. The claim to destroy the medical records was also dismissed.
What is the court's opinion on appeal?
The patient then brought the case before the court of appeal. She argues that the court wrongly ruled that Infomedics' processing of her personal data - stating on and bringing into the procedure the invoice containing the nature of the medical treatment - was lawful. This is because Infomedics itself is not a 'healthcare provider' and also did not have a sufficient (legitimate) interest in the use of the (treatment) data, according to the patient. Moreover, the patient believes that the submission of this information in proceedings is not required by law. The fact that Infomedics kept her medical file is also not justified.
The court of appeal holds that Infomedics is indeed a 'healthcare provider' within the meaning of the Healthcare Market Regulation Act (Wmg). After all, the party that charges rates in connection with the provision of care is also a 'healthcare provider'. Pursuant to Section 38(2) of the Wmg, healthcare providers must charge a rate stating the description of the performance delivered. According to the court of appeal, the performance description on the invoice was determined by the Dutch Healthcare Authority. Infomedics performed its statutory duty correctly and justifiably. Therefore, there is no violation of a healthcare provider's duty of confidentiality.
Furthermore, the use of the data in the proceedings is lawful, in view of Article 9(2)(f) and (g) GDPR: the use is necessary for the establishment, exercise and substantiation of a legal claim and, moreover, proportionate. The processing prohibition of Article 9(1) GDPR does not apply to Infomedics.
Finally, the court adds, for the sake of completeness, that the patient's objections, understandable in themselves, to the disclosure of data about her treatment (which are indeed very personal) are insufficient to deviate from the weighing up done by the legislator. Her claim for damages therefore fails. So does her claim for destruction of the medical records: Infomedics has disputed that it has this medical file in its possession, and the patient has not sufficiently argued that Infomedics received more than the description of the treatment that was performed.
If you want to read back the full judgment, you can do so here
Also have questions about the GDPR or other privacy issues? Please contact SPEE advocaten & mediation, we will be happy to help you.