Data protection and data security
heyPatient users decide themselves at any time whether and with whom they share their data.
Those who share their data, e.g. by connecting digitally with a health partner, will be informed by the app, stating which data is being shared. The transmission of data is encrypted.
We have compiled further information on this important topic for you below.
Data protection principle of data minimisation
heyPatient complies with this principle, as service providers only receive data via heyPatient that has been approved by the patient and is required for digital interaction and effective treatment organisation.
There is also no need for mirrored data (in contrast to usual "patient portals"), as heyPatient is seamlessly integrated into the internal system environment and the interaction takes place, for example, directly from the clinical information system to the app and back.
Ethical principle: App usage possible without sharing any data
The app acts as a digital health companion in all phases of life. Patients can use the app by entering their health appointments (incl. vaccinations, dentist, annual check-ups for children, blood pressure/eye doctor check-ups, etc.) themselves and have them in view at all times.
The personal dossier (digital insurance card, document filing, allergy register) is also available without the need to share data.
What data can I share, why and with whom?
Data can be shared to digitally connect with healthcare providers and/or include your personal care network into your health routine.
The app notifies users when and what data is shared. For example:
With "connect", the contact and insurance data required for (emergency) treatment are shared with the selected health partner.
With "register", the reason for registration and the referring doctor are shared.
With "heyFamily", health appointments are "shared" unless they are marked as "private".
Microsoft Swiss Azure Cloud
The heyPatient solution uses the services of Microsoft Azure Switzerland.
In compliance with Swiss legislation and the GDPR, the Microsoft Azure Cloud offers the highest security standards, enabling app users, service providers and other platform users to benefit from the highest quality and security in terms of data protection, data security, infrastructure availability, service understanding, flexibility and scalability.
The heyPatient solution is operated in the Microsoft Swiss Azure Cloud in data centres in the Zurich and/or Geneva area and thus meets the requirements for particularly sensitive personal data.
Who uses the Microsoft Swiss Cloud?
Among others, the administration of the Canton of Zurich, in accordance with the government council resolution of 30.3.2022, as well as Swisscom, SMEs, banks and law firms, which have examined the offer in detail with regard to "data protection and CLOUD Act" and found it to be good. See also Inside-IT article.
Secure identification of app users
We use SwissID for this.
So that health data (currently: Patient ID, Case ID as well as name, date, time and place of health appointments) is sent digitally to the "right person" (i.e. with verified digital identity), app users who want to "connect digitally" with health partners must have SwissID Trust Level 1.
SwissID Trust Level 1 (LoT1) requires a digitally scanned ID document and a short video identification. heyPatient recognises the LoT1 status after successful video identification and enables the "digital connection". From this point on, app users can digitally register for admission and they will receive their appointments from the connected health partner directly on the app.
You can see how this online video identification works here.
The SwissID - for ALL nationalities
For the video identification, all European passports, as well as passports of almost all other countries, are checked and processed either immediately automatically or manually within a maximum of 2 days. You can also use your Swiss identity card for identification.
What is a SwissID Trust Level?
In the digital world, different requirements have to be met for digital interaction, depending on how sensitive the associated data is.
The SwissID offers different "levels of trust" for the following applications (unfortunately in German only):
Data stored in the app
These include, for example, self-saved documents, allergies, settings, the insurance card or even connections such as heyFamily, etc.
The data is stored encrypted in the Microsoft Swiss Azure Cloud.
Data transfer and data storage are encrypted. For the highest data protection requirements, we use dedicated FHIR agents (test as well as production environment), with optionally available specific, additional keys (Bring Your Own Key, BYOK).