Private health insurers may not, without the policyholders' consent, evaluate invoices submitted for reimbursement in order to identify candidates for health programs. Germany's Federal Administrative Court (BVerwG) in Leipzig has ruled to this effect, delivering a landmark decision on the handling of sensitive health data (Case No.: BVerwG 6 C 7.24).
At the center of the case was Debeka's practice of systematically analyzing submitted invoices to proactively reach out to policyholders for specific health programs. The Koblenz-based insurer offers programs for conditions like diabetes, asthma, and back problems as part of its health management. To identify potential participants, invoices submitted for claims reimbursement were analyzed, particularly for any diagnoses they contained. Policyholders who appeared suitable based on this evaluation then received an invitation to join the relevant programs.
According to the company, consent for this data analysis was obtained from new customers and when contracts were modified. However, for many existing policyholders, the evaluation was carried out without such consent. As early as February 2022, the data protection authority of Rhineland-Palatinate had warned the insurer about this practice. The authority believed that analyzing invoices without consent violated the requirements of the General Data Protection Regulation (GDPR).
The insurer was instructed to only carry out such data processing in the future based on valid consent from policyholders. Debeka subsequently filed a lawsuit against this order and initially won. Both the Mainz Administrative Court and the Koblenz Higher Administrative Court considered the data processing to be permissible.
However, the Federal Administrative Court overturned the lower court rulings and dismissed the lawsuit. According to the court, the evaluation does not fundamentally violate the prohibition on processing health data under Article 9 of the GDPR. The processing could, in principle, serve the purpose of health prevention. However, it was still impermissible because it could not be based on the legitimate interests of the insurer. In the required balancing of interests, the rights of the policyholders prevail.
The court particularly emphasized the especially high level of protection for sensitive health data. Furthermore, the offered prevention programs do not belong to the core medical field. In addition, the data evaluation affects a large number of policyholders, and those affected were not sufficiently informed about the insurer's interests.
For you as a policyholder, this ruling strengthens your data privacy rights. It means that your health insurer cannot mine your claims data for marketing or wellness program recruitment without your explicit permission. This is a significant victory for consumer privacy in the insurance sector. If an insurer approaches you with an offer based on your health data, you now have the right to ask: "Did you get my consent to analyze my invoices for this purpose?" If the answer is no, the approach may be unlawful. This decision reinforces that your sensitive health information remains yours to control.