Data Protection for Medical Practices: A Practical Monday-Morning Guide
Most data protection guides are written by lawyers, for lawyers. This one is written for the person who actually opens the practice on Monday morning. The legal framework matters, but what matters more is the everyday handling of patient information: who sees what, how long it stays, what to do when a patient calls and says "delete my file."
This guide focuses on Swiss medical practices but the principles apply equally to clinics in France, Belgium and the rest of the French-speaking EU. Where Swiss and EU rules diverge, we say so.
The five categories of patient data
Every clinic, no matter how small, holds five distinct categories of data. Treating them as one undifferentiated blob is what gets practices in trouble. Sort them mentally, and ideally in your software, into:
- Identity data: full name, date of birth, AVS / national insurance number, ID document number.
- Contact data: address, phone, email, emergency contact.
- Clinical data: diagnoses, treatment notes, prescriptions, lab results, imaging, allergies. This is the "particularly sensitive" category.
- Financial data: invoices, insurance policy numbers, IBAN if you do direct debits, outstanding balances.
- Marketing-consent data: whether the patient agreed to receive newsletters, post-treatment follow-ups or birthday messages, and when they gave (or revoked) that consent.
Each category has different access rules, different retention periods and different risks. Mixing them up is how a receptionist ends up seeing a patient's HIV status while looking up a phone number.
Who can see what: role-based access
The legal principle is data minimisation: every team member should only see what their job requires.
A workable default for a small clinic:
- Receptionists / administrative staff: identity, contact, appointment slots, invoice status. Not clinical notes. Not diagnoses.
- Practitioners: full clinical record for their own patients; full access during shared cases; read-only for colleagues' unshared cases when clinically necessary.
- Owner / practice manager: financial reports, audit logs, user management. Clinical notes only when also acting as a practitioner.
- Accountant: invoices and financial summaries. Never clinical content. Have them sign a written data processing agreement.
Your software should make this trivial to configure. If everyone in your practice logs in with the same account, that is a compliance problem and a security one: you can no longer tell who looked at what.
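The role matrix above, written out as a policy check that a clinic application could call before showing a screen. This is an added example, not code from the original guide or from any clinic software product. The role names, the `treating` and `shared_with` fields on a patient and the `clinical_need` flag are assumptions made for the illustration; the point it shows beyond the list is that practitioners' clinical access depends on the patient relationship, not only on the role, and that every decision (including denials) lands in the audit trail.

```python
"""Role-based access check for a small clinic's patient records.

Added example, not the guide's own code. Encodes the default role matrix
from the section above and logs every decision. Role names, the
`treating` / `shared_with` fields and `clinical_need` are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The five data categories from the guide.
IDENTITY, CONTACT, CLINICAL, FINANCIAL, MARKETING = (
    "identity", "contact", "clinical", "financial", "marketing",
)

# Static permissions per role ("r" = read, "rw" = read and write).
# Clinical access for practitioners is patient-dependent and decided
# separately below; nobody gets clinical access from this table alone.
ROLE_POLICY = {
    "reception":    {IDENTITY: "rw", CONTACT: "rw", FINANCIAL: "r", MARKETING: "rw"},
    "practitioner": {IDENTITY: "r", CONTACT: "r"},
    "manager":      {FINANCIAL: "r", MARKETING: "r"},
    "accountant":   {FINANCIAL: "r"},
}


@dataclass
class Patient:
    id: str
    treating: set                                   # user ids of treating practitioners
    shared_with: set = field(default_factory=set)   # colleagues on a shared case


@dataclass
class User:
    id: str
    roles: set   # an owner who also practises holds {"manager", "practitioner"}


AUDIT_LOG: list = []   # in production: an append-only store, not a list


def decide(user: User, patient: Patient, category: str, action: str,
           clinical_need: bool = False) -> bool:
    """Return True if `user` may perform `action` ('r' or 'w') on the given
    data category of `patient`'s record. Every decision is logged."""
    allowed = any(action in ROLE_POLICY.get(role, {}).get(category, "")
                  for role in user.roles)

    if category == CLINICAL and "practitioner" in user.roles:
        if user.id in patient.treating or user.id in patient.shared_with:
            allowed = True                      # own or shared case: full access
        elif action == "r" and clinical_need:
            allowed = True                      # colleague's case: read-only, on need

    AUDIT_LOG.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "user": user.id, "patient": patient.id,
        "category": category, "action": action, "allowed": allowed,
    })
    return allowed


def last_audit_entry() -> dict:
    return AUDIT_LOG[-1]
```

The manager case is worth noting: a practice owner who also treats patients gets clinical access through the practitioner role and the patient relationship, never through the manager role, so the audit line records why the access was granted.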
Retention periods you actually need to remember
Swiss medical record retention is governed by a mix of cantonal health law, the Code of Obligations and the FADP. The numbers worth memorising:
- Adult patient records: 10 years after the end of treatment in most cantons (some, Zurich for example, require 20). When in doubt, default to 20.
- Minor patient records: 20 years after the patient reaches adulthood, i.e. up to age 38.
- Invoices and accounting records: 10 years under the Code of Obligations (Art. 958f CO).
- Marketing consent records: as long as the consent is active, plus a reasonable proof window (3 years is standard).
In France, the equivalent rule (Code de la santé publique, Art. R. 1112-7) is generally 20 years from the last visit, with exceptions. EU practices should follow their national medical retention law: for medical records it is that law, not the practice's own judgement, that defines what GDPR's "no longer than necessary" period is.
Once a retention period expires you have a duty to delete or anonymise the data, not to "leave it in case". Keeping it longer is a violation in itself.
When a patient asks for their file: the 5-step workflow
Patients have a right of access (Art. 25 FADP, Art. 15 GDPR). The first time it happens it feels stressful; if you have a workflow, it takes 30 minutes.
- Verify identity. Ask for an ID copy if the requester is not in front of you. Don't release records based on an email signature.
- Acknowledge in writing within 5 working days. A short reply is fine: "We received your request on [date], we will respond within 30 days as required by law."
- Compile the file. Use your software's export function. Include identity, contact, clinical notes, lab results, prescriptions and a list of recipients with whom data was shared.
- Redact where lawful. You may redact information that identifies a third party (e.g. a family member mentioned in the notes) or that would harm the patient's mental health (rare; document the reason).
- Deliver in a usable format and log it. PDF is acceptable. Log the request and the response in your audit trail. Free of charge for a normal request.
When a patient asks for deletion
A right to deletion exists (Art. 32 FADP (nLPD), Art. 17 GDPR), but for medical records it is almost always overridden by the legal retention obligation. The correct response is rarely a full delete.
Practical answers:
- Marketing consent β yes, immediate removal from newsletters, no questions asked.
- Old contact details β yes, replace with a tombstone record ("patient last seen in 2017, opted out of marketing").
- Clinical record during the retention period: no. Explain in writing that retention is mandatory under cantonal medical law; offer to lock the file from active use.
- Clinical record after retention expires β yes. This is overdue housekeeping, not a special request.
Document every refusal in writing with the legal basis. Refusing without a reason is what gets practices reported.
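The retention periods from the previous section and the per-category answers above, carried through the date arithmetic. This is an added example, not code from the original guide or from any clinic software product. It assumes the caller supplies the cantonal clinical period (look it up in your cantonal health law; the guide's advice is 20 years when in doubt), counts invoice retention from the invoice date, keeps a revoked marketing consent as proof for the three-year window, and keeps identity data for as long as any record it belongs to is still under mandatory retention. The minor rule is the part that is easy to get wrong by hand: a patient treated at age 11 in a 20-year canton is kept until their 38th birthday, not until 20 years after the last visit.

```python
"""Retention expiry and deletion-request triage, per data category.

Added example, not the guide's own code. Assumptions: cantonal clinical
period supplied by the caller, invoices counted from issue date, revoked
consent kept as proof for three years, identity kept while any record is
under mandatory retention. Dates may be given as ISO strings.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Union

ADULT_AGE = 18
YEARS_AFTER_ADULTHOOD = 20     # minors: 20 years after reaching adulthood
ACCOUNTING_YEARS = 10          # Art. 958f CO
CONSENT_PROOF_YEARS = 3        # proof window after consent is revoked
DEFAULT_CLINICAL_YEARS = 20    # "when in doubt, default to 20"

DateLike = Union[date, str]


def as_date(d: DateLike) -> date:
    """Records often arrive as ISO strings from a CSV export or a DB row."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def add_years(d: date, n: int) -> date:
    """Add calendar years; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


@dataclass
class PatientRecord:
    dob: DateLike
    end_of_treatment: DateLike
    clinical_years_in_canton: int = DEFAULT_CLINICAL_YEARS
    last_invoice: Optional[DateLike] = None      # assumption: count from issue date
    marketing_consent_active: bool = False

    def __post_init__(self):
        self.dob = as_date(self.dob)
        self.end_of_treatment = as_date(self.end_of_treatment)
        if self.last_invoice is not None:
            self.last_invoice = as_date(self.last_invoice)


def clinical_retention_until(rec: PatientRecord) -> date:
    """Adults: end of treatment plus the cantonal period. Patients who were
    minors when treatment ended: at least 20 years after their 18th birthday."""
    until = add_years(rec.end_of_treatment, rec.clinical_years_in_canton)
    adulthood = add_years(rec.dob, ADULT_AGE)
    if rec.end_of_treatment < adulthood:
        until = max(until, add_years(adulthood, YEARS_AFTER_ADULTHOOD))
    return until


def financial_retention_until(rec: PatientRecord) -> Optional[date]:
    if rec.last_invoice is None:
        return None
    return add_years(rec.last_invoice, ACCOUNTING_YEARS)


def answer_deletion_request(rec: PatientRecord, today: DateLike) -> dict:
    """Map each data category to (action, written reason) for a deletion
    request received on `today`. Every refusal carries its legal basis."""
    today = as_date(today)
    clinical_until = clinical_retention_until(rec)
    financial_until = financial_retention_until(rec)
    answer = {}

    if rec.marketing_consent_active:
        answer["marketing"] = ("revoke_now",
            f"Consent revoked on {today}; removed from all mailings. The consent "
            f"record is kept as proof until {add_years(today, CONSENT_PROOF_YEARS)}.")
    else:
        answer["marketing"] = ("nothing_to_do", "No active marketing consent on file.")

    answer["contact"] = ("tombstone",
        "Address, phone and email replaced by a tombstone entry "
        f"(patient last seen {rec.end_of_treatment}, opted out of marketing).")

    if today < clinical_until:
        answer["clinical"] = ("refuse_and_lock",
            f"Retention is mandatory under cantonal medical law until "
            f"{clinical_until}; the file is locked from active use until then.")
    else:
        answer["clinical"] = ("delete",
            f"Retention period ended on {clinical_until}; deletion was overdue.")

    if financial_until is None:
        answer["financial"] = ("nothing_to_do", "No invoices on file.")
    elif today < financial_until:
        answer["financial"] = ("refuse",
            f"Accounting records are kept 10 years (Art. 958f CO), until {financial_until}.")
    else:
        answer["financial"] = ("delete", f"Accounting retention ended on {financial_until}.")

    # Identity data stays attached to any record still under mandatory retention.
    if answer["clinical"][0] == "refuse_and_lock" or answer["financial"][0] == "refuse":
        answer["identity"] = ("retain", "Needed to identify a record under mandatory retention.")
    else:
        answer["identity"] = ("delete", "No remaining record requires it.")
    return answer
```

The same `clinical_retention_until` / `financial_retention_until` pair is what the yearly "delete records past their retention" reminder should run over the whole patient table; the deletion-request path only adds the written reasons.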
The boring-but-mandatory security list
Most data breaches in healthcare are not sophisticated attacks. They are stolen laptops, shared passwords and "I just left the screen open for a second."
- Encryption at rest and in transit: AES-256 on the database, TLS 1.2+ on every connection. Your software should handle this; verify in writing. Keep in mind what this covers: encryption at rest protects a stolen disk or backup, not data read through a logged-in account, which is why the role configuration above matters just as much.
- Unique accounts, no sharing: every team member has their own login. Shared logins make audit trails worthless.
- Strong unique passwords + 2FA: at minimum on the practitioner and admin roles. A password manager is cheaper than a breach.
- Automatic session lock: five-minute idle timeout on shared workstations.
- Regular off-site backups: at least daily, encrypted, tested by actually restoring once a year.
- Patched operating systems: Windows / macOS auto-updates on, antivirus installed.
- Locked file cabinets for the paper you still keep, and a shredder for what you throw out.
The email and WhatsApp trap
Sending an appointment reminder by email or WhatsApp is, for most practices, a data transfer to a third country. Both Gmail and WhatsApp store data on US servers, and as US-operated services both fall under the CLOUD Act wherever the servers physically sit.
The trap: a message that says "Reminder: appointment Tuesday at 14:00 with Dr. Müller for your dermatology check-up" combines identity, contact and clinical category data in one message. That is a sensitive-data transfer to US infrastructure.
Safer patterns:
- Use SMS or in-app notifications via a Swiss or EU provider (most clinic software now offers this).
- Keep reminder content non-clinical: "Reminder: appointment Tuesday 14:00. Reply STOP to cancel." No specialty, no doctor name if avoidable.
- Get explicit consent for WhatsApp / email reminders, document it, and offer SMS as the default.
- Never put a diagnosis, prescription or test result in an email or WhatsApp. Use your patient portal instead.
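The safer patterns above, as a policy that a reminder pipeline could enforce before anything leaves the practice. This is an added example, not code from the original guide or from any messaging provider. It assumes an SMS gateway with a Swiss/EU provider is configured as the default channel, that documented consent is available as a set of channel names per patient, and it uses a constructed, deliberately short clinical term list as a last-line lint on free text (the real protection is that reminders are built from the non-clinical template and clinical content only ever goes to the portal).

```python
"""Outbound patient-message policy: channel, consent and content.

Added example, not the guide's own code. Assumptions: channel names,
a per-patient `patient_consented` set, a Swiss/EU SMS gateway as default,
and a constructed clinical term list used only as a lint.
"""
import re

# Channels whose provider stores data in a third country (the section
# above names Gmail and WhatsApp).
THIRD_COUNTRY = {"whatsapp", "email"}
DEFAULT_CHANNEL = "sms"        # assumed: an SMS gateway with a Swiss/EU provider

# Constructed, deliberately short list for linting free text.
CLINICAL_TERMS = ("dermatolog", "oncolog", "psychiatr", "diagnos", "result",
                  "prescription", "biopsy", "hiv", "pregnan")
PRACTITIONER_RE = re.compile(r"\bDr\.?\s+\w+")


def lint_free_text(text: str) -> list:
    """Reasons a free-text message must not leave the practice (empty = clean)."""
    low = text.lower()
    findings = [f"clinical term: {t}" for t in CLINICAL_TERMS if t in low]
    if PRACTITIONER_RE.search(text):
        findings.append("practitioner name")
    return findings


def plan_message(kind: str, requested_channel: str, patient_consented: set,
                 when: str = "") -> dict:
    """Decide how an outbound message of `kind` ('reminder', 'result' or
    'prescription') goes out. Returns the channel, the text, and where the
    actual content lives ('message' or 'portal')."""
    if kind in ("result", "prescription"):
        content_in = "portal"        # never in the message body
        text = "A new document is available in your patient portal."
    elif kind == "reminder":
        content_in = "message"
        text = f"Reminder: appointment {when}. Reply STOP to cancel."
    else:
        raise ValueError(f"unknown message kind: {kind}")

    channel = requested_channel
    if channel in THIRD_COUNTRY and channel not in patient_consented:
        channel = DEFAULT_CHANNEL   # no documented consent: SMS is the default

    problems = lint_free_text(text)
    if problems:                    # e.g. a doctor's name smuggled in via `when`
        raise ValueError(f"message blocked: {', '.join(problems)}")
    return {"channel": channel, "text": text, "content_in": content_in}
```

Run against the trap message from the previous paragraph, `lint_free_text` flags both the specialty and the practitioner name; a reminder whose `when` field someone padded with "with Dr. Müller" is blocked for the same reason rather than sent.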
The data residency question, in one paragraph
When you sign with a clinic software vendor, you are not just buying a tool: you are choosing a country whose laws will apply to your patient data. Read the contract and ask one question in writing: "In which physical data centres, and in which countries, is patient data stored, including backups?" If the answer is "Switzerland and only Switzerland", you are in the strongest position. If it is "EU", you are in good shape. If it is "United States" or "we don't know", that is your answer.
A one-page action list
If you do nothing else this month:
- Configure roles in your software so only practitioners see clinical notes.
- Audit who has the admin password, and change it if anyone has left.
- Confirm in writing where your software stores data.
- Stop sending clinical content over email and WhatsApp; switch to your portal or to non-clinical SMS.
- Write a one-page privacy notice and post it at reception.
- Set a calendar reminder for next year to delete records past their retention.
Data protection in a small medical practice is not glamorous. But the practices that get it right are also the practices patients trust enough to recommend, and that is the kind of compliance that pays for itself.