Health data is considered sensitive personal data and is thus protected by the Personal Data Protection Act (ZVOP) and the Patients’ Rights Act. However, the former Minister of Finance, Dr Janez Šušteršič, recently revealed that the Financial Administration of the Republic of Slovenia (FURS) can request and receive named information about patients of “amphibian” doctors (those who work in the public and the private sector) and the procedures performed.
“The Financial Administration can find out anything about you without initiating proceedings, without a court order, just by writing to the person who has the information,” economist Janez Šušteršič pointed out in a post on the social network X, adding that the Administration can currently, for example, “request and receive personal data on patients of “amphibian” doctors and procedures performed”. “And you thought your diagnosis was confidential,” he added.
Dr Samo Vesel, a paediatrician cardiologist, responded to the above-mentioned note and asked Šušteršič: “From whom?” Adding that “the Financial Administration has absolutely no right to this information.” Šušteršič replied that the Tax Procedure Act says that everyone must provide FURS with information if FURS needs it. “A bank, for example, can send them everything about you if it receives an ordinary letter from them. I have seen this myself in tax files. As for patients, doctors have told me, and, judging by the responses, not only me,” he stressed.
As many people couldn’t help but be surprised by the matter, one X user wrote: “No joke, a friend/doctor working in a private clinic told me that they wanted a list. He resisted them.” Dr Rok Ravnikar, a family physician, highlighted the following belief in this regard: “Insights and obtaining medical data on individuals by unauthorised, even non-medical staff is very likely to be controversial. In a hyper-bureaucratised healthcare system, even billing invoices are likely to contain sensitive data.”
Theoretically, it is possible
When asked whether the legislation allows this, Ivan Simič, MSc, a tax consultant and former Director of the Financial Administration, pointed out that the Administration can obtain data based on Article 39 of the Tax Procedure Act (ZDP). “I have never seen a case of FURS requesting data on patients, but it is theoretically possible,” he added.
The Article in question reads as follows: “Article 39 (obligation to provide information) (1) The persons referred to in Article 31 of this Law and other persons authorised by law to establish, keep and maintain databases, registers or other records, shall, if so requested, make available to the tax authority the information necessary for the collection of tax or to fulfil obligations relating to international cooperation in tax matters and, to that extent, to facilitate the tax authority to have access to its documentation. They must make available the documentation they keep and the databases they maintain in the form of registers, records or compilations, whether or not they are required by law, if and to the extent that they are necessary for the collection of taxes or for the fulfilment of obligations relating to international cooperation in tax matters, and other information which is relevant for the collection of tax or for the fulfilment of obligations related to international cooperation in tax matters, including their own tax identification number and the tax identification numbers of other persons which they are required to hold pursuant to this Law or the law on taxation, and the personal identification numbers of the citizen, if the records do not contain information on the tax identification number. (2) The tax authority shall obtain information in accordance with the first paragraph of this Article: 1. Automatically, if such a method of providing the information and the type of information requested are provided for by law, 2. upon request, if not otherwise provided for by this Law, or 3. on the spot.”
Theoretically, it is possible
When asked whether the legislation allows this, Ivan Simič, MSc, a tax consultant and former Director of the Financial Administration, pointed out that the Administration can obtain data based on Article 39 of the Tax Procedure Act (ZDP). “I have never seen a case of FURS requesting data on patients, but it is theoretically possible,” he added.
The Article in question reads as follows: “Article 39 (obligation to provide information) (1) The persons referred to in Article 31 of this Law and other persons authorised by law to establish, keep and maintain databases, registers or other records, shall, if so requested, make available to the tax authority the information necessary for the collection of tax or to fulfil obligations relating to international cooperation in tax matters and, to that extent, to facilitate the tax authority to have access to its documentation. They must make available the documentation they keep and the databases they maintain in the form of registers, records or compilations, whether or not they are required by law, if and to the extent that they are necessary for the collection of taxes or for the fulfilment of obligations relating to international cooperation in tax matters, and other information which is relevant for the collection of tax or for the fulfilment of obligations related to international cooperation in tax matters, including their own tax identification number and the tax identification numbers of other persons which they are required to hold pursuant to this Law or the law on taxation, and the personal identification numbers of the citizen, if the records do not contain information on the tax identification number. (2) The tax authority shall obtain information in accordance with the first paragraph of this Article: 1. Automatically, if such a method of providing the information and the type of information requested are provided for by law, 2. upon request, if not otherwise provided for by this Law, or 3. on the spot.”
Director-General of the Financial Administration of the Republic of Slovenia, Peter Grum, also responded to Šušteršič’s post, writing the following on Linkedin:
“When you step on a cat’s tail, it meows. On Saturday, the 12th of April, former Minister of Finance Janez Šušteršič took to the X network to highlight the allegedly controversial acquisition of individuals’ health data by the Financial Administration. There are some untruths and misrepresentations in the record, so I feel it is only right that I write something about it.
Tax authorities do not generally ask healthcare businesses for patient information, but for the books, contracts and documents that form the basis of tax returns. To the extent necessary to carry out the procedure. If the authenticity of a particular document is questionable, the authority may also further verify that document in the course of the control procedure with other available facts and evidence. This may exceptionally include information from medical records.
But the Financial Administration is not interested in your diagnosis. We are interested in what services have been provided (not to whom), to what extent, whether the documents have been properly recorded, whether VAT has been correctly accounted for, etc. Access to information obtained by the inspector in the course of an inspection (always on the basis of an official request and always on the basis of the inspection procedure initiated) is limited, as only the employee of the Financial Administration who needs it to carry out his or her duties has access to it. This employee must also protect the information properly, as failure to do so could
constitute a breach of an obligation arising out of the employment relationship, which could lead to the dismissal of the employee on a regular or extraordinary basis and to the establishment of his liability for damages.
Regarding the legality and reasonableness of the procedures described, the Financial Administration also has the opinion of the Information Commissioner (attached), which confirms the appropriateness of the procedures described. And why is it necessary to monitor healthcare companies? Because these companies are also tax-risky. According to the Financial Administration, they are even considered to be an above-average risk, and systemic irregularities have been identified in this area. It would, therefore, be naïve to think that there is no tax evasion in the healthcare sector or that healthcare companies are fully compliant in their tax accounting. Reading Mr Šušteršič’s note, one would think that FURS would have to make a big detour around the controls of the healthcare sector. Probably the same applies to lawyers and anyone else.
It is a fact of life that private healthcare is a powerful business and that there are many lobbies and interests in it that do not want things to change. Fortunately, the Financial Administration is an independent enough body to be able to counter these interests in the exercise of its duties.”
The attached document that Grum mentioned, sent from the Information Commissioner, reads as follows:
“Regarding your question and the above-mentioned legal provisions, the Commissioner explains that the above-mentioned tax regulations provide the tax inspector with a sufficient legal basis for accessing medical records, waiting lists, etc., even if the records contain sensitive patient data. The tax inspector has a legal basis for accessing the aforementioned data for the very reason of the exercise of public interest, which in the present case is manifested in the supervision of the correctness of the taxable persons’ compliance with their tax obligations under the tax regulations, and, last but not least, for the purposes of tax inspection, the tax inspector is also given a legal basis for accessing patients’ medical records by the Tax Services Act (ZDS-1-UPB2), which does not explicitly specify in Article 18 which sensitive data the tax inspector may inspect in documents containing sensitive personal data (including the sensitive personal data of patients), but it does specify that the necessity and appropriateness of processing the requested personal data of patients in a specific case must be assessed in the light of the tasks performed by the tax service, which include, inter alia, the collection of taxes and other compulsory duties, and, in this respect, processing of data in light of the possible existence of an incorrect tax liability on the part of the taxable persons subject to the tax.
Therefore, in order to correctly determine the tax liability of taxable persons in tax control procedures, access by tax inspectors to patients’ medical records, waiting lists, etc., is necessary and permitted, as it is based on the law. This also follows from the aforementioned health regulations, which, except for users who have a basis in law (in the specific case, the tax inspectors), only allow the processing of sensitive personal data in the cases as defined by the individual health regulation. Last but not least, the data concerned is data necessary for the collection of taxes or information relevant for the assessment of taxes. However, the tax inspector will only use the personal data thus obtained from the above-mentioned documentation for the purposes of tax inspection.”
Šušteršič has already responded to Grum’s remarks, writing: “Thank you for squealing – and admitting that sometimes, you also look at medical records and that you only “generally” do not ask for patient data.”
A. H.
