The Federal Ministry of Health (‘BMG’) announced, on 1 April 2020, that the Federal Cabinet has adopted the draft Patient Data Protection Act (‘the Draft Act’) which aims to bring digital solutions to patients while respecting their personal data, and forms part of the bigger project to digitalise the German health sector.

Key provisions of the Draft Act

In particular, the Draft Act contains provisions on the right of patients to receive an electronic patient record (‘ePA’), digital transfers to specialists, and an app with which insured persons can redeem e-prescriptions in pharmacies. Moreover, the BMG highlights that from 2022, important medical documents, such as medical reports, vaccination cards, the maternity log and the medical checkup booklet for children (‘Gelbes Heft’) may be stored on the ePA. In addition, the BMG provides that from 2023, insured persons will have the option to make the data stored in the ePA available for medical research in a pseudonymised and encrypted form.

Responsibilities under the Draft Act and risk management options

Moreover, the BMG provides that everyone, including doctors, hospitals, and pharmacies, is responsible for protecting the patient data they process in the telematics infrastructure, and that operators of services and components within the telematics infrastructure must report malfunctions and security deficiencies to gematik GmbH immediately, or otherwise face a fine of up to €300,000.

Simon Assion, Associate at Bird & Bird LLP, told OneTrust DataGuidance with regards to compliance by stakeholders: “This is yet another notification obligation that applies in case of security incidents. German law already holds multiple other such notification obligations, and the number is growing. One security incident can trigger multiple incident notification obligations – just in Germany, while other jurisdictions can also be affected. In such cases, the timing and contents of the notifications are crucial. Companies need to prepare in advance. […] If service and component providers act as controllers, a Data Protection Impact Assessment (‘DPIA’) will often be mandatory. If so, companies should not only regard it as a burden but as a chance. A well-done DPIA is a good opportunity to improve the quality of the product and to take potential edges off before they can be spotted by customers, end users or authorities.”

Criticism by the BfDI Ulrich Kelber

Further to this, the Federal Commissioner for Data Protection and Freedom of Information (‘BfDI’) issued, on 3 April 2020, a statement (‘the Statement’) on the Draft Act, criticising certain provisions of the Draft Act for not being sufficiently compliant with data protection principles. While the BfDI welcomes that the security of essential components of the telematics infrastructure shall be ensured by certifications issued by the Federal Office for Information Security (‘BSI’), the BfDI suggests certain amendments, such as a harmonisation of the Draft Act with Regulation (EU) No 910/2014 of 23 July 2014 on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market and Repealing Directive 1999/93/EC (‘the eIDAS Regulation’), in order to ensure adequate authentication procedures.

In addition, the BfDI highlights that the provisions on access management, allowing the insured person to decide granularly who is authorised to see parts of the ePA or the ePA entirely, still need improvement. In this regard, Assion states, “I do not agree with this view of the BfDI. In practice, patients are interested in getting the best medical treatment, and not in managing access rights. Of course, transparency has to be ensured. […] The COVID-19 health crisis has shown how urgently we need functional e-health solutions right now. Legislators should not allow that the introduction of innovative e-health solutions is further delayed.”

The Draft Act is expected to enter into force in autumn 2020 and does not require approval in the Federal Council.