How does data protection work in healthcare?
The digitization of healthcare – including the electronic patient record, online video appointments and electronic doctor’s letters – opens up many possibilities. Digital identities, secure encryption methods and the telematics infrastructure network are all ways in which data protection and data privacy are guaranteed in this context.
At a glance
- Data protection and data privacy play an important role in the digitization of the healthcare sector.
- The telematics infrastructure (TI) is a closed data network used to exchange data within the German healthcare sector.
- The services in the telematics infrastructure enable secure storage of sensitive patient data, such as the electronic patient record.
- Online video appointments are offered by certified services outside of the telematics infrastructure.
Note: The information in this article cannot and should not replace a medical consultation and must not be used for self-diagnosis or treatment.

What is data protection?
Data protection means that personal data is protected from misuse and from being stored and processed without the owner’s permission. The term also comprises the right to informational self-determination, meaning that every person can determine the details of how their own personal data is disclosed and used.
Huge volumes of personal data are collected and managed every day in the healthcare system. In a medical context, other relevant data includes health-related data, i.e., details of health conditions and treatments, which is subject to doctor-patient confidentiality. It is essential for patients to be able to trust their doctors in relation to this data.
As institutions become increasingly connected and personal and medical data is transferred and stored digitally, data protection regulations must be implemented in a way that guarantees protection at all times.
When digital networks were being developed in healthcare, special standards of protection were observed and the telematics infrastructure (TI) was created. This is a secure network for exclusive use by the healthcare system that can only be accessed by registered individuals and institutions. The TI enables secure communication and data transfer.
To find out how the secure data network of the German healthcare system is structured, see the article about the telematics infrastructure.
Who can access my medical data?
Patients have the option of using digital services within the telematics infrastructure, such as the electronic patient record (ePA) or the electronic medication treatment plan (eMP). The ePA gives you control over your medical data and gives you access to it – for example, by allowing you to see reports and treatment recommendations at any time. You yourself can decide whether you want to use these services and who will have the right to access your data.
More information about access rights is provided in our article discussing the electronic patient record.
How are identities verified?
In the real world, a person’s identity can be verified by their physical features (for example, using a photograph of their face or a fingerprint) as well as by their personal details in conjunction with a document such as their personal identification card.
In the virtual world, identifiers such as user names, passwords, chip cards, tokens or biometric data are used for digital authentication. To ensure secure authentication, these identifiers are linked with the identity of a person. For this purpose, the identity may need to be verified beforehand, for example, using a personal identity card.
How are identities authenticated within the telematics infrastructure?
All users of the telematics infrastructure (TI) are required to authenticate their identities in order to exchange medical data. The following authentication methods are used:
- Insured patients use their electronic medical data card or health ID as authentication
- Health professionals use their health professional card
For example, insured patients must initially use their electronic medical data card together with the corresponding PIN or their health ID to authenticate their identity before logging in to their electronic patient record. After this first login, they can use other login methods, such as their fingerprint.
The combination of stored keys and a certificate creates an individual digital identity, which is independent of the type of authentication used.
Various permissions are linked to the relevant keys in the TI. For example, a doctor performs different healthcare-related functions from a pharmacist and therefore has different rights in terms of accessing medical data. Health insurance funds can add data to the ePA but do not have read permission for this data. Old results are an exception: at the request of the patient, these may be digitized by the health insurance fund and added to the electronic patient record.
How is data encrypted in the ePA?
Only insured patients can access their own electronic patient record (ePA) and no-one else can do so – unless granted access by the patient to the entire record, individual sub-folders or specific documents.
This is guaranteed by means of a unique electronic “record key” belonging to each ePA and a “document key” assigned to each individual document in the record.
If a patient grants permission for a medical practice to access documents in their electronic patient record (ePA), the practice is given the corresponding key. This is the only way for the practice to view or store data and documents in the ePA.
Important: Doctors and therapists must only use the data in the ePA for the purpose of providing medical care. The data cannot be accessed by anyone who is not a health professional. Health insurance providers as providers of the ePA can add data to the record, such as information about benefits that have been claimed. However, they are not permitted to read the data in the record – this access is technically blocked to them.
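The record key and document key arrangement described above is easiest to understand as a key hierarchy: every document is encrypted under its own document key, each document key is in turn encrypted ("wrapped") under the record key, and granting access means handing a practice exactly the document keys that fall within the chosen scope (whole record, one sub-folder or one document). The following Python illustration is an added example and is not the ePA's or gematik's actual implementation: the key lengths, folder names, document ids and contents are constructed, the small HMAC-based cipher merely stands in for a real authenticated cipher such as AES-GCM, and the ePA's real key management (which uses asymmetric keys and lets an insurer add data without being able to read it) is not modelled.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _derive(key: bytes, purpose: bytes) -> bytes:
    """Derive a purpose-specific subkey so encryption and MAC never share a key."""
    return hashlib.sha256(purpose + key).digest()


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream built from HMAC-SHA256; a stand-in for a real AEAD."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _keystream_xor(_derive(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_derive(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; a wrong key or a tampered blob is rejected."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key or modified data")
    return _keystream_xor(_derive(key, b"enc"), nonce, ciphertext)


class PatientRecord:
    """An ePA-style record: one record key held by the patient, one key per document."""

    def __init__(self) -> None:
        self.record_key = os.urandom(32)  # stays under the patient's control
        self.documents = {}  # doc_id -> (folder, wrapped document key, sealed content)

    def add_document(self, doc_id: str, folder: str, content: bytes) -> None:
        doc_key = os.urandom(32)
        # The document key is wrapped under the record key and stored beside the
        # sealed content; the plaintext document key is not kept anywhere.
        self.documents[doc_id] = (folder, seal(self.record_key, doc_key), seal(doc_key, content))

    def grant(self, scope: str, target: str = "") -> dict:
        """Unwrap and return only the document keys inside the chosen scope.

        scope is "record" (everything), "folder" (one sub-folder, named by target)
        or "document" (a single document id given in target).
        """
        granted = {}
        for doc_id, (folder, wrapped_key, _) in self.documents.items():
            in_scope = (scope == "record"
                        or (scope == "folder" and folder == target)
                        or (scope == "document" and doc_id == target))
            if in_scope:
                granted[doc_id] = unseal(self.record_key, wrapped_key)
        if not granted:
            raise KeyError(f"nothing matches scope={scope!r} target={target!r}")
        return granted


def read_as_practice(record: PatientRecord, granted_keys: dict, doc_id: str) -> bytes:
    """A practice can open exactly the documents whose keys it was given."""
    if doc_id not in granted_keys:
        raise PermissionError(f"no key for document {doc_id!r}")
    _, _, sealed_content = record.documents[doc_id]
    return unseal(granted_keys[doc_id], sealed_content)


def demo() -> dict:
    """Constructed walk-through: grant one document, then one folder, and test the limits."""
    record = PatientRecord()
    record.add_document("lab-2024-01", "lab-results", b"constructed lab result")
    record.add_document("letter-2024-02", "letters", b"constructed doctor's letter")
    record.add_document("lab-2024-03", "lab-results", b"constructed second lab result")
    single = record.grant("document", "lab-2024-01")
    folder = record.grant("folder", "lab-results")
    results = {"single": sorted(single), "folder": sorted(folder)}
    results["single_reads_lab"] = read_as_practice(record, single, "lab-2024-01")
    try:
        read_as_practice(record, single, "letter-2024-02")
        results["single_reads_letter"] = True
    except PermissionError:
        results["single_reads_letter"] = False
    # Holding the sealed bytes without the key is useless: a guessed key fails the tag check.
    try:
        unseal(os.urandom(32), record.documents["letter-2024-02"][2])
        results["wrong_key_opens"] = True
    except ValueError:
        results["wrong_key_opens"] = False
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point to take from the walk-through is that the storage operator never needs the plaintext keys: it holds wrapped document keys and sealed content, while the grant step lives entirely on the patient's side and produces only the keys for the chosen scope, so a practice granted one document cannot open a neighbouring one even though it can see the sealed bytes.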
How is data protected in telemedical communication?
Providers of video appointments and other telemedical services must demonstrate that they comply with legal data protection and information security requirements. For example, the content of the video appointment must be transmitted using the latest technology and with end-to-end encryption. The provider must also ensure that the content cannot be viewed or saved. However, these services run over a regular internet connection, rather than the secure network of the telematics infrastructure.
Services that are not embedded in the telematics infrastructure may be associated with problems relating to data protection legislation, despite meeting the statutory requirements. For example, third-party tracking cookies may be used with the consent of the user. These enable the collection of data on the platform, which can subsequently be used for marketing, the creation of user profiles, social media or usage analysis. Providers may also retain data for longer than is actually necessary in some cases.
Tips for managing personal data when using video appointments are provided on the consumer advice center website.
Can my medical data be used for research?
The Health Data Use Act (“Gesetz zur verbesserten Nutzung von Gesundheitsdaten”) enables research institutions to use data from the ePA and other sources, such as the cancer registry, subject to certain conditions. Medical data can only be released for use in research with the prior consent of the patient. When used for this purpose, the data must be pseudonymized so that it is not possible to identify the individual patient to whom it relates. Health service providers can also use healthcare data for research purposes, quality assurance and patient safety.
The pseudonymized data is pooled and processed by the Federal Institute for Drugs and Medical Devices (BfArM) in the Health Research Center.
Can my medical data be used by health and long-term care insurance funds?
Health insurance funds and long-term care insurance funds currently use non-medical data such as age and sex in order to make members aware of cancer screening tests, for example. In the future, health insurance funds will also be able to use cost reimbursement data to send members personalized recommendations. For example, it is hoped that this will enable them to create more suitable cancer screening services for people in high-risk groups, while also avoiding unnecessary testing of people in low-risk groups. Such recommendations can only be made if they can be shown to serve the purpose of individual health protection.
Which provisions guarantee the data privacy of the various services?
Various measures can be used to increase data privacy. The German Society for Telematics (gematik GmbH) defines which privacy measures are to be demonstrated by the individual service providers in accordance with the relevant legal provisions.
For example, the TI provides basic security functions such as authentication, encryption and signatures, and the services offered must use these functions.
Good to know: Multiple encryption of medical data ensures that the data can only be read by the person who is the intended recipient. Electronic signatures also protect certain documents from being falsified.
All technical components and services must be approved by the German Society for Telematics (gematik GmbH) and tested in advance in accordance with the standards developed by gematik GmbH in conjunction with the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). Potential vulnerabilities, threats and risks are monitored on a continuous basis. This ensures that data protection and data privacy always keep pace with the latest requirements.
In addition, a new Digital Advisory Board has been established to provide the German Society for Telematics with advice and support in relation to data protection and information security. The Digital Advisory Board includes representatives of the Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the German Federal Office for Information Security (BSI).
Further information
For information about the technical specifications relating to the telematics infrastructure and data protection, see the specialist portal of gematik.
For information about data protection requirements in relation to healthcare applications, see the BfArM website.
- Bundesdruckerei. Virtueller Ausweis: So funktionieren digitale Identitäten. Accessed on 02.05.2024.
- Bundesgesundheitsministerium. Daten für die Forschung und Versorgung. Accessed on 02.05.2024.
- Bundesgesundheitsministerium. Fragen und Antworten zum Digital-Gesetz. Accessed on 12.04.2024.
- Datenschutzticker. Accessed on 02.05.2024.
- EUR-Lex – Der Zugang zum EU-Recht. Datenschutz-Grundverordnung. As of: 27 April 2016.
- gematik GmbH. Whitepaper Datenschutz und Informationssicherheit in der Telematikinfrastruktur. As of: June 2021.
- GKV-Spitzenverband. Videosprechstunde, -betreuung/telemedizinische Leistung per Video. Accessed on 02.05.2024.
- Verbraucherzentrale. Telemedizin: Datenschutz bei Videosprechstunden. Accessed on 02.05.2024.
Reviewed by the German National Agency for Digital Medicine (gematik).