On June 29 2017 Parliament passed a law revising the safeguarding of secrecy where third parties are involved in the exercise of professional duties by persons with a duty of confidentiality.
The legislature responded to calls for a long-overdue reform and finally updated the criminal rules on secrecy for certain professionals (eg, doctors, dentists, psychotherapists and health insurers). For the healthcare sector, this reform opens up a number of new opportunities for using the services of external service providers without facing the risk of criminal liability.
Previously, secrets and confidential data entrusted to healthcare professionals could, without the consent of the patient, client or insured, be disclosed only to 'professional assistants' – a term which usually encompasses nurses or other employees, but not external service providers. It is now possible to disclose such information to 'other collaborating persons'. This means that hospitals and hospital operating companies can implement a financially worthwhile opportunity for data processing (including IT outsourcing) and use data storage (eg, cloud solutions). The law opens up a completely new industry of clients to the healthcare sector.
Section 203 of the Criminal Code prohibits members of certain professions from disclosing confidential information entrusted to them. These professions include doctors, dentists, pharmacists, lawyers, notaries, auditors and tax consultants, who traditionally act as individual advisers. However, it also covers bigger entities such as hospitals, hospital operating companies and health insurers. As it was generally accepted that merely giving a third party the opportunity to obtain knowledge of the secrets constituted the criminal offence, these companies previously could not, or only to a limited extent, make use of third-party services, particularly in information technology.
The sole exception was for disclosure to 'professional assistants', a term which some consider to also cover external service providers. However, this interpretation was broadly challenged, and there have been no precedents to clarify this argument thus far.
After the revision of the rules on professional secrecy, confidential information can now be disclosed to:
"persons who collaborate in the occupational activity of the professional with a duty of secrecy if the knowledge of the secret is necessary for providing the services of the collaborating persons."
The explanatory memorandum gives the following examples of collaborative actions:
- accepting telephone calls;
- archiving and shredding files;
- setup, operation and maintenance – including remote maintenance – and adjustment of IT equipment, applications and systems of all kinds (eg, correspondingly equipped medical devices);
- providing IT equipment and systems for external storage of data; and
- collaborating on the fulfilment of accounting and tax law obligations of the healthcare professional with a duty of secrecy.
Data can thus be passed on to these people in the future even without the consent of the patient or insured. This expressly enables the use of IT remote maintenance or cloud computing services. Healthcare professionals with a duty of secrecy (including doctors and hospitals) did not previously have this option.
The downside of expanding the circle to whom the secret can be passed on is criminal liability if the secret is disclosed by third-party service providers. This is now specified in Section 203(4) of the Criminal Code. It affects the personal criminal liability of the "other collaborating persons" – in other words, the third-party service provider.
Additionally, this section provides for criminal liability of the healthcare professional himself or herself if that person:
"failed to ensure that the other collaborating person committed to confidentiality and this person discloses without authorisation a secret which became known to her during the exercise, or by occasion, of her activity."
The requirements which such an obligation must meet are not specified in the draft.
Some guidelines are provided by the rules about specific healthcare professional obligations, which were also revised during the reform. The legislature only regulated the passing on of secrets to third-party service providers for lawyers, notaries, patent attorneys, tax consultants and auditors, since it has no legislative powers for the other professions concerned. Hence, there is no rule specific to doctors, which – according to the legislature – lies within the authority of the federal lawmaker and not of the German states. This may be correct, but it does not explain why there is no rule for insurers, since the federal lawmakers have legislative powers in this area.
It can be assumed that with these specific provisions the legislature wanted to create a blueprint for an appropriate obligation for third-party service providers for other professions, so that these rules can be consulted for drafting service agreements for the healthcare sector. For example, the revision in the Federal Lawyers' Act provides that:
- the service provider must be chosen carefully;
- the contract with the service provider must be entered into in written form;
- the service provider must be informed of the criminal consequences of a breach of confidentiality;
- the service provider must be asked to commit to obtaining knowledge of third-party secrets only insofar as necessary to perform the contractual services; and
- it must be specified to the service provider whether he or she is authorised to deploy other persons to perform the contract.
The new law opens up broad application possibilities for healthcare professionals and groups to use IT services which were previously not permitted.
When designing specific contracts it is important to carefully define individual obligations. The new law offers some starting points which must be solidly implemented. Beyond this, it lacks clear guidance. For example, it is unclear:
- how detailed the instructions issued to the service provider must be;
- whether and in what form this instruction must be passed on to employees;
- whether the original healthcare professional must know the individuals involved; and
- what requirements there are for selection.
The basics of the contract should therefore be drafted with great care or be reviewed if necessary.
For further information on this topic please contact Fabian Badtke or Martin Schorn at Noerr LLP by telephone (+49 69 971 4770). The Noerr LLP website can be accessed at www.noerr.com.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.