Data protection, privacy and digital health
Responsible authorities and applicable legislation
Which authorities are responsible for compliance with data protection and privacy, and what is the applicable legislation?
The Federal Office for Information Security, the Federal Commissioner for Data Protection and Freedom of Information and the relevant state commissioners for data protection and freedom of information are considered the most important supervisory bodies when it comes to the security and protection of personal data during processing.
The office of the state commissioner of the relevant federal state is the supervisory authority for the processing of personal data. Unlike the Federal Commissioner for Data Protection and Freedom of Information, state commissioners supervise both public and private bodies.
In Germany, Regulation (EU) 2016/679 (the General Data Protection Regulation (GDPR)) is supplemented by the Federal Data Protection Act and the data protection laws of the federal states. These basic laws are supplemented by a variety of area-specific laws, such as the Telecommunications Act and the Social Security Code (SGB). Given the large number of data protection laws, it is of great importance for companies to know the individual laws and obligations.
The Patient Data Protection Act recently made digital offerings such as the e-prescription or the electronic patient file usable, while also regulating the protection of the health data concerned in these cases. The telematics infrastructure is intended to connect all participants in the healthcare system, such as doctors, dentists, psychotherapists, hospitals, pharmacies and health insurance companies, as part of digital health applications. Medical information needed for patient treatment should thus be available more rapidly and more easily. According to the e-Health Law, all German medical practices must implement such an e-health provision.
Every user of the telematics infrastructure is responsible for protecting the patient data it processes. The details of this have also been regulated in the draft Patient Data Protection Act.
Examples of important area-specific regulations on the permissibility of processing health data include the following.
Federal laws are:
- Federal Data Protection Act (eg, section 27 on scientific or historical research purposes or statistical purposes);
- Regulations in the social security codes, in particular in general for the processing of social data (section 67a et seq of German Social Code, Book X (SGB X)), in German Social Code, Book V (SGB V) for statutory health insurance (eg, section 284 et seq of SGB V) or in SGB XI for statutory long-term care insurance (eg, section 93 et seq of SGB XI);
- Infection Protection Act (eg, section 9);
- Transplantation Act (eg, section 13 et seq);
- Medical Devices Implementation Act (eg, section 29);
- Transfusion Act (eg, section 14); and
- Insurance Contract Act (eg, section 213).
In Germany, the federal states are primarily responsible for healthcare. There are therefore numerous regulations under state law that contain data protection provisions, for example:
- mental health laws (eg, section 84 et seq of the Berlin Law on Assistance and Protective Measures for Mental Illnesses);
- laws on the execution of measures (eg, article 34 of the Bavarian Measure Enforcement Act);
- hospital laws (section 24 paragraph 4 of the Berlin State Hospital Act);
- ecclesiastical law for hospitals under ecclesiastical sponsorship;
- cancer registry laws; and
- health service laws.
What basic requirements are placed on healthcare providers when it comes to data protection and privacy? Is there a regular need for qualified personnel?
In the German healthcare system, high data protection and privacy requirements are set in order to adequately protect patients' sensitive health data. These requirements are laid down in various laws and regulations, including the Federal Data Protection Act and the GDPR. Here are some of the basic requirements:
- Consent: the processing of health data usually requires the explicit, informed and voluntary consent of the data subject. This consent must be obtained in writing or electronically and can be revoked at any time.
- Data economy: only health data may be collected and processed that is necessary for the intended purpose. Unnecessary or superfluous information should be avoided.
- Purpose limitation: health data may be processed only for the purposes for which it is collected. Use for other purposes is permitted only in exceptional cases and under certain conditions.
- Data security: appropriate technical and organisational measures must be taken to ensure the security of health data. These include measures such as encryption, access controls and regular security checks.
- Commissioned processing: if service providers process personal data on behalf of a healthcare professional or facility (eg, IT service providers), they must conclude a commissioned processing contract that regulates data protection requirements.
- Data protection officer: in certain cases, service providers must appoint a data protection officer and notify the data protection authority.
- Data subjects' rights: patients have the right to information about their stored data, the right to rectification of inaccurate data, the right to deletion under certain conditions and the right to data portability.
- Data protection breach notification: in the event of data breaches that pose a risk to the rights and freedoms of data subjects, the breaches must be notified within 72 hours to the data protection authority and, where appropriate, to the data subjects.
- Data protection impact assessment: in certain cases, in particular where the processing of health data poses a high risk to the rights and freedoms of data subjects, a data protection impact assessment must be carried out.
- Supervisory authority: the data protection authority (in Germany, the Federal Commissioner for Data Protection and Freedom of Information and the data protection authorities of the federal states) monitors compliance with data protection regulations and can impose fines in the event of violations.
In the German healthcare system, data protection officers must be appointed in accordance with article 37(1) of the GDPR and section 38 of the Federal Data Protection Act. This applies to bodies that process personal data, provided that they usually employ at least 20 persons permanently with the automated processing of personal data. This includes hospitals, medical practices, pharmacies and other healthcare facilities. Larger practices and medical care centres require a data protection officer. This is mandatory if at least 20 people regularly process data automatically – for example, on a computer. In rare cases, smaller practices must also appoint a data protection officer, namely when a data protection impact assessment becomes necessary.
The task of the data protection officer can be taken on by a professionally qualified employee (not the practice owner) or an external data protection officer. The name and contact details of the data protection officer must be communicated to the State Data Protection Commissioner.
Regulatory guidance
Have the authorities issued specific guidance or rules for data protection and privacy in the healthcare sector?
The German authorities have issued specific guidelines and regulations for data protection and privacy in the healthcare sector. The most important legal foundations for data protection in the healthcare sector in Germany are the Federal Data Protection Act and the GDPR.
- GDPR: the GDPR is an EU-wide data protection regulation that also applies to the German healthcare system. It imposes strict requirements on the processing of personal data, including health data. Under the GDPR, healthcare institutions, such as hospitals and doctors' practices, must comply with data protection principles, appoint data protection officers and obtain patients' consent for the processing of their data.
- Patient Data Protection Act: the Act is a special law that regulates the protection of patient data in the healthcare sector. It implements some provisions of the GDPR and the Federal Data Protection Act and contains detailed regulations on the processing of health data.
- German Social Code, Book V (SGB V): section 284 of SGB V contains a regulation on data protection with regard to social data at the statutory health insurance funds. This regulation aims to balance, on the one hand, the need to collect and evaluate the data necessary for the provision of services and for the functioning of the health insurance system with, on the other hand, the need to prevent the creation of a 'transparent insured person' and of comprehensive health profiles through the unrestricted collection and consolidation of sensitive personal data.
- Professional regulations: for certain professions in the health sector, such as doctors and pharmacists, there are also professional regulations that govern data protection and the confidentiality of patient data.
Data protection authorities at both the state and federal levels are responsible for monitoring and enforcing these regulations. They can impose fines and other sanctions for violations of data protection rules. The protection of privacy and the secure handling of health data are high priorities in Germany, especially in the health sector where particularly sensitive personal information is processed.
Common infringements
What are the most common data protection and privacy infringements committed by healthcare providers?
In healthcare, many stakeholders encounter complex and multifaceted legal frameworks. The sharing of person-related data is severely restricted due to the sensitivity of this data and is subject not only to social and data protection law, but also to a considerable extent to professional law, as well as criminal law, and violations are sanctioned accordingly.
In the healthcare sector, the use of third-party service providers for commissioned processing is often problematic. In addition, data is not only subject to general data protection requirements, but is also frequently subject to professional confidentiality (medical confidentiality, etc). This leads not only to special requirements for particular products (eg, apps), but also for data processing by third parties. In particular, the disclosure of data to other professionals (physicians, etc), as well as the involvement of service providers, for example, in the context of data processing for invoicing purposes, but also for diagnostics (laboratories, etc), often causes difficulties. This also applies to Big Data applications. The processing of data without appropriate justification (consent, etc) is often problematic, as is the use of data for purposes not covered by the consent given.
Digital health services
Which authorities regulate the provision of digital health services and what is the applicable legislation? What basic requirements are placed on healthcare providers when it comes to digital health services?
In principle, the processing of person-related data is permitted only when justified. For sensitive health data, additional requirements apply on top of the general data protection requirements. These include, for example, organisational measures to protect health data, but also certain measures to safeguard user rights. In principle, the general data protection principles must be observed. These are lawfulness, fairness, transparency, purpose limitation, data minimisation, data accuracy, storage limitation and data security, the last being the data protection law principle of integrity and confidentiality.
With regard to the competent authorities, it is necessary to differentiate fundamentally between the regulatory framework under data protection law on the one hand, and the regulatory framework under reimbursement law on the other. In terms of data protection law, in addition to the GDPR and the corresponding federal laws, the provisions of state law must also be observed. This leads to a wide range of responsible actors and authorities. In terms of reimbursement law, the Federal Institute for Drugs and Medical Devices, on the one hand, and the National Association of Statutory Health Insurance Funds, on the other, should be mentioned here in particular – for example, when it comes to the reimbursement of digital health applications. In terms of data protection law, the data protection authorities of the individual states should be mentioned first and foremost, as well as the Federal Data Protection Commissioner and the commissioners in the individual states. In addition, the Federal Ministry of Health, the Federal Institute for Drugs and Medical Devices and the responsible supervisory authorities for the respective professionals (medical associations, etc) are also competent.