The legislative packages are intended to provide facilitated access to health data for, inter alia, patients, researchers and politicians. A similar project already exists at EU level.
It remains to be seen whether the political strategy will work, especially with regard to the prerequisite of a (new) interoperable IT infrastructure. The requirements for the protection of personal data requiring special protection, such as health data, are known to be high. This has an impact in particular on the technical and organizational measures to be taken. In this connection, companies should always consult specialists with the appropriate expertise when implementing new systems and structures, in order to use resources efficiently and avoid additional expenses caused by incorrect implementation of data protection requirements.
Why are policymakers striving for a digitalization strategy in healthcare?
The background to the proposed legislation is that patients do not yet have any regulated access to their health data (such as lab reports, X-rays, diagnoses). Furthermore, health data can only be collected, stored and (further) processed subject to the strict requirements of the GDPR and the BDSG (German Federal Data Protection Act). This poses a particular challenge for research or, as experience has shown, even creates the impression that health data cannot be used in a permissible manner at all.
What’s behind the Health Data Utilization Act?
According to the German Coalition Agreement, the Health Data Utilization Act’s declared objective is “to improve the scientific use of health data in line with the GDPR”. This is to be enabled by the establishment of a central data access and coordination office, which will provide access to research data from various sources (for example, cancer registries, health insurance companies).
By means of research pseudonyms, the various data sources are to be linked in order to move away from the previous “data silos”. Such cross-sectoral use of health data is intended to improve medical care for patients (primary use) and promote innovation, especially in the pharmaceutical industry (secondary use).
Access to health data: Complex implementation challenges
In technical terms, this requires health data to be structured and standardized in such a way that it is interoperable. The legislature has already created a legal framework for this: Art. 355 SGB V (German Social Code, Book V) with regard to the electronic patient file, and the Health IT Interoperability Governance Ordinance (Gesundheits-IT-Interoperabilitäts-Governance-Verordnung, GIGV), enacted on the basis of Art. 394a SGB V. Nevertheless, the practical implementation will probably pose very complex challenges for IT, affected companies in the healthcare sector, and physicians.
The Health Data Utilization Act is also intended to extend the lead data protection supervisory authority arrangement for cross-state research projects to all health data, with data protection supervision then performed only by a state data protection commissioner. In addition, the research industry is to be able to submit requests for data access to the German Health Data Lab (HDL) in the future. Accordingly, only the purpose of use and not the sender will be decisive for future data requests.
EU Regulation vs. Health Data Utilization Act
Finally, it remains to be seen to what extent the Health Data Utilization Act will already be compatible with the forthcoming regulation on the creation of a European Health Data Space (EHDS Regulation), which is currently being discussed by the European Council. The EHDS Regulation aims to establish a so-called European Health Data Space; consequently, there will in any case be many parallels with the Health Data Utilization Act.
Because EU law has primacy of application, the EU Regulation takes precedence over national regulations; it is therefore to be expected that the Health Data Utilization Act will be limited to the essentials. A challenge for both EU and national legislators in this regard will be the ECJ’s case law on data retention, because the planned retention of health data amounts to exactly that.
The Digital Act and the introduction of the electronic patient file
The Digital Act aims to establish an electronic patient record (“ePA”) for all people with statutory health insurance by the end of 2024. To accelerate its establishment, a so-called “opt-out” principle is to apply. This means that use of the ePA will in principle be voluntary, but anyone who does not expressly object to it will automatically receive an ePA.
The ePA is intended to provide patients with a complete overview of their health data that are stored with doctors and hospitals, i.e., an overview of doctor’s notes, treatment plans and medications. This should also enable medical service providers to access such data and therefore also use it for research purposes. It remains to be seen how this will be implemented in detail, taking into account the requirements of the GDPR.
In addition, the Digital Act is intended to make the e-prescription a binding standard in the provision of medicines by January 1, 2024. After the e-prescription was considered too complicated in its old version, it will now be possible to redeem it with both the health card and the ePA app for simplified use.
In light of this, physicians and healthcare companies are well advised to keep an eye on regulatory developments and adapt to the changes they bring.