Current legislation – The German Patient Data Protection Act (PDSG)

Cologne, 21.09.2020

In parallel to the special tasks of combating the pandemic, the German Federal Ministry of Health headed by Federal Health Minister Jens Spahn has also devoted itself this year to the development of legislation. The focus was on the organization of the digitalization of medical and nursing care in Germany. On 3 July 2020, the Bundestag adopted the Federal Government's draft of the Patient Data Protection Act (PDSG) in its third reading. After the Bundesrat had also approved the law on 18 September 2020, it is to enter into force shortly. The PDSG not only concerns data protection issues but also provides for comprehensive new regulations in the area of Telematik infrastructure and its applications. The following is intended to provide an overview of some interesting topics.

I. Electronic prescriptions

A very important issue for health care practice is how doctors prescribe health care services at the expense of the statutory health insurance funds. In the future, the current prescription forms for remedies are to be gradually replaced by electronic prescriptions. The PDSG provides in a new § 360 (2) SGB V that such e-prescriptions in statutory health care must be used for the prescription of prescription drugs from 01.01.2022 onwards.

In future, doctors will have to create the electronic prescription in their practice management system, sign it electronically and store it in the Telematik infrastructure. Patients will then be able to call up the e-prescription information on their smartphone using an app and assign it to a pharmacy of their choice. Alternatively, the access data for the e-prescription can also be displayed on the smartphone as a 2D code. This enables pharmacies to retrieve the e-prescription in the specialist Telematik application and enter it in the pharmacy management system in order to redeem the prescription. As an alternative to this, the PDSG provides in a new § 360 (2) SGB V that insured persons can also choose to have the access data for retrieving the prescription provided to them by the doctor as a printout on paper. The insured persons can present the printout to the pharmacy of their choice to retrieve the e-prescription. Although the actual prescription is transmitted digitally from the doctor to the pharmacy as an e-prescription without media discontinuity, the insured persons still have the option of handling their "prescription" in paper form as usual.

For the prescription of all other pharmaceutical products sold in pharmacies, including narcotics, as well as other services that can be prescribed by statutory medical practitioners, the e-prescription will be used in the future as soon as the necessary services and components are available throughout the country. Other providers of medically prescribed services, e.g. in the field of medical aids, will also be given access to the prescriptions in electronic form according to a new § 361 (1) No. 5 SGB V.

In the view of the German Federal Government, competitive advantages of pharmacies over other service providers such as medical supply stores, which are not yet connected to the Telematik infrastructure, cannot arise from the introduction of the e-prescription, because the electronic prescription is initially limited to pharmacy-only medicines and the electronic prescription of aids is only to be introduced gradually. 

II. Ban on prescription brokerage

Also included in the PDSG is the implementation of a ban on prescription brokerage. Amendments to §§ 31 and 33 SGB V further concretize the fundamental prohibition of allocation and influence in the statutory health insurance system. According to these amendments, SHI-accredited physicians and health insurance funds may neither influence the insured persons to redeem prescriptions at a certain pharmacy or other service provider, nor directly or indirectly assign prescriptions to certain pharmacies or other service providers, unless otherwise provided for by law or unless a recommendation is required in individual cases for medical reasons. This also applies to the use of electronic prescriptions.
The ban on unlawful agreements between pharmacists and healthcare professionals in § 11(1) of the Apothekengesetz (German Pharmacy Act) concerning the preferential supply of certain medicines, the supply of patients, the allocation of prescriptions or the manufacture of medicines without full details of their composition is also extended to all third parties and mail-order pharmacies in other European countries, provided that they supply patients in Germany. In particular, under a new § 11(1a) of the Apothekengesetz, third parties will now be expressly prohibited from collecting prescriptions, including in electronic form, from mediating or passing them on to pharmacies and in return demanding, accepting or granting an advantage for themselves or others.

III. Electronic patient record

A central application of the Telematik infrastructure will be the electronic health record (ePA). The PDSG redefines its future legal basis in §§ 342 ff. SGB V. In order to clearly emphasize the voluntary nature of the use of the ePA and to emphasize patient sovereignty, § 342 (1) SGB V will stipulate that from 01.01.2021 the ePA will only be made available to insured persons by the health insurance funds upon request and with their consent. In a first implementation stage (01.01.2021 to 31.12.2021), the ePA is to enable, among other things, that medical information on the insured can be stored and made available by service providers and health data provided by the insured themselves.

In a second stage of implementation (01.01.2022 to 31.12.2022), insured persons will be allowed to technically authorize or restrict access by service providers to specific documents and data sets or entire groups of documents and data sets stored in the ePA in advance. This "fine-granular authorization management" is supposed to be possible with a user interface via mobile devices such as smartphones or tablets. According to a new § 338 SGB V, the health insurance funds will provide technical infrastructure for the use of the user interface for insured persons without suitable terminals.

For insured persons who do not want to use this user interface, a "medium granular authorization management" is planned, in which a restriction to categories of documents and data records, in particular medical specialty categories, will be possible. To this end, the insured persons are to use their electronic health card and PIN entry to carry out access management with the service providers, using the practice management systems or user interfaces of the service providers.

IV. Integration of further institutions to the Telematik infrastructure

For the further expansion of the Telematik infrastructure, the PDSG provides for new regulations on the issue of electronic health professional and professional cards and components for the authentication of service provider institutions in a new version of § 340 SGB V. In future, the gematik will be able to issue the components required for authentication as service provider institutions for connection to the Telematik for service provider groups and institutions not yet covered. The gematik will also be able to issue electronic health and professional cards to service providers for which the federal states are not responsible, e.g. for service providers from other European countries. This means that in future there will also be regulations governing access to the Telematik infrastructure by private doctors, institutions involved in Bundeswehr health care and pharmacies from other Member States of the European Union.

V. Data protection

For the processing of personal data with the coming specialist applications, the PDSG provides clarifications on data protection responsibility. To this end, the Telematik infrastructure is broken down into decentralized infrastructure, central infrastructure and application infrastructure in a new § 306 (2) SGB V. In future, § 307 SGB V will clarify who is responsible for data protection in which organizational area. According to § 307 (1) SGB V, the service providers are responsible if they use components of their decentralized infrastructure for authentication and secure transmission of data to the central infrastructure if they are involved in deciding on means of the data processing. This also expressly applies to the proper commissioning, maintenance and use of the components. The service providers who have to use certain services, applications and components of the Telematik in order to process e-prescriptions or access the electronic patient record must therefore also take suitable and appropriate technical and organizational measures in this respect where necessary. The justification for the legislation draft mentions, for example, the securing of Telematik connectors against unauthorized access and the use of appropriate state-of-the-art encryption standards.

The importance of compliance with data protection regulations is shown by the recent imposition of a fine of 1.24 million euros on the AOK Baden-Württemberg by the State Commissioner for Data Protection and Freedom of Information of the State of Baden-Württemberg, in accordance with the provisions of the Basic Data Protection Regulation. In this case, participants in raffles were contacted for the purpose of recruiting members without their consent. Social or health data of the insured persons were not affected.

In determining the fine, a mitigating factor was that the health insurance company cooperated with the data protection authority and quickly took appropriate measures to adapt its internal organization. In addition to the size and economic power of the health insurance company, particular account was also taken of the fact that the AOK has the statutory task of maintaining, restoring or improving the health of the insured persons. This task was not to be endangered in view of the corona pandemic.

VI. Summary

The new regulations of the Patient Data Protection Act show that the Federal Ministry of Health and the Federal Government are still willing to actively steer the digitalization of medical care in Germany. If the legislative requirements are implemented and digitization is actively and innovatively co-designed by service providers and cost units, an improvement in care can also be achieved. We will gladly advise you on all questions of digitization of the German health care system.

GÖRG Newsletter

We inform you about current legal developments in the areas relevant to you.

Subscribe to our Newsletter