Electronic patient records: Concerns remain about data security and initial goals

Lifelong electronic patient records (ePA) for all people with statutory health insurance is considered a milestone in the digitalization of the health care system and is seen as a ray of hope for more efficient care. All medical information should be centrally and legibly available to everyone involved in the treatment process. Health Minister Carl Lauterbach’s plan is ambitious, the testing phase is very short and there are still unanswered questions, including the safety concept and overall responsibility.

Advertisement

To clarify this, the Federal Health Ministry launched an information campaign 100 days before the planned start. In doing so, Health Minister Karl Lauterbach wants to “prevent biases and fake news from arising (…). So far, most people trust the electronic patient file as improving their treatment, some are skeptical. We are confident that we can convince even the skeptics.” Lauterbach said in late September. Although he is According to TI Atlas A word to 49 percent of those surveyed, yet most don’t know much about electronic patient records.

However, two months before the start in the test fields, many are no longer confident that the ambitious program can be sustained. BMG itself now lists a March date on its website – possibly due to technical difficulties that arose during the implementation of the complex specifications. “Following an information phase for insureds from October 2024, the EPA will begin for all on January 15, 2025. It will initially be implemented in two model areas for four to six weeks from the beginning of March 2025 and will be available to everyone throughout Germany,” it says there.

Critics had already expressed that the program was hard to meet the expectations of those involved and raised concerns that an incomplete product could lead to disappointment for everyone involved. Erztblatt recently reportedThat for months it will not be possible to upload image files to EPA in JPG and PNG formats as usual. Due to security concerns, these must be converted to PDF/A documents before uploading. Health insurance companies do this for insured individuals, as do some primary system manufacturers. There is currently no mention of images in DICOM format like X-ray in EPA’s plans.

What control do insured people have over their data?

Although all data automatically flows into ePA 3.0, insured persons retain a certain amount of control: they can hide documents and deny access to individual doctors or institutions.

Insured people who have not registered for EPA – i.e. do not use their health insurance company’s app – can make changes to EPA settings using the health insurance company’s ombudsman offices, for example restricting access Or uploading documents. At the request of the insured, health insurance companies must upload a maximum of 20 documents to the EPA over two years.

By default, all treating physicians have access to EPA to optimize drug therapies, prevent duplicate exams, and billing fraud. When it comes to sensitive information like miscarriage, doctors should be consulted before documenting it. Critics see a danger of misunderstandings here and fear an increased burden of explanation for doctors, as health insurance information at the EPA is considered partly inaccurate and not easy to understand – some even to the point of loss of confidentiality. Are doing. With the current EPA, it is possible to deny access to all doctors without completely denying them access to the document.

In addition to the plan to use the EPA to make all data centrally available to those involved in treatments, there is also a goal of making more data available to pharmaceutical companies and research. The Health Data Use Act and the Medical Research Act pave the way for this. Another promise is to give insured individuals more control over their data. However, through the opt-out system, insured persons must actively prevent all treating doctors from accessing their data and can also refuse to set billing data and specifically hide documents.

All billing data should be automatically added to EPA

“You can finely control access to your medical data and release the data only to those who want it. This fine-grained control is not possible with billing data. Therefore, you can only be reasonably assured Each treated person sees only what they want so that billing data is not included in the EPA,” explains attorney Jan Kuhlmann, who, among other things, worked as an IT developer for a health insurance company. Served as and is co-chairman of “.Patient Rights and Data Protection eV” Is.

“According to EPA version 3.0, billing data is established by health insurance companies using the opt-out principle. If the insured does not object, this happens automatically,” explains Zematic upon request. Accordingly, it is intended that “billing data set in the EPA will be visible to authorized service providers in the specific treatment and to the extent necessary, provided that the setting of the billing data is not objected to.” With Article 25B created into the Health Data Use Act, health insurance companies should also be able to warn about interactions with medications, for example, based on billing data.

Research data extraction from mid-2025

From mid-2025, it is planned to automatically transfer data from the electronic patient file to the health research data centre. Billing data from health insurance companies is already stored there. With the Health Data Use Act the storage period was increased to 100 years. It was based on the average lifespan of a person in Germany. Many effects would only be detected many years later, which is why previous limits were so narrow. The reason for collecting data is not just for research, the data should also be used for political purposes and to train AI. BMG has no concerns about the Constitutional Court, as was made clear in a data protection event at the beginning of the year.

Data protection advocates criticize opt-outs

According to representatives of BMG, the change for all insured persons to automatically receive an EPA is an adaptation to the needs of the population. This means that no one will have to register with the EPA. About 1.6 million people have already done so – with the help of the new electronic ID card, this should work quickly for most health insurance companies. The EPA is facing a lot of criticism from data protection experts for changing the opt-out variant.

Recently, the Federal Commissioner for Data Protection and Freedom of Information, Professor Luisa Specht-Riemenschneider, also criticized the fact that no details about the information campaign about the EPA were specified. It is unclear when and how insured individuals will be notified of the changes to the EPA. Some health insurance companies are only now beginning to inform their insured persons – as a rule, not all six options for objection (against the EPA, against the drug list, against billing data, posting of documents by the physician Against, against) posting of billing data, against use of data for research purposes).

This poses challenges not only for the practice of doctors, but also for hospitals, which have to upload documents to the telematics infrastructure and inform their patients in detail about them – unless this is done by health insurance companies. has not been done adequately. Spect-Riemschneider wanted their autumn stage Additionally, insured individuals are better informed before data from EPA is sent to the Health Research Data Center. The opportunity to lodge an objection should also be limited – this is not yet the case with all health insurance companies.

Measures in case of IT disruption or cyber attacks

Asked what happens in the event of cyber attacks, Zematic said: “EPA’s modern security architecture for all fundamentally enables the highest level of security protection. (…) In the event of a security incident The relevant security authorities and all other parties involved are immediately informed; the procedures and measures planned for such a case may vary depending on the specific situation and threat scenario. Details are not public. A recently published security report by Fraunhofer SIT – which was created using “Gematic-GPT” due to the complexity of the specifications – raises doubts about the security concept of the electronic patient file.

“The hidden image of diffusion of responsibility” also in the health care system.

The whole process seems opaque as relevant information is rarely taken into account and there is no central responsibility – as was already noticeable when e-prescription was launched. “As with e-prescription at the beginning, a hidden picture of diffusion of responsibility is emerging again. It does not help to give Zematic more responsibility, because that would not change anything about the highly complex system. Also , Zematic was given NIS2 “The implementing act clearly excludes this. This means it is not responsible in the event of a cyber incident or serious IT disruptions affecting supplies and does not report such an incident as critical to BSI,” says Manuel Atug, founder of the independent AG Critis and Spokesperson.

(Mac)