All You Need to Know About Germany’s Patient Data Protection Act
On 3 July 2020, Germany’s Federal Parliament, the Bundestag, passed the Patient Data Protection Act or Patientendaten-Schutz-Gesetz (PDSG). It entered into force less than four months later, on 20 October 2020.
The PDSG is part of a push for the digitalization of the German healthcare system. It introduces a number of innovative digital applications and requirements for the protection of patient information stored in an electronic format.
The PDSG applies to all healthcare institutions, including hospitals, doctors, health insurance providers, and pharmacies using services, applications and components of the German healthcare system’s telematics infrastructure to process patient information. The size of an organization does not matter.
A shift towards electronic patient files
Under the new law, starting in 2021, health insurance providers are obligated to offer clients electronic patient files or elektronische Patientenakte (ePA). From 2022, ePAs will also include sensitive information that has only been documented in hardcopy until now, such as maternity logs, pediatric health records and vaccination cards. Patients will have the power to decide what is stored on their ePAs and who will have access to them.
From 2023 onwards, patients will be able to voluntarily make data on their ePAs available to researchers as part of a data donation. Patients will need to give their informed consent for it, but it will be possible for them to do so digitally. Data donations will be restricted to certain research purposes, such as for improving the quality of healthcare. Patients will also be able to choose the scope of their data donation and limit access to certain information.
The introduction of e-prescriptions
The PDSG will also digitize a number of documents that have so far been provided only in hardcopy. The most notable of these are prescriptions, which will now be generated electronically and added to the German digital healthcare system’s telematics infrastructure, which supports data communication between all stakeholders, including patients and healthcare providers.
Doctors will now have to create electronic prescriptions in their practice management system, sign them electronically and add them to the telematics system. Patients will be able to access the e-prescription from their phone using an app and assign it to a pharmacy of their choice. Pharmacies will then be able to retrieve the e-prescription from the telematics system and enter it into the pharmacy management system to redeem the prescription.
Patients can still choose to receive a paper prescription from their doctor and redeem it at their pharmacy of choice. However, it will still be registered in the telematics system and retrieved digitally by the pharmacy using the information provided in the paper prescription. Essentially, paper prescriptions will become printouts of e-prescriptions.
Referrals to specialists are also digitized under the PDSG. Until now, referrals were issued in writing, which meant a visit to the doctor’s office to collect them. Patients will now be able to receive referrals from doctors to medical specialists in digital format.
Data Protection under PDSG
As of 1 January 2022, all healthcare institutions, regardless of their size, will be required to take precautions to prevent any risks to the availability, integrity and confidentiality of patient data they process in the telematics system. They will also be required to secure their technology systems, components, and processes crucial to protecting patient information and the functionality of a hospital’s network.
As repositories of access points to the telematics infrastructure, healthcare institutions’ computer systems must be protected from both malicious outsiders and careless insiders. This means not only applying basic cybersecurity measures such as firewalls, antivirus software and strong password policies, but also ensuring that sensitive data is not stored locally when there is no need for it, and is not transferred via unauthorized channels such as email, file sharing or cloud services.
The Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI), Germany’s Federal Commissioner for Data Protection and Freedom of Information, has also warned health insurance providers falling under his jurisdiction that PDSG compliance will not exempt them from the need to comply with the General Data Protection Regulation (GDPR). The BfDI will ensure that German data subjects continue to benefit from the rights granted to them under the GDPR when it comes to their health records.
The PDSG marks a milestone in the digitalization of the healthcare system in Germany. It also means a vast amount of highly sensitive data will be made available in an electronic format for the first time and will likely attract the attention of malicious outsiders and tempt insiders to exfiltrate data. Healthcare institutions will need to face the challenges posed by this large-scale digitalization and be prepared to protect patient information as it goes virtual.