The electronic patient record (ePA/elektronische Patientenakte) is scheduled for introduction on January 15, 2025. Its purpose is to function as a digital health folder for those with statutory health insurance. It stores health data such as doctor's letters, medical findings, medication plans, laboratory findings, X-rays and possibly self-entered documents. Officially, the use or non-use of the electronic patient record (ePA/elektronische Patientenakte) must have no negative impact on healthcare. However, there are considerable doubts about this promise.
An electronic patient file (ePA/elektronische Patientenakte) must be created for those with statutory health insurance, unless the person objects. Electronic data capture is therefore standard for those with statutory health insurance. The electronic patient file (ePA/elektronische Patientenakte) for those with statutory health insurance is therefore optional but not voluntary. This obligation does not apply to those with private health insurance. Private health insurers can offer this, but they are not obliged to do so. [1] [2] [3]
The medical documents stored in the electronic patient file (ePA/elektronischen Patientenakte) include among other things electronic medication plans, data for checking drug therapy safety, laboratory and image findings (X-rays, CT or MRI images), treatment findings, doctor's letters or discharge letters. In the future, the electronic medication plan, the e-vaccination pass, the e-dental bonus booklet, the electronic examination booklet for children and the e-maternity pass will also be stored. These are so-called medical information objects (MIO/medizinische Informationsobjekte). [4]
The electronic patient record (ePA/elektronische Patientenakte) is touted as being designed to facilitate the exchange of and access to medical documents between doctor's offices, pharmacies, clinics and patients. Its use is intended to, among other things, eliminate unnecessary duplicate examinations, make it easier to change doctors and shorten hospital stays. But this assumption ignores the fact that, particularly in medicine, a further examination or second opinion can be indispensable, so duplicate examinations cannot be dismissed as useless across the board. In addition, the electronic patient record (ePA/elektronische Patientenakte) is intended to enable so-called voluntary data donations for public welfare purposes.
Officially there should be no negative impact on healthcare whether or not one uses the electronic patient record (ePA/elektronische Patientenakte). But it is unclear how the above-mentioned incentives for the electronic patient record (ePA/elektronische Patientenakte) and this promise are compatible.
Access to the electronic patient file (ePA/elektronische Patientenakte) takes place using the health insurance company's special ePA app. Statutory health insurance companies are obliged to offer the electronic patient file (ePA/elektronische Patientenakte) and consequently they are also obliged to offer a corresponding ePA app. [1] [2] [3]
With the ePA app, health insurance holders should be able to access the contents of the electronic patient file (ePA/elektronische Patientenakte) at any time. Documents should be able to be viewed, inserted and deleted, and access rights should be able to be changed. Healthcare providers such as doctors are only allowed access if this is necessary for treatment. The service providers should also only have access for a limited time: doctors and hospitals 90 days, pharmacies 3 days. However, it is unclear how copying of the data during that window is to be prevented. [1] [2] [3]
The electronic patient record (ePA/elektronische Patientenakte) inevitably requires a stable technical infrastructure. Health insurance holders need a suitable device. The health insurance companies' ePA apps must go through the gematik approval process and run on a gematik-approved telematics infrastructure (TI/Telematikinfrastruktur). [1] [2] [3]
Only statutory health insurance companies are obliged to offer an ePA app. In addition to an appropriate operating system, health insurance holders need a card reader with security class 2 or higher and their own keyboard. Health insurance holders without an ePA app can only use the electronic patient file (ePA/elektronische Patientenakte) passively and cannot make any changes. [4] [5] [6]
Src:[1] Elektronische Patientenakte (ePA): Digitale Gesundheitsakte für alle kommt 2024-07-01
[2] Sozialgesetzbuch (SGB) Fünftes Buch (V) - § 291
[3] Sozialgesetzbuch (SGB) Fünftes Buch (V) - § 291a
[4] Medizinische Informationsobjekte
[5] ePA aktuell
[6] Die Telematikinfrastruktur
Gematik GmbH (Gesellschaft für Telematikanwendungen der Gesundheitskarte mbH) was originally an association of German statutory health insurance companies. It was founded to support the electronic health card (elektronische Gesundheitskarte/eGK) and its infrastructure in Germany.
In 2013 the contract to set up and operate the central telematics infrastructure (TI/Telematikinfrastruktur) went to arvato Systems, a company in the Bertelsmann Group. This contract has now been extended until 2027. And in 2019 the Federal Ministry of Health under Health Minister Jens Spahn (CDU) took over 51% of Gematik's shares for €510,000. The National Association of Statutory Health Insurance Funds (GKV/Spitzenverband Bund der Krankenkassen) accused the Federal Ministry of Health of creating a subordinate agency that is financed by the contributions of those with statutory health insurance. [2] [3] [4]
But the subsequent replacement of the management is explosive. Just a few days after taking over the majority, the Federal Ministry of Health under Health Minister Spahn (CDU) made Markus Leyck Dieken head of Gematik. Spahn (CDU) bought an apartment from Dieken for 980,000 Euros. And the same apartment was for sale in 2021 for 1,585,000 Euros. [5] [6]
The digital infrastructure with which the healthcare providers and recipients are connected is called the telematics infrastructure (TI/Telematikinfrastruktur). According to the law Gematik is responsible for this telematics infrastructure (TI/Telematikinfrastruktur). Access to the electronic patient file (ePA/elektronische Patientenakte) is provided via the telematics infrastructure. Gematik designs the technical requirements for this and approves products and services in the digital economy. All ePA apps must pass the Gematik approval process. So far the companies Compu Group Medical, RISE, x-tention GmbH and IBM have been approved as providers of ePA file systems. [1]
However, there is a suspicion that this is less about better health promotion than about medical data flows and business models. The EU has initiated the European Health Data Space (EHDS). Its aim is to link the health systems of the member states more closely with one another through the exchange of health data. Here too, the bundling of health data is intended to improve health systems. In this way, access by service providers, and consequently their range of services, gets expanded. [7]
Src:[1] Elektronische Patientenakte (ePA): Digitale Gesundheitsakte für alle kommt 2024-07-01
[2] Zulassungs- und Bestätigungsübersichten
[3] Arvato Systems bleibt IT-Partner der gematik
[4] BMG zahlt 510.000 Euro für gematik-Anteile 2019-06-06
[5] Spahns Mann fürs Digitale: Leyck Dieken wird neuer Gematik-Chef 2019-06-17
[6] Spahn-Wohnung stand für über 1,5 Millionen Euro zum Verkauf 2021-01-15
[7] Europäischer Gesundheitsdatenraum schnell erklärt
As a result of the Corona pandemic the perception and public discourse about health measures changed. The willingness to provide information about one's own health and to accept measures has increased significantly.
Measures to provide information about one's own health are presented as a solution or at least as an aid to maintaining health. The Corona vaccination certificate that was introduced was in fact a necessity for many people and many things. This created the conditions for widespread distribution. But the RKI files show that the vaccination certificate is intended to enable the recording of vaccination effects and long-term side effects.
- The vaccination certificate should enable the recording of vaccination effects, long-term side effects, etc., and should not be the basis for categories and privileges.
- WHO does not support the certificates: lack of data, no protection against forgery, ethical reasons (discrimination). [1, Ergebnisprotokoll 05.03.2021, P.7]
According to the Federal Commissioner for Data Protection and Freedom of Information, the design of the electronic patient file (ePA/elektronische Patientenakte) violates the General Data Protection Regulation (GDPR). On the one hand health insurance holders who do not have their own suitable device or do not want to use it have only limited access to their electronic patient file (ePA/elektronische Patientenakte). The sovereignty of these health insurance holders over their data is restricted because they cannot determine who can see which of their data. In addition these health insurance holders do not have direct access to their own electronic patient file (ePA/elektronische Patientenakte) which they have to maintain themselves. Due to this disadvantage of these health insurance holders a two-class society was created with the electronic patient file (ePA/elektronische Patientenakte). [2] [3]
The potential damage is proportional to the amount of data stored. And the danger is misuse and theft. In fact there are clear examples of unauthorized access to stored data.
In Finland an attack on the psychotherapy data system took place in March 2019. Confidential notes from psychotherapy sessions of tens of thousands of patients were stolen. As a result, patients have reported being blackmailed directly by the hackers via e-mail. [4]
In Ireland an attack on the local health data system took place in May 2021. The IT infrastructure was disrupted and the health data was encrypted by the attackers. As a result access to the health data was initially lost and up to 80% of patient appointments were canceled. The restoration of the health data and the IT infrastructure took about four months and cost at least 500 million Euros. After the extortion attempt failed the attackers published 700 GB of unencrypted health data. [5] [6] [7] [8]
In November 2022 an attack took place on the IT infrastructure of a local health insurance company in Australia. The attackers blackmailed the insurance company with the stolen data. After this blackmail failed unencrypted health data of 9.7 million insured people was published. This included names, dates of birth, addresses, passport numbers and information on medical findings and therapies of those affected. [9]
And in December 2024, before the mandatory introduction, the Chaos Computer Club (CCC) explicitly warned against the electronic patient record (ePA). According to the Chaos Computer Club (CCC), criminals can gain access to the sensitive data comparatively easily. [10] [11]
Src:[1] RKI Files
[2] Die elektronische Patientenakte
[3] Art. 18 DSGVO - Recht auf Einschränkung der Verarbeitung
[4] Vertrauliche Psychotherapiedaten in Finnland gehackt 2020-10-27
[5] Irish health cyber-attack could have been even worse, report says 2021-12-10
[6] Cyber-attack on Irish health service 'catastrophic' 2021-05-21
[7] HHS to providers: Learn from mistakes made in cyberattack that shut down Ireland health system 2022-02-04
[8] Ireland HSE Cyberattack is a Cautionary Tale For US Healthcare Orgs 2022-02-07
[9] Cyberangriff auf Krankenversicherung - Patientendaten im Darknet gelandet 2020-11-11
[10] CCC fordert Ende der ePA-Experimente am lebenden Bürger 2024-12-27
[11] Leichter Zugriff für Kriminelle? - Chaos Computer Club warnt vor unsicherer EPA 2024-12-30
Options for Action
An electronic patient file (ePA/elektronische Patientenakte) is provided for those with statutory health insurance anyway but not for those with private health insurance. In addition private health insurers are not obliged to offer their health insurance customers an electronic patient file (ePA/elektronische Patientenakte). Private health insurance customers can therefore receive an electronic patient file (ePA) under certain circumstances. On the other hand those with statutory health insurance can object to the electronic patient file (ePA/elektronische Patientenakte) in any case. [1]
Statutory health insurance companies are obliged to inform their insured persons in due time about the provision of the electronic patient record (ePA/elektronische Patientenakte). Statutory health insurance holders should be able to object fully and partially before and after the introduction. A partial objection should be able to prevent, for example, the uploading of documents in certain treatment situations, the storage of health insurance data or the forwarding of data from the ePA for research purposes in the public interest. Such restrictions should be able to be withdrawn at any time. [1]
Assuming that an objection to the electronic patient record (ePA/elektronische Patientenakte) is legally equivalent to a termination, this must be done in writing and with a handwritten signature. According to Section 126 of the German Civil Code (BGB) a termination requires the written form and a signature or a notarized signature. [2]
Src:[1] Elektronische Patientenakte (ePA): Digitale Gesundheitsakte für alle kommt 2024-07-01
[2] Bürgerliches Gesetzbuch (BGB) - § 126 Schriftform