The EU is gearing up for massive reform concerning the use and accessibility of health data, and Germany is taking note. Recently, Germany proposed several pieces of draft legislation focusing on the use of health data. The Health Data Use Act (Gesundheitsdatennutzungsgesetz, GDNG), the Digital Act, and a Law to Promote the Quality of Inpatient Care through Transparency (Hospital Transparency Act) are just a few of the newest pieces of proposed legislation designed to improve the use and accessibility of health data for German citizens. This move by the German Federal Ministry of Health is part of an EU-wide reform effort under the European Commission’s (“Commission”) European Health Data Space (EHDS).
Germany’s new legislation is designed to align with EHDS principles, and these laws impact not only healthcare providers and hospitals in Germany but also companies that collect the health data of German residents. Below are the main takeaways of these proposed laws and what U.S. companies can expect moving forward.
What is the EHDS and Why is it Relevant to Germany’s New Law?
Before understanding Germany’s proposed legislation, it is vital to understand what the EHDS framework is and how Germany’s proposed laws align with the EHDS.
Background. Similar to what HIPAA was intended for in the United States, the EHDS aims to make health data more accessible. Alongside the GDPR (the EU’s comprehensive data protection legislation governing the use of personal data), the EHDS specifically focuses on (i) empowering individuals to take control of their own health data; (ii) providing support for the use of health data for better healthcare delivery, research, innovation and policy making; and (iii) enabling the EU to benefit from the safe and secure exchange, use and reuse of health data.
Following the COVID-19 pandemic, the Commission announced the launch of the EHDS in May 2022. The pandemic exacerbated the demand for the EHDS by highlighting the urgent need for available and up-to-date health data through digital tools/platforms to make informed public health decisions. According to the Commission, at the height of the pandemic, few European Member States could send health data across borders and very few can now. Additionally, some Member States still heavily rely on health data in paper form. To eliminate this antiquated way of maintaining and transferring health data, the EHDS is a health-specific data-sharing framework that establishes clear rules, common standards and practices, infrastructures, and a governance framework for the use of electronic health data by patients and for research, innovation, policy making, patient safety, statistics, or regulatory purposes.
Health Data Defined. Health Data is defined in Article 4(15) of the GDPR and means “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”
EHDS Governance. In addition to creating standards for health data usage and portability, the EHDS will reinforce health data governance at the national and EU level. This framework will regulate not only primary uses of health data (e.g., using data for treatment of patients) but also secondary uses (e.g., the re-use of aggregated health data by researchers, policymakers, and innovators).
To govern appropriate uses of health data, a new EHDS Board will be created, composed of the representatives of digital health authorities and new health data access bodies from all the Member States, the Commission, and observers. This Board will contribute to a consistent application of the rules throughout the EU, including by advising the Commission while cooperating with other EU bodies and stakeholders such as patient organizations.
Transfers of Health Data under the EHDS. Member States are also required to cooperate at the EU level on two cross-border digital infrastructures to enable data sharing (one infrastructure for primary uses of health data and another one for secondary uses of health data).
What are the Takeaways for the Draft German Legislation Concerning Health Data?
The Digital Act
- Overview: The German Federal Minister of Health, Prof. Karl Lauterbach, acknowledged that Germany’s healthcare system was decades behind in terms of digitization. This legislation seeks to digitize health records as part of Germany’s overall digitization strategy in the healthcare sector to improve treatment. The legislative proposal includes the following initiatives:
  - Transitioning to electronic patient records for all those with statutory health insurance by the end of 2024;
  - Transitioning to e-prescriptions to supply medicines by January 1, 2024;
  - Creating an automated system for e-prescriptions;
  - Creating infrastructure to support assisted telemedicine in pharmacies and health kiosks; and
  - Developing The Society for Telematics (gematik GmbH) into a digital agency under the full sponsorship of the federal government and strengthening the society’s ability to enforce the Act.
- Applicability: Pharmacies, treatment facilities, and insurers that maintain healthcare records.
- Effective Date: The Digital Act is part of a larger digitization strategy linked above (in German only), but relevant portions of the Act appear to take effect at various points in 2024.
Health Data Use Act (Gesundheitsdatennutzungsgesetz, GDNG)
- Overview: The GDNG’s core purpose is to facilitate the use of health data for public welfare purposes. This law is designed to prepare German data-holding bodies for compliance with the EHDS. Among other things, the GDNG will create a decentralized health data infrastructure with a central data access and coordination point for the use of health data. Along with central data access, the new law has several aims, which include:
  - Decentralizing health data to make it easier to find and reduce access hurdles for data users;
  - Making billing data available for research purposes;
  - Facilitating the linking of health data;
  - Simplifying the procedures for coordinating with supervisory authorities while also strengthening health data protections;
  - Making electronic patient records (ePA) available for research; and
  - Allowing statutory health and nursing care funds to use data to improve the quality of care.
- Applicability: “Data-holding bodies.” This is a very broad term that encompasses virtually any company that maintains “health data” (which has the same meaning as under the GDPR).
- Effective Date: January 1, 2024
Hospital Transparency Act
- Overview: The German Federal government is also prioritizing hospital reform. The Hospital Transparency Act is the basis for the planned publication of structural and performance data of hospitals in Germany. Under this law, patients will be able to see which hospitals in their area offer which services and how the hospital performs in terms of quality as well as medical and nursing staffing – referred to as a transparency directory. This transparency directory will be published by the Federal Ministry of Health starting in 2024. To this end, hospitals will be required to submit documentation to the Institute for the Remuneration System in Hospitals (InEK) that includes the following information:
  - assignment of services to service groups;
  - location reference for diagnoses and procedures; and
  - data on nursing staff and data on medical staff.
- The InEK is then obligated to submit the data and evaluations sent by the hospitals to the Institute for Quality Assurance and Transparency in Health Care (IQTIG). The IQTIG then evaluates this data together with the quality data available to it and submits the evaluations to the Federal Ministry of Health for publication.
- Applicability: Hospitals and specialist clinics and providers
- Effective Date: January 1, 2024
Understanding both the EU and specific EU Member State requirements for health data is important as the EHDS and other health data frameworks take shape. As a reminder, the German laws discussed above are only proposed laws and are not in effect at the time of this posting. Looking ahead, companies collecting or processing health data of EU residents should learn about the EHDS. We anticipate that, as with the GDPR, companies that meet the requirements outlined in the EHDS will likely meet the requirements of Member State-specific laws. Next, companies should identify the specific EU Member State(s) where their data subjects (i.e., the individuals whose health data the company is collecting and processing) reside and monitor for legislative updates in those countries.
We will continue to monitor EHDS updates and guidance on health data laws in other European Member States. For more information on data privacy and security regulations or other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy & Data Security Mobile Application.