Electronic patient file (ePA) - in accordance with the Digital Act (DigiG)

The Digital Act (DigiG) came into force in March 2024. It contains numerous new regulations relating to digitalization in the healthcare sector. This article highlights some of the innovations in connection with the electronic patient file (ePA).

1. (Still) current status of the ePA

The ePA is currently designed as an opt-in model. This means that patients can only access the ePA if they expressly request it.

Access by service providers (especially doctors) is structured in a similar way: The patient must actively grant access rights. However, there are sometimes considerable technical restrictions with regard to the granularity of usage rights. There is also considerable legal controversy as to whether more granular rights management should be possible. On the other hand, it is being discussed whether this could lead to liability risks (see below).

The ePA is also currently only filled at the patient's request. For example, a patient must make a corresponding request to their doctor, and the doctor must then enter the relevant documents, which must relate to the treatment, in the ePA. The data format is currently largely unstructured. This is why it is sometimes referred to somewhat disparagingly as a "PDF repository".

2. New: Opt-out ePA in accordance with the DigiG

The DigiG transforms the previous opt-in ePA into an opt-out ePA. This will apply from 15.01.2025.

From this date, the electronic health record will automatically be made available to all those with statutory health insurance.

However, there is the option to object (opt-out). Insured persons therefore have the right to object to the creation and storage of data in the ePA. The objection period is six weeks from being informed by their respective health insurance fund. After the six-week period has expired, the ePA can be deleted at any time.

3. Prioritized use cases

In order to speed up the introduction of the electronic health record and make it a success, some so-called "use cases" will be singled out and implemented as a priority. Specifically, this is the "digitally supported medication process" for the launch on 15.01.2025. As soon as the technical requirements are in place, other use cases will be added, in particular the electronic patient summary file (ePKA), laboratory data and laboratory findings as well as declarations on organ and tissue donations.

Data relating to these use cases must be transmitted to the ePA by the service providers (e.g. doctors) unless the patient objects on site. The Federal Ministry of Health (BMG) will define the details and deadlines in a statutory order.

As part of the "digitally supported medication process" presented above as an initial prioritized use case, it is planned that data will be stored in a structured and standardized data format in the ePA. Service providers are obliged to enter the relevant data (unless the patient objects). The patient's right to object is limited to the extent that it can only relate to the entire use case. An all-or-nothing principle therefore applies in relation to the use case. This applies accordingly to any deletion. The aim is to ensure that the data is consistent and complete (or missing in the event of an objection). This prevents incorrect assumptions by service providers due to unrecognized gaps in the ePA data.

4. Access management

One of the points that has certainly been discussed the most in the context of the current reform is the design of access management to the ePA. Comprehensive access authorizations to the ePA in its upcoming form in accordance with the DigiG will automatically be granted to numerous service providers. With regard to doctors, for example, this applies automatically if they are involved in the patient's treatment. This presupposes a temporal connection with the respective treatment. Partially deviating and more detailed regulations can be found in the DigiG or in the SGB V reformed by the DigiG with regard to the different cases of application. However, the doctors' right of access only exists legally insofar as it is necessary for the patient's care.

The patient also has the right to object to the access options. This right of access can be set at the level of the service provider (e.g. a specific doctor), at the level of a use case, or as a combination of the two criteria. A more granular way of defining access rights is not envisaged (see "Shadowing" below).

With regard to the secondary use of data for research purposes (Section 363 SGB V), there is a separate right to object. This is followed by separate aspects of the Health Data Utilization Act (GDNG) and the EHDS Regulation (Regulation on the European Health Data Space), which provide for secondary use, e.g. via the EU platform MyHealth@EU. However, the EHDS Regulation regulates rights of objection that do not fully coincide with the current DigiG regulation.

The previous model continues to apply for non-healthcare providers: patients must actively grant a right of access. In terms of granularity, as described above, this can be done at the level of the service provider, the use case or a combination of both.

There is also provision for a patient to be able to "shadow or hide" data. This means that a patient can make data invisible to all service providers. Only this patient can then view this data. In a new form, the question will arise here as to what extent such concealment and masking is indicated so that, for example, doctors can recognize during medical treatment that data that may be relevant to the treatment is missing and can inquire accordingly.

5. Filling the ePA

According to the DigiG, it is now mandatory for service providers (e.g. doctors) to fill in the ePA with regard to the respective current use cases. For example, laboratory findings, doctor's letters and discharge letters must then be stored. In addition, data from the treatment context must be stored in the ePA at the patient's request. Some data must even be transmitted "automatically" to the ePA. This applies to drug prescriptions, for example.

Special regulations are provided for certain areas. For example, in the area of the German Genetic Diagnostics Act (GenDG), the results of genetic tests or analyses may not be transmitted or stored in the electronic health record, or only if the patient has given their express prior consent. This consent must be given in writing or electronically (in the sense of the legal form) - somewhat contrary to the idea of digitization.

In addition, service providers must inform patients separately of their right to object to the transmission and storage of their data if unwanted disclosure of the data could lead to discrimination or stigmatization of the patient. According to the law, this should be the case in particular in the area of sexually transmitted infections, mental illnesses or in the case of abortions.

6. Privately insured persons

The above statements only apply to those with statutory health insurance. However, private health insurance companies can also provide their policyholders with an ePA. However, this is not mandatory. At the time of writing this article, the number of private health insurance companies offering an ePA is still extremely limited.

7. Summary

The DigiG makes it clear that the ePA is to be a success. The previous model, in which the ePA must be actively requested (opt-in), will be abolished in favor of an opt-out model. Patients who do not take any further action will have an ePA that is automatically filled with data.

In the context of medical care, the additional requirements with regard to setting up and filling in the ePA must now increasingly be integrated into everyday practice. Patients are even entitled to certain support services from a doctor's practice with regard to the use of the ePA. A one-off payment of EUR 10.00 is provided for this.

The secondary use of medical data is of particular importance - and is now certainly one of the main objectives of digitization in the healthcare sector. The aim is to aggregate data that can then be used for research purposes. The aim is to create AI-based medical products, for example. The data from the ePA will be fed into the European Health Data Space (EHDS). Access to this data is regulated in the EHDS Regulation and the Health Data Utilization Act (GDNG). These data are likely to be of considerable importance for research and development. This is particularly true in view of the hurdles that currently still exist in the case of research with medical data: As a rule, individual consent must be obtained from each patient to date, whereby the information and consent must be transparent and specific to the individual case. Broad consent, on the other hand, which is of particular interest for future-oriented research, for example in the field of AI, is considered to be quickly ineffective. For this reason, the new possibilities for using the medical data of a significant proportion of those with statutory health insurance will be of considerable interest.

This article is based on a presentation at the event "Digitalization and data protection in (dental) medical practices" on 24.04.2024.
