Electronic health record as an opt-out?

The electronic patient record (ePA) has been available since January 1, 2021, but so far only as an opt-in solution (application solution). How an opt-out solution (objection solution) can be designed in the future is now being examined.

What is the electronic health record (ePA)?

The electronic patient file is an insurance-managed electronic file. The insurance company can make this available to the insured person upon request. The insured person should be able to view findings, diagnoses, therapy measures and treatment reports electronically. It is also possible to integrate other personal data such as emergency data, doctor's letters, bonus booklet for dental visits, examination booklet for children, maternity and vaccination records.

People with statutory insurance have been able to apply for ePA from their insurance company since January 1, 2021. For privately insured persons, this option has been available since January 1, 2022.

According to § 341 IV SGB V, the health insurance company is the data controller (Art. 4 No. 7 DSGVO) within the scope of the electronic patient file.

Opt-out instead of opt-in for electronic health records?

Up to now, the electronic patient file has been an opt-in (application solution). Anyone who wants to have an electronic patient file as an insured person must therefore actively apply for it. As a result, only fewer than 1% of those with statutory health insurance have applied for an electronic patient file to date. The coalition agreement between the SPD, FDP and Greens stipulates that the ePA will be available in the future as an opt-out (objection solution). Insurance companies will then have to create an ePA for every insured person unless they actively object. However, the use of this electronic patient record will remain voluntary.

The gematik company is now examining how an opt-out can be designed. In November 2022, gematik stipulated that all insured persons should have an ePA (opt-out). All service providers should then have access to the ePA as part of the treatment and be able to fill it with data. For research purposes, this data can then be forwarded pseudonymously. There are various opinions on this solution from both a medical and a data protection perspective.

Opt-out from a medical point of view

The German Medical Association is clearly in favor of an opt-out. However, the electronic patient file must be handled with care. The ePA must not be allowed to degenerate into a mere repository for PDF documents. Rather, AI-based evaluation and structured data exchange between providers are needed so that the full potential can be exploited.

From the point of view of medical research, an opt-out is particularly exciting if it is accompanied by the use of pseudonymized data for research purposes, as envisaged by gematik. Currently, researchers have to obtain so-called "broad consent" for this (exemption if specific purpose is not possible). If researchers had access to pseudonymized data from electronic health records, this would make an enormous amount of data available to research. Even with an opt-out, it would of course be possible to object to data being shared for research purposes.

Objections from the data protection authorities

Data protection experts fear that data protection aspects will fall by the wayside. After all, the ePA still contains health data and thus personal data of a special category that is stored for a long period of time.

The transfer of pseudonymized data to research also raises data protection issues. The main issue here is the regulation of access to these data sets. From the perspective of data protection experts, a research data law would once again be necessary here.

Opinions differ as to whether this means that the opt-in must take precedence over the opt-out or whether the opt-out can already be sufficiently designed to comply with data protection requirements.

Whether and to what extent the opt-out for the electronic patient file is considered to be in line with data protection requirements therefore remains to be seen in the absence of any information on the specific design.

Do you need support on the topics of data protection and data security? Our team of experts will be happy to advise you. Contact us without obligation here!