Healthcare and Life Sciences

The Health Data Use Act: Expanding the infrastructure for health data in Germany

Two key components of Germany’s healthcare digitalisation strategy recently cleared the final hurdle in the legislative process. On 2 February 2024, the Federal Council of Germany, the Bundesrat, passed the Health Data Use Act (Gesundheitsdatennutzungsgesetz, “GDNG”) and the Digital Act (Digitalgesetz, “DigiG”). Both acts will enter into force soon.

This article provides an overview of the relevant provisions in the Health Data Use Act that will fundamentally change how health data are managed in Germany. Patients will be able to opt out of having data transferred from their electronic patient record as well as further processing of their health data by statutory health insurance (SHI) funds and healthcare facilities. The research industry will receive access to the data held by the Health Data Lab, a unit of the Federal Institute for Drugs and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte, “BfArM”).

Background and aims

The European Union is seeking to create a European Health Data Space (“EHDS”), a health-specific framework for sharing data between national healthcare systems, by 2025. Member States are therefore required to digitalise their healthcare systems and enable patients to access their data electronically. The digitalisation strategy launched by the Federal Ministry of Health (Bundesgesundheitsministerium, “BMG”) in March 2023 lays the groundwork for connecting the German healthcare system to the EHDS as the latter develops. The GDNG is one part of that strategy’s legal framework.

The GDNG’s stated goal is to eliminate existing obstacles to data use and access in the healthcare sector and thus improve the usability of health data. One major obstacle at present is that data collected in the German healthcare system rarely becomes available for further use beyond the immediate provision of healthcare. Differing rules on data access, differences in federal and state-level data protection regimes, and inconsistencies in how supervisory authorities interpret the law have all contributed to this problem. The decentralised structure of the German healthcare system also means that health data are stored in various places, whilst there are no explicit rules and procedures for linking these data.

In light of this, the GDNG aims to improve the transfer and further processing of health data by introducing the regime described below to remove obstacles to such processing.

Ongoing development of the Health Data Lab

One of the GDNG’s main aims is to make it easier to access and use the billing data collected by the Health Data Lab. Previously, only healthcare facilities specifically listed have been authorised to use that data, but the decisive criterion in future will be the intended purpose of that use. In addition, the purposes of use are being expanded to include, among others:

  • academic research in health and nursing care,
  • improving healthcare quality and safety standards,
  • ongoing development and monitoring of the safety of drugs, medical devices, remedies and aids.

In line with the European Commission’s EHDS proposals, this switch from the current access mechanism, based around who wants access, to one based on what they want that access for will enable private entities such as those from the pharmaceutical research industry to access the Health Data Lab’s data for the first time.

Furthermore, Health Data Lab data is to be made available much more rapidly. At present, it can take a long time for the SHI funds to receive billing data from the regional associations of SHI-accredited physicians for remuneration of SHI-accredited care. This means that the billing data become available for the Health Data Lab’s purposes even later. To make these data available more quickly in future, the GDNG provides that the regional associations of SHI-accredited physicians send the SHI funds preliminary billing data for SHI-accredited care in advance (no later than four weeks after the end of the quarter) for the SHI funds to then forward to the Health Data Lab. 

Introduction of opt-out procedure for transfer of data from the electronic patient record to the Health Data Lab

The transfer of data from the electronic patient record to the Health Data Lab is currently governed by an opt-in procedure requiring the data subject’s consent in all cases. This will be replaced by an opt-out procedure to increase the availability of the electronic patient record data held by the Health Data Lab. This means that all electronic patient record data will be automatically made available by the Health Data Lab, in pseudonymised form, for the statutory processing purposes unless the insured person expressly objects to data transfer. SHI funds are required to notify insured individuals of their right to object to such transfer, which may be restricted to certain processing purposes. Insured persons may declare their objection via the user interface of a suitable end device (electronic patient record app or desktop client) or to the ombudsman’s offices of the SHI funds.

Insured individuals are already able to make their electronic patient record data available for research by giving their informed consent, independent of data transferred to the Health Data Lab. This provision will be retained. The new GDNG will also give the BMG the power to issue ordinances regulating the technical procedures for sending electronic patient record data to researchers.

In addition to the GDNG’s provisions on the electronic patient record, the DigiG also introduces an opt-out procedure. From 15 January 2025, SHI funds will be obliged to provide every insured person with an electronic patient record unless, after prior notification, that insured person has objected within six weeks to the record being created.

At European level, the original Proposal for a Regulation of the European Parliament and of the Council on the European Health Data Space (the “proposed EHDS Regulation”) in its version of 5 May 2022 did not include a right for data subjects to object to secondary use of electronic health data. But on 13 December 2023, the European Parliament agreed at first reading to incorporate a provision clarifying that natural persons have the right to object to processing of their data for secondary purposes. To this end, Member States are to establish an opt-out mechanism enabling natural persons to expressly state their wish that some or all of their personal electronic health data not be processed for some or all purposes of secondary use. The current trilogue negotiations will decide whether the final version of the Regulation provides for such a right to object.

Consent not required for further processing by healthcare facilities

In future, data-processing healthcare facilities such as medical practices may – without the data subject’s consent – further process data collected in the course of care where this is required for one of the following purposes:

  • quality assurance and promoting patient safety,
  • medical, rehab and nursing research and
  • compiling statistics, including for Germany’s health reporting system.

Under current data protection law, such data processing is largely permitted even without the data subject’s consent, for example for research purposes under section 27 Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”) or the corresponding provisions in state-level hospital laws. In practice, however, secondary use of patient data for research usually relies on consent, while the statutory clauses permitting research are seldom used due to legal uncertainty and conflicting rules at federal and state levels. The new rules seeking standardisation across Germany are therefore to be welcomed, but whether they take precedence over the BDSG and state-level hospital laws remains unclear.

The initial draft of the GDNG provided for a ban on transmitting data to third parties, but widespread criticisms led to the incorporation of a provision allowing transmission of personal data for further processing if the data subject gives consent or another statutory rule permits. Moreover, healthcare providers are allowed to anonymise data collected for healthcare purposes before transferring them for the purposes of medical or nursing care research, for instance. Publicly funded co-operations between data-processing healthcare facilities (including collaborative research projects and networks linking practices engaged in research) are also allowed to jointly use and process data where, among other requirements, a data controller’s interest in processing substantially outweighs the data subject’s interest in excluding it and the competent data protection supervisory authority has approved such joint use and processing of the data. Accordingly, data-processing healthcare facilities face strict requirements if they wish to transmit personal data to third parties.

Further data processing by SHI and nursing care funds

The data that Germany’s SHI and nursing care funds accumulate also represent a major resource for identifying, at an early stage, the individual health risks faced by insured persons. The new GDNG rules aim to improve use of this database, and the SHI and nursing care funds are now authorised to analyse the health data in their possession – without the data subject’s consent – for the following purposes:

  • to detect rare conditions,
  • to detect cancer,
  • to identify severe health risks that drug therapy might create,
  • to identify a need for nursing care under section 14 Social Security Code XI (Sozialgesetzbuch XI),
  • to identify similar severe health risks insofar as SHI or nursing care funds believe this to be in the prevailing interest of the insured person,
  • to identify vaccine indications.

If the analysis identifies a specific health risk, possible illness, need for nursing care or vaccine indication, the SHI and nursing care funds can also alert the insured person in question and give them a non-binding recommendation to obtain medical assistance. This means that SHI funds will play a stronger role in medical issues themselves, but will not be permitted to give specific instructions on eliminating the health risk.

The SHI and nursing care funds are obliged to notify the supervisory authority of the aims of the analysis and the range of data involved before starting to process data for one of the purposes referred to above. At least four weeks before data processing begins, moreover, they must inform the insured person of the data processing and the fact that the insured person can object to it. There is a general ban on transmitting insured persons’ personal data held by SHI and nursing care funds to third parties, but (third party) processors are still permitted to process such data.

Duty to publish research findings

In cases where health data is processed on the basis of the GDNG – as set out above – without the data subject’s consent, the GDNG provides that research findings must be published in anonymised form within 24 months of the research project’s completion. They can be published on the data controller’s website, for example, or in databases. The research findings can then be used by researchers. The proposed EHDS Regulation includes a corresponding duty to publish the results or output of secondary use of health data no later than 18 months after processing is completed.

Establishment of a data access and coordination body

Another key element of the GDNG is the creation of a national data access and coordination body to assist and advise data users in connection with access to health data. One of the body’s roles will be to coordinate data processing by accepting requests for data use and forwarding them to the competent bodies. Besides coordination, this body will also be tasked with using a metadata catalogue to generate transparency regarding the sources of health data in Germany. The data access and coordination body will be independent of the Health Data Lab and initially established within the BfArM. The long-term aim, however, is to develop it into an independent institution within the EHDS.

Health data protection underpinned by criminal law

To strengthen the right to informational self-determination in secondary use of health data, the GDNG imposes a duty of confidentiality on researchers who make use of health data, and breaching this duty is a punishable offence. Unlawful use, transmission to third parties or processing of disclosed health data can be punished by up to one year’s imprisonment or a fine. Where such acts are committed in return for payment, with the intent of (self-)enrichment or harm to another party, they can be punished by up to three years’ imprisonment or a fine.

Outlook

Compared to other countries, the German healthcare system certainly needs to catch up on the digitalisation, sharing and (secondary) use of health data. The BMG is therefore working hard to make its healthcare digitalisation strategy a reality. The GDNG is a welcome step in the right direction. But how it will align with the final version of the proposed EHDS Regulation, due to be adopted in the second half of 2024, remains to be seen.
