At a glance: data protection and healthcare data management in Germany


Data protection and management

Definition of “health data”

What is “health data”? Is there a definition of “anonymized” health data?

Health data is defined in a separate provision of the German Federal Data Protection Act (Section 46 No. 12 BDSG). It states that information about the mental and physical health of a natural person, as well as about the health care services used, is health data if information about a health condition can be derived from it. This definition corresponds word for word to the definition of health data in Article 4 No. 15 of the General Data Protection Regulation (GDPR). The same applies to genetic and biometric data.

A definition of anonymization is likewise not found in the BDSG. German legal doctrine, with reference to the European legal basis, stresses that anonymization, as distinct from pseudonymization, is a heightened form of non-identifiability of the individual. Such anonymization is only possible in principle, depending on the type of health data. For example, the anonymization of genetic data is by definition not possible.

Data Protection Law

What legal protection is given to health data in your jurisdiction? Is the level of protection higher than that granted to other personal data?

In principle, the level of protection of health data corresponds to the standard set by the European Union. In this context, the protection of health data differs in particular from the level of protection of data that are not counted among the special categories of personal data. However, in derogation from or in addition to this European standard, one can point to the modification of the permissive elements of Article 9(2) GDPR by Section 22 BDSG. According to this provision, health-related data may also be processed in Germany by non-public or public bodies, inter alia, if required by social security law, for the purposes of preventive health care and health care by medical personnel or personnel subject to obligations of confidentiality, or if the public interest so requires. In addition, many federal laws, such as the Infection Protection Act, the Medical Devices Act or the Social Code (Sozialgesetzbuch (SGB) V), provide exceptions in favor of the processing of personal data. Appropriate measures for the protection of personal data must be implemented in this context.

Such a requirement for appropriate measures can be found both in the special data protection provisions of the SGB V, in particular those governing the German healthcare IT infrastructure, and in the provisions on digital health and care applications (DiGA and DiPA) in Germany.

SGB V devotes a separate Chapter 10 to data protection in the context of statutory health insurance. The data likely to be processed by the health insurance funds and by the doctors associated with the compulsory health insurance (AMS) are regulated according to their purpose.

With regard to components and applications in IT, Sections 306 et seq. SGB V provide that the entire structure may only be operated with components that can guarantee the personal data protection requirements. Since the data processed in IT is likely to fall within the special categories of data, the data security requirements are correspondingly high (see the explicit regulation in § 306 paragraph 3 SGB V). In particular, a comprehensive level of protection is ensured by complete subsidiarity of data liability for processing in IT: § 306 paragraph 5 SGB V states that gematik GmbH is responsible for the processing of personal data insofar as it determines the means of processing and no other responsible person for a specific situation results from statutory provisions.

In accordance with these standards, the health data protection requirements for the use of digital health offerings in statutory health insurance (SHI) are highly regulated. Even listing in the directory under § 139e SGB V is only possible if the digital health application guarantees data security.

Anonymized health data

Is anonymized health data subject to specific regulations or guidelines?

The anonymization of health data is not subject to any particular legal provision. As already follows from the European requirements, data protection law does not apply, even to special categories of personal data, if no identification of the person is possible on the basis of the available data, even where third-party information is used. However, the Federal Ministry for Economic Affairs and Energy in particular argues that it is difficult to completely anonymize health data.

This is why guidance on the anonymization of health data was published in 2018. Although the Federal Ministry also points out that whether anonymization has succeeded can only be decided case by case, it nevertheless provides guidelines for action. For example, randomization, generalization, removal of rare attributes (such as rare diseases) and, above all, the combination of these techniques are recommended.
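As an illustration of the three techniques named above (generalization, removal of rare attributes and randomization) and of why their combination matters, the following script is an added example; it is not taken from the page or from the Federal Ministry's guidance. It works on a handful of constructed records, drops direct identifiers first, applies the three techniques, and then measures the smallest group of records sharing the same quasi-identifiers (k-anonymity). Field names, thresholds and the sample data are assumptions made for illustration.

```python
"""Illustrative anonymization of a small, constructed set of health records.

Added example: generalization of quasi-identifiers, suppression of rare
attribute values, randomization of a measurement, and a k-anonymity check
over the quasi-identifier columns. Records and thresholds are assumptions.
"""
from collections import Counter
from random import Random

# Constructed sample records (no real persons). "kvnr" stands in for an
# insurance number; together with "name" it is a direct identifier.
RECORDS = [
    {"name": "A", "kvnr": "X1", "age": 34, "postcode": "10115", "diagnosis": "J45", "hba1c": 5.6},
    {"name": "B", "kvnr": "X2", "age": 31, "postcode": "10117", "diagnosis": "J45", "hba1c": 5.4},
    {"name": "C", "kvnr": "X3", "age": 38, "postcode": "10119", "diagnosis": "J45", "hba1c": 6.1},
    {"name": "D", "kvnr": "X4", "age": 52, "postcode": "80331", "diagnosis": "E11", "hba1c": 7.8},
    {"name": "E", "kvnr": "X5", "age": 57, "postcode": "80333", "diagnosis": "E11", "hba1c": 8.2},
    {"name": "F", "kvnr": "X6", "age": 55, "postcode": "80335", "diagnosis": "G71", "hba1c": 5.9},
]

DIRECT_IDENTIFIERS = ("name", "kvnr")
QUASI_IDENTIFIERS = ("age", "postcode")  # columns an attacker could link to external data


def generalize(record):
    """Drop direct identifiers and coarsen quasi-identifiers:
    age becomes a 10-year band, postcode keeps only its 2-digit prefix."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    band = (record["age"] // 10) * 10
    out["age"] = f"{band}-{band + 9}"
    out["postcode"] = record["postcode"][:2] + "***"
    return out


def suppress_rare(records, field, min_count):
    """Replace values of `field` that occur fewer than `min_count` times
    with the neutral value 'other' (removal of rare attributes)."""
    counts = Counter(r[field] for r in records)
    return [
        dict(r, **{field: r[field] if counts[r[field]] >= min_count else "other"})
        for r in records
    ]


def randomize(records, field, scale, seed=0):
    """Add bounded uniform noise to a numeric field (randomization).
    The seed only makes the example reproducible; a real run would not fix it."""
    rng = Random(seed)
    return [
        dict(r, **{field: round(r[field] + rng.uniform(-scale, scale), 1)})
        for r in records
    ]


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Size of the smallest group of records sharing the same quasi-identifier
    values. A value of 1 means at least one record is unique on those columns."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values()) if groups else 0


def anonymize(records, min_diagnosis_count=2, noise=0.3, seed=0):
    """Combine the three techniques in sequence."""
    out = [generalize(r) for r in records]
    out = suppress_rare(out, "diagnosis", min_diagnosis_count)
    out = randomize(out, "hba1c", noise, seed)
    return out


if __name__ == "__main__":
    print("k before:", k_anonymity(RECORDS))          # every record is unique on age+postcode
    result = anonymize(RECORDS)
    print("k after: ", k_anonymity(result))
    for r in result:
        print(r)
```

The k-anonymity check covers only the quasi-identifier columns. Even with k = 3 here, a group in which every member carries the same diagnosis still discloses that diagnosis to anyone who knows a person is in the group, which is one reason the Ministry's guidance treats successful anonymization as a case-by-case judgement rather than a fixed recipe.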


How are the data protection laws in your jurisdiction enforced with respect to health data? Have there been any notable regulatory or private actions regarding digital health technologies?

In accordance with § 9 BDSG, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the data protection authorities of the individual Bundesländer are responsible for applying the data protection provisions. While the Federal Data Protection Commissioner is responsible for the supervision of public bodies and private companies, the data protection authorities of the Bundesländer are responsible for the supervision of natural and legal persons in the non-public sector. In accordance with the provisions of Regulation (EU) 2017/679, in particular Articles 57 and 58, both the Federal Data Protection Commissioner and the data protection authorities of the Länder have the corresponding powers to monitor and enforce the provisions relating to data protection. This applies in particular to health data.

The BDSG also contains criminal provisions for commercial violations of data protection regulations. Accepting remuneration, or acting with the intention of enriching oneself or a third party, by violating data protection provisions is a criminal offence.

With regard to breaches of health data in the context of the use of health technologies, no relevant decisions of the data protection authorities of the federal states or of the Federal Data Protection Commissioner are known to date.

Cybersecurity

What cybersecurity laws and best practices are relevant to digital health offerings?

Cybersecurity in the context of digital health applications is already regulated in the relevant legislation mentioned above. Both the SGB V and the statutory ordinance on digital health applications (DiGAV) require the implementation of sufficient measures to maintain data security in accordance with the state of the art. In addition, from 1 January 2023, manufacturers of digital health applications must meet the requirements of the Federal Office for Information Security (BSI) in accordance with § 139e paragraph 10 SGB V and obtain the corresponding certificate. The BSI already provides specifications for implementing the data security requirements in its technical guideline BSI TR-03161. However, the guideline is still being tested to determine whether the requirements and testing procedures set out in it are sufficient.

In addition, special regulations may apply because the healthcare sector is classified as a critical infrastructure sector. Although the healthcare sector is generally considered a critical infrastructure sector within the scope of Section 6 of the BSI Criticality Ordinance, the use of digital health applications is not directly covered by it. However, their use in the context of hospital treatment, for example, is certainly subject to the BSI criticality rules. In that case, Section 8a of the BSI Act applies, which obliges operators of critical infrastructures to maintain appropriate organizational and technical precautions to ensure the availability, integrity, authenticity and confidentiality of their systems, components and processes. Digital health applications, as well as IT services and applications, may be particularly relevant as components of these structures.

The Artificial Intelligence Act was announced in April 2021 and has yet to be adopted by the European Parliament and the Member States. It provides new regulations and security requirements for artificial intelligence based on four classes of risk.

Good practices and practical tips

What best practices and practical tips would you recommend to effectively manage the ownership, use and sharing of raw and anonymized user data, as well as the output of digital health solutions?

When processing health data, the controller within the meaning of the General Data Protection Regulation (GDPR) must first be identified in a structured manner. In particular, joint processing requires that responsibilities be explicitly separated in a contractual agreement. There is no ownership of health data under German law; therefore the individual responsibilities must be clearly regulated between the parties.

Even before personal data, and especially special categories of data, are processed, the establishment of technically secure and resilient systems should be considered mandatory. This corresponds to the legal requirements for approval both in the context of IT and for the approval of digital health and care applications.

Finally, with regard to subsequent secondary use of health-related data, possibly for research purposes, it is advisable to obtain broad consent from the data subject at the start of the data processing. The possibility of such processing on the basis of the data subject's informed consent was created at the Data Protection Conference (the conference of the Federal Data Protection Commissioner and the data protection authorities of the Länder) of April 15, 2020. As part of that conference, a standardized patient consent template was approved by resolution.
