The German Government is in the process of introducing far reaching electronic processes to the German health care system. An electronic health card (e-health card) will be replacing the current insurance card from 1 January 2006. The e-health card will store and process personal and medical data about the insured person. To enable this, the card will carry a micro processor which allows information to be encrypted and authenticated and facilitates functions for an electronic signature.
In the first phase, the e-health card will help with administrative functions and introduce the electronic prescription. Later, in a second phase, it will provide, for insured people, additional functions like electronic medical reports (“Arztbrief”), electronic patient files (”Patientenakte”) or information on drug interactions. These functions however will only be implemented on the individual health card if the insured person applies for it.
The scope of the project is enormous. The e-health card will be provided to about 80 million insured people. Roughly 350,000 doctors, 22,000 pharmacists, 2,200 clinics and about 300 health insurance funds will become members of the medical network.
In order to safeguard the data subjects’ interests, the Federal Legislator has enacted sector specific data protection law. The government enacted, in particular, the so called Health Care System Modernisation Act (“Gesundheitssystemmodernisierungsgesetz”) with effect from 1 January 2004. Section 291 of this Act introduced a Social Code V, which contains the specific data protection requirements for the e-health card such as information and documentation obligations, access rights, deletion obligations and inquiry rights. However, the details of the obligations, rights and the structure remain open.
On 10/11 March 2005 the data protection authorities (DPAs) of the single states (“Länder”) and the Federal bodies held their annual meeting and expressed their concerns about this project in a resolution. The DPAs found that most of the processing on the e-health card will require the express informed consent of the data subject. They, therefore, requested that all applications and components undergo a compliance with data protection law review before being introduced. The resolution shows that the specific legal requirements for the protection of sensitive data need to be considered to ensure success. Anyone contributing to or participating in this project should take this aspect into account at an early stage in order to avoid wasting both time and money.