E-Health, Data Protection and Data Security: Legal foundations and practical implementation of data transfer management in the health sector
Telematics infrastructure and everyday processing: Current challenges in the processing of health data
In our highly collaborative health care system, private and public stakeholders process the personal data of patients partly for their own purposes and partly to provide services for third parties. The latter include specialised external laboratories, which have received more attention than usual of late due to the COVID-19 pandemic; but there are also health insurance providers, testing points, health authorities, suppliers, therapists, pharmacies, manufacturers of medical devices as well as clinics, community health centres and individual physicians, all of them assuming a wide variety of roles and functions. The transmission of health data is the one connecting element between these stakeholders. Not least due to the establishment of a telematics infrastructure using insurance master data management, the KIM communication service, the Electronic Health Professional Card, and the Electronic Medication Plan and Electronic Certificate of Incapacity for Work, all European health care industry participants face a tsunami of digitalization that has and will demand a great deal of their patience, money and time.
Why digitalize bad processes? Compliance, law and documentation
As if the economic and technical challenges weren’t big enough, there are also plenty of data protection requirements. Compliance with these calls not only for expert legal knowledge but also for a great deal of diligence when it comes to documenting data processing operations that involve patients and contractual partners.
The fear of sanctions from supervisory authorities and health insurers, pressure from insurance companies, permanent monitoring as part of health-specific quality management and, last but not least, critical enquiries from patients themselves, have all led to the desire for a form of digitalization that also makes essential legal processes simpler and more manageable. The complexity of adhering to different protection requirements, compliance, quality assurance, and material data protection can be significantly reduced by using a compliance and data protection management system.
There’s more to data protection law than the GDPR: Legal relationships and legal bases
The processing of personal data for health purposes is an elementary part of the health care industry, but data protection in the health care sector is one of the toughest fields ever generated by German law. Whether it’s fitness apps, ordering medication, or sending samples to labs for analysis: all of these cases involve processing special categories of personal data within the meaning of Art. 9(1) GDPR and transmitting that data to third parties. Apart from institutions and service providers governed by social law (e.g. health insurance funds and statutory health insurance-accredited physicians), which are subject to specific data protection regulations under Books I, V and X of the German Social Code (SGB), personal (health) data is transferred between – and therefore processed by – pharmacies, therapists, physicians, laboratories, manufacturers of medical aids, and a wide variety of IT service providers, to name but a few.
Given the multitude of special regulations, exceptions and U-turns, classifying a specific data processing operation in the health sector under the correct legal basis is often very tricky and requires a considerable amount of research. Relevant legal bases can be derived from both the GDPR and the German Federal Data Protection Act (BDSG). But It’s also important to consider state laws such as state hospital laws, special laws like the Act on Assistance and Protective Measures for Mental Illnesses (PsychKG) or, if the medical service is provided under ecclesiastical sponsorship, additional church data protection regulations (Catholic: KDG or KDR-OG; Protestant: DSG-EKD). It may also be the case that relevant legal bases result from the respective books of the German Social Code (SGB).
As if that wasn’t enough, there are also important confidentiality obligations to consider under criminal law (Sect. 203 of the German Criminal Code, StGB) and professional codes (e.g. professional regulations of the State Chambers of Physicians).
Data transfers in health care: Not everything is processing on the controller’s behalf
As a rule, any data transfer needs to occur on the basis of accompanying agreements under data protection law. The law does not provide for data transfers to processors or fellow controllers without an accompanying contractual basis. As potential contractual bases, the law explicitly mentions data processing agreements (Art. 28 GDPR) and joint controllership (JC) agreements (Art. 26 GDPR). Also of practical relevance are agreements under data protection law concerning at least technical and organisational measures between several controllers who pursue different purposes (controller-to-controller or C2C agreements).
Out of the frying pan into the fire: Legal consequences of concluding the wrong type of contract
In practice, too little care is often taken here, giving rise to considerable gaps in the legal safeguards on which the transfer of sensitive data is based. If you ever need to convince a sceptical contract manager of just how important an agreement is, just point out that if transferring data to a processor is already enough to necessitate a contractual basis for the processing under Art. 28(3) GDPR, then this applies all the more to each and every other controller who is not bound by instructions, not least in order to meet the objective of appropriate information security for the processing under Art. 32 GDPR and the accountability obligation under Art. 5(2) GDPR.
What’s more, anyone who thinks that just any agreement will suffice – specifically, that a data processing agreement could also serve this purpose – is mistaken. Correctly documenting a data exchange as processing on the controller’s behalf, or perhaps as an example of joint controllership or even as a controller-to-controller relationship, is crucial for the question of whether or not agreements under data protection law are fit for purpose.
If someone concludes a data processing agreement when what they actually require is a C2C or JC agreement, they shouldn’t be surprised to hear that their contract, as what has been termed a “contract at the expense of third parties” (cf. VG Mainz, judgment of 20 February 2020 – 1 K 467/19.MZ), would be regarded as void by the courts. Consequently, not only would the parties be automatically deemed jointly and severally liable in the eyes of the law (which in itself is disadvantageous), they would also face the threat of sanctions by supervisory authorities, since under German law a void agreement is the same as not having an agreement at all (Sect. 134 of the German Civil Code, BGB). As a further negative consequence, it should be noted that data processing and data transfers carried out on the basis of a void agreement then lack a legal basis altogether, meaning the data should never have been processed in the first place. There is no provision in data protection law for curing such legal violations. Void contracts under data protection law can also have an impact on the principal agreement (analysis, product manufacturing, training of machine learning systems, etc.), which can ultimately invalidate claims for remuneration for particular services.
It is also essential to document any C2C agreements concluded, as these play an important role in reducing the company’s own level of liability. In respect of claims for damages under Art. 82(2) GDPR, the GDPR makes no distinction between joint and individual controllership. In fact, “any controller involved in processing” is liable for the damage caused by processing which infringes the GDPR.
Particularly in the case of the C2C agreements mentioned above, clear provisions on the parties’ obligations with regard to data security and confidentiality should be included, as should internal recourse arrangements in the event that the parties are actually involved in a personal data breach or data misuse.
Often overlooked when processing health data: Special technical and organisational measures under Sect. 22(2) BDSG
There’s more: in cases where health data is processed by health professionals or other persons bound by professional secrecy, Sect. 22(2) BDSG stipulates that “appropriate and specific measures shall be taken to safeguard the interests of the data subject”, if the data processing is necessary for the purposes of preventive medicine, medical diagnosis, the provision of health care, the management of health systems and services, or on the basis of a treatment contract.
This obligation applies in particular to the transfer of a patient’s personal data to another party bound by professional secrecy if the data processing is necessary for the purpose of preventive medicine or medical diagnosis (Sect. 22(1) No. 1(b) BDSG). The measures to be taken, with standard examples provided in Sect. 22(2) Sentence 2 BDSG, have to be recorded in a data transfer agreement between the parties bound by professional secrecy, and this in turn has to be documented in a verifiable manner.
Conclusion: Draft, document, monitor
Without professional support from internal or external experts as well as streamlined processes, it is impossible to cope with the highly complex legal requirements in the health care sector, with negotiations with contractual partners in the hustle and bustle of day-to-day business, and with the all-important documentation that will prove indispensable in the event of an audit or conflict. Even recording data processing operations throughout your company (“data flow management”) with the involvement of external service providers requires support in the form of professional data protection management software. This is also an indispensable tool for the challenge of manually classifying all processing operations, working out which GDPR standards apply to each of them, and documenting everything in records of processing activities. After all, reliable and quickly available documentation of well-thought-out processes is essential for reliable data protection contract, deadline and risk management.
Article provided by: Peter Hense (Spirit Legal, Germany)
Dr. Tobias Höllwarth (Managing Director INPLP)