Digital Supply: Much criticism of centralized collection of patient data


The Federal Government comes because of their plans for the collection and dissemination of health data in the criticism. The so-called Digital Supply Act (DVG) provides that the health insurance companies transmit the data of their members to a data collection point in the central association of health insurances, which then pseudonymizes it forwards to a research data center. However, according to experts, the draft does not specify how this data can be securely protected. Federal Data Protection Commissioner Ulrich Kelber and the Federal Council also expressed concerns.

The 100-page bill (PDF) wants one, among other things "Benefits of insured persons to digital health applications" How medical apps regulate by law. In addition, supposedly "legal regulations for data transparency" be extended. The reasoning: "The social data of health insurance companies is a valuable source of data not only for the control and further development of health care in statutory health insurance (GKV), but also for scientific research."

Affected 73 million patients

According to the draft, the coffers of the 73 million persons insured by the law submit a large amount of data to the collection center, which, in addition to information on age, gender and place of residence, contains the billing data of doctors, pharmacists and hospitals. These data are transmitted to the Research Data Center without the insurer number, "where each individual data record to be assigned to an insurer identifier is marked with a work number", In turn, a trust office will receive a list of the insurer IDs including the work numbers.

The trust office is according to the plans "to establish, in agreement with the Federal Office for Information Security, a key-based procedure for pseudonymisation that corresponds to the state of the art and science", The appropriate procedure should ensure that "from the pseudonym but can not be concluded on the insurer's mark or the identity of the insured", According to section 303e, the Research Data Center is to make the pseudonymised data available to a whole range of health care institutions upon request.

No consent provided

Job market

  1. EnBW Energie Baden-W├╝rttemberg AG, Cologne
  2. MVC Mobile Video Communication GmbH, Stuttgart

The data should, among other things "in support of political decision-making processes for the further development of statutory health insurance" or "Exercise of health reporting tasks" can be used. Even for data sets with small case numbers, where the risk of de-pseudonymisation is quite high, the indication of one "permitted use" to submit the data.

The consent of the patient for the data transfer is not provided for at any time. This is in line with the EU General Data Protection Regulation (GDPR). Because according to Article 6 of the GDPR No consent is required if data processing is required to fulfill a legal obligation. Although it is loud Article 9 the processing of health data generally prohibited. But even in this case, paragraph 2, letter j provides an exception 'on the basis of Union law or the law of a Member State' in front. However, only if the law "is proportionate to the objective pursued, preserves the essence of the right to privacy and provides for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject",