Health Data Protection in Germany
We advise on data protection in healthcare
Health data are sensitive personal data that are covered by special legal protection in Germany and Europe. Health data include all data which relate to the health condition of a data subject and reveal information about the data subject’s former, present, or future physical or mental health condition.
When health data are concerned, it is irrelevant, which body processes said data. As a consequence, hospitals, doctors’ offices, care facilities, health insurances, pharmacies, research institutions, and even other organizations processing health data, like mutual aid fellowships or foundations aiming at promoting public health and public healthcare mandatorily have to address health data protection in Germany.
As, in addition, digitization is also playing an increasingly important role even in healthcare (electronic patient files, telemedicine, health apps), the data protection and data security requirements are very likely to continue to increase in the future.
Special protection of health data in Germany
Data concerning the health condition of a person, including data about a disease, treatment, or diagnosis, risks of disease, genetic data or visits to the doctor constitute highly sensitive information. If such data fall into the wrong hands, the consequences for the person concerned may be very unpleasant. Hence, the level of data protection must be very high when health data are concerned.
Due to their high sensitivity, the General Data Protection Regulation (GDPR) protects health data as “special categories of personal data”. In addition, sector-specific provisions need to be observed. These include
- provisions of the social codes,
- the German E-health Act,
- federal state laws on hospitals, or
- the professional codes of ethics for physicians and pharmacists.
Healthcare facilities run by churches are additionally subject to independent ecclesiastical data protection laws.
No health data without data protection concept
In addition to the requirements under data protection regulations, medical secrecy must also be protected.
In order to fulfill their responsibilities in terms of data protection, all entities processing health data are required to implement an efficient data protection concept. Given the high degree of complexity of health data protection, we offer you professional assistance based on our extensive practical expertise in the field of data protection law.
Our consulting services in health data protection
Your data protection in the hands of experts! We will be pleased to assist you in designing health data processing chains that comply with German legal requirements while being adapted to your practical needs.
Our consulting services in health data protection include:
- Reviews for compliance with data protection provisions and development of data protection concepts
- legal assessments of matters relating to health data protection
- conducting employee training programs, e.g. for physicians, nursing staff, receptionists
- consulting in connection with the use of external service providers (so-called “digital health providers) e.g. for patient data administration
- designing all processes in compliance with European data protection regulations, e.g. patient admission, documentation of examination results, and patient discharge
- consulting on health data transmissions to third parties, like other specialist departments, accounting centers, social security, medical service of the health insurances, in compliance with data protection regulations
- consulting on introducing and designing data processing programs (like hospital information systems) and creating authorization concepts in compliance with data protection regulations
- drafting the required documentation, like letters of commitment, declarations of approval, or confidentiality release forms
- consulting on the documentation, archiving, and erasure of health data in compliance with data protection regulations
- consulting on designing e-health offers, like e-health apps, online-assisted appointment scheduling etc. in compliance with data protection regulations
- consulting with respect to the data protection impact assessment required by art. 35 of the GDPR
- provision and tasks of an external data protection officer
- introduction of processes ensuring and implementing the rights of data subjects, like information requests