In our highly specialized healthcare system, private and public entities process patients’ personal data partly for their own purposes and partly to provide services to third parties. The latter include specialized external laboratories, which are currently the focus of particular attention due to the COVID-19 pandemic; however, health insurance companies, testing centers, public health departments, suppliers, therapists, pharmacies, medical device manufacturers, as well as clinics, medical care centers (MVZ), and individual physicians also operate in a wide variety of roles and functions, with the transmission of health data between these actors serving as the connecting element. Not least through the establishment of a telematics infrastructure (TI) featuring insured person master data management (VSDM), the KIM communication service, the electronic health professional ID card (eHBA), the electronic medication plan (eMP), and the electronic sick leave certificate (eAU), a wave of digitalization is sweeping over stakeholders, demanding a great deal of patience, money, and time from participants in the healthcare sector.
In addition to the economic and technical challenges, there are also data protection requirements, compliance with which demands not only legal expertise but also a great deal of diligence in documenting data processing procedures involving patients and contractual partners.
Concerns about sanctions from regulatory authorities and health insurance funds, pressure from insurers, ongoing monitoring within the framework of healthcare-specific quality management, and, not least, critical inquiries from patients all contribute to a desire for a form of digitization that also makes legally required processes simpler and more manageable. The complexity of adhering to various protection objectives, compliance, quality assurance, and substantive data privacy can be significantly reduced through the use of a compliance and data privacy management system.
The processing of personal data for healthcare purposes is a fundamental component of the healthcare industry, yet data privacy in healthcare ranks among the most challenging areas of law that German legislation has produced. Whether it involves fitness apps, ordering medications, or having tests performed by laboratories: in all cases, special categories of personal data within the meaning of Art. 9(1) GDPR are processed and transferred to third parties. In addition to social security providers (e.g., health insurance companies) and service providers (e.g., contracted physicians) who are subject to the sector-specific data protection regulations of the Social Code (SGB) I, V, and X, the transfer and thus processing of personal (health) data occurs in particular between pharmacies, therapists, doctors, laboratories, manufacturers of medical devices, and a wide variety of IT service providers.
Due to the multitude of special regulations, exceptions, and counter-exceptions, classifying a specific data processing operation in the healthcare sector under the correct legal basis is often laborious and requires considerable research effort. Relevant legal bases may arise from both the GDPR and the BDSG, as well as from state laws such as state hospital laws, special laws such as the Act on Assistance and Protective Measures in Cases of Mental Illness (PsychKG), or, if the medical service is provided under church sponsorship, additionally from church data protection regulations (Catholic: KDG or KDR-OG; Protestant: DSG-EKD). Furthermore, relevant legal bases may also stem from the respective Social Codes (SGB).
In addition, criminal law (§ 203 StGB) and professional confidentiality obligations (e.g., professional codes of the state medical associations based on § 9 MBO-Ä) must always be observed.
Data transfers must generally be secured by accompanying data protection agreements. Data transfers to processors or other controllers without contractual “protection” under data protection law are not provided for by law. To ensure this, the law expressly refers to data processing agreements under Art. 28 GDPR and joint controller agreements (“JC agreements”) under Art. 26 GDPR. In addition, data protection agreements regarding at least the technical and organizational measures between multiple controllers who do not pursue common purposes (“controller-to-controller” agreements (“C2C agreements”)) are of practical relevance.
In practice, insufficient care is often still taken here, resulting in significant gaps in legal safeguards when transferring sensitive data. Anyone wishing to convince skeptical contract managers of the necessity of an agreement should point out that if the transfer of data to a processor already triggers the obligation to establish contractual safeguards under Art. 28(3) of the GDPR, this applies in a special way to every additional controller not bound by instructions, not least to meet the objective of appropriate information security in processing under Art. 32 of the GDPR as well as the accountability requirement under Art. 5(2) of the GDPR.
Furthermore, anyone who believes that any agreement will suffice—and in particular that a data processing agreement can fulfill this function—is mistaken. The correct classification of a data exchange as data processing, joint control, or a controller-to-controller relationship is crucial to the question of the validity of data protection agreements.
Anyone who has concluded a data processing agreement instead of the actually required C2C or JC agreement must assume that this will be regarded as a so-called “contract at the expense of third parties” in court (see VG Mainz, judgment of Feb. 20, 2020 – 1 K 467/19.MZ) and will be deemed void, with the consequence that not only does the legally mandated but disadvantageous joint and several liability apply in the internal relationship as well, but regulatory sanctions also loom, since the law in § 134 BGB equates a void agreement with a non-existent agreement. Another negative consequence to note is that data processing and data transfers carried out on the basis of a void agreement then lack a legal basis; thus, this data should never have been processed in the first place, and data protection law does not provide for a remedy for such legal violations. Void data protection agreements can also affect the main contract (analysis, product manufacturing, training of machine learning systems, etc.), thereby also nullifying claims for remuneration for the relevant service.
Corresponding C2C agreements must also be documented and play an important role in reducing one’s own liability. Article 82(2) GDPR does not distinguish between joint liability and individual liability when it comes to claims for damages; rather, “each controller involved in the processing” is liable for the damage caused by processing that does not comply with the GDPR.
Particularly in the C2C contracts mentioned above, provisions regarding the parties’ obligations with respect to data security and confidentiality must therefore be included, as well as internal recourse provisions in the event that the parties are actually involved in a data breach or data misuse.
Furthermore, Section 22(2) BDSG requires that, in cases where health data is processed by medical personnel or other parties bound by confidentiality obligations, “appropriate and specific measures be taken to safeguard the interests of the data subjects” if the data processing is necessary for the purposes of preventive healthcare, medical diagnostics, treatment in the healthcare sector, the administration of systems and services in the healthcare sector, or based on a treatment contract.
This obligation applies in particular to the transfer of a patient’s personal data to another professional bound by confidentiality if the data processing is necessary for the purpose of preventive healthcare or medical diagnostics (Section 22(1)(1)(b) BDSG). The measures to be taken, with examples provided in Section 22(2), second sentence, of the BDSG, must be set forth in an agreement on data transfer between the parties bound by professional secrecy, which in turn must be verifiably documented.
Without professional support from internal or external experts, as well as clear processes, it is impossible to navigate the highly complex legal landscape in the healthcare sector, handle negotiations with contractual partners in the hectic day-to-day business, and provide the necessary evidence in the event of an audit or dispute. Even the company-wide recording of data processing operations (“Data Flow Management”) involving external service providers requires support from qualified data protection management software, which serves as an indispensable foundation even for the manually required classification of these processing operations, their categorization under the applicable provisions of the GDPR, and their documentation in a record of processing activities. This is because robust and accessible documentation of well-designed processes is essential for reliable contract, deadline, and risk management under data protection law.