x.panel: Medatixx exchanges patient data for a discount on software

The Health Data Utilization Act is intended to improve access to health data in order to use it for research and development in the pharmaceutical industry. The practice management system manufacturer Medatixx GmbH & Co. KG, which claims to collect anonymized treatment data from medical practices and make it available for scientific purposes, has also recently taken advantage of the new regulation.

Participating practices that use Medatixx software receive a discount of between 30 and 40 euros – for providing patient data, depending on the number of doctors. This could make the monthly fee for the practice software up to 28 percent cheaper. This was first reported by the Ärztenachrichtendienst (Aend). Doctors must first ask their patients for consent, according to Medatixx on request. The software manufacturer provides text modules for informing patients.

Medatixx project "x.panel"

Medatixx has launched the "x.panel" project for its project. The anonymized data is collected in a secure environment and forwarded to selected data recipients, whereby it cannot be traced back to individual practices, doctors or patients. Bundesdruckerei supports the project as a trust center. Research partners include research-based pharmaceutical manufacturers and scientific institutions.

"The anonymization concept complies with the legal framework of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). Bundesdruckerei GmbH is also used as a trusted authority to ensure anonymity," says the Medatixx website. The topic of anonymization is currently the subject of controversial debate, as the Hessian Data Protection Authority, which advised Medatixx on x.panel, is also aware.

"However, a legal basis is required for the anonymization process, as anonymization also involves data processing. However, legal bases can regularly be used for this, e.g. Section 27 (1) of the Federal Data Protection Act (BDSG) for the purposes of scientific research," the Hessian Commissioner for Data Protection and Freedom of Information (HBDI) told heise online. § Section 6 para. 3 sentence 3 of the Health Data Usage Act therefore "expressly permits data-processing healthcare institutions to anonymize the health data stored in accordance with Art. 9 para. 2 lit. h) GDPR in order to transfer the anonymized data to third parties for the purposes specified in Section 6 para. 1 sentence 1 GDNG".

"We have set up various safety nets. The data is already anonymized locally in the practice software," says Medatixx on request. To ensure anonymity, Medatix wants to use "individually defined threshold values" to ensure that no re-identification is possible, even with background knowledge. A "tool specially developed for research data by the Charité in Berlin" is used to check anonymity. It is also not possible to trace the data back to individual practices. Medatixx did not want to provide further details or the anonymization concept that was finalized with the HBDI for reasons of business confidentiality. Among the methods used, Medatixx refers to k-anonymity.

Uncertainties regarding the subsequent use of data

Thilo Weichert, former data protection commissioner of Schleswig-Holstein, points out that it has not yet been clarified to what extent service providers are allowed to reuse allegedly anonymized data from their clients. "The ECJ has always had a very broad understanding of personal data. In the Breyer and IAB decisions, the ECJ emphasized the relevance of available additional knowledge. Such additional knowledge is difficult to keep sufficiently secret in the case of medical treatment due to the large number of social benefits," says Weichert. New data is regularly available for sale on the Darknet, which criminals can use to de-anonymize other stolen data records. According to Weichert, unsuccessful anonymization is particularly sensitive if patients are not informed that their doctor is disclosing this sensitive data.

(mack)