Electronic patient records for everyone: the most important questions & answers

The "electronic patient file for all" (ePA 3.0) is intended to save insured persons paperwork and provide a better overview. It is also intended for the secure exchange of data in the healthcare sector. The test phase will begin in mid-January in the test regions in selected practices in Hamburg, Franconia, North Rhine-Westphalia and Westphalia-Lippe. The Associations of Statutory Health Insurance Physicians want to closely monitor this phase and feed the feedback back to Gematik, which is responsible for digitalization, and the Federal Ministry of Health, as Dr. Sibylle Steiner, Member of the Board of the National Association of Statutory Health Insurance Physicians, has announced. She expects "comprehensive and transparent monitoring" and that errors are identified and rectified.

Only when the software is working can the ePA be launched nationwide. On top of this, insured persons must be sufficiently informed. "90 percent of practices expect the ePA to save a lot of time and administrative effort, but of course also to educate patients," says Steiner. The KBV is providing a comprehensive information package for this purpose.

Note: All information known to date relates primarily to the forthcoming electronic patient record from version 3.0. Due to constant developments and the contradictory information disseminated by the Federal Ministry of Health, for example, this FAQ will be adapted in line with the latest findings. We were unable to test the new electronic patient file. Some health insurance companies already offer functions in their smartphone apps, such as a vaccination overview, which will only be officially included in the ePA at a later date.

What advantages does the ePA offer patients and doctors?

The ePA is intended to provide patients with a better overview and, in future, make vaccination records, dental bonus booklets and all treatment-related information available digitally so that documents no longer need to be requested from other doctors. In conjunction with the e-prescription, the ePA should increase the safety of drug therapy and help to avoid incorrect medication. The end of unnecessary duplicate examinations and the simplified obtaining of a second opinion are cited as further advantages. The Federal Ministry of Health promises numerous other functions in the coming months and years. From mid-2025, for example, there will be a connection to the TI Messenger, which will later enable secure video communication with (and between) doctors and the sending of all possible file formats.

However, with the launch of the ePA for all, doctors will not yet be obliged to upload documents, so it will be some time before most insured persons actually feel the benefits. Doctors are hoping that the ePA will enable them to receive hospital discharge letters electronically. The electronic doctor's letter and the electronic medication plan are also expected to be of benefit, but these will only be available in one of the next ePA versions.

Health Minister Karl Lauterbach also promises to be able to accumulate a large, representative data set with the help of the ePA data. However, experts have doubts about the representativeness of the data set, as it will not include data from all population groups, for example those with private health insurance.

What kind of medical data and documents can be stored in the ePA 3.0?

Insured persons can upload image files and PDF files, which are converted into PDF/A format by the health insurance app. Doctors can also store other documents, and the electronic medication plan will be added in 2025, which will be visible to everyone with ePA access. Dentists can also store information in the dental bonus booklet. The billing data will be uploaded to the ePA by the health insurance companies for all to see. Anyone who does not want this can object to it.

As a patient, can I store data in the ePA myself?

Yes, these are all converted to PDF/A format for security reasons.

Can patients decide what information is stored in their ePA?

If patients actively use their patient file, for example by having the app on their smartphone, they can set which documents no one is allowed to see and which documents everyone is allowed to see. Individual doctors can also be excluded from accessing the ePA. Anyone who does not have a suitable electronic device usually has to arrange this via the health insurance company or a person who is also authorized to access the system.

Does fine-grained authorization management still exist in the new ePA?

No, the option of allowing individual doctors to access certain documents no longer exists and is not planned for the future. If you don't want doctors to be able to see data in the ePA, you have to deny them access completely. Insured persons can now make individual or multiple files visible either to everyone or to no one. Furthermore, in the medication list, individual medication details cannot be removed from the list. There is only the option of not using the medication list. The same applies to the health insurance companies' billing data, which is automatically visible to everyone in the ePA.

What can I object to?

It is possible to object to the creation of an electronic patient file with your health insurance company before the start of the ePA. It is also possible to object to the evaluation of the billing data by the health insurance companies, which make recommendations for action on this basis. An existing EPR can also be deleted after it has been created. It is also possible to deny individual doctors and institutions access to the ePA and object to the electronic medication list, the posting of billing data and the like, either via the ePA app or at the health insurance companies' own ombudsman's offices. Gematik also lists the objection options.

How can I manage the ePA of someone close to me?

If, for example, you want to manage the ePA of your child or another person, you will need the person's health ID. Due to the changeover to the "ePA for all", some health insurance companies may currently have problems setting up a deputy arrangement. If the person no longer wants you to take on the proxy role, they can ask their health insurer to deactivate the proxy arrangement.

What steps should be taken if there are discrepancies in the data stored?

You can ask your doctor or health insurance company. If you suspect that someone has accessed your file without authorization, you should contact your health insurance fund immediately and block access.

What role does the ePA play in emergency care?

All data relevant to care, including information on intolerances, should be stored in the EPR. In future, the ePA could play a role in emergency care. However, it is not expected to be launched in 2025 for the time being, as the ePA and the relevant software must first pass the test phase. It would therefore not be a good idea to rely on the ePA in an emergency situation. Alternatively, the data can also be stored and read on the electronic health card, provided the emergency services have a card reader.

How is the ePA used in practice?

There is an ePA module in the doctors' practice management systems. This allows doctors to access their patients' health data stored in the TI, provided they have previously inserted their electronic health card into the doctor's card terminal. They can then upload electronic doctor's letters to the telematics infrastructure, for example, and insured persons can view the documents via their ePA. The findings report should also work, although implementation is still lagging behind. Doctors will also be able to view the electronic medication list, which is made up of billing data. In the case of particularly sensitive information, doctors must ask whether this should be stored in the ePA. According to the National Association of Statutory Health Insurance Physicians, insured persons are obliged to point out relevant information in the ePA. The ePA does not replace medical documentation.

How can patients access their ePA?

You will need the ePA app from your health insurance provider Die Gematik lists all ePA apps. Insured persons must then create a health ID – if they do not already have one. This can be done using an NFC-enabled smartphone and either the electronic health card or the ID card, each with the corresponding PIN. A card reader on a PC can also be used instead of a smartphone.

Who has access to a patient's ePA?

As soon as you insert your electronic health card into the card reader at the doctor's –, for example at the surgery or in a clinic –, the doctor will have access to your health data for 90 days. Pharmacies also receive read rights and can see all documents except for the dental bonus booklet – but only for three days. Pharmacies are granted write access to the medication process.

All documents that are posted and not shadowed are then visible – mainly files in PDF/A format or the electronic doctor's letter as a medical information object (MIO), with the electronic medication list to follow from mid-January. Theoretically, more would also be possible, but all systems would have to be able to talk to each other, which is still a problem in practice.

Is the ePA also available for privately insured persons?

Private health insurance companies can offer their customers the electronic patient file, and only insurance companies are already doing so. However, private health insurers first want to see whether the ePA offers any added value.

How can the security of the data in the ePA be guaranteed?

With the new security architecture, the end-to-end encryption of data has been removed, instead it is stored in a Trusted Environment Execution (VAU) and protected by means of confidential computing. Intel SGX is used for this, and possibly its successor TDX in the future. Attacks on Intel SGX were previously only possible with physical access. Data security is to be guaranteed through regular security audits. According to experts, the security level can be very high.

"The methodology is based on the relevant procedures of the BSI, for example the creation of protection requirements, risk analysis and also the consideration of conditions," said a Gematik spokesperson in 2023. "Regular and ad hoc audits of the operators of TI services" are also carried out by Gematik. An independent security assessor would also be used for the ePA file systems. Furthermore, the operators of the TI services are integrated in the Informationssicherheitsmanagementsystem of the TI. This allows "continuous monitoring of security by Gematik". Incidents could therefore be detected quickly.

One point of criticism, however, is the centralized data storage, which experts believe is not necessary, as knowledge can also be generated in a decentralized manner. Another point of criticism is that there is still no central office that is responsible in the event of problems.

The Federal Ministry of Health relies on deterrence to ensure the security of the electronic patient file. Anyone who processes data from the EPR "beyond the regulated access authorizations and requirements without authorization is liable to a prison sentence of up to one year or a fine. [...] If the perpetrator acts in return for payment or with the intention of enriching himself or others or harming others, the penalty is imprisonment for up to three years or a fine (Section 399 (2) SGB V)", according to the BMG.

There are also inconsistencies in the assessment of the risk by "state actors". The Federal Office for Information Security and the Fraunhofer SIT report both assess the risk as relevant. "In principle, any threat that targets the protection requirements of an infrastructure or the security of data is relevant. The motivation of an attacker (political, economic or otherwise) is not the decisive factor here, but rather the potential impact of an attack. A holistic security approach that takes into account all threat actors - including state actors - is particularly necessary for sensitive data such as in the ePA," says the BSI. It is also known "that state organizations have considerable resources and expertise to collect targeted information or compromise infrastructures". The BSI therefore believes that it is "not appropriate to rule out potential attacks by foreign government organizations". The BSI also points out that the protective measures mentioned in the Fraunhofer report help against cyber attacks by state actors.

Why was the security architecture rebuilt?

According to the BMG, the security architecture was modified to enable doctors to search the documents and for researchers to access the data after a successful research application. Another reason cited is a simple ePA migration when changing health insurers. In the past, the BMG also stated that this would increase data security. In addition, the new ePA version should be faster with the end of end-to-end encryption. However, the BMG emphasizes that communication between the service provider environments and the ePA file system is end-to-end encrypted.

What's the deal with the transfer of research data?

From mid-2025, pseudonymized data from the electronic patient records of people with statutory health insurance will be transferred to the Health Research Data Center at the Federal Institute for Drugs and Medical Devices. Anyone who does not want this can object. This is not planned for private health insurance companies.

What criticism is there regarding the electronic patient file?

There are numerous ambiguities and points of criticism, for example due to the lack of transparency. The biggest point of criticism, apart from the central storage of pseudonymized health data, is that the ePA will be automatic for everyone. Important data protection and security experts – including the former and current Federal Commissioner for Data Protection and Freedom of Information – have criticized the switch from "opt-in" to "opt-out". Other points of criticism currently include the sometimes contradictory and inadequate information provided by some health insurance companies and the Federal Ministry of Health. They tend to emphasize the benefits and generally fail to provide information about the risks.

For example, Deutsche Aidshilfe criticizes the fact that the lack of fine granularity in authorization management enables discrimination. The ePA is also not barrier-free, people with little technical expertise have to contact their health insurance provider, and some issues can also be resolved via the healthcare provider. If you really want to control access to your ePA, you need an ePA and even then, the exact access – i.e. which person has accessed the data – will only be logged from 2030. Until then, only access by institutions such as surgeries or hospitals will be logged.

Software developers complain that the ePA will not be technically mature when it is launched in January 2024 and will initially have to work with many provisional solutions. For example, the file systems on which the insured persons' data will be stored have not yet been certified.

It is unclear what criteria need to be met for the ePA to be rolled out nationwide and for all doctors to be able to use it. Although the ePAs of the individual health insurance funds are to be available by mid-2025, the modules must also be implemented and functional in the software systems of doctors' surgeries, hospitals and other facilities. Otherwise, doctors and medical professionals will not be able to fill in the ePAs. Criticism from doctors includes the fact that, as with other digitization projects, they have to inform their patients – about the ePA, as they have not been sufficiently informed about the innovations by other bodies.

Furthermore, the ePA for children could also lead to further conflict situations in doctors' surgeries, for example if parents disagree about whether the child has an ePA or who is authorized to access it. Overall, the consensus among experts is that there are still many things that need to be clarified regarding the ePA.

(mack)