When the state wants to read the electronic patient record

Unlike the health card, the e-patient file is not listed in the prohibitions on confiscation in the law. Can the state access the EPR?

By Imke Stock

The ePA (elektronische Patientenakte, electronic patient record) for all is here and with it a central location for sensitive health data that can provide information about the physical, mental and psychological condition of the patient. After the attack in Magdeburg, Carsten Linnemann (CDU) said in an interview with Deutschlandfunk radio that it was "a major deficit in Germany" that there was no "grid" for mentally ill violent criminals. In addition to registers for right-wing extremists and Islamists, a register for mentally ill perpetrators of violence was also needed, he demanded.

The former data protection commissioner of Schleswig-Holstein, Thilo Weichert, warns against such measures: "The possibility of police access to the data of mentally ill people to protect them from attacks or rampages would be a huge security risk: mentally ill people would often no longer seek treatment for fear of the police, which can prevent them from acting out their pent-up aggression. The police lack the expertise on mental illness and also the knowledge about the background to prevent attacks. Not only would trust in psychiatrists be weakened, but also trust in the police."

"Mentally ill people are generally no more dangerous than mentally 'healthy' people," emphasizes Susanne Berwanger, Vice President of the Professional Association of German Psychologists (Berufsverband Deutscher Psychologinnen und Psychologen e.V.) to heise online. Registers or the relaxation of the duty of confidentiality would mean that patients "could be more critical of treatment". This would not only reduce the chance of help for the sick person, but also the chance of preventing a potential crime through appropriate treatment and stabilization.

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) firmly rejects calls for police and law enforcement authorities to be allowed to access patient records held by doctors and psychotherapists, according to her press spokesperson in response to a request from heise online.


"The protection of the relationship of trust between patients and healthcare professionals is one of the fundamental basic and human rights," emphasizes the BfDI. The Federal Constitutional Court also sees it this way and has ruled in the past: Information provided by a doctor on medical history, diagnosis and therapeutic measures and the assessment of the patient's state of health are "highly personal matters" of the patient and are subject to the protection of the general right of personality under Article 2 (1) in conjunction with Article 1 (1) of the Basic Law. This right protects the patient in principle "from the collection and disclosure of findings on the state of health, mental state and character" against access by public authorities.

In 1972, the then Federal Minister of Justice Gerhard Jahn summed it up in a constitutional complaint (BVerfGE 32, 373): "The doctor's right to refuse to give evidence and the corresponding prohibition of seizure served the patient's interest in the protection of his privacy and thus promoted the willingness of the individual to undergo medical treatment without fear of state investigation".

Doctors are bound by a duty of confidentiality and professional secrecy. The fact that medical documents and records about patients cannot simply be confiscated is regulated in Section 97 of the Code of Criminal Procedure (StPO), the prohibition of confiscation. The prerequisite is that the items to be seized are "in the custody of those authorized to refuse to testify".

As the electronic health card is not in the custody of the doctor, but in the custody of the patient, the paragraph was amended by the Act on the Modernization of Statutory Health Insurance (GKV Modernization Act – GMG). In the explanatory memorandum, it was stated (PDF) that "health data is generally in the custody of doctors authorized to refuse testimony" and is therefore subject to protection against confiscation. "With the introduction of the electronic health card, health data will also be in the hands of patients to a considerable extent. The intended quality improvements in the healthcare system must not lead to a deterioration in the legal position of patients". The amendment to Section 97 of the Code of Criminal Procedure should ensure the protection of the doctor-patient relationship. This is because patients "must be able to trust that the data on the health card will actually only be used for the intended purpose of the health card, i.e. to optimize their treatment."

What is written in black and white in the law for the eGK does not apply to the ePA. It does not appear in Section 97 of the German Code of Criminal Procedure, and there is still no explicit provision in the law to protect the EPR from access by law enforcement authorities.

During the legislative process for the Act on the Protection of Electronic Patient Data in the Telematics Infrastructure (Patientendaten-Schutz-Gesetz, PDSG), the German Medical Association attempted to have Section 97 of the Code of Criminal Procedure amended to include the electronic patient file. The then BfDI Ulrich Kelber also advocated such a clarifying addition to the legal text in his statement (PDF). However, the proposal was not implemented and Section 97 of the Code of Criminal Procedure remained without an EPR addition.

In 2023, it was still unclear to the BfDI at the time whether the police and judiciary would have access to the electronic patient record or whether the ban on confiscation under Section 97 StPO would apply. In 2025, the new BfDI is convinced that there is an "absolute ban on the seizure" of medical records under current law. According to the BfDI, it is not only "healthcare professionals who have a right to refuse to testify and also a duty of confidentiality under criminal law. The employees in the practices are also covered by this, as are IT service providers who look after the electronic practice systems".

The ban on confiscation presupposes that the protected documents (except the electronic health card) are in the custody of the person entitled to refuse to give evidence (the doctor). But what if the health insurance company, not the doctor, has custody of the EPR, and the health insurance company itself is not entitled to refuse to give evidence?

The Federal Government is convinced that the protection against confiscation also exists for electronic patient records, and sees no need for a separate legal regulation. Parliamentary State Secretary Dr. Edgar Franke explained this in an answer to a question from Anke Domscheit of the Left Party on 20 February 2023:

"Under current law, there is a ban on confiscation if the data is held by the doctor providing treatment and also if it is held by the health insurance fund keeping the record. The health insurance fund keeping the record (Section 342 of the Fifth Book of the German Social Code – SGB V) is a "cooperating person" in the context of keeping the electronic patient file in accordance with Section 53a (1) sentence 1 of the Code of Criminal Procedure and is therefore also entitled to refuse to give evidence. In addition, the prohibition of confiscation under Section 97 of the German Criminal Code (StGB) would also apply to data that is entered into the electronic patient file by a person authorized to refuse to testify".

According to this view, it is therefore irrelevant whether patient data is stored in analog form in card index boxes in the doctor's practice. It is also irrelevant whether patient data is stored electronically in a data storage system of a service provider that is separate from the practice. However, whether health insurance companies fall under the right to refuse to testify as a "cooperating person" is disputed among experts, according to a report by the Bundestag's Scientific Service from March 2023.

According to the Federal Ministry of Health, patients are the masters of their data in the EPR. It is a patient-managed record. And it is the statutory duty of health insurance companies to provide their policyholders with an EPR. Although the doctor is obliged to fill in the EPR at the patient's request, the EPR is not in the doctor's custody: it is secondary documentation and not primary documentation that a doctor is responsible for keeping. According to Section 630f of the German Civil Code (BGB), doctors are obliged to keep their patient files for treatment for ten years as a rule. An EPR, in which a patient as the master of his health data can delete whatever he wants, does not meet these requirements.

Critics say that health insurance companies are not service providers to healthcare providers when it comes to the ePA, but service providers to the insured. The provision of an infrastructure for data storage has no intrinsic, direct connection with the respective treatment process. If this argument is followed, health insurance companies and the service providers they commission are also not collaborators of the service providers and therefore have no right to refuse to testify.

It remains to be seen what impact the absence of the EPR in the legal text will have on the prohibition of seizure. This is because no supreme court decisions have yet been made in this regard.

"Doctors and psychotherapists are obliged to report and prevent the announcement of violence," says Berwanger. Medical confidentiality is not absolute. For example, if there is a current danger to the health or life of other people and the danger could be averted by disclosing information about the patient that must be kept confidential, this constitutes a justifiable emergency. Doctors can then breach their duty of confidentiality with impunity. Doctors would be liable to prosecution in the same way as other persons if they failed to report certain planned criminal offenses, including homicide, crimes against personal freedom, robbery, arson and other dangerous crimes.

"The authorities already have a wide range of powers to avert danger. In the case of mentally ill perpetrators of violence or in the event of suspicion, the investigating authorities are free to commission a psychiatric expert opinion. This is then not subject to the protected relationship of trust because it was specifically commissioned by the investigating authorities," says the BfDI spokesperson. People can also be forcibly detained in a psychiatric hospital for the purposes of averting danger or criminal prosecution.

There is already a register for mentally ill offenders. Under certain conditions, the police can store personal references (PHW) in the police information system (INPOL) for law enforcement and prevention purposes. Such a reference to a "mental and behavioral disorder" can only be stored "if it has been medically established that the person concerned suffers from a mental illness and that this could result in danger to themselves or others, especially police officers". A written medical certificate or expert opinion is required.

The perpetrator of the Magdeburg attack was already known to various authorities in different federal states before the attack; Der Spiegel reports from a confidential BKA report, according to which 105 cases relating to the perpetrator were on file. Although he had had "many contacts with government agencies", "he was also in contact with many other agencies and people", Attorney General Jens Rommel told SWR's justice reporters.

"The chronology is frightening," Sebastian Hartmann, the SPD's spokesperson for internal affairs, stated at the meeting of the Committee on Internal Affairs, summarizing that it was a "long series over many years", "of threats, public statements, Twitter posts, criminal convictions, which then even culminated in refugee status being granted anyway. Being licensed as a doctor. That they worked in a clinic."

Alexander Throm, the CDU's spokesperson for internal affairs, calls for the security authorities to "better exchange and analyze the data available to them so that we can better protect our population". Sebastian Hartmann clarifies that in the case of the perpetrator in Magdeburg, "many of the details already known were sufficient for the authorities to have taken tougher action".

(mho)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.