Between wish & reality: How far along is the e-patient record in hospitals?

Contents

Experts discussed the status of the electronic patient record (ePA) at an event hosted by the German Hospital Federation (DKG), which was also referred to as a self-help group. Doctors and IT managers from hospitals discussed their experiences from pilot and early production phases – beyond political target visions and glossy technical presentations.

It quickly became apparent: the ePA is less a finished product than a complex overhaul of ongoing care and documentation processes. Topics such as document formats, automation, objection rights, technical dependencies, cost issues, IT security, and actual usability by patients came to the fore.

As early as July, the DKG pointed out that German hospitals have particularly low IT spending compared to international benchmarks. At the same time, investments in IT security and stable infrastructure place an additional financial burden on hospitals' already tight budgets.

Heart of the digitalization of the healthcare system

The ePA is considered one of the central digitalization projects in the German healthcare system. It is intended to make medical information available across sectors, avoid duplicate examinations, and make care more coordinated. Politically, it has been positioned for years as the key to modern, data-driven healthcare.

At the same time, it was pointed out long before the launch of the “ePA for all” that this goal could not be achieved from the outset. Particularly from medical, technical, and organizational circles, the assessment was early on that the ePA would primarily be designed as a document record at launch. Content would initially be predominantly in PDF files, while structured, machine-readable information could only follow gradually.

Document-centric launch of the electronic patient record

Even in the preparatory phase of the ePA, it was foreseeable that a largely structured record would not be realistic at launch. Professional articles and statements – including from medical self-governance bodies – made it clear that structuring deeply affects primary systems, requires new workflows, and places high demands on standardization.

Structured data require stable standards, in-depth adjustments to hospital information systems (KIS) and subsystems, clearly regulated processes across sector boundaries, and high acceptance among users. All of this could not be implemented simultaneously with a nationwide rollout. The consequence: the ePA inevitably started as a document-centric record, supplemented by individual structured elements such as the medication list.

Moritz Esdar from the DKG put this into perspective. The legislator formulates transmission obligations but deliberately leaves the concrete technical implementation open. This allows for a gradual entry, but comes with a discrepancy between political ambition and operational reality. While “not every single laboratory result generated in a treatment case needs to be loaded into the ePA […] but above all the cumulative result, i.e., the result and laboratory data that are ultimately relevant for follow-up care.”

Organizational and technical framework conditions

At the event, it became clear that the challenges of implementing the ePA in hospitals cannot be reduced to file formats. Rather, several levels overlap: legal requirements, technical specifications, established IT landscapes, cost and resource issues, and a clinical routine that leaves little room for additional manual steps.

Hospitals work with highly complex system environments. In addition to the central hospital information system, there are numerous subsystems – for radiology, sonography, functional diagnostics, or pathology, for example. These systems generate data and documents in very different formats and levels of maturity.

Sven Lindenau from Alexianer DaKS GmbH, Alexianer's IT service provider, commented: “The complexity lies not in the KIS but in the many connected subsystems.” Many of these systems are technically incapable of delivering structured content or generating valid PDF/A documents without additional conversion and verification steps.

Files such as doctor's and discharge letters clearly belong to the world of documents. If insured individuals upload files, they are also automatically converted into PDF files. This contrasts with structured content such as medication lists. These are based on standards such as the Medical Information Objects (MIO) specified by the National Association of Statutory Health Insurance Physicians and HL7 FHIR and are machine-readable.

PDF/A not equal to PDF/A

The PDF/A issue also faced criticism. PDF/A is fundamentally useful as an archiving format for long-term stable storage of central documents. At the same time, it became clear that PDF/A is only one component among many. Furthermore, PDF/A is not a uniform standard. The variants PDF/A-1, -2, and -3 with different conformance levels differ significantly. Not every KIS or subsystem generates valid PDF/A files, and automatic conversions are prone to errors. In practice, therefore, a pragmatic approach is taken. The decisive factor is that documents are complete, correctly classified, and usable – not whether they formally meet every PDF/A specification.

Some KIS manufacturers have consciously decided against automatic PDF/A conversion because PDF/A does not support certain content and display formats. Manufacturers fear being held liable in the event of faulty or incomplete conversions. However, manual quality control of each individual document is hardly feasible in practice. Conversions often only occur when uploading to the ePA – a process that in many hospitals is carried out by staff in the clinic secretariats. While they have organizational expertise, they do not necessarily have medical expertise to assess whether, for example, an image report is displayed completely and correctly after conversion.

Hospital discharge letter

Conceptually, the hospital discharge letter 1.0.0 already exists as a developed Medical Information Object (MIO), developed by DKG, KBV, and mio42. In practice, this MIO is not yet usable in production. Hospitals therefore currently continue to upload discharge letters as PDF documents to the ePA. The ePA is also to be expanded to include the electronic medication plan soon.

Christian Schöps from the Albertinen Hospital in Hamburg emphasized: “The discharge letter remains the central communication instrument.” At the same time, he pointed out a structural deficit: “We cannot reliably track what has actually ended up in the ePA.” In the past, doctors from practices regularly criticized that they can rarely exchange data with hospitals. The electronic doctor's letter (eArztbrief) has been mandatory for practice doctors since July 2025. Statutory health insurance associations, such as Saxony's, had already pointed out that the ePA is not a substitute for sending doctor's letters via the KIM email service. After all, the ePA is managed by insured individuals, and the doctor's letter can therefore also be deleted by them.

eArztbrief and regulatory developments

At the DKG event, security and stability issues were primarily discussed in connection with the eArztbrief. A preliminary version of the Gematik specification for ePA 3.1 provides that eArztbriefe must again be uploaded as PDF documents in the future. It states “The uploading of DischargeLetterContainers into an ePA will be prevented. Primary systems must therefore upload eArtzbriefe as PDF/A”. The eArztbrief uses a container format (DischargeLetterContainer format), which allows embedding additional content and thus potentially creates attack surfaces for malware.

Similar considerations had already led shortly before the launch of the ePA to the fact that the possibility of uploading image files to the ePA was removed from the ePA after an expert opinion from the Fraunhofer SIT. Images in JPG, PNG, or TIFF formats are therefore converted into PDF files, which insured individuals can also try out themselves.

Objection rights and information obligations

Another point of discussion was the issue of objections. Hospitals are obliged to inform patients that documents – especially sensitive data – can be stored in the ePA. This duty to inform is clearly regulated by law, but its implementation in daily hospital routine is challenging. Esdar pointed out that while the legislator specifies information and documentation obligations, the concrete design is left to the hospitals.

According to Christian Schöps, objections to the storage of documents are rarely actively declared in the hospital. In his facility, this has only happened once so far: “Most patients don't even know they have an ePA.”

Usability for patients

Closely related to this is the question of actual use by patients. It became clear in the discussion that a significant portion of insured individuals practically cannot use the ePA or only very limitedly. Reasons include lack of end devices, low digital literacy, or complex health insurance apps.

Older or multimorbid patients in particular are often unable to actively manage their record or make specific settings regarding document visibility. The idea of a fully patient-managed record thus proves to be only partially realistic, at least currently.

Efforts for the telematics infrastructure

Lukas Schmidt-Russnak from the University Hospital Hamburg-Eppendorf pointed out that large hospitals today have more than ten different systems that need to be connected to the TI, such as hospital information systems, subsystems, portals, and additional services. “We are not talking about one connection, but about many parallel dependencies.” According to those involved, the size of the institution is crucial, as this determines the complexity and how many components are required.

It is particularly problematic that, in case of disruptions, it often remains unclear where the cause lies. Arne Beeck, responsible for the telematics area at Asklepios Service IT GmbH, picked up on an earlier statement by his colleague Andreas Hempel, who had spoken of “non-communicative error messages.”

Data protection, IT security, and limited resources

Data protection and security issues also played a role. At the event, it was also recalled that hospitals should conduct data protection impact assessments to systematically evaluate risks. Furthermore, training materials, procedural instructions, and service agreements with the works council and the like should be provided.

The participants agreed that the ePA can only function in hospitals if it is largely automated, especially regarding the correct filling of metadata, which is currently not the case. Every additional manual step – conversion, signature, or verification – reduces user acceptance. The further success of the ePA will therefore depend crucially on whether it is possible to gradually transform the current document-centric launch reality into stable, automated, and practical processes.

(mack)