GeDIG draft law: ePA to become digital entry point to healthcare system

With a draft law for data and digital innovation in healthcare, the ministry aims to provide relief and data access in the healthcare system.


With the planned Act on Data and Digital Innovation in Healthcare (Gesetz für Daten und digitale Innovation im Gesundheitswesen, GeDIG), the Federal Ministry of Health wants to significantly enhance the electronic patient record (elektronische Patientenakte, ePA). According to a draft circulated by heise online, insured individuals will not only be able to manage health data via the ePA apps in the future, but will also be more easily directed to outpatient care. This includes a standardized initial assessment and appointment booking.

The direction is not entirely surprising. Federal Minister of Health Nina Warken (CDU) had already announced in February 2026 that the ePA should become “attractive for all insured persons” and the “central hub”. Digital initial assessment, referrals, and appointment scheduling should converge there. The draft mentions “technical preparations for the planned primary care concept.” The plan is that patients will generally first visit a general practitioner's office and, if necessary, be specifically referred to specialists from there, preferably with an appointment within a specified period.

The core of the initiative is a new “digital entry into care.” Health insurance companies are to offer their insured people their own functional area in the ePA no later than February 1, 2028. Through this, patients will be directed to a “nationwide, standardized initial assessment by the appointment service centers of the statutory health insurance physicians' associations” and can then, if necessary, book a treatment appointment directly. The ministry speaks in the draft of “user-friendly, digital pathways into outpatient care.”

Providers of digital appointment booking platforms such as Doctolib must prepare for stricter requirements according to the draft. The Federal Associations of Statutory Health Insurance Physicians and the GKV-Spitzenverband are to agree on requirements for such platforms. This includes, among other things, data protection, information security, accessibility, and non-discriminatory access. Commercial third-party use of the appointment booking process and appointment allocation based on payments or remuneration interests are to be expressly excluded. From September 1, 2029, contract physicians will be obliged to issue, retrieve, and transmit referrals digitally via the telematics infrastructure (TI). The draft speaks of significant efficiency gains and savings.

A prerequisite for this is the digital identity of the insured person. Insured individuals can create a Health ID using their electronic ID card with a PIN or their electronic health card with a PIN. It has been repeatedly criticized that citizens can no longer reset their ID card PIN online. For secure identification, health insurance companies are also to offer insured persons the eID card introduced in 2021 and corresponding electronic residence permits. According to current plans, the EUDI Wallet will also be offered as a secure identification method from January 1, 2027 – provided the technical and organizational prerequisites are met. From December 1, 2028, it will then serve in healthcare “in the same way as the electronic health card” for authentication and as proof of insurance.

Furthermore, in the future, more data in healthcare is to be used for care, research, and innovation. To implement the European Health Data Space, the draft includes, among other things, a “unique research identifier” as a “unique identifier.” This will allow data from different sources to be linked and discrepancies to be technically resolved.

At the same time, the ministry wants to give health insurance companies more leeway for new data-driven applications: Thanks to a new experimental clause, they can establish real-world laboratories with the approval of a supervisory authority, where the “innovative use of personal data” can be temporarily tested. In addition, social data is to be anonymized in such a way that it can no longer be assigned to any specific or identifiable natural person; consequently, it will no longer be subject to the special provisions on social data protection and may subsequently be further processed or transmitted to third parties as far as this is necessary for the fulfillment of statutory tasks.

By expanding the much-discussed Paragraph 25b, the ministry is extending a regulation that was already introduced with the Health Data Utilization Act (GDNG) of 2024. With the consent of the insured persons, it is also possible to include ePA data in evaluations. Especially with regard to § 25b, there have recently been repeated debates about legal uncertainty and data protection. The Federal Commissioner for Data Protection and Freedom of Information (BfDI) has already offered support in practical implementation. With her new sandbox “ReguLab,” she wants to accompany data protection issues at an early stage. The first call for tenders is expressly aimed at health and long-term care insurance funds.

The law is intended to clarify “that the development of AI models and AI systems in the healthcare sector is also covered within the scope of permitted data processing for medical, rehabilitation, and nursing research.” This would allow AI models or complete AI systems to be developed on that basis. This could include applications for diagnostic support, such as evaluating X-ray images, systems for therapy recommendations, AI for evaluating patient data, and general decision support systems for doctors.

In the past, it has been repeatedly doubted whether health insurance companies are adequately informing their insured persons about the plans. For example, most insured persons do not know that ePA data is to be transferred to the Federal Institute for Drugs and Medical Devices this year – unless they object. So far, there seems to have been no information from the health insurance companies, even though it is already possible to object to data transfer at some health insurance companies.

Furthermore, Gematik is to receive more powers, a step that has been planned for years, in order to improve the operational stability of the telematics infrastructure. To this end, it will be able to centrally tender, bundle, operate, or have operated components and services in the future. “With the new regulation [...] the Gesellschaft für Telematik is to successively take on a steering role as a so-called provider. In particular for components, services, and applications that form the backbone of digital healthcare, the steering of selected service providers and strong enforcement competence of the Gesellschaft für Telematik are essential,” the draft states.

In addition, it will be allowed to enforce operational obligations directly against the operators actually responsible. In the event of disruptions and security problems, Gematik would receive additional rights of intervention. It will be able to request information, issue binding orders, and in individual cases, initiate measures for hazard prevention and fault clearance itself.

(mack)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.