Ärztetag calls for stricter rules for AI and cloud use in healthcare

Contents

The 130th Ärztetag passed further resolutions on digitalization, data protection, and artificial intelligence in healthcare. In addition to the already intensively discussed electronic patient record (ePA) and the planned law for data and digital innovation in healthcare (GeDIG), the delegates dealt particularly with the risks of data processing, autonomous AI systems, and the use of cloud-based infrastructures.

Ärztetag criticizes planned redefinition of anonymized data

The criticism of the European Commission's current plans was particularly strong. The background is the ongoing EU legislative procedure for the so-called Digital Omnibus, which data protectionists have already strongly criticized. According to the proponents of the main motion “Anonymity must be truly anonymous,” the definition of personal data is to be redefined. The plan is to consider data anonymized in the future once it has been anonymized, even if re-identification of the affected persons is possible or even likely after it has been passed on to third parties.

The delegates see this as a significant weakening of data protection. “Despite factually ineffective anonymization, such data will no longer be considered personal data in the future and will therefore no longer be protected by the GDPR,” the justification for the adopted resolution states. The Ärztetag warns that this could legitimize the use of medical treatment data.

“Without effective anonymization, the use of doctors' treatment data of patients, with and without artificial intelligence, loses all legitimacy,” the proponents explained. It is particularly critical that commercial data users would thus be factually absolved of their responsibility towards patients. Ethics Professor Rainer Mühlhoff had also criticized this in the past. The delegates around Berlin doctor Stefan Streit also see the medical confidentiality affected by the planned shift in definition. “It is questionable whether doctors can fulfill their duty of confidentiality to patients in patient care if they participate, even though it is clear that there is no actual personal protection,” the motion further states. “Regardless, this creates a serious loss of trust for the protected space of medical treatment,” the delegates explained.

In the also adopted resolution on “Protection against re-identification of anonymized/pseudonymized treatment data from the electronic patient record in the health data space,” the delegates also warned of new risks from AI-supported pattern recognition. According to the motion, just a few pieces of information, such as gender, age, postal code, and treatment days, could be sufficient to re-associate anonymized health data with individual persons. Calendar patterns from doctor's appointments are considered particularly problematic by the proponents. With the use of AI, this also creates an “unpredictable AI risk” for the re-identification of medical data.

Doubts about cloud AI and autonomous AI agents

The development of autonomous AI systems was also critically discussed at the Ärztetag. In the resolution “Regulate digital AI agents before they are used in healthcare” (PDF), the proponents referred to scientific publications that have already documented cases where AI systems have resisted humans. The Ärztetag therefore calls for stricter regulatory requirements for independently acting AI applications in healthcare.

The doctors therefore call on the Federal Ministry of Health (BMG), Gematik, the Federal Commissioner for Data Protection and Freedom of Information (BfDI), and the Federal Office for Information Security (BSI) to provide “a detailed description of the measures to be taken before digital AI agents are used in medical patient care.”

The delegates also expressed skepticism about “Confidential Computing” approaches in cloud infrastructures. In the resolution “Cloud-based artificial intelligence of medical treatment data – only on trusted infrastructure”, it is stated that from the perspective of IT experts, there is no longer any reliable basis for the assumption that secure and confidential AI operation can be permanently guaranteed on third-party cloud servers.

Therefore, non-European cloud locations are unsuitable for AI processing of treatment data. This also applies to European or German cloud offerings from US companies, as according to the motion, they could be compelled to “hand over data of non-US citizens abroad to US authorities.” Currently, some clinics and practices already use AI agent systems, partly with major hyperscalers such as AWS and Microsoft Azure.

Concern about resource consumption

“Resource consumption and costs of artificial intelligence application“ were also discussed. The Ärztetag pointed out that token counting creates new cost structures. In addition to classic license fees for medical applications, the electricity and water consumption of the server infrastructure will also have to be considered in the future.

Furthermore, a motion for review (PDF) on doctor's information before filling out the electronic patient record was referred to the board of the German Medical Association. The delegates expressed doubts that a simple notice in the waiting room would meet the legal requirements for informed patient consent. This also raises the question of who bears responsibility if it turns out that patients were not adequately informed afterward.

Other resolutions included the demand for practice-oriented digitalization, more interoperability and secure IT systems, the role of AI as a supporting tool in medical care, and the preservation of medical decision-making responsibility. Also criticized were the planned increased use of health data by health insurance companies, access to ePA data, digital control mechanisms in healthcare, and possible indirect digital compulsion for patients.

(mack)