Interview on the electronic patient file: "It works and it's very simple"

Health data from various systems used by doctors and other healthcare professionals is available in the "Helsi" digital medical record for around 28,000 patients. A patient portal has been set up with the Health Cloud from Salesforce, which provides patients with diagnostic documents and treatment data, among other things. There will also be push notifications, reminders, individual exercise plans and other services. If David-Ruben Thies, head of the Waldkliniken Eisenberg, has his way, this will work throughout Germany. Billions have already been wasted on state digitization. In an interview with heise online, Thies explains how he wants to turn heads. Heinz Ebensperger from Salesforce also explains the technology behind the Waldkliniken's digital patient file.

heise online: What was your motivation for an alternative to the current electronic patient file?

David-Ruben Thies: In 2004, politicians decided to introduce electronic patient records. Then the telematics infrastructure was set up in the association, which Gematik GmbH is currently working on. Gematik will soon be a public authority again as the "Digital Agency for Health" – after constant back and forth. For 20 years, the digitalization of the healthcare system has been fiddled with and billions have been wasted. To this day, we still don't have a standardized electronic patient file.

How did your decision come about?

Almost ten years ago, I went to California to look at customer relationship management (CRM). So I went to the university hospital in San Francisco and saw the Salesforce electronic patient record for the first time. It was no longer a CRM, but a complete digital patient file that also had the function of a patient portal. I thought that was very cool. It was stable and I thought to myself "Why can't we just do that in Germany?". After nine months, the time had come. I had received funding from the Free State of Thuringia – 1.2 million euros for customizing and the recognition of German data protection. At the end of the day, we received approval from the Thuringian State Data Protection Commissioner at the time. It worked for us. And why don't we simply fall back on proven standards that have been running stably elsewhere for more than 15 years? Copy-and-paste is sometimes easier than always doing everything from scratch.

My motivation behind this is actually, as always, not to complain that something isn't working somewhere, but to show that "Hey guys, it works and it's really easy".

You just mentioned the patient portal for your patients. What does this mean for hospitals?

With the Hospital Future Act, every hospital should be able to offer a portal. There are various systems. It remains to be seen whether they are interoperable. If everyone has their own app that can't communicate with other systems, patients will have to download a new app for every clinic and every practice. It is therefore important that such applications work across systems. It makes no sense for each service provider to cook their own soup.

A patient cannot upload their documents to a different app every time. What poor elderly person has an overview of their 70 years? Nobody. That's why I asked myself what it's actually like to use a digital patient file that also has other appointment management functions.

Now the federal legislator has recently said that the digital patient file will be built by the respective health insurance company. How does that help me if I have the data from my health insurance company? Even if I upload all the data, it still doesn't work. Why doesn't it all run automatically and in the end I just decide when who can access which data and which not? With a central data pool, AI could also be used to evaluate all data, provided patients have given their prior consent.

To this day, I cannot understand the separation between digital patient records and patient portals that has been made in Germany at this point. My vision is to start one or model regions as the next step.

"Nothing has happened for 20 years"

Won't you then be competing with the state initiative?

I'm totally relaxed about it now: If someone doesn't get something right for 20 years, I don't see them getting it right in the next two years. Every week there are various reports on the Gematik portals that something is not working again or a specification is faulty. This delays everything. Doctors, patients and other service providers are only connected to the telematics infrastructure to avoid sanctions. Unfortunately, they do not yet have any real benefit from it.

Which data formats can currently be uploaded to the Waldkliniken patient file?

It is not yet possible to upload such data formats to the patient portal. With the current expansion, we are planning to upload PDFs and possibly X-ray images, not individual values. Implementation is planned by the end of 2024.

What is behind the electronic patient file at the Waldkliniken?

Heinz Ebensperger: The Business Process Engine behind it, a no-code or low-code platform with which missing processes can be easily adapted. This continues to work well at the Waldkliniken. State requirements are already included. In this area, compliance with regulations and requirements is important, among other things, and we are talking about health information that is particularly relevant to data protection. We have to meet certain requirements to be allowed to offer such services at all. The data is then available in the Health Cloud. The MuleSoft environment is used as an integration platform that fills the cloud with external data from various sources - such as hospital information systems, ERP, CRM systems and others - depending on the customer's requirements. However, the Gematik specifications cannot be implemented with low-code.

Is the digital patient record from Salesforce interoperable? And if so, with which standards?

Heinz Ebensperger: Salesforce offers an interoperable solution that can be integrated into existing structures and applications using common standards such as SOAP, REST and OData. Standards and APIs from the healthcare sector such as HL7 and FHIR are also supported.

Which encryption technologies are used?

This varies; among other things, we use the AES 256-bit method recommended by the German Federal Office for Information Security specifically for healthcare data, which supports various protocols. This encrypts data in real time.

How do you ensure resilience?

We currently use Hyperforce, as we call the environment – with data centers in the Frankfurt region and with corresponding availability zones behind them. There are currently three instances.

The C5 certificate for processing health data in the cloud, probably too?

In addition to various other audits and certifications, Salesforce also has the C5 certificate, which is audited every six months. Health data requires special attention, the technical control options are defined by the respective controller, in accordance with the respective requirements, also in coordination with the responsible data protection authority, and then implemented accordingly.

The customer decides which data is processed. In some places, data protection is a double-edged sword: on the one hand, we have data minimalism, on the other hand, certain data must be transmitted. The Health Data Utilization Act has made some changes in this respect. However, we are flexible to be able to react to future regulations.

(mack)