"Electronic patient file for all" initially in model regions

Contents

A lot of money has been invested for 20 years and nothing has happened for 20 years, summarized Federal Health Minister Karl Lauterbach at an event on the "electronic patient file for all" (ePA für alle). Originally, this was supposed to change from January 2025, but now this will initially only apply to selected regions – namely the digital health model region of Hamburg and the Central, Upper and Lower Franconia region.

"They have around 1.5 million insured people in their regions and 150 service provider organizations each, and that's where the rollout and introduction will begin," explained Sebastian Zilch, sub-department head for Gematik, e-health and telematics infrastructure at the Federal Ministry of Health (BMG). Four weeks later – if everything goes according to plan – the rest of the population will receive their ePAs. People who object and privately insured persons will be exempt. The private health insurance companies want to get an idea of the situation first.

Electronic patient file since 2021

People with statutory health insurance must register for the current version of the electronic patient file, which has been offered by statutory health insurance providers since 2021. This now works via the online ID function of the ID card, among other things. Doctors can enter and read data in the ePA via their practice and hospital administration systems, and pharmacies will also be given limited access to information from the medication list in future. Health insurance companies, on the other hand, will only be allowed to enter data.

According to Susanne Ozegowski, responsible for Department 5, Digitalization and Innovation in Healthcare, the electronic patient file would strengthen the "rights of patients". They would no longer have to fight for access to their reports and laboratory results. It would also reduce the workload for doctors and patients. Ozegowski also estimates that half a million insured persons would no longer have to be hospitalized due to drug intolerances because of the ePA. Zilch explained that the ministry intends to provide detailed information on the advantages of the ePA. To this end, nine reasons for an ePA have been developed in cooperation with the advertising agency Fischerappelt. In response to the question as to whether insured persons will be adequately informed about faults relating to the TI in future, Zilch replied: "We will be happy to take this on board. Lessons have been learned from the mistakes made with e-prescriptions.

Filling the ePA

According to Ozegowski, there are many options for filling the ePA. If you have the time, you can take a photo of your Leitz folder with findings and upload it to the ePA as a PDF. Health insurance companies can upload up to ten documents to the ePA on request. It has been explicitly decided that doctors do not have to "upload historical data", as this would probably have kept medical practices busy for a long time. In the case of stigmatizing illnesses such as mental diagnoses, doctors must ask separately whether a report of findings should be visible in the ePA. With the medication list, however, it is the case that individual pieces of information cannot be hidden. And medication can of course reveal a lot about findings, including stigmatizing ones.

The medication list should be automatically filled with data from the e-prescription server and be visible to all doctors – unless the patient does not want this. Only recently, patient representatives have criticized the fact that individual entries from the medication list cannot be hidden from certain doctors. This means that the dentist could see what the psychotherapist has prescribed – unless patients prohibit access to a particular doctor. With the new patient file, it will be necessary to insert the electronic health card in order to write data to the ePA. Insured persons could delete doctor's letters, for example. According to Ozegowski, patients cannot delete or edit individual data within the medication list.

With the ePA, it is precisely defined which persons or institutions have read and write access. Doctors can enter data via hospital or practice management systems, pharmacies via pharmacy management systems. Health insurance companies may only enter data, but not access it. Ozegwoski answered the question of whether data from the database can also be de-anonymized again, for example to recall medication, in the negative. According to Ozegowski, the Health Data Utilization Act and the much-discussed paragraph 25b have created "another way" in which health insurance companies can also issue warnings based on their billing data as soon as undesirable interactions could occur. At the end of 2023, Ozegowski already described it as "failure to provide assistance" if health insurance companies do not issue a warning.

When asked about the criticism from Deutsche Aidshilfe regarding the electronic patient file for all, Federal Health Minister Karl Lauterbach replied: "We are taking this very seriously" and the problems are "very solvable". According to Lauterbach, the ePA has been specially designed so that all diagnoses that confirm HIV positivity can be hidden. It should also be possible to exclude individual doctors from accessing the ePA. At the same time, he emphasized that it is important to know the "long-term consequences of taking these drugs for neurodegenerative diseases". The Federal Minister of Health left unanswered the question of why the EPR is being switched to "opt-out" in the first place and why it is necessary to object to the application.

Research data

For Lauterbach, it is clear that too little data is available for research without a comprehensive EPR. It is therefore planned that the data from the EPR and other systems such as medical registers will flow to the Health Research Data Center. This is located at the Federal Institute for Drugs and Medical Devices. To date, access to the data has been restricted and limited to basic and healthcare research. In the future, however, every natural person is to have access; the decisive factor is the purpose of the research. As a first step, data from the cancer registries will be transferred to the FDZ Gesundheit. According to Ozegowski, all of this will only take place in the "secure data processing environment". The data in the FDZ is stored in a high-security architecture, explained Ozegowski, in an isolated zone separate from the Internet. Only anonymized and aggregated data would leave this environment.

According to Ozegowski, the data is split into two parts before it flows from the ePA to the FDZ: firstly, the health insurance number "in encrypted form", which is transmitted to the trust center at the Robert Koch Institute. This allows the data to be assigned to other data. The pseudonymized data is sent to the FDZ Gesundheit. The health insurance number is also not passed on, but a "work number", an alphanumeric code. According to Ozegowski, this will create a "unique research data room" in Germany, which will contain data from the ePA as well as mortality data, for example. The security concept is to be published in the coming weeks. If there is new data, it will have to be matched. The FDZ does not know which data set comes from which patient. Ozegowski then returned to the goals of the Federal Ministry of Health, such as ensuring that at least 80 percent of people with statutory health insurance have an ePA next year. Two years later, it is planned that 80 percent of laboratory results will be available in the ePA and by 2026, the goal is to have implemented 300 research applications.

ChatGPT as a doctor

Lauterbach hopes to achieve better treatment results by evaluating data. Systems like ChatGPT would change medicine: AI could determine values and then explain everything. GPT4 is already "like a very strong high school student". In two years' time, GPT-4 will be at the level of a scientist. In addition, the AI is getting smarter and smarter through conversations, so there is "no end in sight". Strokes will then be predicted by the AI, the digital attending physician.

Lauterbach once again referred to Alphafold. "Alphafold 2 can even display the altered proteins in metabolic function, so to speak," said Lauterbach. He is currently working on similar projects with the Israeli government as part of the German Israeli Health Forum for Artificial Intelligence (GHIF-AI). Lauterbach also wants to promote pharmaceutical research with the Medical Research Act and make Germany a "world champion in research".

What happens if data is stolen?

After Lauterbach had explained in detail how data could benefit the healthcare system, further questions were asked about data security and possible acceptance problems following a data leak. According to Lauterbach, the data is "technically speaking encapsulated". Criminals would therefore have to steal data "patient by patient". The pseudonymized data would also remain "encapsulated" in the trusted environment. There will never be an announcement: "The German data is out. That's not possible because it doesn't exist, the German data". According to the President of the Federal Office for Information Security (BSI), Claudia Plattner, there are defense methods depending on the type of attack. DDoS attacks "we normally manage well". In the national cyber defense center, larger attacks are handled together with the police and service providers. Although this is "not perfect, it is quite well positioned".

Background noise of attacks

Plattner has confidence in the concept for the electronic patient file. One of the reasons she gave for this was that users and institutions always have to identify themselves with two factors, and that the system has different layers and each user has different rights. According to Plattner, colleagues are "on their toes every week" to check that implementation is taking place in such a way "that we can say [...] with a clear conscience: We have now [...] done everything humanly possible to ensure that this is appropriately safe". Even if the thought pains Plattner, "of course there is no such thing as one hundred percent security". However, the average hospital still has to learn "that the X-ray machine, which is still running on the Windows XP machine, should perhaps not necessarily be connected to the central network without protection," says Plattner.

When asked about the level of security when logging into the electronic patient file and possible unauthorized access to it, Plattner replied that she was more concerned about other scenarios. For example, counterfeit ePA apps or "antediluvian primary systems". The BSI has published a study on this. Certification of the apps could provide a remedy. When asked how the BSI ensures that all hardware used is located in Europe, Plattner replied that this is provided for under the General Data Protection Regulation. When asked about the conversion of the ePA into a new security architecture to use research data, Plattner explained that the people at the BSI "really went over it with a toothbrush [...]".

(mack)