Whether it concerns psychiatric diagnoses or lifestyle (drinking and smoking behavior), patient data contains highly sensitive information and is therefore subject to special legal protection. This data is increasingly available in electronic form due to digitalization in the health sector. This has the potential to improve medical care on an individual and societal level, as networked data allows for more efficient therapies and is also a valuable “raw material” for research. At the same time, however, the requirements for data protection and data security are continually increasing in order to prevent misuse. Here is an overview of what medical practices and clinics should consider when dealing with patient data.

What is patient data?

Patient data is all personal data collected, processed and stored in medical practices, whether in physical or electronic form. One distinguishes between two types of patient data:

  • Master data
    • First and last name
    • Gender
    • Date of birth
    • Address
    • Telephone number
    • Health insurance status and insurance number
    • Doctor-specific patient number
  • Treatment data
    • Diagnoses
    • Results of examinations
    • Therapy measures

Who is the owner of the patient’s file at the doctor’s?

Doctors have no way of avoiding collecting patient data, as their professional code of conduct requires them to keep a written patient record. The original of this patient file always belongs to the doctor or the respective medical institution. Patients, however, have the right to inspect their patient file and receive a copy.

Who has access to patient data?

Access to patient data is primarily restricted to the respective healthcare providers and the patients themselves. In most cases, the transfer of data to third parties requires the explicit consent of patients. This also applies to the transmission of findings to other doctors. Payers, such as health insurance companies, and various government agencies may have access to patient data even without explicit consent.

Which legal bases need to be observed when dealing with patient data?

The handling of patient data by physicians is regulated in the USA and within the EU by several laws, some of which are independent of each other. The most important provisions include:

EU: General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) has been in effect in the EU since 25 May 2018. Pursuant to Article 9 of the GDPR, patient data is subject to strict protection as a special category of personal data. Doctors are required to take appropriate data security measures and to inform patients about how and for what purpose they store and process personal data. European data protection law, however, allows the use of personal data for research purposes under certain conditions. The exchange of patient data between different EU states is also to be promoted in the future in compliance with the GDPR provisions.

For this purpose, the EU Commission presented a first draft for a European Health Data Space (EHDS) on 3 May 2022. Cross-border eHealth services are to be gradually introduced in 25 EU Member States by 2025. The first stage involves providing brief versions of digital patient records and cross-border electronic prescriptions; later, according to the EU Commission’s plans, medical image data and laboratory results are also to be made available throughout the EU. The EHDS furthermore aims to create a coherent framework for the use of health data for research purposes.

USA: Health Insurance Portability and Accountability Act (HIPAA)

The most important US law regulating the handling of protected health data is the so-called Health Insurance Portability and Accountability Act (HIPAA). It was adopted in 1996 and has been revised and supplemented several times since then. HIPAA contains regulations to protect health information, especially when it is collected electronically. The law, however, reaches beyond pure data protection aspects; it also contains, among other things, administrative requirements for healthcare service providers and authorities as well as specifications for the interoperability of data.

Important regulations of HIPAA in the area of data protection are:

  • Privacy Rule: The Privacy Rule confers certain powers and rights on patients with regard to their patient data. This includes, among other matters, the confidentiality of medical staff (medical confidentiality). Patients are entitled to co-determine how their patient data is used and shared. They are also entitled to receive a copy of their patient data.
  • Security Rule: The Security Rule prescribes standards to protect digital patient data from unauthorized access. Health facilities are required to take security precautions in three key areas: administrative, physical and technical.
  • Breach Notification Rule: Should breaches of patient data protection occur (e.g. through hacker attacks), those institutions affected are required to notify the patients concerned and the authorities.

USA: Health Information Technology for Economic and Clinical Health (HITECH) Act

The HITECH Act was enacted in 2009 and aimed to promote the switch to digital data collection systems in health facilities. The HITECH Act further strengthened data protection requirements and tightened liability rules in the event of any breaches. The HITECH Act also forms the basis for the introduction of Electronic Health Records (EHR).

USA: 21st Century Cures Act

The 21st Century Cures Act is a package of legislation enacted in 2016 with several focal points. The “information blocking and interoperability rules” contain important regulations on the handling of patient data. The HIPAA Privacy Rule already entitled patients to receive a copy of their patient records. The 21st Century Cures Act further extends these rights: healthcare service providers are required to provide the data in electronic form, and withholding information (information blocking) is subject to penalties (with a few exceptions). This regulation came into effect after a transitional period on 6 October 2022.

USA: State regulations

Some states have their own state regulations in addition to HIPAA and HITECH, such as the Confidentiality Of Medical Information Act (CMIA) in California.

What are Electronic Health Records (EHR)?

Electronic Health Records (EHR) or Electronic Medical Records (EMR) are the digital version of the patient record. They contain information such as medical history, diagnoses, medication, treatments, vaccinations, allergies, laboratory results or radiological images as well as administrative data.

What advantages do EHRs offer?

EHRs enable important medical data to be made available more quickly and easily. This helps to save time and avoid unnecessary duplicate examinations. Therapy decisions are also made easier when doctors have immediate access to important information about the patient’s medical history, especially for patients with a complex clinical history. EHRs are also intended to facilitate the exchange of information between different service providers and in this way relieve the administrative burden.

Are patients entitled to have access to their EHR?

Yes, patients are entitled to receive a copy of their digital medical record. Withholding information (information blocking) is not permitted, with a few exceptions. One exception would be, for example, a case in which certain information in the medical record would violate the privacy of another person. Healthcare service providers are required to verify the identity of their patients before issuing the EHR in order to prevent unauthorized access.

How are EHRs to be made available to patients?

Patients have been entitled to receive their EHR in electronic form since 6 October 2022. Suitable channels include, for example, a patient portal with secure access, secure transmission via e-mail, a data carrier (CD, USB stick) or direct transmission to a patient’s health app.

How quickly do EHRs need to be made available?

Normally, EHRs need to be submitted within a period of 30 days, but some states have different rules. Should data transmission not be possible within this period, healthcare service providers are then required to inform patients of this and subsequently have a further 30 days in which to provide the information.

Am I allowed to charge a fee for issuing the EHR?

Yes, healthcare service providers are generally allowed to charge a fee for issuing the EHR. The amount, however, should be reasonable and not exceed the actual costs incurred.

What are the consequences of digitalization in the health sector on the handling of patient data?

The Health Information Technology for Economic and Clinical Health (HITECH) Act has triggered a digitalization push in the health sector – with many benefits and simplifications for doctors and administrators. The Health Insurance Portability and Accountability Act (HIPAA) had already fundamentally strengthened patients’ rights. The 21st Century Cures Act has provided patients with further rights to determine what happens to their data and who is entitled to obtain access.

These digitalization steps, together with the strengthened patients’ rights, present new challenges for healthcare institutions. For example, under the HITECH Act, medical practices and especially clinics are required to take stricter precautions to ensure IT security when handling patient data.

The increasing number of cyber attacks in the health sector shows that such precautions are urgently needed. The Department of Health and Human Services’ (HHS) Office of Information Security reports that at least 560 healthcare facilities were victims of cyber attacks in 2020. In 2020, cyber attacks in the healthcare sector are expected to have caused US$7.13 million in damage, rising to US$9.23 million in 2021. All data breaches involving more than 500 patients are recorded by the US Department of Health & Human Services (HHS) in a list that is available to the public. Affected institutions also suffer considerable damage to their reputation.

How is patient data protected?

HIPAA and the HITECH Act require all healthcare institutions to protect digital patient data in an appropriate manner. The HIPAA Security Rule mandates security measures in three key areas:

  • Administrative security measures: These include regular risk assessments, staff training, contingency plans, audits and ongoing evaluation of all measures.
  • Technical security measures: These measures serve to protect the systems used for data storage and data transmission. They include access controls in the form of PIN codes, antivirus software, encryption tools and regular data backups.
  • Physical security measures: These concern protecting the hardware used to store and transmit digital health data. Offices and buildings require protection against theft or unauthorized access by means of security locks, access cards or security personnel, among other measures.

The following checklist shows what doctors’ offices and other healthcare facilities should pay particular attention to.

5 steps in the protection of patients’ data

Step 1: Ensure discretion in the reception area

  • Is there sufficient separation between the registration area and the waiting area? Patients should be able to register discreetly and state the reasons for their visit without the possibility of being overheard by other patients waiting.
  • Are there markings or signs in the registration area to ensure people keep their distance?
  • Is the reception area continually staffed during opening hours? Patients and other visitors might otherwise have unobserved access to computer equipment or patient files.

Step 2: Secure treatment rooms and work areas

  • Are physical patient records securely stored in lockable cabinets?
  • Are screens, telephones etc. protected from view or access by unauthorized persons? Computers and other IT devices should be locked even if a person only leaves their workplace for a short time.
  • Do patient discussions take place discreetly behind closed doors?
  • Is it ensured that patients have no access to other patients’ files in the treatment rooms?

Step 3: Comply with data protection regulations

  • Is there a central register of all data processing activities that occur in the practice?
  • Is there a register of all technical and organizational measures taken by the practice to protect patient data?
  • Has a data protection officer been appointed? Every medical facility covered by HIPAA requires a privacy officer.
  • Have all employees received instruction on data protection law on their first day of work at the latest? The obligation to comply with data protection regulations should be documented in writing for purposes of verification. Regular practical training is also recommended.
  • Are data processing contracts concluded with external service providers who might come into contact with patient data? Such contracts are required, for example, for installation or maintenance work on IT systems.

Step 4: Ensure the personal rights of patients

  • Is patient information on data protection made available for general viewing, for example on a notice board in the practice?
  • Are patients provided with a written consent form for the processing of personal data in the practice?
  • Are patients informed that the completion of a medical history form is voluntary?
  • Is it ensured that patients have access to their medical records if they so wish?

Step 5: Ensure data security

  • Are PCs protected by screen locks and passwords, even if employees only leave their workplace for a short time?
  • Are virus protection programs and firewalls always kept up to date?
  • Are all IT programs and services up to date?
  • Are email correspondence, contact forms or online appointments securely encrypted?

Patient data: the tension between data protection and data use

There is great potential in the digitization of patient data to improve healthcare on an individual and societal level. At the same time, adequate precautions are required to protect this sensitive data and to safeguard patients’ rights. All healthcare providers should know and implement the basic requirements for data protection and data security – if only in their own interest.