How is data used in healthcare

Laws such as the Federal Data Protection Act and the Criminal Code make it unmistakably clear that data protection is particularly important for medical data.

In this article you can read why medical data require special protection, what the special features of medical data protection are and which data protection laws must be observed.

Data protection: Who is interested in your medical data

Collecting, processing and storing sensitive medical data entails significant risks, for example that you can no longer decide who has access to your data:

  • Employer: Certain data in the hands of an employer can abruptly ruin a hiring decision or a career.
  • Insurance: If you have medical information and withhold it from your insurance company, your insurance cover may lapse. It is also possible that you will no longer be offered any insurance cover at all. You then lose the option of insuring against fundamental life risks, or keep it only at a high price. Incidentally, this affects not only you but possibly your children as well!
  • Partner: That genetic data are relevant in paternity suits should come as no surprise.
  • Yourself: It should be clear that most people who return from a Caribbean trip with a venereal disease prefer not to disclose this publicly. Your informational self-determination can be endangered.
  • Hackers have also recognized the sensitivity of medical data and blackmail health insurers or hospitals from which they have stolen data.

Further examples of data protection violations:

  • Michael Schumacher's medical file was stolen.
  • Deutsche Bahn illegally kept medical files.
  • Staff illegally read medical records in the Tugce case.
  • The English health authority NHS loses 8 million patient records.

Special features of medical data

1. You cannot always decide on your own

In contrast to other sensitive data, with some medical data it is impossible to decide on your own whether and, if so, to which third party you want to grant access to which data: if you reveal your genetic data, you also reveal information about your relatives, with or against their will. After all, you share important genetic information with them.

2. Some do not want to know their data

It can also be in the interest of the data subject not to know the medical details:

  • Psychological stress: You have to be able to cope with the diagnoses, which are not necessarily good. For example, knowing that you have a high probability of developing Alzheimer's can be a heavy burden. Quality of life up to the onset of the disease (which may never occur at all) can be severely affected.
  • Medical consequences: Some diagnoses can lead you into unnecessary, expensive and dangerous examinations, in the worst case even therapies. Certainly not a source of joie de vivre either.

Of course, there are also risks that affect society rather than the individual. What happens if you choose your partner based on the genetic data set or adopt children based on this information? My genetic data set, for example, supposedly not only allows conclusions to be drawn about the color of the eyes ...

3. Data protection can endanger security

In one hospital, nurses were denied access to patient prescriptions for reasons of data protection. The night shift that checked these prescriptions could not detect a medication error. One patient died.

Security in the sense of IT security and security in the sense of patient safety can be conflicting protection goals.

4. Data protection can slow down progress

Data protection should not prevent us from learning from medical data in order to be able to make diagnoses at an early stage or to identify drugs and treatment methods that have to be selected specifically for a genetic disposition. Anyone who suffers from a previously incurable disease will understand how important this is.

This progress will only be possible if we have as many complete data sets as possible. But we will only achieve this if as many people as possible are ready to make them available. We also have to have systems, processes and standards in place to bring this data together and to guarantee data protection in the best possible way. Certainly not a triviality, because genetic data is difficult to anonymize.

Regulatory requirements for data protection

1. Overview of data protection laws

A large number of complementary, but also contradicting (more precisely, "overriding") regulations on data protection must be observed:

  1. At EU level
    • European Charter of Fundamental Rights
    • The EU GDPR has been in force since May 2018. It replaces the previous Data Protection Directive 95/46/EEC, which only took effect once it had been transposed into national law. In general, an EU regulation does not allow the member states to weaken or tighten its requirements; in this case, however, there are exceptions.
  2. At the federal level
  3. Church data protection laws (interesting that this parallel world exists, right?)
    • E.g. laws for institutions of the Protestant and Catholic Church
  4. At the state level, the state data protection laws
    • for public administration in the state and in municipalities
    • State hospital laws
    • State Registration Act, State Administration Act, ...
  5. Other “special laws” that take precedence over general laws
    • TeleMedia Act
    • Telecommunications Act
    • Health data protection, vaccination law
    • University Act
    • Police Act, Passport Act, Identity Card Act, Residence Act

In contrast to the rest of the legal system, data protection does not follow the principle "what is not forbidden is allowed" but rather "only what is explicitly allowed is allowed".

2. Content of data protection laws

In terms of content, these laws usually deal with the following:

  1. Lawfulness of the data processing (compliance with the legal basis, need for consent, etc.)
  2. Principle of purpose limitation and the principle of guaranteeing the rights of data subjects, e.g. prohibition of profiling, prohibition of collecting data "in reserve" for possible future use, prohibition of automated individual decision-making
  3. The principle of necessity, i.e. the principle of data avoidance and data minimization
  4. Transparency, which is part of the above principles
  5. Principle of clear responsibilities
  6. Principle of control
  7. Use of pseudonymized or anonymized data
  8. Obligation to protect data
  9. Data portability and the right to receive your data (now also part of the EU regulation)
  10. Right to the deletion of data (now also subject of the EU regulation)

The most important law in Germany is the Federal Data Protection Act (BDSG). It pursues the principle of data minimization and data avoidance. The BDSG requires controllers "to anonymize or pseudonymize personal data, as far as this is possible according to the intended use and does not require a disproportionate effort in relation to the intended protection purpose".

The BDSG fundamentally prohibits the collection, processing and use of personal data. Exceptions are only permitted if either other legal provisions allow or require this, or if the data subject has consented.

Often the only sensible and legally resilient procedure is to explicitly ask those affected (e.g. patients, customers) for their consent.

3. Further regulations and publications on data protection

For medical practices:

  • "The recommendations on medical confidentiality, data protection and data processing in the medical practice" of the German Medical Association (BÄK) from April 2014
  • New version of the technical system from 2008, also from the BÄK

For clinics

  • "Orientation aid for hospital information systems", published by the Conference of the Federal / State Data Protection Commissioners (published for the first time in 2011, revised in 2014). This publication requires the clinics to convert their administrative IT to the current risk situation and to technically implement data protection-compliant access rules.

For the health industry in general

  • "Annotated sample ADV contract for the health industry" from January 28, 2015, published by a working group in which, among others, the Society for Data Protection and Data Security (GDD) and the Professional Association of Data Protection Officers of Germany (BvD) were involved. It should help to meet the requirements of § 11 BDSG for the special case of sensitive medical data.

Industry-independent specifications and "best practices"

  • The ISO 27000 family of standards describes the requirements for IT security management and includes data protection as one of the protection goals.
  • The same applies to the IT-Grundschutz catalogues of the Federal Office for Information Security (BSI).

For medical device manufacturers

In contrast to hospitals and medical practices, data protection laws only affect medical device manufacturers indirectly. The latter have to develop systems with which the operators can work in compliance with data protection regulations. With some apps, however, the medical device manufacturers themselves become operators. The following regulatory requirements apply to medical device manufacturers:

  • The MDR requires compliance with data protection, e.g. for clinical trials.
  • ISO 13485:2016 requires that manufacturers guarantee the confidentiality of health information and implement the necessary methods.
  • ISO 13485:2016 also requires that manufacturers meet all regulatory requirements, (not only) for data protection.
