The Act to Accelerate the Digitalization of the Healthcare System (“Digital Act”) was announced on 26 March 2024. In Section 393 of the Fifth Social Insurance Code (“SGB V”) as amended, the Digital Act contains far-reaching regulations on the permissibility of cloud use in the healthcare sector, which will come into force on 1 July 2024. Accordingly, social and health data may only be processed by means of cloud computing if the requirements of Section 393 SGB V as amended are met.
Providers of cloud computing services or software-as-a-service in the life sciences sector may not be aware that they too are subject to the provisions of the Digital Act, nor which legal and technical requirements they must fulfil. Implementing these requirements can involve a number of hurdles. It is nevertheless essential in order to be able to (continue to) offer cloud services to healthcare providers (such as hospitals and doctors) and to health and long-term care insurance funds from 1 July 2024.
Territorial restriction of processing
The new regulation in Section 393 (2) SGB V as amended significantly restricts the place of processing. Processing may only take place (i) in Germany, (ii) in a member state of the European Union, (iii) in the European Economic Area and Switzerland, or (iv) in a third country for which an adequacy decision under Art. 45 GDPR exists. A further prerequisite for processing is that the data controller has an establishment in Germany.
This type of territorial restriction is nothing new in German health data protection law. Section 80 of the Tenth Social Insurance Code (“SGB X”) already contains a comparable restriction. Section 393 (1) SGB V as amended is now being added to the SGB V as a more specific provision that concretises the previous general rule of Section 80 SGB X for the use of cloud services in the healthcare sector.
Requirement of a branch office
If the processing of health and social data does not take place exclusively in Germany, it must also be ensured that the processing organisation has an establishment (branch) in Germany. The term ‘establishment’ is defined neither in the Digital Act nor in its explanatory memorandum. Whether an establishment exists in a given case must therefore be assessed on the basis of the principles developed by the European Court of Justice (ECJ). In particular, it must be ensured that the processing actually takes place in the context of the activities of that establishment.
New obligation for certification
According to Section 393 para. 3 no. 2 SGB V as amended, the body processing the data must hold a current certificate in accordance with the Cloud Computing Compliance Criteria Catalogue (also known as C5). The C5 criteria catalogue of the Federal Office for Information Security (BSI) specifies minimum requirements for secure cloud computing. Software providers and service providers must check whether they fall under this certification obligation.
Service providers within the meaning of SGB V do not necessarily have to be C5 certified themselves. The C5 certification obligation does, however, usually fall on the providers of the cloud computing services or software-as-a-service they use.
Applicability within a corporate group
The new regulation can also lead to pitfalls when applied to corporate groups. A distinction must be made as to when an individual group company falls under the C5 certification obligation because it offers cloud computing services within the group or ‘passes through’ services from external providers to other group companies.
Affected processing activities
Lastly, it is particularly important for service providers within the meaning of SGB V to note which processing activities are covered by Section 393 SGB V as amended. The Digital Act contains no explicit provision on this. As a result, Section 393 SGB V as amended will also apply, for example, where service providers provide not only standard services within the statutory health insurance system but also private medical services.
Conclusion
Section 393 SGB V as amended contains pitfalls for healthcare providers and for health and long-term care insurance funds, as well as for providers of cloud computing services and software-as-a-service. It is therefore important to assess the applicability of the regulation and the exact scope of the C5 certification obligation on the basis of the individual cloud service and its intended use.