Digitisation did not only enjoy great popularity as a topic in the 2021 German federal election campaign. The German federal government took it also as an opportunity for the hospital sector to set up the “Hospital Future Fund” in 2020 with a funding volume of up to 4.3 billion euros. The aim of this billion-euro funding is to connect the healthcare sector and thus improve patient care, for example by means of digital admission and discharge processes in hospitals or voice-based documentation. To be eligible for funding under the Hospital Future Fund a project must be compliant with data protection law.
This brings us to the core of the problem: How can digital (mostly cloud-based) projects in the hospital sector be implemented in compliance with the current data protection framework in Germany, consisting of federal and national laws?
The first question is which regulations apply under German national law. In this respect, it is not the project setup that matters, but the operator of the respective hospital. Depending on whether the hospital is state, private or church-operated, the respective national laws on data protection (being different for each of the 16 German Federal States) must be observed in addition to the federal laws in Germany. Depending on the institution in question, there can be additional data protection requirements, such as special national laws for psychiatric hospitals and/or specific federal obligations deriving from the German Social Code Book V (SGB V), the German Criminal Code (StGB) or – relating to IT security – the BSI Act. The fact that the hierarchies between the federal laws and the often highly fragmented national (state) laws are not harmonized in Germany does not exactly lead to legal certainty in this area.
Even with this simplified summary, it becomes clear that the data protection legal framework for hospitals in Germany is extremely complex.
However, the fragmented German legal federal and national framework is only the first hurdle that hospitals have to overcome when implementing digital projects. The second hurdle lurks in the specific legal requirements, which often simply no longer reflect the state of digitisation today.
An example for this is a cloud-based application for (privately operated) hospitals processing personal data: Based on the requirements of the General Data Protection Regulation (GDPR), the inclined data protection expert would think of requirements such as data processing agreements, third country transfer and standard contractual clauses. These data protection requirements are quite complex in themselves and in a constant state of development. The hospital in Germany will also have to deal with national law requirements. Although there are no specific requirements for cloud services in any federal state, there are differing regulations on the use of data processors (i.e. providers that process personal data on behalf of the hospital). Whereas Berlin has no national hospital law at all (consequence: the above outlined requirements according to the GDPR apply), Saxony requires the consent of the competent authority, while in Bavaria only another hospital must be used as a data processor. Practical question: Can an operator with hospitals in Berlin, Saxony and Bavaria even find a solution that complies with all data protection requirements within these national frameworks? The result here is currently more likely to be the following: try to avoid the biggest legal risks and then turn a blind eye and head in the direction of digitisation.
And it is precisely this consequence that comes with a considerable risk: without a comprehensible legal framework, the hospitals will develop their own – likewise divergent – data protection standards. Here, the German legislator is called upon to ensure through clear legal requirements that the politically desired digitisation of hospitals is based on the same level of data protection.
The German legislator most recently demonstrated during the COVID-19 pandemic that the legal data protection framework can be simplified: Thus, "only" the regulations of the German Federal Data Protection Act (BDSG) apply to cross-state care and health research instead of the numerous national regulations. The aim of the legislator was to avoid delays in research projects due to the fragmented national regulations. This is a welcome approach. The realisation that fragmented national data protection regulations can inhibit innovation due to their complexity and partial contradictions should also be taken as a basis for the digitisation of the hospital sector.
A uniform legal framework is needed to drive forward the digitisation of hospitals in Germany. This should contain clear requirements for the use of cloud-based services processing patient data. In this way, data protection can be transformed from a supposed obstacle to an enabler of digitisation: Strict but uniform data protection standards would not only increase the protection of healthcare data across hospitals in Germany. It would also act as an incentive for (international) providers of digital healthcare applications to set up their services for the German healthcare market in accordance with uniformly high standards.