Legal framework empowers patients

The changing nature of communication between patients, doctors, and healthcare facilities calls for a clear legal framework. Patient rights must be protected at all costs; at the same time, liability risks must be minimized.

Communication between doctors and patients has changed massively in the space of a few years. On the one hand, this affects the way in which findings and diagnoses are reported, to the point that medical communication training is now the subject of numerous continuing education courses.

On the other hand, there is a trend toward digitization not only of doctor-patient communication, but also of communication between private-practice doctors and hospitals, or between patients and healthcare facilities.

Although many of these processes are still in their infancy, the benefits of modernizing these interactions are obvious. In the collaborative field of healthcare, something like a master patient index can help to ensure that information relevant to treatment does not get lost because of a mismatch or misidentification. This minimizes the risks for individual patients, but also for the treating physicians.

The goal is to minimize the risk to the patients and the treating physicians.

Increase efficiency, eliminate sources of error

Using appropriate systems, such as a cross-enterprise patient record, prevents the loss of treatment-relevant information and helps to reduce human error to a minimum. This can be expected to produce positive effects in liability-related areas, but also in connection with compliance issues. Healthcare facilities that rely on manual data collection, analog record processing, or outdated technical systems will soon face more than just an efficiency problem: they will be more focused on themselves than on the patients.


Many laws, too little clarity

By accessing their patient record, the informed patient plays an increasingly active role in modern doctor-patient interactions. The laws already reflect this. For example, the Patient Rights Act lays out the treating party’s extensive duties to provide information (§ 630c of the German Civil Code (BGB)), the conditions for patient informed consent (§§ 630d and 630e BGB), the treating party’s documentation obligations (§ 630f BGB), and the patient’s right of access (§ 630g BGB), with regular and specific emphasis on electronic options. These principles are also reflected in the right of the individual to receive their own personal data, provided by them to a controller, in a structured, commonly used and machine-readable format, which is now part of Art. 20 (1) of the EU General Data Protection Regulation.

In addition, the “Act on secure digital communication and applications in the healthcare system (the E-Health Act)” paved the way for the electronic patient record (§ 291a, German Social Code (SGB) Book V), although one hopes that the current, rather basic plan developed by gematik (the Organization for Telematics Applications of the Health Card) will eventually be fleshed out. This may require additions to and/or partial revision of the E-Health Act.


Efficient consent management

Under the EU General Data Protection Regulation mentioned above, there is finally explicit affirmation that consent to the use of personal information—e.g. by “choosing technical settings for information society services”—can also be given electronically.

The fact that the EU General Data Protection Regulation also addresses consent granted for “multiple purposes” is of particular interest in this context. This means that it is possible to give many different statements of consent for individual purposes, or else a single consent for one individual purpose. This represents quite a considerable expansion of the informed consent triad commonly encountered in the past:

  • Consent to treatment
  • Consent to further handling of biomaterials (e.g. for transport to a biobank)
  • Consent to uniform data protection

Well-organized and reliable management of existing consents and potential changes made to them will therefore be essential in the future. This is the only way to control the risk of recourse.

Patients’ health information is always sensitive information, which, logically, is subject to a particularly rigorous protection regime. This means there is another need: If the patient is given the ability to access their patient record electronically, it is in the treating facility’s interest to log and document such access. Otherwise, it is much more difficult to identify and refute alleged violations of the applicable data protection laws or of the treatment contract that are in fact attributable to the fault of the patient.


Legal security is a must

This much is clear: Electronic communication between doctors, patients, and various healthcare facilities is already a reality. However, in view of the sensitive nature of the situation, the technical solutions used for this purpose must provide an exceptional degree of assurance that the requirements of medical and data protection laws and the individual’s right to privacy are met, and that liability risks are minimized in the process.