Notes on the protection of your data

All data collected by BKK WIRTSCHAFT UND FINANZEN (BKK W&F) is subject to the European General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the special social data protection provisions of the German Social Code (SGB) and, with regard to our website and mobile applications, the provisions of the German Telecommunications Telemedia Data Protection Act (TTDSG).

BKK W&F collects and uses your personal data exclusively within the scope of these provisions. You will find specific information on this in the following explanations.

Information on data processing pursuant to Art. 13 EU GDPR by BKK WIRTSCHAFT & FINANZEN (BKK W&F)

BKK WIRTSCHAFT UND FINANZEN and its long-term care insurance fund collect, process, store and use social data to fulfill their legal mandate. Here you will find an overview of the processing purposes and legal bases.

Identity of the person responsible

Responsible for data processing is the

BKK WIRTSCHAFT UND FINANZEN
Corporation under public law
Bahnhofstr. 19
34212 Melsungen

Phone: +49 561 51009 600
E-mail: info[at]bkk-wf.de

Postal address:
BKK WIRTSCHAFT UND FINANZEN
Head office
Bahnhofstraße 19
34212 Melsungen

Data Protection Officer

If you have any questions about the processing of your personal data, you can contact our data protection officer:

BKK WIRTSCHAFT UND FINANZEN
Data Protection Officer
Bahnhofstraße 19
34212 Melsungen

Telephone: +49 561 51009 600
E-mail: datenschutz[at]bkk-wf.de

What do we process your data for and on what legal basis?

As a provider of solidarity-based health and long-term care insurance, the BKK W&F has the task of maintaining, restoring or improving the health of its insured persons and providing assistance to those in need of long-term care who are dependent on solidarity-based support due to the severity of their need for care. Benefits and other expenses are financed by levying contributions from employers and members. In order to be able to perform these legally prescribed tasks, BKK W&F processes the necessary data. This data is collected from you on the basis of statutory obligations to cooperate (see, among other things, §§ 60 ff. of the First Social Code (SGB I)) or consent. BKK W&F also receives data from third parties (e.g. from your employer or service providers) in accordance with the Social Code. Failure to cooperate can lead to disadvantages for you in the granting of benefits (refusal or withdrawal of benefits).

For health insurance, the legal basis for data processing results from § 284 and § 288 SGB V and § 10 AAG, for long-term care insurance from § 94 and § 99 SGB XI. In addition, BKK W&F is also assigned tasks under other statutory provisions for which personal data must be processed. These include in particular

  • Determination of the insurance relationship and membership, including the data required for the initiation of an insurance relationship
  • Issuing the electronic health card
  • Determination of the obligation to pay contributions and the contributions, who bears them and their payment
  • Examination of the obligation to provide benefits and the provision of benefits to insured persons, including the requirements for benefit restrictions, determination of the co-payment status and implementation of the procedures for reimbursement of costs, repayment of contributions and determination of the limit on the burden
  • Support for insured persons in the event of treatment errors
  • Assumption of treatment costs for persons not subject to compulsory insurance in accordance with § 264 SGB V against reimbursement of costs
  • Involvement of the medical service
  • Invoicing with service providers, including checking the legality and plausibility of invoicing
  • Monitoring compliance with the contractual and legal obligations of providers of medical aids
  • Monitoring the economic efficiency of service provision
  • Billing with other service providers
  • Implementation of reimbursement and compensation claims against third parties
  • Preparation, agreement and implementation of morbidity-oriented remuneration contracts
  • Preparation and implementation of pilot projects, contracts for integrated forms of care and for the outpatient provision of highly specialized services, including the performance of efficiency and quality audits
  • Implementation of risk structure compensation as well as the preparation and implementation of structured treatment programs, including the recruitment of insured persons to participate in them
  • Conclusion and implementation of care rate agreements, remuneration agreements and service and quality agreements
  • Advice on prevention and rehabilitation measures and advice on participation as well as care services and assistance
  • Coordination of care assistance, care advice and performing tasks in the care support centers
  • Implementation of discharge and sickness benefit case management
  • Recruitment of members
  • Compensation of employer expenses for illness and maternity
  • Combating misconduct in the healthcare sector (Section 197a SGB V)
  • Research project

In addition, BKK W&F processes data on the basis of express declarations of consent (Art. 6 para. 1a EU GDPR).

What data do we process?

We process the following categories of data:

    1. Personal data (e.g. address and communication data, date of birth, photograph)
    2. Data on membership and its initiation
    3. Data on the insurance relationship
    4. Contribution and payment data
    5. Service, care and billing data including health data (e.g. diagnoses, periods of incapacity for work)
    6. Data on the caregiver
    7. Data on the legal representative
    8. Data on elective tariffs and bonus programs
    9. Data from service providers and other contractual partners
    10. Data from employers and their tax advisors
    11. Data from interested parties
    12. Data from applications (you can find more information on this in the declaration in accordance with the Telecommunications and Telemedia Data Protection Act (TTDSG))

Who receives your data?

Data is regularly transferred within the framework of the statutory provisions to: Pension and accident insurance providers, the Federal Employment Agency, the Medical Service of the Health Insurance Fund, service providers, social welfare providers and, in the context of payment transactions, to financial institutions, employers and paying agents. In addition, data may only be transmitted in the individual cases specified by law in accordance with Sections 67d et seq. of SGB X (e.g. police authorities, local and municipal authorities, tax authorities).

BKK W&F may have its statutory tasks performed by another service provider, working groups or other service providers (in particular processors).

BKK W&F may use and process the lawfully collected and stored data of the data subjects for other purposes, provided that there is another legal basis for this under the German Social Security Code or the express consent of the data subject.

Order processing

BKK W&F transfers personal data or social data to service providers (processors) who work for BKK W&F in accordance with Section 80 SGB X or Section 62 BDSG in compliance with the legal requirements.

To give you a better overview, we provide you with a corresponding list in which the categories of recipients and the purpose of the assignment are named.

Order processing | Purpose
IT service provider | IT and telecommunications services such as the BKK online office
File and data media shredder | Disposal of files and data carriers
Lettershops, postal and parcel services, printers | Printing services
Provider for digital health | Provision of digital health services for BKK W&F policyholders
Card producer, trust center, photo service | Electronic health card
Billing service provider | Checking invoices from service providers, e.g. doctors and suppliers of medical aids
Telephone services | Health hotline, answering calls during off-peak hours and at night

How long do we store your data?

The data is stored for the performance of tasks and for the duration of the statutory retention periods (e.g. Section 110a SGB IV, Section 304 SGB V, Section 84 SGB X, Section 107 SGB XI) and then deleted.

What rights do you have?

  • Right to information about processed data (Art. 15 EU GDPR in conjunction with Section 83 SGB X)
  • Right to rectification of inaccurate data (Art. 16 EU GDPR in conjunction with Section 84 SGB X)
  • Right to erasure (Art. 17 EU GDPR in conjunction with Section 84 SGB X)
  • Right to restriction of processing (Art. 18 EU GDPR in conjunction with Section 84 SGB X)
  • Right to object (Art. 21 EU GDPR in conjunction with Section 84 SGB X)
  • Right to data portability (Art. 20 EU GDPR)

In the case of data processing based on consent, you have the right to withdraw this consent at any time with effect for the future.

Automated individual case decision

In some processes, decisions are made based exclusively on automated processing. According to Section 31a SGB X, this is permitted and is only carried out by us if your request can be fully complied with. If your request cannot be complied with in full, processing will be carried out personally by our customer advisors. This takes into account the requirements of Art. 22 GDPR.

Right of appeal

As a data subject, you have the right to contact the competent supervisory authorities responsible for BKK W&F:

  1. The Federal Commissioner for Data Protection and Freedom of Information
    Graurheindorferstraße 153, 53117 Bonn
    Phone: +49 228 997799-0
    poststelle[at]bfdi.bund.de
  2. Federal Social Security Office
    Friedrich-Ebert-Allee 38
    53113 Bonn
    Phone: +49 228-619-0
    poststelle[at]bas.bund.de

For further information, please refer to the data protection declaration in accordance with the Telecommunications Telemedia Data Protection Act and the separate data protection information on electronic patient records.

Privacy policy in accordance with the Telecommunications Telemedia Data Protection Act

The following information provides a simple overview of what happens to your personal data when you visit our website.

Data acquisition

Responsibility

Data processing on this website is carried out by BKK W&F as the website operator. Information on contact details, rights and other legal bases can be found in the information on data processing in accordance with Art. 13 GDPR also contained on this page.

Shapes

Data is collected when users provide it to us, for example via a contact form. Other data is collected automatically or with your consent when you visit the website. This is primarily technical data (e.g. internet browser, operating system or time of page view). This data is collected automatically as soon as you enter this website.

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested.

We will retain the data you provide on the contact form until you request its deletion, revoke your consent for its storage, or the purpose for its storage no longer pertains (e.g. after fulfilling your request). Mandatory statutory provisions – in particular retention periods – remain unaffected.

Utilization

Necessary technical data is collected in order to ensure error-free provision of the website. Data collected with prior consent is used to analyze user behavior. Data collected and stored for participation in offers on the website are subject to the data protection regulations of the Telecommunications Telemedia Data Protection Act (TTDSG). BKK W&F collects and uses your personal data exclusively within the framework of these provisions.

Hosting

This website is hosted by an external service provider. The personal data collected on this website is stored on the hoster’s servers. This is primarily IP addresses, contact requests, meta and communication data, contact details, names, website accesses and other data generated via a website.

The hoster is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 para. 1 lit. f GDPR).

The hoster named below processes the data in compliance with the data protection provisions of an agreement on commissioned data processing only insofar as this is necessary to fulfill its performance obligations:

Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen

Technical

SSL or TLS encryption

This site uses SSL or TLS encryption to protect the transmission of confidential content. You can recognize an encrypted connection by the fact that the address bar of the browser changes from “http://” to “https://” and by the lock symbol in the address bar. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties during transmission.

Access

Our website collects general information each time it is accessed. This general information is stored in the log files of our web server. The browsers and versions used, the operating system used by the accessing system, the website from which an accessing system accesses our website, the sub-websites which are accessed via an accessing system on our website, the date and time of access to our website, an Internet protocol address (IP address) and the Internet service provider of the accessing system can be recorded. This information is used to prevent attacks on our systems and is stored for a few days.

When using this general data and information, BKK WIRTSCHAFT UND FINANZEN does not draw any conclusions about the data subject. The information is required to correctly deliver the content of our website, to ensure the long-term functionality of our systems and the technology of our website and to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack. This anonymously collected information is analyzed to increase data protection and data security and to ensure the protection of the personal data we process. The anonymous data of the log files are stored separately from all personal data provided by a data subject. The legal basis for the temporary storage of the data is Art. 6 para. 1 lit. f GDPR.

Contact via the website

The BKK WIRTSCHAFT & FINANZEN website contains e-mail addresses, fax numbers and telephone numbers that enable quick electronic contact and direct communication with our company. If a data subject contacts the controller by e-mail or via a contact form, the personal data transmitted by the data subject is automatically stored. Such personal data transmitted voluntarily by a data subject to the controller is stored exclusively for the purposes of processing or contacting the data subject. This personal data is not passed on to third parties. If the data is transmitted via the contact form, the data is transmitted to us in encrypted form.

The legal basis for the processing of the data is Art. 6 para. 1 lit. a GDPR if the user has given consent. The user has the option to revoke their consent to the processing of personal data at any time.

Cookies

The website uses cookies. When accessing our website, users are therefore informed about the use of cookies by an info banner (consent layer) and referred to this privacy policy. If cookies are used by third-party companies or for analysis purposes, prior consent is required as part of the privacy policy.

Cookies are text files that are placed and stored on a computer system via an Internet browser. They contain a unique identifier, a so-called cookie ID. This cookie ID allows websites and servers visited to be assigned to the Internet browser in which the cookie was stored. This enables the websites and servers visited to distinguish the internet browser of the data subject from other internet browsers that contain other cookies.

By using cookies, we ensure the functionality of our website and improve the user experience. The data collected is not used to create user profiles.

We currently use the following cookies on our website:

Technically unnecessary cookies are only set with your consent. You can

You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.

You can view your consent history here:

BKK online office (OGS)

Like the central data processing system used by BKK W&F, the BKK online office (OGS) is hosted by BITMARCK, based in Essen, whose long-standing shareholders include BKK W&F as well as many other health insurance companies. This is the basis for order processing in accordance with Art. 28 of the General Data Protection Regulation (GDPR).

In order to use both the web and the app version, registration with identification verification through an Identity & Access Management System (IAM), also provided by BITMARCK, is required.

As part of registration, personal information is made available in your personalized area, some of which can also be changed by the insured person themselves:

  • First name and surname
  • Health insurance number
  • Address
  • Date of birth
  • Mobile phone number(s)
  • Telephone number(s)
  • E-mail address(es)
  • Start or end of insurance
  • If applicable: co-insured family members

For security reasons, a link is also established with your end device (device registration). During device registration, BKK W&F collects and stores the following data:

  • User ID
  • Model of the bound end device
  • Serial number of the bound end device
  • OS type
  • OS version
  • Last login process
  • Installed version

By completing the registration process, users consent to BKK W&F collecting and processing the personal data they provide. This consent can be revoked at any time with effect for the future by making a corresponding declaration to us. However, we would like to point out that use without consent is no longer possible.

Further data is collected during the use of the various online services (e.g. uploading a certificate of incapacity for work) within the BKK Internet branch.

When you use one of these applications, services transmit anonymized information to BKK W&F for the purpose of analyzing error-free functionality and troubleshooting. The information collected in this way is stored exclusively on servers in Germany.

The following data is collected:

  • Type and version of the browser you are using,
  • Session ID
  • Client IP (shortened)
  • Customer ID
  • Visited area
  • Operating system used
  • Mobile device used
  • Time of access
  • Contents of form fields

The data is collected in order to prevent misuse of your access and also to ensure the necessary traceability. In the event of failed logins, the full client IP address is saved instead of the shortened client IP.

The legal basis for the processing of the data is Art. 6 para. 1 lit. a GDPR if the user has given consent.

Within the legal framework, the data controller shall provide any data subject with information on which personal data of the data subject is stored at any time upon request. Furthermore, the controller shall correct or delete personal data at the request or notice of the data subject, provided that this does not conflict with any statutory retention obligations. The data protection officer and all employees of the controller are available to the data subject as contact persons in this context.

GeCo modules
Consent basic module

You can use the “Health data” module to save your health data (e.g. allergies, illnesses, pregnancy status) in your health cockpit so that we can provide the modules for which this data is required (e.g. preventive care reminders, medication plan) more easily without you having to enter this data again.
We process the following data for this purpose:
– Your age
– Your gender
– Pregnancy status with date, if you specify this
– Existing allergies, if you specify these
– Existing illnesses, if you specify these
In order to use the modules for which this data is required, you must give your consent again separately for the respective modules. This “Health data” module is only used for simplified data collection so that you do not have to enter your data several times when using several modules.
The data will be processed for this purpose for as long as you use the “Health data” module or the modules that require this data. You can withdraw your consent at any time. This does not affect the lawfulness of the processing carried out on the basis of the consent until revocation. Consent is voluntary. If you do not give your consent, you will not be able to use the “Health data” module or the modules of our app that require the relevant data. However, this has no effect on other health and long-term care insurance benefits.

Consent Vaccination recommendation

With the help of the “Vaccination recommendation” module, you can be reminded of the vaccinations recommended by the Standing Committee on Vaccination (STIKO) based on your age and place of residence, as well as the vaccinations recommended by STIKO and the German Society for Tropical Medicine for trips abroad based on the country of travel, the arrival and departure date and the type of trip. The module also provides you with information on the respective disease patterns and the available vaccines.
We process the following data for this purpose:
– Your date of birth
– Your gender
– Your federal state
– Previous vaccinations, if you specify them
– Your country of travel, if you specify it
– Arrival and departure dates for the trip, if you specify them
– Type of trip, if you specify it
The data will be processed for this purpose for as long as you use the “Vaccination recommendation” module. You can withdraw your consent at any time. This does not affect the lawfulness of the processing carried out on the basis of your consent until you withdraw it. Consent is voluntary. If you do not give your consent, you will not be able to use the “Vaccination recommendation” module. However, this has no effect on other health and long-term care insurance benefits.

Consent medication information

With the help of the “Medication information” module, you can find out about interactions and risks when taking medication based on your allergies, illnesses and medication details. The module can also remind you to take medication and process medication schedules.
We process the following data for this purpose:
– Your age
– Your gender
– Existing allergies, if you specify them
– Existing illnesses, if you specify them
– Medication you are taking, if you specify them
– Medication schedules, if you specify them
We use an external service provider for the purpose of searching for medication and displaying medication information. The data on the medication you are taking is transmitted anonymously to this service provider to enable the medication search and the display of information on this medication.
The data is processed for this purpose for as long as you use the medication information. You can withdraw your consent at any time. This does not affect the lawfulness of the processing carried out on the basis of the consent until revocation. Consent is voluntary. If you do not give your consent, you will not be able to use the medication information. However, this has no effect on other health and long-term care insurance benefits.

Consent to precautionary reminders

You can use the “Preventive care reminder” module to be reminded of recommended preventive check-ups or scheduled appointments for preventive check-ups based on your age and gender. If you are pregnant, you also have the option of receiving reminders for check-ups for pregnant women.
We process the following data for this purpose:
– Your age
– Your gender
– Pregnancy status with date, if you specify this
– Dates of planned or completed check-ups
The data is processed for this purpose for as long as you use the reminder service. You can withdraw your consent at any time. This does not affect the lawfulness of the processing carried out on the basis of the consent until revocation. Consent is voluntary. If you do not give your consent, you will not be able to use the reminder service for check-ups. However, this has no effect on other health and long-term care insurance benefits.

Consent eAU certificate

You can use the “eAU certificate” module to view electronic certificates of incapacity for work that your doctor has sent to us. The module also offers you the option of receiving a push notification when you receive a new eAU.
We process the following data for this purpose:
– Type and status of the certificate
– Duration of incapacity for work
– Issuing doctor
– Diagnoses included
– Optional information (e.g. information in connection with an accident or sickness benefit)
The data will be processed for this purpose for as long as you use the “eAU certificate” module. You can withdraw your consent at any time. This does not affect the lawfulness of the processing carried out on the basis of your consent until you withdraw it. Consent is voluntary. If you do not give your consent, you will not be able to use the “eAU certificate” module. However, this has no effect on other health and long-term care insurance benefits.

BKK Newsletter

On the BKK WIRTSCHAFT UND FINANZEN website, users are given the opportunity to subscribe to the BKK WIRTSCHAFT UND FINANZEN newsletter free of charge. The input mask used for this purpose determines what personal data are transmitted to the controller when the newsletter is ordered. BKK WIRTSCHAFT UND FINANZEN informs insured persons and employer customers about offers and news at regular intervals by means of a newsletter. The newsletter can only be received by the data subject if the data subject has a valid e-mail address and the data subject has registered to receive the newsletter. For legal reasons, a confirmation email is sent to the email address entered by the data subject for the first time for the newsletter mailing. This confirmation email is used to check whether the owner of the email address as the data subject has authorized the receipt of the newsletter.

When registering for the newsletter, we also store the IP address assigned by the Internet service provider of the computer system used by the data subject at the time of registration, as well as the date and time of registration. The collection of this data is necessary in order to be able to trace a possible misuse of the e-mail address of a data subject at a later point in time and therefore serves the legal protection of the controller.

The personal data collected when subscribing to the newsletter is used exclusively to send our newsletter. Furthermore, subscribers to the newsletter may be informed by e-mail about changes to the newsletter offer or changes to the technical conditions. The personal data collected for the newsletter service will not be passed on to third parties. The subscription to our newsletter can be canceled by the subscriber at any time. The consent to the storage of personal data that the subscriber has given us for sending the newsletter can be revoked at any time. There is a link in every newsletter for revoking consent and terminating the subscription. The notification of termination of the newsletter dispatch can also be sent to the controller by other means.

The newsletters of BKK WIRTSCHAFT & FINANZEN contain so-called tracking pixels. A tracking pixel is a miniature graphic that is embedded in e-mails sent in HTML format to enable log file recording and log file analysis. This allows a statistical evaluation of the success or failure of online marketing campaigns to be carried out. Based on the embedded tracking pixel, the BKK WIRTSCHAFT UND FINANZEN may see if and when an e-mail was opened by a data subject, and which links in the e-mail were called up by data subjects. Such personal data collected via the tracking pixels contained in the newsletters are stored and evaluated by the data controller in order to optimize the newsletter dispatch and to adapt the content of future newsletters even better to the interests of the data subject. This personal data is not passed on to third parties.

We use the provider Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany, to send the newsletter. The data you enter for the purpose of subscribing to the newsletter is stored on the servers in Germany. With the help of Sendinblue, we are able to analyze our newsletter campaigns. For example, we can see whether a newsletter message has been opened and which links have been clicked on. In this way, we can determine, among other things, which links were clicked on particularly often. If you do not wish to be analyzed by Sendinblue, you must unsubscribe from the newsletter. We provide a link for this purpose in every newsletter message.

Links to other websites

Our online offer contains a few links to other websites. If these are commissioned by BKK W&F, they are transparently separated from the area of responsibility of BKK W&F by means of information on the homepage and imprint. If you visit linked websites, the data protection provisions of the operators apply. We would like to point out that data may also be processed outside the European Union and used by them for market research and advertising purposes and that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by the providers of the social networks.

Chatbot communication system

We use AI-powered software to process and respond to customer inquiries. The AI we use analyzes the content of your message to generate a suitable answer or answer suggestion autonomously or semi-autonomously. In this context, our AI processes all content of your message, including names, health data, personal data, special personal data, email addresses, communication content, or technical information (e.g., IP addresses, device information).

The use of the AI software is based on Article 6(1)(f) GDPR or Article 9(2)(a) GDPR. We have a legitimate interest in the most efficient customer communication possible using modern technical solutions. You can revoke your given consent at any time with future effect. Your data will be deleted immediately after the dialogue ends, or after one day at the latest in case of any errors in the browser or application.

The LLM model can collect and process personal data such as name, address, phone number, or email address if entered in the chat. However, BKK W&F does not systematically collect or store this personal data.

Personal data will not be passed on to third parties unless this is required by law, for example, or is legitimate for the fulfillment of our contractual obligations.

We use the following AI applications:

IONOS Cloud

We use IONOS Cloud for our customer communication. The provider is IONOS SE, Elgendorfer Str. 57, 56410 Montabaur. When you contact us, your inquiries, including metadata, may be transferred to the servers of this provider and processed there to generate a suitable response.

Order processing

We have concluded a contract for order processing (AVV) for the use of the above-mentioned service. This is a contract required under data protection law, which ensures that the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

Handling data from applications

We offer interested parties the opportunity to apply for a job with us. We assure you that your data will be collected, processed and used in accordance with applicable data protection law and all other statutory provisions and that your data will be treated in strict confidence.

In order to carry out an application process, we require the data of applicants. During the application process, we only process applicants’ data for this purpose and in accordance with the legal requirements. The processing is carried out to fulfill our pre-contractual and later our contractual obligations in the context of the application procedure within the meaning of Art. 6 para. 1 lit. b GDPR, Art. 6 para. 1 lit. f GDPR and Art. 88 GDPR. We use the onlyfy by XING online application tool on our website for administration purposes. For this purpose, there is an agreement on joint controllership within the meaning of Art. 26 GDPR between BKK W&F and onlyfy.

In the online application form on our website, we have marked the required data that can also be found in the job descriptions. This includes personal details, postal and contact addresses and the documents relating to the application. Applicants also voluntarily provide us with additional information. By submitting their application documents, applicants declare their consent to our data protection information and to the processing of their data for the purposes of the application process.

Insofar as applicants voluntarily provide us with special categories of personal data within the meaning of Art. 9 para. 1 GDPR, their processing is additionally carried out in accordance with Art. 9 para. 2 lit. b GDPR. Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR are requested from applicants, their processing is additionally carried out in accordance with Art. 9 para. 2 lit. a GDPR.

Applicants can send us their applications using an online form on our website. The data is transmitted in encrypted form in accordance with the state of the art. You can also send us your application by e-mail. However, we cannot encrypt the transmission; only the applicant can do so. We therefore accept no responsibility for the transmission path of applications between the applicant as the sender and the recipient. As we cannot accept any responsibility for receipt on our server, we recommend that you use our online form or send your application by post.

In the event of a successful application, the personal data provided to us by the applicant will be further processed by us for the purposes of the employment relationship. If the application for a job offer is unsuccessful, the data will be deleted after six months. This period is necessary in order to answer any follow-up questions about the application and to be able to meet our obligations to provide evidence under the Equal Treatment Act. The applicant has the right to object. Applicants’ data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time.

As part of the application process, we also offer applicants the option of having their application included in our applicant pool for a period of one year on the basis of consent within the meaning of Art. 6 para. 1 lit. b and Art. 7 GDPR. In this case, the application documents will remain in the applicant pool and will only be processed in the context of future job advertisements and the search for employees and will be destroyed at the latest after the deadline has expired if the applicant has not consented to extend the deadline. Applicants are informed that their consent to inclusion in the applicant pool is voluntary, has no influence on the current application process and that they can revoke this consent at any time with effect for the future and raise an objection within the meaning of Art. 21 GDPR.

BKK finder

Description and scope of data processing

We have integrated BKK-Finder on our website by means of an iframe. The data processing is carried out by: BKK Dachverband e.V., Mauerstraße 85, 10117 Berlin.

You can find the following services via the BKK Finder:

  • BKK doctor finder
  • BKK Midwife Finder
  • BKK clinic finder
  • BKK Care Finder

The following data is processed when loading the BKK finder:

  • IP address
  • Date and time of access
  • Name and URL of the retrieved file
  • Amount of data transferred
  • Message as to whether the retrieval was successful
  • Recognition data of the browser and operating system used
  • Website from which the access is made
  • Name of your Internet access provider

When using the BKK finder, at least the following data is processed:

  • City or postal code

Further information on the data protection of the service provider can be found here: Information on data protection at BKK Dachverband e.V.

Legal basis for data processing

The use of the BKK finder on our website is voluntary and is based on your consent in accordance with Art. 6 para. 1 lit. a) GDPR.

Purpose of data processing

We use the BKK Finder to offer our website visitors a search option for medical professionals or medical facilities.

Duration of data storage

The data will be stored until the purpose of the data processing has been achieved and no legal, contractual or official retention obligations prevent deletion.

Possibility of removal by the data subject

As the data processing is based on your consent, you can prevent it by not consenting to it. You also have the option of withdrawing your consent to data processing, see Art. 7 GDPR. A revocation takes effect from the time it is declared. It takes effect for the future. You can withdraw your consent at any time. To do so, please contact the data protection department of BKK Dachverband e.V. By changing your settings in the consent banner on our website, you can prevent the service from being displayed in the future.

Social Media

This privacy policy applies to the following social media sites

Data processing by social networks

We maintain publicly accessible profiles on social networks. The individual social networks we use are listed below.

Social networks such as Facebook, X etc. can generally analyze your user behavior comprehensively when you visit their website or a website with integrated social media content (e.g. like buttons or advertising banners). Visiting our social media presences triggers numerous data protection-relevant processing operations. In detail:

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. In this case, this data is collected, for example, via cookies that are stored on your device or by recording your IP address.

With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you inside and outside the respective social media presence. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are logged in or have been logged in.

Please also note that we cannot track all processing operations on the social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and data protection provisions of the respective social media portals.

Legal basis

Our social media presences are intended to ensure the widest possible presence on the Internet. This is a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. The analysis processes initiated by the social networks may be based on different legal bases, which must be specified by the operators of the social networks (e.g. consent within the meaning of Art. 6 para. 1 lit. a GDPR).

Responsible party and assertion of rights

If you visit one of our social media sites (e.g. Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. You can assert your rights (information, rectification, erasure, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media portal (e.g. against Facebook).

Please note that, despite the joint responsibility with the social media portal operators, we do not have full influence on the data processing procedures of the social media portals. Our options are largely determined by the corporate policy of the respective provider.

Storage duration

The data collected directly by us via the social media presence will be deleted from our systems as soon as you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies. Stored cookies remain on your end device until you delete them. Mandatory statutory provisions – in particular retention periods – remain unaffected.

We have no influence on the storage period of your data that is stored by the operators of the social networks for their own purposes. For details, please contact the operators of the social networks directly (e.g. in their privacy policy, see below).

Your rights

You have the right to receive information about the origin, recipient and purpose of your stored personal data free of charge at any time. You also have the right to object, the right to data portability and the right to lodge a complaint with the competent supervisory authority. Furthermore, you can request the correction, blocking, deletion and, under certain circumstances, the restriction of the processing of your personal data.

Social networks in detail

LinkedIn

We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies.

If you wish to deactivate LinkedIn advertising cookies, please use the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs.

Details on how they handle your personal data can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/5448

YouTube

We have a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Details on how they handle your personal data can be found in YouTube’s privacy policy: https://policies.google.com/privacy?hl=de.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/5780

Data protection declaration and mandatory information of BKK WIRTSCHAFT & FINANZEN (BKK W&F) in accordance with Section 343 (1a) SGB V for the electronic patient file (ePA)

Privacy policy ePA e-prescription TI-M app version 3.4.0 from 16.12.2025

1 General information

1.1 Preliminary remarks

1.2 Name and address of the person responsible

1.3 Contact details of the data protection officer of the controller

1.4 Responsible data protection supervisory authority

1.5 Responsible legal supervision

1.6 General information on data processing

1.7 Provider of the ePA app

1.8 Integration of third parties

1.9 Data collection of information when downloading the ePA app

1.10 Data processing within the European Union

1.11 Your rights as a data subject

1.12 Automated decision making

2 Registration, identification and authentication

2.1 Overview

2.2 Registration and identification

2.3 Authentication (login)

2.3.1 Authentication via health ID

2.3.2 Authentication using an electronic health card

2.4 Scope of data processing

2.5 Legal basis for data processing

2.6 Purpose of data processing

2.7 Duration of storage and deletion of data

3 Application electronic patient file (ePA)

3.1 Description and scope of data processing

3.2 Authorization of persons representing

3.3 Legal basis for data processing

3.4 Purpose of data processing

3.5 Duration of storage and deletion of data

3.6 Rights of objection in connection with the electronic patient file

3.7 Information on the electronic patient file (ePA) in accordance with Section 343 (1a) SGB V

4 E-prescription application

4.1 Description and scope of data processing

4.2 Legal basis for data processing

4.3 Communication between pharmacies and insured persons via the ePA app

4.4 Card functions

4.5 Purpose of data processing

4.6 Duration of storage

4.7 Revocation options for the use of the e-prescription application

5 TI-Messenger (TI-M) application

5.1 Description and scope of data processing

5.2 Legal basis for data processing

5.3 Purpose of data processing

5.4 Duration of storage

5.5 Content of the chat communication

6 Jumps to the organ donation register and the National Health Portal

7 Collecting data for an error report

7.1 Automatically transmitted data

7.2 Manually transmitted data

7.3 Legal basis for data processing

7.4 Purpose of data processing

7.5 Duration of storage

8 Support for questions about the ePA app

8.1 Description and scope of data processing

8.2 Chatbot

8.3 Transaction processing system

8.4 Legal basis for data processing

8.5 Purpose of data processing

8.6 Duration of storage

1 General information

1.1 Preliminary remarks

The BKK W&F ePA is the BKK WIRTSCHAFT UND FINANZEN app that you can use to access your electronic patient file (ePA) and other functions. The insured person can choose between the following applications or jumps in the ePA app:

– Use of the electronic patient file (ePA)

– E-prescription application

– TI-Messenger (TI-M) application

– Jump to organ donation register (OGR)

– Jump to gesund.bund

With these functions, the ePA app is a central component of digitalization in the healthcare sector and is intended to improve medical care by enabling relevant health data to be stored and shared securely and clearly.

The ePA app and its applications are made available to all our insured persons for voluntary use. This document contains important information on data processing when using the ePA app.

The specifications for the functions of the ePA app are drawn up by the National Agency for Digital Medicine (gematik GmbH) under the legal supervision of the Federal Ministry of Health (BMG) and in consultation with the Federal Office for Information Security (BSI) and the Federal Commissioner for Data Protection and Freedom of Information (BfDI).

These requirements are implemented under strict security conditions, and the development process itself, the program code and the operation of the solution are all checked by independent, certified and accredited bodies as part of an approval process and continuous audits.

A safety report is required for each approval, which checks both technical and functional suitability.

Notes on language rules

In the interests of better readability and a simplified processing procedure, the gender-equitable form of address has been replaced by the uniform use of the terms:

– “Insured”

– “Representative”

The use of these terms always refers to all genders without restriction.

Compatible end devices and operating systems

The ePA app is intended for use on mobile devices (e.g. smartphones) and stationary devices (e.g. PCs, laptops). In the remainder of this document, the application is referred to as the mobile ePA app on mobile devices and the desktop ePA app on stationary devices. If the term ePA app is used without further specification, it refers to both variants.

The mobile ePA app is available for the iOS and Android operating systems. The desktop ePA app can be used on Windows, macOS and Linux operating systems.

1.2 Name and address of the person responsible

The controller within the meaning of Sections 341 para. 4 sentence 1, 307 para. 4 SGB V in conjunction with Art. 4 no. 7 of the General Data Protection Regulation is the:

BKK WIRTSCHAFT & FINANZEN

Head office
Bahnhofstraße 19
34212 Melsungen

(Postal address)

Phone: +49 561 51009-600
Fax: +49 561 51009-610
E-mail: info@bkk-wf.de

1.3 Contact details of the data protection officer of the controller

BKK WIRTSCHAFT UND FINANZEN
Data Protection Officer
Bahnhofstraße 19
34212 Melsungen

Phone: +49 561 51009 600
E-mail: datenschutz@bkk-wf.de

1.4 Responsible data protection supervisory authority

The Federal Commissioner for Data Protection and Freedom of Information
Graurheindorferstraße 153
53117 Bonn
Telephone: +49 (0)228 997799-0
E-mail: poststelle@bfdi.bund.de

1.5 Responsible legal supervision

Federal Social Security Office
Friedrich-Ebert-Allee 38
53113 Bonn
Phone: +49 (0)228-619-0

1.6 General information on data processing

We process the personal data of our insured persons insofar as this is necessary for the provision and use of a functional ePA app and its various applications. The use of the ePA app and its applications is voluntary for our insured persons. They will not suffer any disadvantage if they decide not to use the ePA app.

1.7 Provider of the ePA app

The ePA app and all associated applications (ePA, TI messenger, e-prescription) are offered to you by your BKK WIRTSCHAFT & FINANZEN. The health insurance company works together with industry partners who develop and operate the ePA app. They must comply with the basic requirements of gematik GmbH and undergo a strict approval procedure. This ensures the security of your data.

1.8 Integration of third parties

As part of the provision of services, it may be necessary for external contractors and their subcontractors to have access to personal data. These are carefully selected taking into account data protection requirements and are obliged to fulfill all relevant legal requirements – in particular in accordance with the General Data Protection Regulation (GDPR) – as well as the product-specific requirements of the respective health insurance company. To ensure data protection-compliant processing, a data processing agreement (DPA) is concluded with all service providers in accordance with Art. 28 GDPR. The processing of the data is explained below.

1.9 Data collection of information when downloading the ePA app

Depending on the version, the ePA app can be downloaded via the Apple, Google and Microsoft stores or via the website epaclient.de. When you download the app, the necessary information is sent to the Apple, Google or Microsoft store you have selected. This may involve personal data. Responsibility for data processing lies exclusively with the respective Apple, Google or Microsoft stores.

1.10 Data processing within the European Union

The data of our insured persons is generally processed within the European Union on German servers in data centers in Germany. Possible deviations from this are listed separately in the individual chapters (see chapters 3.1, 4.4, 5.1).

1.11 Your rights as a data subject

You have the right to:

  • Information about the data processed about you,
  • Revocation of declarations of consent

and under certain legal conditions to

  • Correction of incorrect data,
  • Deletion of data,
  • Restriction of the processing of the data,
  • Data portability,
  • Objection to the processing.

Our insured persons also have the right to lodge a complaint about the processing of personal data with the supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement if they consider that the processing of their personal data is unlawful. A list with the contact details of all data protection officers in Germany is available at the following link:

https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

To exercise your rights, you can contact your BKK WIRTSCHAFT & FINANZEN either in writing, by e-mail, via the BKK W&F OGS online office or using the contact form on the website.

1.12 Automated decision making

In principle, we do not use any processing operations that are based on automated decision-making including profiling in accordance with Art. 22 GDPR.

2 Registration, identification and authentication

2.1 Overview

In order to use the ePA app, personal registration, secure identification and ongoing authentication are generally required. These multi-stage procedures serve to clearly establish the identity of the person using the app and to secure access to sensitive health data. The personal data collected in this process is processed to fulfill legal requirements in accordance with Art. 6 para. 1 lit. a GDPR in conjunction with the provisions of the Fifth Book of the German Social Code (SGB V), in particular Sections 291a and 336 ff. of SGB V, and taking into account the requirements for the protection of particularly sensitive health data in accordance with Art. 9 GDPR.

2.2 Registration and identification

Registration is the first step in which insured persons enter their personal data to create a user account in the application. This typically includes details such as name, date of birth, health insurance number and email address. Registration enables individual assignment of app use to the respective person and lays the foundation for all further functions.

Identification is the process of clearly establishing the identity of the insured person. This is particularly important for applications that process sensitive health data. Legally prescribed procedures are used for secure identification, for example the use of the electronic health card with PIN or the online ID function of the ID card. Identification ensures that only authorized persons have access to their personal health data.

The insured person can manage their personal data for their user account via the profile (profile picture icon).

You must agree to the following documents when you register as an insured person for the first time:

  • Declaration of consent to the IAM (consent to the use of the IAM)
  • Terms of use of the IAM

2.3 Authentication (login)

Authentication refers to the verification of the insured person’s access authorization when registering or logging in to the application. Secure procedures are used, such as passwords, PINs, biometric features (e.g. fingerprint or facial recognition) or multi-factor authentication. Authentication protects the data from unauthorized access and ensures that only authorized insured persons can access the protected information.

2.3.1 Authentication via health ID

To access the applications in the ePA app (i.e. to log in), the insured person is authenticated via the so-called GesundheitsID (Health ID), the digital identity in the healthcare system. This procedure ensures secure and data protection-compliant authentication in the healthcare sector.

The prerequisite for using the Health ID is the prior creation of a user account through registration and identification in the ePA app. This ensures that only authorized insured persons receive a digital identity that can then be used for authentication.

The processing of personal data in the context of authentication via Health ID serves the sole purpose of ensuring the authorized use of digital health services. This ensures that only the legitimately insured person has access to their health data.

Insured persons can use the Health ID to access the applications within the ePA app. These include:

  • Application electronic patient file (ePA)
  • E-prescription application
  • TI Messenger application
  • Jump to and authentication on the organ donation register

2.3.2 Authentication using an electronic health card

As part of the continuous development of the security and usage processes for accessing the electronic patient file (ePA) application, an alternative access option is offered in addition to authentication using the Health ID on the desktop ePA app: authentication using the electronic health card (eHC) and the corresponding personal identification number (PIN).

This alternative authentication method does not require prior registration or separate identification of the insured person. No user account is created; it is therefore a “guest access” (login without a user account). Authentication takes place directly via the data on the electronic health card, including the PIN.

The range of functions when using authentication via eGK and PIN is limited and is restricted exclusively to access to the electronic patient file (ePA). It is not possible to use other digital health applications via this access method.

Scope of the processed data

The following personal data is processed as part of authentication using the eHC and PIN:

  • Personal PIN
  • Health insurance number
  • Access number

This data is stored temporarily during the authentication process and is used exclusively to verify authorization to use the ePA.

The aforementioned data will only be stored for as long as is necessary to fulfill the purpose of authentication. After successful verification and discontinuation of the purpose, the data will be deleted immediately.

2.4 Scope of data processing

A standardized procedure for registration, identification and authentication is required to use the ePA app. The aim of these processes is to establish the identity of the insured person in a legally secure manner and to set up and manage a digital identity. This is the only way to ensure that only authorized persons have access to the electronic patient file and thus to particularly sensitive health data.

The following data is processed:

– Health insurance number

– Number of active electronic health cards (The number of active eHCs assigned to the identified insured person in the eHC system. A card is considered active in the eHC system if it is neither blocked nor logically deleted. As a rule, only one eHC is active at any one time).

– Type of insured person (e.g. member, family insured, pensioner)

– Start and end of insurance relationship

– E-mail address

– Surname, first name

– Date of birth of the insured person

– Title

– Name affix

– Prefix (e.g.: “von”, “de”, “van”)

– Gender

– VIP indicator

– IdentDataTime: (time stamp for the completed identification of the insured person)

– Protection class for identification (with or without eGK)

– Identification procedure (e.g. in the branch or Postident)

– ICSSN

– If applicable, the ID number of the identity card, residence permit, eID card or passport,

– depending on the authentication method used:

– a pseudonym when using the online ID function. The first time, the provider used retrieves all the ID card data available to us for matching and generates a pseudonym. Each subsequent time, the comparison is carried out using the pseudonym generated by the provider.

– the eGK certificate when using the electronic health card

– isNfcEgk (This value indicates whether the eHC designated in the call is equipped for “Near Field Communication” (NFC)).

– istPinBriefVersandt (This value indicates whether a PIN letter has been sent for the eGK specified in the call).

– pinBriefVersandDatum (time at which the PIN letter was reported to KAMS (card application management system)).

– Data on the devices used, including device model, name of the device

2.5 Legal basis for data processing

The legal basis for registration, identification and authentication (login) is § 306 Para. 2 No. 2 lit. a SGB V, § 291 Para. 8 SGB V, in conjunction with the guideline of the GKV-Spitzenverband on measures to protect the social data of insured persons from unauthorized access in accordance with § 217f Para. 4b SGB V.

Data processing is carried out on the basis of Art. 6 para. 1 lit. a and Art. 9 para. 2 lit. h GDPR in conjunction with the relevant provisions of SGB V, in particular Sections 291a and 336 ff. of SGB V.

2.6 Purpose of data processing

The processing of personal data in the context of registration, identification and authentication serves the following purposes in the healthcare sector:

  • Legally secure identification of the insured person to create and use a digital identity in accordance with legal requirements, in particular to use the electronic patient file (ePA), the e-prescription and other digital health applications.
  • Ensuring access only by authorized persons and protection of particularly sensitive health data in accordance with Art. 9 GDPR
  • Prevention of identity and data misuse through the use of strong authentication procedures and certified identity checks.

2.7 Duration of storage and deletion of data

The personal data processed as part of the registration, identification and authentication process is collected and stored exclusively for the purposes for which it is required. The data will be deleted in accordance with the applicable data protection regulations, in particular in accordance with Art. 5 para. 1 lit. e GDPR and the special legal regulations of the Fifth Book of the German Social Code (SGB V), as soon as the respective processing purpose no longer applies and there are no legal obligations to retain the data.

The digital identity is deleted in the following cases:

  • Deletion by the insured person: Insured persons have the option of deleting their user account completely at any time via the ePA app.
  • Deletion by the health insurance fund or ombudsman’s office on behalf of the insured person: The health insurance fund can arrange for the user account to be deleted on the basis of a documented written request from the insured person. In this case, the data will also be deleted completely.
  • Deletion in the event of a change of health insurer: The digital identity remains in place for 90 days after the change of insurer before it is deleted.
  • Deletion in the event of death: The death of the insured person does not automatically lead to the immediate deletion of the stored personal data. This data remains stored for a period of 10 years, unless there is a legal obligation or a justified request for deletion by the community of heirs or authorized representative.

All personal data stored in this context will be completely and irrevocably deleted. Authentication using a digital identity (health ID) on the ePA app and its applications is then no longer possible.

The uninstallation or deletion of individual digital applications (e.g. the ePA app) does not automatically lead to the deletion of the digital identity. This remains in place unless a separate deletion is requested.

3 Application electronic patient file (ePA)

3.1 Description and scope of data processing

The electronic patient file “ePA” is made available to our insured persons as an application within the ePA app. We create an individual electronic patient file (ePA) used exclusively by our insured person, which our insured person can manage and use independently and autonomously. The prerequisite for using the ePA application is prior consent to the terms of use. An insured person can add one or more representative persons to their ePA, see section 3.2.

The following personal data of our insured person is used to provide the ePA:

– Health insurance number

– Surname, first name

– Date of birth of the insured person

– Start and end of insurance relationship

– IdentDataTime (time stamp for the completed identification of the insured person)

– Protection class for identification (with or without eGK)

– Identification procedure (e.g. in the branch or Postident)

– Title

– Name affix

– Prefix (e.g.: “von”, “de”, “van”)

– Gender

– depending on the authentication method used:

– a pseudonym when using the online ID function. The provider used retrieves all of the ID card data available to us for the first time and generates a pseudonym. Each subsequent time, the comparison is carried out using the pseudonym generated by the provider.

– the eGK certificate when using the electronic health card

– isNfcEgk (This value indicates whether the eGK designated in the call is equipped for “Near Field Communication” (NFC)).

– istPinBriefVersandt (This value indicates whether a PIN letter has been sent for the eGK specified in the call).

– pinBriefVersandDatum (time at which the PIN letter was reported to KAMS (card application management system)).

Note for Android devices:

The ePA app offers a document scan function with which physical documents can be captured and processed using the device camera. On Android, this function is based on the Google ML Kit service. Separate consent to the supplementary terms of use is therefore required for use under Android. The scanned content is processed exclusively locally on your device; no document content is transmitted to Google or third parties. However, Google may collect technical usage data (e.g. device information, performance data) for stability and error analysis, without reference to the scanned documents.

3.2 Authorization of persons representing

Insured persons can authorize one or more representatives for their patient file. The representative uses their health insurance fund’s own ePA app to act as a representative. The name, e-mail address and insurance number (KVNR) are entered and saved during setup. If the representative acts as a proxy in the patient file, all technically possible actions can be carried out instead of the insured person.

Representing persons cannot set up any other representing persons for the represented patient file and cannot object to the patient file for the insured person as a whole.

Data processing takes place as described in section 3.1 for representation within the ePA.

3.3 Legal basis for data processing

If there is no objection to the ePA, the processing of personal data of our insured persons is carried out on the basis of the relevant legal obligation under Sections 342 para. 1, 344 para. 1 sentence 1 SGB V. The ePA is made available by law to all insured persons who have not objected (see Section 342 (1) sentence 2 SGB V).

3.4 Purpose of data processing

The purpose of the data processing is to provide the ePA in accordance with the legal requirements of SGB V. In this context, it is necessary to assign a specific ePA to our insured person.

3.5 Duration of storage and deletion of data

The health data stored in the electronic patient record (ePA) is generally stored for life, unless there is a legally prescribed or contractually agreed deletion period to the contrary (Section 342 (1) sentence 2 SGB V). This serves the purpose of continuous medical care and the traceability of medical treatment.

Administrative data related to the management of the ePA (e.g. access rights, insured person information, log data) will also be stored for life, insofar as this is necessary to fulfill the legal purposes. The storage takes place at least until:

  • the death of the insured person (§ 344 Para. 6 SGB V),
  • the objection to using the ePA (Section 342 para. 2 no. 1 lit. g SGB V),
  • or a change of health insurance fund, provided there is no legal obligation to retain them (Section 284 (3) SGB V).

Certain data is subject to statutory retention periods, in particular in accordance with Section 309 (3) SGB V (e.g. ePA activity logs). Once these periods have expired, the data in question is deleted for a specific purpose.

3.6 Rights of objection in connection with the electronic patient file

Insured persons have various options for objecting to the use of the electronic patient file (ePA). These are based on the provisions of the fifth German Social Code (Sections 344 and 353 SGB V) and the General Data Protection Regulation (GDPR).

1. Objection to the use of the ePA as a whole (Section 342 para. 2 no. 1 lit. g SGB V)

Use of the ePA is voluntary. Insured persons can object to the setting up or continued use of the ePA at any time. As a result of the objection, the ePA will be deactivated and all data stored in it will be deleted in accordance with the legal requirements. Further information on this can be found in section 3.5.

2. Objection to access by service providers (Section 342 para. 2 no. 1 lit. h SGB V)

Insured persons can deny individual service providers (e.g. doctors’ surgeries, pharmacies, hospitals) access to their ePA at any time. As a result, these service providers cannot (or can no longer) access their file – not even in the context of treatment.

3. Objection to the entry of benefit information by the health insurance fund (§ 342 Para. 2 No. 1 lit. g SGB V)

In accordance with Section 341 SGB V, statutory health insurance funds can automatically transfer information on services used to the electronic health record. Insured persons can object to this data transfer at any time. In this case, the health insurance fund is obliged not to transfer and store any further benefit information in the ePA. Data that has already been imported remains unaffected by the objection, but can be deleted manually by the insured person using the ePA app.

4. Objection to participation in the digitally supported medication process (Section 342 para. 2a no. 1 lit. d SGB V)

Participation in the digitally supported medication process in accordance with Section 360 (2) SGB V enables the electronic medication list (e-prescription data, see point 5), the electronic medication plan and information on drug therapy safety to be provided within the ePA and managed by authorized service providers, such as medical practices.

Insured persons can object to this participation at any time. As a result, service providers will not be able to use and view any medication data from the ePA in everyday treatment. In addition, information on the electronic medication plan and information on drug therapy safety that has already been stored in the ePA will be deleted. Such information will not be stored again in the ePA for as long as the objection exists.

5. Objection to the uploading of e-prescription data from the e-prescription service to the ePA (Section 342 para. 2a no. 1 lit. d SGB V)

Insured persons can also object to the automated transfer of e-prescription data from the specialist e-prescription service to the ePA.

The consequence of such an objection is that no more prescription and dispensing data from e-prescriptions will be stored in the ePA. If corresponding data already exists in the ePA, it will be deleted. Such an objection automatically excludes participation in the digitally supported medication process (see point 4).

Insured persons have various options for exercising their rights of objection in connection with the electronic patient record (ePA). These rights can be exercised either independently via the ePA application or with the help of their health insurance fund or ombudsman’s office (Sections 342 (2) No. 1 lit. s, t and 342a SGB V).

3.7 Information on the electronic patient file (ePA) in accordance with Section 343 (1a) SGB V

The National Association of Statutory Health Insurance Funds fulfills the legal requirement according to § 343 para. 3 SGB V to provide information on the electronic patient file (ePA) and provides corresponding information material according to § 343 para. 1a SGB V at www.bkk-wf.de/datenschutz.

4 E-prescription application

4.1 Description and scope of data processing

The insured person can use the e-prescription application in the ePA app to retrieve all electronic prescriptions issued by doctors and dentists via the e-prescription specialist service. The specialist e-prescription service is a central server in gematik’s telematics infrastructure for running the specialist e-prescription application. In addition, the insured person can view further content such as medication and instructions for taking medication and communicate with the pharmacy. The prerequisite for using the e-prescription application is prior agreement to the terms of use and consent to data processing. The data mentioned in section 2 and the following data will be processed:

– Health insurance number

– Surname, first name

– Prefix (e.g.: “von”, “de”, “van”)

– Title

– Name affix

– Date of birth of the insured person

– depending on the authentication method used:

– a pseudonym when using the online ID function. The provider used retrieves all of the ID card data available to us for the first time and generates a pseudonym. Each subsequent time, the comparison is carried out using the pseudonym generated by the provider.

– the eGK certificate when using the electronic health card

– VIP – License plate

– Location data

– Information on prescribed and dispensed e-prescriptions and e-prescriptions

4.2 Legal basis for data processing

The legal basis for the use of the e-prescription application is the consent of our insured person in accordance with Art. 6 para. 1 lit. a GDPR in conjunction with Sections 360 para. 10, 361 para. 2 no. 3, 361a para. 2 SGB V.

4.3 Communication between pharmacies and insured persons via the ePA app

It is possible to exchange messages between pharmacies and insured persons. The messages are archived via the specialist e-prescription service. The ePA app retrieves the messages from the e-prescription service and saves them locally on the device. The exchange of messages is earmarked for the purpose of redeeming an e-prescription. E-prescriptions, regardless of whether they have been redeemed or not, are deleted from the specialist service after 100 days at the latest. This also deletes the earmarked message exchange.

4.4 Map functions

When using the pharmacy search, your search criteria (e.g. addresses or location data) are transmitted to a so-called FHIR directory service. The FHIR directory service is a technical service that provides information on service providers such as pharmacies based on a standardized data format. The FHIR directory service then provides the app with a list of pharmacies that match the search criteria.

Note for Android devices:

With your consent, the app uses the Google Maps map service for the map view. The app then transfers your location (if you have approved this) and the locations of the pharmacies found to an interface of your operating system (Google Maps interface). This interface is part of the Google Play Services that are already installed on your device. The terms of use for Google Maps/Google Earth and the Google privacy policy apply to the use of Google Maps.

4.5 Purpose of data processing

The purpose of data processing is the use of the e-prescription application by the insured person to retrieve and redeem issued e-prescriptions and e-prescriptions.

4.6 Duration of storage

The insured person has the option of deleting prescriptions themselves, otherwise the prescriptions will be deleted by the specialist e-prescription service after 100 days (Section 360 (11) SGB V). It is then no longer possible to access the e-prescriptions via the ePA app.

Access to e-prescriptions is logged in the e-prescription service for three years in accordance with Section 309 SGB V and then automatically deleted. The log data is used exclusively for traceability and can be viewed via the e-prescription application, but cannot be exported. Local storage or downloading of the activity logs is currently not possible.

4.7 Revocation options for the use of the e-prescription application

The data processing described in section 4.1 is mandatory for the use of the e-prescription by the insured person. The granting of consent is voluntary and can be revoked at any time with effect for the future by removing the confirmation checkmark in the ePA app without any disadvantages arising from this (cf. Art. 7 para. 3 GDPR). The lawfulness of the processing carried out until the revocation remains unaffected. In the event of revocation, however, the use of the e-prescription application is no longer possible.

5 TI-Messenger (TI-M) application

5.1 Description and scope of data processing

After agreeing to the terms of use of the TI Messenger, the insured person can communicate with authorized parties (service providers, service provider institutions, payers) in the ePA app via the TI Messenger, provided that they also use a TI Messenger service and agree to a call invitation from the insured person. In addition, authorized parties can contact the insured person if they agree to communication.

Communication between the TI-Messenger in the ePA app and other TI-M participants:

Communication takes place via the TI messenger in the insured person’s ePA app and enables them to communicate with other TI-M services approved by gematik.

Communication between the TI-M services is end-to-end encrypted. The actors within TI-M are addressed via the TI-M address. In addition to the technical system checks that take place in the background, TI-M users should be able to decide for themselves who can invite them to new chat rooms. This allows the insured person to independently control the volume of chats.

Type of data:

BKK WIRTSCHAFT & FINANZEN collects and processes personal data of the insured person for the initial setup and subsequent administration of the TI Messenger. This data is listed below:

  1. Data listed in chapters 2 and 3.1
  2. Additional data that must be processed each time the TI Messenger is used
    1. E-mail address of the insured person
    2. Additional registration address
    3. TI-M address
    4. Internal device ID
    5. Version of the operating system
    6. Time of access
    7. IP address
    8. Health insurance number
  3. Content of the chat communication

The processing of the content of the chat communication differs depending on which parties were involved in the chat. As the provider of the TI Messenger, the health insurance company generally stores all chat communication content in encrypted form.

  1. The insured person’s health insurance company can only view chat content between the insured person and the health insurance company.
  2. Protection statuses for protected and specially protected persons are taken into account and can only be viewed by authorized employees of the health insurance company.
  3. The health insurance company has no way of viewing the chat content of conversations in which it is/was not involved, e.g. communication between insured persons and service providers without the involvement of the health insurance company.
  4. Voluntary consent to data processing:
    1. For extended functions of the TI Messenger, the insured person can voluntarily consent to access to their microphone, location and/or camera.
    2. Push notification:

Insured persons can specify in their TI-M profile whether they wish to receive push notifications. The setting is switched off by default and must be activated both in the TI-Messenger application and in the smartphone’s operating system. The activation of this function is voluntary with the consent of the insured person and can be deactivated by the insured person at any time in the device settings. By giving their consent, the insured person authorizes the processing of data by the providers of the operating system of their end device (Google via the Firebase Cloud Messaging service or Apple). The purpose of the data processing is to deliver the push notifications.

Push tokens and technical metadata are used to provide the notifications. Push tokens are additional device identifiers (Google/Firebase Registration ID; Apple Device Token) in the form of pseudonymized device identifiers that are used exclusively to assign the push services. Furthermore, the application ID (ID of the TI-M application), event ID (identifies the matrix event), room ID (ID of the chat room) and number of unread messages of the user are processed for the push notification. It is not possible to draw conclusions about the person or personal data stored in the ePA app. When using the Google service, the information on data protection and security in Firebase for Firebase Cloud Messaging and the general Google privacy policy apply. The Apple Privacy Policy applies to the use of Apple Push Notification Services.

5.2 Legal basis for data processing

The legal basis for the provision of the TI messenger (= instant messaging service) is Section 342 (1) sentence 2, (2) no. 2 in conjunction with Section 284 (1) no. 20, (3) SGB V.

5.3 Purpose of data processing

The purpose of the data processing is the provision and voluntary use of the TI-M application by the insured person to participate in a secure, interoperable electronic instant messaging service. It is important to understand that any chat communication with other TI-M participants will result in automatic data processing to ensure the functionality of the service.

5.4 Duration of storage

The data will be deleted as soon as it is no longer required for the purpose for which it was collected and there are no longer any retention obligations. Insured persons also have the option of managing and deleting their data in TI Messenger themselves. The health insurance company can also set an automatic deletion period for inactive chats.

The exact procedure for deletion can be found under point 11 “Deletion in TI-M” in the terms of use.

5.5 Content of the chat communication

All content that you exchange via the TI-M chat communication – be it texts, images, documents or voice messages – is protected by end-to-end encryption to prevent third parties who are not participants in the chat from seeing this content. This includes, in particular, the responsible health insurance company and the IT service provider.

The insured person is responsible for the content that they share with other participants in a chat communication.

6 Links to the organ donation register and the National Health Portal

In accordance with Section 342 (2) No. 3 SGB V in conjunction with Section 291 (8) SGB V, the ePA app contains a link to the website of the Organ Donation Register (OGR). If the insured person switches from the ePA app to the OGR, the health ID data for authentication is forwarded to the web portal to simplify registration. The Federal Center for Health Education is responsible for all content in the organ donor register.

The ePA app also contains a link to the National Health Portal (gesund.bund.de) in accordance with Section 342 (2) no. 1 r SGB V. The BMG is responsible for all content on gesund.bund.de.

7 Collecting data for an error report

We require the following information when an insured person reports a fault and the cause needs to be analyzed.

7.1 Automatically transmitted data

In the event of an error, a report is created for the ePA app and this is automatically sent to the responsible service provider.

This transmitted data is analyzed exclusively for troubleshooting purposes.

| Data | Value | Example |
| --- | --- | --- |
| DEVICE-related data | Family | Nokia |
| | Model | Nokia 4.2 (QKQ1.191008.001) |
| | Architecture | arm64-v8a |
| | Battery Level | 100% |
| | Orientation | Portrait |
| | Memory | Total: 2.8 GB / Free: 1.4 GB |
| | Capacity | Total: 20.2 GB / Free: 17.0 GB |
| | Simulator | False |
| | Boot Time | 2021-08-18T07:29:28.162Z |
| | Timezone | Europe/Amsterdam |
| | archs | [arm64-v8a, armeabi-v7a, armeabi] |
| | battery_temperature | 31 C |
| | brand | Nokia |
| | charging | True |
| | connection_type | Wifi |
| | language | de_DE |
| | low_memory | False |
| | manufacturer | HMD Global |
| | online | True |
| | screen_density | 1.875 |
| | screen_dpi | 300 |
| | screen_height_pixels | 1370 |
| | screen_resolution | 1370×720 |
| | screen_width_pixels | 720 |
| APP-related data | Start Time | 2021-08-18T07:52:25.904Z |
| | Bundle ID | com.rise_world.epa.integration.debug |
| | Bundle name | ePA |
| | Version | 1.2.0 |
| | Build | 123070 |
| Operating system | Name | Android |
| | Version | 10 (00EEA_2_290) |
| | Kernel version | 4.9.186-perf+ |
| | Rooted | No |

7.2 Manually transmitted data

A report is created for the ePA app in the event of an error. In addition to the automatically transmitted report, insured persons can send the following data manually to the responsible service provider.

This manually transmitted data is analyzed exclusively for troubleshooting purposes.

| Data | Value | Example | Explanation |
| --- | --- | --- | --- |
| USERID related data | | | The UserId is a UUID and is generated for each app session. |
| TAGS | ID | 66cfbd07-1881-4975-bc2f-41a81f9d0907 | |
| | androidSDK | 29 | Android SDK version |
| | applicationId | com.rise_world.epa.integration.debug | App bundle name |
| | buildJob | epa-android/develop | Gitlab build job |
| | device | Nokia 4.2 | Device designation |
| | device.family | Nokia | Product group |
| | dist | 123070 | Gitlab Pipeline ID |
| | environment | debug | Environment |
| | fdvSdk | 1.2.0 | Android SDK |
| | fdvSdkModules | 1.2.2 | C++ SDK |
| | flavor | epaIntegration | App flavor |
| | gitHash | bc5853d | Git Hash |
| | level | error | Log level |
| | os | Android 10 | Android version |
| | os.name | Android | Operating system name |
| | os.rooted | no | Rooted device |
| | release | 1.2.0 | App release version |
| | supportId | B88G-KDVD-YNEK | Support code |
| | user | id:66cfbd07-1881-4975-bc2f-41a81f9d0907 | UserId |
| StackTrace | | | Includes the technical description of the error that has occurred. |

7.3 Legal basis for data processing

The legal basis for data transmission in the event of an error is Sections 342 (1) sentence 2, 344 (1) sentence 1, 2 SGB V in conjunction with the legal bases of the data processing of the individual ePA app applications mentioned in this document.

7.4 Purpose of data processing

The purpose of data processing is to restore the functionality of the ePA app and its applications in the event of an error.

7.5 Duration of storage

The data will be deleted as soon as it is no longer required for the purpose for which it was collected and there are no longer any retention obligations. This is the case when the error has been identified and rectified.

8 Support for questions about the ePA app

8.1 Description and scope of data processing

The ePA app contains various contact channels that can be used by the insured person to contact BKK WIRTSCHAFT & FINANZEN electronically.

8.2 Chatbot

Questions about the ePA app can be answered via an automated chatbot. A chatbot is a digital assistant with which you can communicate by text or voice input. The chatbot gives insured persons access to standardized support processes and service content from the insured person helpdesk (VHD) as part of the ePA app. The basic functionality includes

a. answering questions about the ePA app,

b. the fault-reporting dialog, which refers to existing faults and offers the option of registering a fault by creating a ticket,

c. the option to switch to a live chat dialog,

d. the option to place a callback request and

e. the information function that no advice on the insurance relationship is provided here.

The data processed here is the verification data already stored by the insured person, as well as the data voluntarily entered by the insured person in the chatbot. Requests are logged in the chatbot. Contact data and documentation as a ticket are not recorded.

If a question about the ePA app cannot be answered in the chat with the chatbot or if the insured person requires other direct support – for example when reporting a fault – it is possible to request this ad hoc via a live chat or to specify a callback request.

8.3 Case processing system

All inquiries that cannot be resolved via the chatbot are recorded and documented for further processing with the help of a so-called case processing system. These inquiries are processed personally by the support staff. If the insured person wishes to be called back, an optional telephone number must be provided.

If necessary, the insured person must also provide a case number on request; this number is generated automatically by the case processing system and given to the insured person.

If the reported issues cannot be answered using this option, an internal processing ticket is also created automatically. If necessary, this request is forwarded to a responsible employee and – if this option was selected by the insured person – a callback is initiated.

If an insured person makes use of the callback option, the data entered in the input screen will be transmitted to us and stored.

The following data must be entered by the insured person:

a. Name,

b. Affiliation to a fund,

c. E-mail address and

d. Telephone number.

8.4 Legal basis for data processing

The legal basis for the processing of the data is Art. 6 para. 1 lit. b GDPR, as the data processing operations carried out in the course of establishing contact are necessary for the proper execution of the user contract with the insured person via the ePA app.

8.5 Purpose of data processing

The processing of personal data described in this section is carried out in order to be able to process contacts from insured persons and, as a result, to be able to execute the contract of use with the insured person via the ePA app.

8.6 Duration of storage

The data of our insured persons is generally processed within the European Union on German servers in data centers in Germany. Possible deviations from this are listed separately in the individual chapters (see chapters 3.1, 4.4, 5.1). The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected and there are no longer any retention obligations. This is the case if the health insurance company decides that this data should be deleted no later than three years after the process ticket is closed.

Mandatory information on the ePA app version 3.4.0 as of 12/16/2025

1 Introduction

1.1 Thematic overview

1.2 Terms used

2 The electronic patient file (ePA)

2.1 What is the ePA?

2.2 What benefits does the ePA have for my healthcare?

2.3 Who offers the ePA and who operates it?

2.4 Is the ePA mandatory?

2.5 How does the ePA app work?

3 The benefits of the electronic patient record (ePA)

3.1 What added value does the ePA offer me?

3.2 How do I achieve the greatest benefit with the ePA?

3.3 Are there any disadvantages if I delete data from the ePA?

3.4 Are there any disadvantages if I object to the ePA or deny individual service providers access to my ePA?

4 The electronic patient file (ePA) in detail

4.1 What can be stored in the ePA?

4.2 How is the ePA structured?

4.2.1 Data from service providers

4.2.2 Your data

4.2.3 Data from other providers

4.3 Who has access to the ePA?

4.4 Who must enter data in the ePA?

4.5 What data does my health insurance provider make available in the ePA?

5 Independent use of the electronic patient record (ePA) with the ePA app

5.1 What do I need to use the ePA independently?

5.2 What key functions does my health insurer’s ePA app offer me?

5.3 What other functions does my health insurance company’s ePA app offer me?

5.4 How do I activate the ePA app for my ePA?

5.5 How do I handle my health data securely in the ePA?

5.6 What measures must I take in the event of loss or suspected misuse of the eHC or the access data for the ePA app?

5.7 Can I delete the documents in the ePA or the entire file?

5.8 How do I keep track of who has changed something in my file?

5.9 How can I save data from a digital health application (DiGA) in the ePA?

5.10 What changes if I do not use the ePA app?

6 The use of the electronic patient record (ePA) by service providers

6.1 Who can access my ePA and when?

6.2 How long can a service provider institution access the ePA by default?

6.3 Which service providers may access which data in the ePA?

6.4 What data must the SHI-accredited healthcare providers and hospitals involved in my treatment enter in the ePA?

6.5 What data must the other service providers involved in my treatment enter?

6.6 What data will the service providers involved in my treatment enter in the ePA at my request?

6.7 Can I object to certain data being entered by service providers?

6.8 What data do the company doctors and the public health service involved in my treatment enter in the ePA?

6.9 What applies to the storage of particularly sensitive data, such as data on mental illness?

6.10 Who has to adapt my electronic medication plan and my emergency data (or patient summary file)?

6.11 What can I do to prevent service providers from seeing certain documents in the ePA (hiding documents)?

6.12 I do not want a service provider organization to be able to access my ePA (any more). What can I do?

7 The medical use cases of the electronic patient record (ePA)

7.1 What are medical use cases within the meaning of the ePA?

7.2 What medical use cases already exist?

7.3 What other medical use cases will the ePA support in the future?

7.4 Do I have to use the medical use cases of the ePA?

7.5 I do not want to use the electronic medication list of the ePA. What do I have to do?

7.6 Can I withdraw access to the medication list from individual healthcare providers?

8 Support with the use of the electronic patient file (ePA)

8.1 Where can I get support with using the ePA?

8.2 What exactly is the representation function of the ePA?

8.3 How does the ombudsman’s office of my health insurance fund support me in using the ePA?

8.4 What options does the ombudsman’s office offer me in terms of access options for service providers?

9 Changing health insurer and the electronic patient file (ePA)

9.1 Can I simply take data stored in the ePA with me when I change health insurer?

9.2 Do I have to object to the use of the ePA again if I change health insurer?

10 The possibilities of objection in the context of the electronic patient record (ePA)

10.1 I do not want an ePA to be created for me. What do I have to do?

10.2 What objection options exist in connection with the ePA and individual access authorizations?

10.3 Will I have disadvantages with my healthcare if I object to the ePA as a whole or to individual functions?

10.4 What do I have to do if I no longer want the ePA?

10.5 I have objected to the ePA but would now like to have it after all. What do I have to do?

10.6 What happens to the ePA after my death?

11 Data protection and data security

11.1 How secure is the ePA?

11.2 How secure is my health insurer’s ePA app?

11.3 What data does the health insurance fund exchange with the ePA operator?

11.4 What rights do I have vis-à-vis my health insurance fund with regard to the data processing procedures of the ePA and the ePA apps?

11.5 What rights do I have if ePA data needs to be corrected?

11.6 Are all login procedures for using the ePA secure?

12 The use of electronic patient record (ePA) data for public benefit purposes

12.1 How is use regulated by law?

12.2 What does “use of data from the ePA for public benefit purposes” mean?

12.3 How is my personal data protected?

12.4 What do I have to do to provide my ePA data for public benefit purposes?

12.5 How is data provided and used?

12.6 Which bodies are involved in the use of data from the ePA for public interest purposes?

12.7 How can I object to the use of data for public interest purposes?

12.8 What happens to my data stored at the Research Data Center in the event of an objection?

12.9 When will the use of ePA data for public benefit purposes be introduced?

13 Next steps in the further development of the electronic patient record (ePA) and future possibilities

13.1 What are the next steps in the further development of the ePA?

13.2 What else is provided for by law in the ePA?

1 Introduction

This document informs you about the electronic patient file (ePA).

We would like to show you below what options the ePA offers you. Some of the functions presented are not available from the outset, but will be added step by step. The current timetable for the introduction of the electronic patient record (EPR) is set out in full in section 13 Next steps in the further development of the electronic patient record (EPR) and future possibilities. Your health insurance fund will update this information text on an ongoing basis and will inform you in good time about new functions of the ePA and how to use them safely.

The introduction gives you an initial overview of the ePA and its possibilities. Further information can be found from section 3 onwards.

1.1 Thematic overview

The ePA is intended to improve medical care by enabling the secure and rapid exchange of health data between insured persons and service providers such as doctors’ surgeries, hospitals or pharmacies. You can find out more about this in section 3 The benefits of the electronic patient record (EPR)

Use of the ePA is voluntary. If you object to the ePA and do not use it, you will not be at a disadvantage. However, you will not be able to enjoy the benefits of the ePA. You can find more information on this in section 3.4 Will I be at a disadvantage if I object to the EPR or deny individual service providers access to my EPR?

You will automatically receive an ePA from your health insurance fund unless you lodge an objection with your health insurance fund. You can find more information about the electronic patient record, its benefits and the industry partner with whom your health insurance company works to provide the electronic patient record in section 2 The electronic patient record (EPR).

An objection to the electronic health record is possible at any time and will result in the deletion of the electronic health record and all the data stored in it. You can revoke the objection you lodged with your health insurance fund at any time. A newly created ePA is initially empty and is filled, for example, when your health insurance company transmits data on services used or when you are prescribed a medication. You also have other options to object when using an EPR, e.g. against access by individual service providers. You can find more information on the various objection options in section 10 The options for objecting to the electronic patient record (EPR).

The EPR is divided into different document types and categories that contain the data of service providers, health insurance companies, insured persons and others. You can find out more about this in section 4 The electronic patient record (EPR) in detail

The ePA app allows you to manage your ePA independently, delete or hide documents, grant or withdraw access authorizations and appoint deputies. You can find an overview of all the options in section 5 Independent use of the electronic patient record (EPR) with the EPR app

If you are unable or unwilling to use an ePA app, you can contact the ombudsman’s office of your health insurance fund, e.g. to control access to the ePA by individual service providers or to gain access to the log data of your ePA. Alternatively, you can also appoint a person you trust to represent you in connection with the ePA. You can find further information on the supported use of the EPR in section 8 Support in using the electronic patient record (EPR)

Some service provider facilities are obliged to enter certain data in the ePA if you do not object to this. Access authorizations and the duration of access vary depending on the type of service provider institution and the data stored. You can restrict or extend access to the ePA or individual documents. You can find out more about this in section 6 The use of the electronic patient record (EPR) by service providers

Among other things, the ePA can support certain medical use cases, e.g. the electronic medication list, the medication process or laboratory findings. The electronic medication list is available to you and your service providers with the introduction of the EPR. Further information can be found in section 7 The medical use cases of the electronic patient record (EPR)

If you change your health insurance provider, your new health insurance provider will automatically take over your ePA with all the data stored there. If you have objected to the use of the ePA with your previous health insurance provider, the objection will remain valid when you change health insurance provider. You can find out more about this in section 9 Changing health insurer and the electronic patient file (ePA)

To protect against unauthorized access and to ensure data integrity, the ePA uses encryption technologies and access controls, among other things. Detailed information can be found in section 11 Data protection and data security

The law stipulates that data stored in the ePA can be used for public interest purposes such as research. The data will only be made available if you do not object to this separately and the data recipients comply with the data protection regulations. The ePA replaces the direct personal reference based on name, date of birth etc. with a pseudonym. This conceals your identity from the data users. If you do not wish to make your data available for purposes in the public interest, you can separately object to this use of data by the ePA. Further information on this can be found in section 12 The use of electronic patient record (EPR) data for public benefit purposes. Information on the introduction date can be found in section 13 Next steps in the further development of the electronic patient record (EPR) and future possibilities.

Your health insurance company has been continuously developing the ePA in accordance with gematik’s specifications since its introduction. You can read more about this in section 13 Next steps in the further development of the electronic patient record (EPR) and future possibilities

1.2 Terms used

This document defines the electronic patient record (EPR) as the entire digital infrastructure, i.e. all IT systems required to provide the EPR. The service providers involved in your treatment use their own IT systems to access the electronic patient record. These IT systems are not covered by the EPR.

The ePA app refers to the program that you use on your end device to access your ePA and the data stored in it. It may be a stand-alone app from your health insurance company that is only used for ePA access. However, your health insurance company may also have integrated the ePA app into its general service app (“health insurance app”). You can also use the ePA without the ePA app; see section 5.10 What changes if I don’t use the ePA app?

Service providers are all groups of people and facilities that provide healthcare services within the framework of statutory health insurance (SHI). This includes, for example, doctors, dentists, hospitals and pharmacies. The term also includes persons who work as assistants or in preparation for their profession with such persons.

Facilities in which service providers are active are referred to below as service provider facilities. These can be medical practices, pharmacies, hospitals, medical care centers (MVZ) and other healthcare facilities. However, individual organizational units such as the department of a hospital or a specific specialty within an MVZ can also constitute a separate service provider facility.

The ePA is gradually being linked to other digital healthcare applications. These are referred to below as medical use cases for the ePA. Priority is given to care processes that are important for a particularly large number of people. Further information on this can be found in section 7 The medical use cases of the electronic patient record (EPR).

2 The electronic patient file (ePA)

2.1 What is the ePA?

The ePA is your [1] personal, secure storage location for your health data. With the help of the ePA, you and authorized persons, such as the doctors treating you, can securely manage personal health and medical data digitally.

All persons with statutory health insurance receive an ePA. It is provided to you by your health insurance company. Whether you want to use the ePA or not is your voluntary decision. If you do not wish to use an ePA, you must lodge an objection with your health insurance fund. Once you have objected to the ePA, you can revoke your objection at any time. Further information can be found in sections 10.1 I do not want an ePA to be created for me. What do I have to do? and 10.4 What do I have to do if I no longer want the ePA?

The ePA is provided as an objection-based (opt-out) file. This means that treating service providers, e.g. doctors, and service provider facilities, e.g. a hospital, are generally authorized to access your EPR. They are also legally obliged to store certain data in your EPR – unless you object to this. Further information on this can be found in section 6 The use of the electronic patient record (EPR) by service providers.

2.2 What benefits does the ePA have for my healthcare?

Ideally, your ePA will accompany you for the rest of your life. It serves as a secure storage location for your health data and as an exchange platform between you and the service providers involved in your healthcare. The ePA is therefore your own personal digital health management system for your care.

The ePA also supports certain medical use cases that are defined by law. This is currently the electronic medication list. For this purpose, the ePA automatically saves all medications that you have been prescribed and received on the basis of an e-prescription. You can find more information on this in section 7 The medical use cases of the electronic patient record (EPR)

You can read more detailed information on the personal benefits of the electronic patient record (EPR) in section 3 The benefits of the electronic patient record (EPR)

2.3 Who offers the ePA and who operates it?

The ePA is offered to you by your health insurance company. The health insurance funds work together with industry partners who develop and operate the ePA technically. They must comply with the basic requirements of gematik GmbH (hereinafter referred to as gematik) and undergo a strict approval procedure with the ePA they have developed and the associated ePA app. This serves to ensure the security of your data.

Your BKK W&F works together with the company BITMARCK GmbH, Krupp-Straße 64, 45145 Essen, Germany, as the operator of the ePA, to provide you with the ePA. Neither your health insurance company nor the operator may or can access the data in the ePA. With the help of encryption technologies and certain organizational measures, your ePA is protected against unauthorized access.

2.4 Is the ePA mandatory?

Use of the ePA is voluntary. Your health insurance company will automatically provide you with an ePA. If you want to use an ePA, you do not have to do anything. If, on the other hand, you do not wish to have an ePA, you must object to your health insurance company providing you with one.

Co-insured children also receive an ePA. Once they reach the age of 15, they can use the ePA independently and on their own responsibility. Up to the age of 15, the legal guardians decide whether to provide an ePA or object to its provision.

You can find further information on objections in section 10 The options for objecting in the context of the electronic patient record (EPR)

2.5 How does the ePA app work?

To access your ePA via a suitable end device, you need a special app on your smartphone or computer. This will be provided to you by your health insurance provider. It can be a stand-alone app that is only intended for managing your ePA. However, some health insurance companies also integrate this function into an existing service app, the health insurance app.

The ePA app establishes a connection via the Internet to the telematics infrastructure in which the actual ePA is located. The various service providers in the German healthcare system are or will be connected to this network.

The ePA app was developed and security-tested in accordance with gematik specifications. It allows you to use all ePA functions independently, e.g.:

– Add, view, download or delete documents and data

– Manage access authorizations – for service providers, but also for company doctors or doctors from the public health service

– Appoint support persons for the use of the ePA (representatives)

Further information on this can be found in section 5 Independent use of the electronic patient record (EPR)

In principle, it is also possible to use the ePA and exercise your rights and entitlements without the ePA app. If you do not have a mobile device or PC/laptop or do not want to use your health insurance fund’s ePA app for other reasons, you can still benefit from the ePA in medical care. Further information can be found in sections 5.10 What changes if I do not use the ePA app? and 8 Support when using the electronic patient record (ePA)

3 The benefits of the electronic patient record (EPR)

3.1 What added value does the ePA offer me?

The advantage of using the ePA for you personally is that you can digitally store and view documents, findings or information about your treatment in a central location and pass them on to service providers such as doctors or hospitals. This digital data exchange, which you control and monitor, can help to improve your medical care.

Access to relevant health data in your ePA helps the doctors treating you and other service providers to make the best possible therapeutic decisions, avert adverse effects and avoid unnecessary treatment or stressful multiple examinations. Instead of a loose-leaf collection at home or scattered treatment documents in different practices, you and your treating doctors have all important documents securely available in one place.

The ePA digitizes many processes related to healthcare, making them simpler and safer. One example: by automatically transferring the data from your e-prescriptions, the ePA allows you to see at any time which medicines you are currently taking and which were prescribed to you in the past. Due to the complex interactions between medicines, this information is extremely important for your doctors and for the pharmacy. In particular, if you have to take several medicines, this knowledge can help to avoid undesirable effects.

In future, laboratory data can also be stored in the ePA in a structured form so that all important findings are available in one place. The ePA also contains references to important personal documents such as health care proxies, patient declarations and organ donor cards.

In addition to the direct benefit for your care, the data provided in the EPR is to be used for public welfare purposes in the future. It is important to note that all data from your EPR is pseudonymized for this purpose. It is therefore not directly attributable to you personally, but provides important information on healthcare provision in Germany and can help with the further development of our healthcare system. Further information can be found in section 12 The use of electronic patient record (EPR) data for public benefit purposes.

3.2 How do I achieve the greatest benefit with the ePA?

Basically, the more complete your ePA is, the greater the added value for your care. If you are new to a practice or have to go to hospital, important information such as existing allergies or intolerances, previous laboratory values or previous drug treatment is available in the ePA. The diagnosis and your treatment can be specifically based on this information.

It is important that everyone involved in your treatment has access to the data in your ePA and can store up-to-date treatment data themselves. You must authorize them to do this before treatment begins. You can manage the authorizations either with the ePA app or by scanning your insurance card, the eGK, on site. For a complete ePA, you should exclude as few service providers as possible from accessing the ePA or individual documents in the ePA.

3.3 Are there any disadvantages if I delete data from the ePA?

If you delete data from your ePA, this data is no longer available in the ePA. The deletion takes effect immediately; it is not possible to restore it using the EPR. Accordingly, deleted data is not available to you or your service providers for your care. Only documents that your service providers, such as your practice or pharmacy, have already transferred from the ePA to their own system remain available to the service providers even if they are deleted.

You should therefore consider carefully whether to delete data from your electronic health record. You can hide documents that you do not want service providers to see in the EPR. You can find more information on this in section 6.11 What can I do to prevent service providers from seeing certain documents in the ePA (hiding documents)?

3.4 Are there any disadvantages if I object to the ePA or deny individual service providers access to my ePA?

Whether you decide against an electronic health record and file an objection or would like to have an electronic health record but do not want to grant a service provider any or full access to the electronic health record is entirely your decision. This will not result in any disadvantages for your healthcare. Your healthcare will continue to be guaranteed by the established procedures. However, in this case you will not benefit from the advantages of the EPR in your medical treatment.

4 The electronic patient file (ePA) in detail

4.1 What can be stored in the ePA?

The service providers involved in your treatment may, in principle, store all information and data collected in the course of your healthcare, unless you object to this. This may include, for example, findings, diagnoses and treatment measures, doctor’s letters, prescriptions, electronic certificates of incapacity for work, etc. You can find a detailed list of what service providers may store in your EPR and under what conditions in section 6 The use of the electronic patient record (EPR) by service providers

You can also save personal health data yourself. This can be, for example, independently kept diabetes diaries or digitized findings from previous treatments that your doctors have provided you with, or your own records. This data must be saved as PDF/A documents in the ePA.

Your health insurance company will also automatically enter information on the benefits you have claimed in the ePA if you have not objected to this.

If you use a digital health application (DiGA), i.e. a health or medical app, you can also have this data stored in the ePA if you wish and the DiGA supports data storage in the ePA. In future, the ePA will also be able to support the transfer of data to activity trackers or smart watches, so-called wearables.

4.2 How is the ePA structured?

For better clarity, the data in the ePA is divided into the following document types and categories:

4.2.1 Data from service providers

– Findings, diagnoses, therapy measures carried out and planned, early detection examinations, treatment reports and other examination and treatment-related medical information, separated according to the following areas:

    – GP practice

    – Hospital

    – Laboratory and human genetics

    – Physiotherapy

    – Psychotherapy

    – Dermatology

    – Urology/Gynecology

    – Dentistry and oral and maxillofacial surgery

    – Other specialist areas

    – Other non-medical professions

– eMedication plan (electronic medication plan)

– ePatient summary file (data from the electronic emergency data record or the patient summary file)

– eDoctor’s letters (electronic doctor’s letters)

– eZahnbonusheft (electronic dental bonus booklet)

– eChild examination booklet (electronic examination booklet for children with data for the early detection of diseases in children)

– eMaternity pass (electronic maternity pass with data on medical care during pregnancy and after delivery)

– eVaccination documentation (electronic vaccination documentation)

– Information on storage locations and the existence of declarations on organ and tissue donation, health care proxies and living wills

– Data on nursing care

– E-prescription data (prescription data and information on their redemption)

– eAU (electronic certificates of incapacity for work)

– other medical data (e.g. data from participation in structured treatment programs (DMP))

– Medical treatment and rehabilitation data

– Copies of treatment documentation from service provider facilities (e.g. hospitals) in accordance with Section 630g BGB

– Explanations on organ and tissue donation

4.2.2 Your data

– Health data provided by you yourself

4.2.3 Data from other providers

– Data from digital health applications (DiGA)

– Data on services used (provided by your own health insurance company)

– Information on a specific health hazard, the risk of illness or the need for care or the existence of a vaccination indication in accordance with Section 25b SGB V (if your health insurance provider supports the procedure)

Note: The classification of the individual document types/categories is stipulated by law for both the ePA and the ePA apps of the health insurance funds. However, the document types and categories may be named differently in the ePA apps of the individual health insurance funds.

4.3 Who has access to the ePA?

You can access the ePA yourself if you use the ePA app. In addition, the groups of people listed below can use the ePA, either only to read out data or also to enter data, unless you actively object to this or have already objected to it:

Service providers and service provider facilities
Detailed information on the access options of a service provider facility, the requirement for your consent and your options for objecting can be found in section 6 The use of the electronic patient record (EPR) by service providers

Health insurance companies
Your health insurance company can store data on the services you have used in the ePA. It must also transmit information on individual health risks to the EPR and store it there, provided it evaluates the available data in accordance with Section 25b SGB V and the evaluation identifies a specific health risk, the specific risk of illness or need for care or the existence of an indication for vaccination. Your health insurance company also enters any medical documents you have sent to the health insurance company for digitization into the ePA.
Your health insurance company is not permitted by law to access the data stored in the ePA and has taken technical and organizational measures to prevent this.

Telematics infrastructure (TI) applications
To provide automated support for your medical care, TI applications access your ePA for certain medical use cases defined by the legislator. This is done exclusively in accordance with gematik specifications. Further information on this can be found in section 7 The medical use cases of the electronic patient record (ePA)

Persons you trust
You can also authorize persons you particularly trust to access the ePA. These are your so-called representatives. Your representative basically has the same access options as you, can grant or withdraw access to service providers and request the health insurance funds to provide data. However, your representative can neither delete your ePA nor appoint additional representatives or revoke representations. Further information on this can be found in section 8 Support in using the electronic patient record (EPR).

ePA ombudsman’s office of your health insurance company
Every health insurance company has an ombudsman’s office for the ePA. One of the tasks of the ombudsman’s office is to support insured persons without access to a (mobile) device in exercising their rights. On your behalf, it can, for example, assert your objection to access to the ePA by individual service providers. Further information on this can be found in section 8 Support in using the electronic patient record (EPR)

Digital health applications (DiGA) and digital care applications (DiPA)
If you use a DiGA or DiPA, this health data can also be transferred to your ePA. You can obtain further information on this from your health insurance provider and the manufacturer of your healthcare application. In a later expansion stage of the ePA, you can also grant a DiGA or DiPA permission to access the data in the ePA.

In the future: Use of data for the public good
If you do not object to this separately, the ePA will automatically make your health data available in pseudonymized form for projects for the public good within the scope of the EU General Data Protection Regulation in a future expansion stage. This objection can be declared independently of a possible objection to the use of the ePA. The pseudonymization takes into account the protection of your personal data and is intended to minimize conclusions about you as a person. Further information on this can be found in section 12 The use of electronic patient record (EPR) data for public benefit purposes

4.4 Who must enter data in the ePA?

The ePA depends on as much personal health data as possible being stored in it – only then does it develop its full added value for you and your healthcare providers.

In addition to the data that you add yourself, the data collected during your treatments by doctors or in the hospital and entered into the ePA is, of course, crucial. The doctors, dentists and hospitals involved in your care are obliged (in accordance with §§ 347 and 348 SGB V) to enter certain data into your ePA, unless you have objected to this.

Other service providers, e.g. in the area of therapeutic products (physiotherapy, occupational therapy, podiatry, speech therapy, nutritional therapy) or in home or inpatient care, can enter data in the ePA (in accordance with Section 349 SGB V).

In addition, an automatic transfer of data to the EPR is provided for the medical use cases of the EPR (in accordance with Section 342 (2a), (2b), (2c) SGB V). Further information on this can be found in section 7 The medical use cases of the electronic patient record (ePA)

For more information on what information should be entered in the electronic patient record (EPR) as part of your treatment, please refer to section 6 Use of the electronic patient record (EPR) by service providers

4.5 What data does my health insurance provider make available in the ePA?

You are entitled to the automatic provision of data on the statutory health insurance benefits you have claimed from your health insurance fund. Due to fixed processes and billing checks by the health insurance companies, the provision of this data may be considerably delayed. Information on costs is not included in the data provided by the health insurance companies.

In addition to the data on benefits claimed, your health insurance company must also enter data on personal health risks in the EPR if it evaluates the data available to it accordingly. This information may relate to health risks, the risk of illness or need for care and the existence of a vaccination indication. If you do not wish your health insurance company to use your data in this way, you can object to this in accordance with Section 25b SGB V.

You also have the option of having paper documents digitized by your health insurance company and uploaded to the ePA. This service includes up to ten paper doctor’s letters or documents on findings, diagnoses, therapy measures carried out and planned, early detection examinations, treatment reports and other medical information relating to examinations and treatment. You can make use of this twice in 24 months. You can obtain further information on this from your health insurance company.

5 Independent use of the electronic patient record (EPR) with the EPR app

This section describes how to use the ePA independently using your health insurance provider’s ePA app.

5.1 What do I need to use the ePA independently?

In addition to the ePA app provided by your health insurance provider and tested in accordance with gematik specifications, you will need a suitable end device. This can be a smartphone or tablet computer, for example. The ePA app must be activated in order to use it. You can find more information on this in section 5.4 How do I activate the ePA app for my ePA?

You can also use the EPR without a suitable end device and a corresponding EPR app. You can find more information on this in section 8 Support when using the electronic patient record (EPR)

5.2 What key functions does my health insurer’s ePA app offer me?

The ePA app is created according to the specifications of the BSI and gematik. The specifications regulate, among other things, which functions the ePA app of your health insurance company must provide and how the stored data must be structured.

In principle, you are entitled to read, transmit, delete and hide all ePA data. To enable you to exercise this right independently, the ePA app of your health insurance company provides you with at least the following functions:

– Post, view, download and delete documents

– Issue and revoke objections to access by individual service provider facilities

– Hide documents and make them visible

– Hide and make visible the electronic medication list for individual service provider facilities

– Set up and revoke representations

– Check access to the ePA using the log data and download the log data

– Object to the provision of data on the services you have used by your health insurance company, or withdraw an objection you have made in this regard

– Object to the use of the ePA, close the file completely and delete all data stored in the ePA

– Manage the ePA of another person as an authorized representative

In addition, the law stipulates that the following functions must be integrated into the ePA app, even if they are not directly related to the ePA:

– Direct access from the ePA app to quality-assured health information on the national health portal “gesund.bund.de”

– Secure transmission of instant messages using the TI Messenger (TIM) to your health insurance company and – if possible – your service providers

– Possibility to submit your organ donation declaration in the organ donation register

5.3 What other functions does my health insurance company’s ePA app offer me?

As your health insurance company’s ePA app is an individually programmed app, your health insurance company has the option of offering additional functions that are not directly related to the ePA.

Your health insurance provider can, for example, integrate functions for managing e-prescriptions into the ePA app. This allows you to manage e-prescriptions and, for example, assign your prescriptions to a pharmacy. For more information, please refer to the information provided by your health insurance provider on using the ePA app in conjunction with the e-prescription.

Your health insurance company can also offer you additional applications for voluntary use together with the ePA. You can make data from the ePA available to these applications. To do so, you must consent to the use of data by this application. Your health insurance fund may only process the data you provide for the stated purposes of the application. Access by the health insurance fund to your data stored in the ePA is still technically impossible. Your health insurer will inform you about the type of data processed in the application, the storage location and the access rights.

5.4 How do I activate the ePA app for my ePA?

After installation, your ePA app must be activated for your ePA as part of the first use. There are various ways to do this:

– Activation via your electronic health card (eGK) in conjunction with a mobile device (smartphone)
This activation is carried out using the contactless NFC interface of your eGK and the corresponding PIN, which you will receive from your health insurance company after successful identification. To activate the card, simply hold the eGK to your smartphone in a suitable way.

– Activation using the GesundheitsID
The GesundheitsID is your digital access to the healthcare system. It is created individually for you and contains your personal data, e.g. your name and health insurance number. The GesundheitsID is therefore your digital key that gives you access to online healthcare applications such as the ePA. The use of the GesundheitsID is specific to your health insurance fund. If you have any questions, please contact your health insurance provider.

– Activation using the eID function of the ID card, residence permit or eID card for EU citizens
Activation is similar to the procedure for the eGK and the mobile device. Instead of the eGK and PIN, you use the corresponding eID function of one of the cards mentioned.

For security reasons, the use of the ePA app is linked to the device you used to activate it. You can activate other devices for use with the ePA. The activated devices are stored centrally. A new end device must be activated for the first use with the ePA.

The individual procedures may differ in detail from ePA app to ePA app. You can obtain more information on this from your health insurance provider.

5.5 How do I handle my health data securely in the ePA?

To ensure the security of your ePA data, it is essential that you only use an ePA app approved by gematik that you have downloaded from a trustworthy source. Trusted sources are, for example, the Apple App Store for the iOS operating system and Google Play for Android. For the operating systems of other end devices (laptops or PCs), the stores of the operating system manufacturers (e.g. Microsoft or Apple) or the website of your health insurance company are the trusted sources. In this respect, health insurance companies are obliged to comply with data protection regulations, also with regard to transmission to third countries.

You should also always use your ePA app on end devices that are under your control. Access to the ePA via a public PC, e.g. in an Internet café, should therefore be avoided at all costs! In order to use the ePA securely from your own end device, you must also ensure that your respective end devices are protected. The relevant instructions that you need to follow for this can be found in the documentation for the ePA app. You should also follow the BSI’s recommendations on end device security. The BSI provides information on this on the Internet: https://www.bsi-fuer-buerger.de

5.6 What measures must I take in the event of loss or suspected misuse of the eHC or the access data for the ePA app?

Protecting access to the ePA is particularly important. In the event of loss or suspected misuse of the eHC or access to the ePA and the ePA app, these must be blocked by the health insurance company as quickly as possible to ensure the security of your data. The health insurance companies offer various blocking options for this (e.g. by telephone or online). You should therefore contact your health insurance fund immediately if you suspect misuse.

5.7 Can I delete the documents in the ePA or the entire file?

The principle of voluntariness also means that you have the right to delete the documents placed in the file yourself at any time.

When deleting data, please note that the deleted data will be irrevocably removed from the ePA. After deletion, the data is no longer available in the ePA. You will not be able to restore this data yourself later using the ePA. If you need this data again later, it must be made available in another way (e.g. via the service providers who provided this data). However, this is not possible in all cases: for example, the automatically transmitted e-prescription data can generally no longer be restored from another source once it has been deleted from the ePA.

Therefore, before deleting data, always check whether hiding data might be the better alternative. By hiding a document, it remains in the ePA but is no longer visible to service providers. You can find more information on this in section 6.11 What can I do to prevent service providers from seeing certain documents in the ePA (hiding documents)?

5.8 How do I keep track of who has changed something in my file?

The ePA records all processes in a log, e.g. accesses and changes by service providers or your representatives. If you use your health insurance provider’s ePA app, the contents of the log are displayed conveniently and uniformly.

5.9 How can I save data from a digital health application (DiGA) in the ePA?

Some DiGAs offer the option of transferring data to the EPR. In order for a DiGA to be able to save data in your ePA, you must make the appropriate authorizations in both applications. You must authorize the desired DiGA to save data in your health insurer’s ePA app. In the DiGA itself, you must give your consent for it to pass on data to the ePA. You can obtain further information about the relevant consents and settings in the DiGA from the DiGA manufacturer.

5.10 What changes if I do not use the ePA app?

Preliminary remark: In the event that you do not want to or cannot use the ePA app, you have the option of appointing a representative. This person can then also access your ePA with their own ePA app and manage it for you. You can read more about this in section 8.2 What exactly is the representation function of the ePA? The ombudsman’s office of your health insurance fund also offers you further support options. You can find out more in section 8.3 How does my health insurance fund’s ombudsman’s office support me in using the ePA?

If you do not use the ePA app independently, this will have the following effects on the exercise of your rights as a data subject under data protection law:

– You have no way of independently accessing the data stored in your ePA, deleting data or restricting access authorizations to certain data. Your health insurance fund also has neither the legal authority nor the technical ability to read out the data in your electronic health record and make it available to you.

– You cannot store your own documents (e.g. previous medical reports) in the ePA. You must contact the service provider institution that has the relevant data and ask for it to be stored in the EPR.

– You can only grant access to the ePA for service provider facilities directly with the service providers using your eHC. If you would like to technically withdraw access to your ePA from a service provider (i.e. lodge an objection), you must contact the ombudsman’s office of your health insurance fund. You can read more about this in section 8.4 What options does the ombudsman’s office offer me with regard to the access options of service provider organizations?

– You cannot hide documents already stored in the ePA from service providers or make them visible to them. If a service provider institution enters data for you in the ePA, you can ask the institution to hide certain data. Hidden information is then available in your ePA, but other service provider institutions can neither see these documents nor use them from the ePA. In order to make a hidden document visible to other service providers again, it is necessary to use an ePA app. You can appoint a representative for this purpose, for example.

– The access duration of service providers cannot be customized; it corresponds to the legal requirements from Table 1.

6 The use of the electronic patient record (EPR) by service providers

6.1 Who can access my ePA and when?

Access from a service provider facility may only take place if this is actually necessary for the purposes of preventive health care or occupational medicine, for the assessment of employees’ fitness for work, medical diagnostics, care or treatment in the health or social sector or the administration of systems and services in the health or social sector. The access must be in the context of your visit or your use of a corresponding service.

When visiting a service provider (e.g. a doctor’s surgery), the link to the treatment and thus the access option can be established directly by presenting the eHC. Alternatively, you can also grant access authorization via the ePA app of your health insurance company independently of an on-site visit. By authorizing service provider facilities to access the ePA, you automatically consent to the processing of your personal data by the respective service provider facility in accordance with Section 353 SGB V.

Access can only be granted if you have not previously objected to this – in the ePA app, with the service providers or via the ombudsman’s office. You can find more information on this in section 10 The options for objecting to the electronic patient record (EPR)

For company doctors and public health service institutions, you must consent to their access to the ePA in advance. Without your consent, access by these institutions is not permitted. By presenting the eGK, you technically grant access to the ePA.

An access authorization always extends to the entire service provider facility or organizational unit. You therefore grant access to the entire medical staff of a service provider facility, e.g. a doctor’s practice, a medical care center or a hospital. If you object to access, you withdraw the authorizations from the entire facility or department accordingly.

For some service providers, the legislator has stipulated in accordance with Section 352 SGB V that they may only view certain information in your ePA. You cannot grant any authorization for access beyond these legally defined access rights. For example, a pharmacist may not view any data from your electronic dental bonus booklet. Table 2 provides a complete overview of the access authorizations.

Every service provider is legally obliged to log who has accessed which data in your ePA and when. Access by the service provider institution is stored in the ePA in a traceable manner. The service provider institution must in turn log which person working for the institution has accessed the data.

6.2 How long can a service provider institution access the ePA by default?

By default, a service provider facility can only access the ePA within a certain period of time after your visit or treatment. The duration depends on the type of service provider. The ePA will extend the access period accordingly if you use healthcare services again and the eHC needs to be read in as a result. Table 1 below contains the respective duration.

With the help of your health insurance company’s ePA app, you can control the access duration of individual service provider facilities yourself. You can choose between access for at least one day and an unlimited duration.

Table 1: Access duration of the service providers

Service provider organization | Standard duration
Medical practice; Dental practice; Psychotherapy practice; Healthcare and nursing facility; Children’s nursing facility; Elderly care facility; Nurses; Midwives; Healthcare facilities | 90 days
Pharmacies; Public health service facilities; Company doctors; Emergency paramedics | 3 days

6.3 Which service providers may access which data in the ePA?

Which service providers may access which data under the aforementioned conditions is regulated in detail by law (in accordance with Section 352 SGB V). We have summarized these regulations for you in Table 2 below. Please note that data that your health insurance company enters into the ePA regarding individual health risks cannot yet be shared with service providers via the ePA due to the current lack of legal regulations.

The table shows the maximum permitted access authorizations for all users of an ePA. Granting authorizations beyond this is not permitted and is technically prevented. By objecting to or hiding documents and document categories, you can restrict authorizations at any time and extend them again within the specified framework. You therefore have precise control over which service provider institution may access which data in the ePA. You can find more information on this in sections 6.11 What can I do to prevent service providers from seeing certain documents in the ePA (hiding documents)? and 6.12 I don’t want a service provider to be able to access my ePA (any more). What can I do?

Table 2: Legal requirements for access by service providers

Each cell lists the rights in the order Writing / Read out / Delete; - means the right is not available.

Data from service providers

Accessing group of persons | Data on findings, diagnoses, therapy measures carried out and planned, treatment reports and other medical information relating to examinations and treatment | eMedication plan | ePatient short file (incl. emergency data) | eDoctor’s letters | eDental bonus booklet | eExamination booklet for children | eMaternity pass | eVaccination documentation | Notes on storage locations | Data on nursing care
Medical practices, dental practices, hospitals, preventive care and rehabilitation facilities | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x
Pharmacies | -/x/- | x/x/x | -/x/- | -/x/- | -/-/- | -/x/- | -/x/- | x/x/x | -/x/- | -/x/-
Psychotherapy practices | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x
Healthcare, nursing and geriatric care | -/x/- | -/x/- | -/x/- | -/x/- | -/x/- | -/x/- | -/x/- | -/x/- | -/x/- | x/x/x
Midwives | -/x/- | -/x/- | -/x/- | -/x/- | -/-/- | x/x/x | x/x/x | -/x/- | -/x/- | -/x/-
Healthcare providers | (x)/x/(x) | -/x/- | -/x/- | -/x/- | -/-/- | -/x/- | -/x/- | -/-/- | -/x/- | -/x/-
Facilities of the public health service | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x
Occupational medicine facilities | -/x/- | -/x/- | -/x/- | -/x/- | -/x/- | -/x/- | -/x/- | x/x/x | -/x/- | -/x/-
Emergency paramedics | (x)/x/(x) | -/x/- | -/x/- | -/x/- | -/-/- | -/x/- | -/x/- | -/x/- | -/x/- | -/x/-
Insured persons (and their authorized representatives) | -/x/x | -/x/x | -/x/x | -/x/x | -/x/x | -/x/x | -/x/x | -/x/x | x/x/x | -/x/x

Data from service providers, your data, data from other providers

Accessing group of persons | Prescription data and dispensing information for electronic prescriptions | eCertificate of incapacity for work | Other data | Data on medical treatment and rehabilitation | Transcripts of the treatment documentation | Explanations on organ and tissue donation | Data provided by the insured persons | Data from a digital health application | Data on services used
Medical practices, dental practices, hospitals, preventive care and rehabilitation facilities | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x | -/x/x | -/x/x | -/x/x
Pharmacies | x/x/x | -/-/- | -/-/- | -/-/- | -/-/- | -/-/- | -/x/- | -/x/- | -/x/-
Psychotherapy practices | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x | -/x/x | -/x/x | -/x/x
Healthcare, nursing and geriatric care | -/x/- | -/-/- | -/-/- | -/-/- | -/-/- | -/-/- | -/x/- | -/x/- | -/x/-
Midwives | -/x/- | -/-/- | -/-/- | -/-/- | -/-/- | -/-/- | -/x/- | -/x/- | -/x/-
Healthcare providers | -/x/- | -/-/- | -/-/- | -/-/- | -/-/- | -/-/- | -/x/- | -/x/- | -/x/-
Facilities of the public health service | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x | x/x/x | -/x/x | -/x/x | -/x/x
Occupational medicine facilities | -/x/- | -/x/- | -/x/- | -/x/- | -/x/- | -/x/- | -/x/- | -/x/- | -/x/-
Emergency paramedics | -/x/- | -/-/- | -/-/- | -/-/- | -/-/- | -/-/- | -/x/- | -/x/- | -/x/-
Insured persons (and their authorized representatives) | -/x/- | -/x/x | -/x/x | -/x/x | -/x/x | x/x/x | x/x/x | -/x/x | -/x/x

Legend:
x Right fully available
(x) Right only applies to subsets of documents such as documents from a specific specialist group (e.g. physiotherapy documents)

Writing includes uploading, importing and updating documents in the EPR
Reading out includes reading, downloading, exporting and transferring to the service provider’s documentation (i.e. saving and using)
Deleting includes removing documents from the EPR

Example 1: The table above shows that doctors and staff in medical service provider facilities, for example, can write, read and delete all service provider data without any further restrictions in their authorization assignment.

Example 2: Pharmacists (and pharmacy staff) have write access to the electronic medication plan, electronic vaccination documentation, prescription data and dispensing information for prescriptions, i.e. they can create and update this data in your ePA, without any further restrictions in your authorization assignment. Authorized pharmacists and pharmacy staff have read-only access to all other documents.

Example 3: Healthcare facilities incl. staff, e.g. physiotherapy practices, can read all data in the ePA, with the exception of vaccination documentation, if they have been granted the appropriate authorizations. They can write, change and delete findings, diagnoses, therapy measures carried out and planned, as well as treatment reports and other examination and treatment-related medical information from their respective therapeutic area (e.g. physiotherapy).

Important note: Read access (i.e. a cross in the “Read out” column) means that the data can be downloaded from the ePA and transferred to the treatment documentation of the respective service provider. Even if the authorization is withdrawn, data that service providers have transferred to their treatment documentation remains available to the previously authorized service provider facility. The reason for this is that they have downloaded the data from the EPR and created their own copy of the data. This is necessary from a legal point of view, as service providers must fully document their treatment medically in accordance with Section 630f BGB.

6.4 What data must the SHI-accredited healthcare providers and hospitals involved in my treatment enter in the EPR?

The obligation to store certain data in the electronic health record by SHI-accredited service providers and hospitals is regulated by law.

In accordance with Sections 347 and 348 of the German Social Code, Book V, contracted medical service providers and hospitals are legally obliged to store the following data in the electronic health record even without your express request – provided that this data is collected and electronically processed as part of your current treatment and you have not expressly objected to the storage:

– Data to support medical use cases

– Data on laboratory findings

– Reports from diagnostic imaging

– Findings from invasive and non-invasive, surgical or conservative measures

– Electronic doctor’s letters or electronic discharge letters from hospitals

If the above-mentioned data was collected and electronically processed by service providers as part of preliminary treatment, this data can be entered into the EPR in accordance with Section 348 SGB V if this is necessary for the provision of care from their point of view. The service providers are obliged to inform you which data is stored in the EPR.

6.5 What data must the other service providers involved in my treatment enter?

The other service providers involved in your treatment, e.g. pharmacies, physiotherapy practices or care facilities, may also store data relating to your treatment in your ePA.

However, unlike panel doctors and hospitals, other service providers are not necessarily connected to the telematics infrastructure (TI). Without a TI connection, they have no way of accessing your ePA and are not obliged to store data in your ePA.

The other service providers may store the following data in the electronic health record – provided that this data is collected and processed in machine-readable form as part of your current treatment and you have not expressly objected to its storage:

– Data to support medical use cases

– Data on laboratory findings

– Reports from diagnostic imaging

– Findings from invasive and non-invasive, surgical or conservative measures

– Electronic doctor’s letters or electronic discharge letters from hospitals

It is only technically possible to store the above-mentioned data in the ePA if this is also permitted for the corresponding service provider institution. You can find more information on this in section 6.3 Which service providers may access which data in the ePA?

If the above-mentioned data was collected and electronically processed as part of pre-treatment, this data can also be entered in the EPR if this is necessary for the provision of care from the perspective of the respective service provider. In this case, you must be informed of this in advance.

6.6 What data will the service providers involved in my treatment enter in the EPR at my request?

In addition to the above-mentioned data, the healthcare provider must store further data in the EPR at your request in accordance with Sections 347-349 SGB V – provided that this data is collected and processed in machine-readable form as part of your current treatment. The service providers require your express consent for this, which must then be recorded in the treatment documentation. In addition, the service provider facility must be connected to the TI.

An overview of the data that can be entered in the EPR can be found in section 4.2.1 Data from service providers

The prerequisite for saving this data is that this is also permitted for the corresponding service provider institution. Further information can be found in section 6.3 Which service providers may access which data in the ePA?

In addition, at your request, a contract medical facility or hospital must store electronic copies of your treatment documentation in the ePA in accordance with Section 630g BGB.

6.7 Can I object to certain data being entered by service providers?

You have the right to object to the transfer of individual pieces of information. If you object to the transfer, the data may not be stored in the EPR. The service provider is obliged to document the objection. You can find more information on this in section 10 The options for objecting in the electronic patient record (EPR)

If you have objected to access to the EPR for certain service provider facilities, they will not be able to enter any data in the EPR, even if they are involved in your treatment. In this case, the data will be stored separately in the facility as before.

6.8 What data do the company doctors and the public health service involved in my treatment enter in the ePA?

In contrast to all other service providers, your explicit consent is required for company doctors and public health service providers to access the ePA. Technically, you grant access in the same way as in a doctor’s surgery or hospital: either using the ePA app from your health insurance provider or by presenting and scanning your eHC when visiting the relevant facility.

The company doctors involved in your treatment and the doctors of the public health service must store data to support the medical use cases of the electronic health record at your request if this data is collected and processed in machine-readable form as part of your current treatment. In addition, no other legal provisions may prevent the transmission. Further information on the medical use cases can be found in section 7 The medical use cases of the electronic patient record (EPR)

The following data is included:

– Data on findings, diagnoses, therapy measures carried out and planned, early detection examinations, treatment reports and other medical information relating to examinations and treatment

– electronic dental bonus booklet

– Electronic examination booklet for children

– Electronic maternity pass and data from the provision of midwife assistance

– Electronic vaccination documentation

– Data on nursing care

– Electronic certificate of incapacity for work (eAU)

6.9 What applies to the storage of particularly sensitive data, such as data on mental illness?

Before service providers enter data in the EPR that could lead to discrimination or stigmatization, such as data on mental illness, sexually transmitted diseases or abortions, they must inform you of your right to object to the entry. If you then declare your objection, this must be recorded by the service provider facility in its treatment documentation. The facility may then not transfer the relevant data to the EPR. You can read how you can make use of your objection in section 10 The options for objecting in the context of the electronic patient record (EPR)

If service providers intend to enter data from genetic tests within the meaning of the German Genetic Diagnostics Act (Gendiagnostikgesetz) in the ePA, your express prior consent in written or electronic form is required.

6.10 Who has to adapt my electronic medication plan and my emergency data (or patient summary file)?

If your electronic medication plan, your patient summary or your emergency-related data stored on the eHC changes and you store this data in the ePA, you are entitled to have the data updated if it changes as part of a current treatment. At your request, the service providers who have made the change to the data are obliged to store it in the ePA.

As long as this data is still on the eHC, the entitlement applies both to the data in the ePA and to the data on the eHC.

However, if you object to the storage of the data in the ePA, the service providers must delete the relevant data from the eHC. This serves to minimize health risks due to outdated data on the eHC.

Good to know: It is still possible to use the paper-based (nationally standardized) medication plan without an ePA.

6.11 What can I do to prevent service providers from seeing certain documents in the ePA (hiding documents)?

If you do not want service providers to be able to view particularly sensitive documents, you can hide these documents completely for all service providers. You can hide a single document or entire categories of documents.

If you hide documents completely, only you and your representatives have access to these documents, but not service providers or service provider organizations.

It may not be possible to conceal individual documents that have been saved as part of medical use cases for the EPR. This is particularly the case if the data as a whole is relevant for your medical care. You can find relevant information on this in section 7 The medical use cases of the electronic patient record (EPR)

Information on the possible impact of unavailable information on the benefits of the electronic patient record (EPR) can be found in section 3 The benefits of the electronic patient record (EPR)

6.12 I do not want a service provider organization to be able to access my ePA (any more). What can I do?

You can object to a service provider’s access to your ePA directly at the facility or using the ePA app. If you do not use the ePA app, you can also declare your objection to the ombudsman’s office of your health insurance fund. The ombudsman’s offices are obliged to enforce your objection technically. Once an objection has been made, the service provider is technically excluded from access. If you object to access directly on site without using the ePA app or the ombudsman’s office, this will not be technically implemented in the ePA and may only apply to the corresponding visit to the service provider facility.

Of course, you can revoke an objection at any time if you wish to grant a service provider access again at a later date. This can also be done either via the ePA app (e.g. directly with the service providers) or with the help of your health insurance fund’s ombudsman’s office.

Please note that an objection always completely excludes the service provider from accessing your ePA. If you only want to exclude certain information from access by all service provider organizations and use your health insurance fund’s ePA app, you can hide specific data. You can read more about this in section 6.11 What can I do to prevent service providers from seeing certain documents in the ePA (hiding documents)?

You can withdraw access to the ePA from public health service institutions, e.g. doctors in health authorities, company doctors, either by using the ePA app yourself or by declaring your objection to the ombudsman’s office.

7 The medical use cases of the electronic patient record (EPR)

7.1 What are medical use cases within the meaning of the ePA?

A medical use case is a legally defined process to support medical care (in accordance with Section 342 (2a-c) SGB V) that runs automatically and is supported by the ePA. For this purpose, the ePA automatically transfers data from other applications of the telematics infrastructure, e.g. from the e-prescription. In this way, the service providers involved in your treatment have immediate access to information that has already been collected by other parties as part of your healthcare.

7.2 What medical use cases already exist?

You can use the electronic medication list to support your treatment. The electronic medication list automatically contains all medicines prescribed via e-prescription and dispensed to you on the basis of the prescriptions. This information gives you and your healthcare providers a quick overview of your medication.

The digital medication process will be available to you in the future. The currently planned provision date can be found in section 13 Next steps in the further development of the electronic patient record (EPR) and future possibilities. The digital medication process will build on the data in the electronic medication list and expand it to include data for checking the safety of your drug therapy (such as your body weight or information on your kidney function) as well as support for service providers in creating your electronic medication plan directly from the ePA. The digital medication process contributes to your health, for example, by helping you to avoid unwanted drug interactions. Your health insurance company will provide you with up-to-date information on all ePA use cases in good time.

7.3 What other medical use cases will the ePA support in the future?

The legislator is planning to support further medical use cases with the ePA. The details of the introduction, scope and use of future use cases are still being regulated by the Federal Ministry of Health. Your health insurance fund will inform you in good time. The planned provision dates can be found in section 13 Next steps in the further development of the electronic patient record (EPR) and future possibilities.

7.4 Do I have to use the medical use cases of the ePA?

As with the ePA itself, the decision is up to you: If you do not want data to be provided automatically in your ePA by a medical use case, you can object to the individual use case directly via your health insurance company’s ePA app. You can revoke your objection at any time.

You can find further information on objection options in section 10.2 What objection options exist in connection with the EPR and individual access authorizations?

7.5 I do not want to use the electronic medication list of the ePA. What do I have to do?

If you do not wish to use the electronic medication list of the ePA, you can object to this. There are two options:

– You object to the medical use case itself. In this case, the ePA will continue to receive a medication list with information about all your prescribed and redeemed e-prescriptions, but it will no longer be possible for your healthcare providers to use this information. Only you yourself can still view the complete medication list with the ePA app.

– You object to the entire data exchange between the e-prescription and the ePA. Any medication list that may already exist will then be deleted from the ePA. This data will also be irrevocably unavailable when the digital medication process is introduced. In the event that you later revoke your objection and then wish to use the digital medication process, medication prescriptions and dispensations will only be recorded from this point onwards.

You can revoke an objection at any time. You can find further information on objection options in section 10.2 What objection options exist in connection with the ePA and individual access authorizations?

7.6 Can I withdraw access to the medication list from individual healthcare providers?

If you do not want a specific healthcare provider to have access to your medication list, you can hide it using the ePA app. The service provider facility will then not see the information stored in your electronic medication list. All other service provider facilities with access to your ePA can still see the electronic medication list. The automatic transfer of prescribed medication and the transfer of e-prescriptions to your electronic medication list will also continue to take place.

If you want to grant the healthcare provider access to the medication list again, you can unhide it at any time using the ePA app.

8 Support with the use of the electronic patient file (ePA)

8.1 Where can I get support with using the ePA?

On the one hand, your health insurance company offers you the so-called representation function of the ePA. On the other hand, you can also contact the ombudsman’s office of your health insurance company. Both channels can be combined according to your needs.

8.2 What exactly is the representation function of the ePA?

The law allows you to appoint representatives to manage your ePA via the ePA app provided by your health insurance fund. The authorized representative and the person being represented do not have to be insured with the same health insurance company.

Representations can also be set up via the ePA app of the person who is to represent you. In this case, you do not need your own end device or ePA app, but you must authorize the person authorized to represent you to access your ePA, e.g. by using your eGK and PIN on the end device of the person authorized to represent you. Please note, however, that an ePA app is required to revoke the authorization, which is possible at any time. It is not possible to withdraw this authorization via the ombudsman’s office.

Your representative has almost the same rights as you do. For example, they can lodge objections with authorized service providers (doctors’ surgeries, hospitals, pharmacies, etc.) and view the documents stored in your file. However, your representatives cannot appoint any other representatives and are not authorized to close the file.

It is important that you only assign this responsible task to people whom you trust completely and to whom you would also grant a power of attorney, for example. Unlike authorizations for service provider facilities, proxies cannot be assigned for a limited period of time from the outset and therefore do not expire. You must actively release your representative from the proxy via your health insurance fund’s ePA app. If necessary, your health insurance fund will explain the possibility and procedure for granting representation authorizations in more detail.

8.3 How does the ombudsman’s office of my health insurance fund support me in using the ePA?

The ombudsman’s office set up by your health insurance fund will advise you on all questions and problems relating to the use of the ePA. In particular, the ombudsman’s office will inform you about the application procedure, the procedure for providing the ePA and the objection procedure, as well as about your other rights and claims in connection with the ePA and how it works.

In addition, the ombudsman’s office also supports you in the actual use of the ePA. It accepts objections to the medical use cases of the ePA and to the access of individual authorized users and enforces them technically for you. The ombudsman’s office can also revoke objections that have been lodged. On request, the ombudsman’s office can also provide you with the log data of your ePA. You can also lodge an objection with the ombudsman’s office to the use of the data in your ePA for public benefit purposes (see section 12 The use of electronic patient record (ePA) data for public benefit purposes).

8.4 What options does the ombudsman’s office offer me in terms of access options for service providers?

The ombudsman’s office can enforce your objections to access by service providers and handle their revocation. In this way, you have control over who can access your health data even without the ePA app.

To prevent access by a service provider organization, you can lodge an objection with the ombudsman’s office of your health insurance fund. You can also revoke this in the same way.

You can also use the revocation of access rights to revoke existing access rights before the access authorization expires, e.g. because you are ending treatment at a service provider facility and want to prevent further access to your ePA by the relevant facility.

9 Changing health insurer and the electronic patient file (ePA)

9.1 Can I simply take data stored in the ePA with me when I change health insurer?

The ePA is offered to you by your health insurance company. If you change health insurer, the data from the ePA will be transferred in encrypted form. The transfer of the ePA from your previous to your current health insurance company is done automatically without any action on your part. The authorizations and objections granted as well as the representations are also transferred.

If you have objected to your previous health insurance company providing data on the benefits you have claimed, this objection does not automatically continue to apply. If you still do not wish such data to be made available, you must object again to your new health insurance company. However, if you decide to have this data stored, you do not have to do anything when you change health insurer.

Please note that information from health insurance-specific applications in the ePA may not automatically be usable with the new health insurance company. If necessary, you should back up the relevant data yourself so that it is still available after you change health insurer. Your health insurance company will provide you with further information on transferring data when changing health insurance companies.

If you use the representation function, your representatives will be automatically informed of any change of operator in the event of a change of insurer. You can find more information on the representation rules in section 8 Support with the use of the electronic patient file (ePA).

9.2 Do I have to object to the use of the ePA again if I change health insurer?

What applies to the file created also applies to the objection to a file: just like the file, the information that you have objected to the provision of the ePA is exchanged between the two health insurance funds involved. This means that your new health insurance fund will not automatically set up an ePA for you if you have objected to this with your previous health insurance fund. If you wish to receive an ePA from your new health insurance fund, you must revoke your objection with your new health insurance fund.

10 The possibilities of objection in the context of the electronic patient record (ePA)

10.1 I do not want an ePA to be created for me. What do I have to do?

As part of the introduction of the objection solution for the ePA, the legislator provides for an objection period of 6 weeks against the setting up of the ePA after you have received the relevant information from your health insurance fund. The same procedure also applies if you are contacting the statutory health insurance fund for the first time.

So if you do not want to have an ePA, you can object to its provision with your health insurance fund. You can obtain further information on the procedure from your health insurance fund.

10.2 What objection options exist in connection with the ePA and individual access authorizations?

Within the framework of the ePA, there are a large number of objection options that allow you to configure its use according to your needs. The following Table 3 shows the objection options. You can revoke an objection at any time. The procedure used to object may differ from the revocation procedure. For example, you may have submitted an objection directly via the ePA app, but revoked it via the health insurance fund’s ombudsman’s office.

Using the ePA app, you have the option of explicitly objecting to access by individual service provider facilities. The objection can be made in the ePA app before or after the visit to the relevant service provider facility. An objection always relates to the entire file. Once an objection has been declared, it can be withdrawn at any time via the ePA app. If you do not use the ePA app, the other procedures listed in the table are available to you.

Table 3: Objection options in the context of ePA use

| Objection to | Issued | Impact |
| --- | --- | --- |
| the ePA* | via your health insurer’s ePA app (only if you have an ePA); with your health insurer | No ePA will be created for you. If your objection is received after the 6-week period within the scope of the initial creation, the ePA created and the data in it will be irrevocably deleted. |
| access to the ePA by a service provider organization* | to the ombudsman’s office; using your health insurance company’s ePA app | Until revocation, the service provider facility concerned cannot access the data in your ePA and therefore cannot read or enter any data in the ePA. Data already downloaded by the service provider institution remains available in the institution’s treatment documentation. |
| the posting of documents in a treatment situation by a service provider facility | to a service provider facility (e.g. as part of an on-site visit or a video consultation) | The service provider institution does not enter the data affected by the objection in the ePA. The information is therefore not available in your ePA for you and other service providers. |
| the entry of data on services used | via your health insurance company’s ePA app; to your health insurance company | Your health insurance company does not enter any data on the services you have used in the ePA. |
| the medical use cases of the ePA* | to the ombudsman’s office; using your health insurance company’s ePA app | It is not possible to use the respective use case. Detailed information on the effects of the objection can be found in section 7 The medical use cases of the electronic patient record (ePA). |
| the use of ePA data for research purposes** | to the ombudsman’s office; using your health insurer’s ePA app (see section 13 Next steps in the further development of the electronic patient record (ePA) and future possibilities) | The use of the ePA data for research purposes is no longer permitted, either in its entirety or for the specified purposes. The data transmitted prior to the objection and already used for specific research projects may continue to be processed for these research projects. Further information can be found in section 12 The use of electronic patient record (ePA) data for public benefit purposes. |

* If you change health insurance fund, your previous health insurance fund will transfer the objection information to your new health insurance fund.
** From the date of introduction, your health insurance fund will transfer the objection information to the new health insurance fund.

10.3 Will I have disadvantages with my healthcare if I object to the ePA as a whole or to individual functions?

If you decide not to use the ePA or some of its options, this will not have any disadvantages for your healthcare. Your healthcare will continue to be guaranteed by the established procedures. However, the aforementioned benefits of the ePA will not be available to you. You can find more information on this in section 3 The benefits of the electronic patient record (ePA).

10.4 What do I have to do if I no longer want the ePA?

In principle, you have the option at any time to close your ePA completely, i.e. to have it deleted. To do this, you must object to the use of the ePA with your health insurance fund. This objection to the use of the ePA must be made to your health insurance company in a suitable form. This can be done, for example, via the ePA app provided by your health insurance company or in writing, e.g. by letter. Please contact your health insurance company for the exact procedure.

The objection to an existing ePA results in its deletion. All contents of your file are affected by the deletion: all documents, authorizations granted and log entries. In this case, you are responsible for securing the documents stored in your file. If you want to keep certain documents even after your ePA has been closed, you must save them elsewhere.

If you use the ePA app provided by your health insurance provider to access the ePA, you also have the option of backing up the log data on your own end device. The application offers you a corresponding function for this purpose. In addition to backing up the documents, it also makes sense to back up the log data from a data protection perspective so that you can later see who had access to your file. The ombudsman’s office of your health insurance fund can also provide you with the logs in a suitable form. You can find more information on this in section 8.3 How does the ombudsman’s office of my health insurance fund support me in using the ePA?

Important to know: You must request or retrieve the logs before your objection to the use of the ePA becomes effective.

10.5 I have objected to the ePA but would now like to have it after all. What do I have to do?

You have the option of withdrawing your objection to the health insurance fund at any time. You can do this via your health insurance company’s ePA app, for example, or in writing. You can obtain more detailed information on the procedure from your health insurance fund if required.

10.6 What happens to the ePA after my death?

As the ePA is designed as a lifelong file, the legislator has also made provisions for the event of death. A health insurance company must delete the ePA within 12 months of becoming aware of the death of an insured person, unless contrary legitimate interests of third parties are asserted and proven.

11 Data protection and data security

11.1 How secure is the ePA?

All ePA operators must undergo gematik’s approval procedure with the ePA they have developed. gematik checks the functionality and interoperability of the ePA on the basis of its published test criteria. Proof of security is provided in accordance with specifications developed with the involvement of the German Federal Office for Information Security (BSI).

The data in your file is always stored in encrypted form. If you or a service provider involved in your treatment have authorized access to the ePA, the ePA transmits the data in encrypted form to the relevant computer systems, e.g. your doctor’s surgery. Data processing in the ePA takes place in a security-tested and trustworthy technical environment at the highest level. Neither the operator nor the health insurance company have access to your data.

11.2 How secure is my health insurer’s ePA app?

In addition to the ePA itself, all ePA apps must also undergo gematik’s approval procedure. gematik also checks the functionality and interoperability of the ePA app on the basis of its published test criteria. Proof of security is provided in accordance with specifications developed with the involvement of the BSI.

The ePA app provided by your health insurance company is therefore security-tested to the highest standards. It can be installed on smartphones with Android or iOS operating systems as well as on desktop computers and laptops with current, suitable operating systems such as Windows, macOS and, if necessary, Linux.

You are responsible for the security of your application environment (smartphone, PC hardware, operating system) in which the application is installed. You can find more information on this in section 5.5 How do I handle my health data securely in the ePA?

11.3 What data does the health insurance fund exchange with the ePA operator?

To set up your ePA, the health insurance fund and the respective industry partner exchange administrative personal information. In addition, your health insurance fund or the ePA operator will use your health insurance number to check whether an ePA already exists for you. There is no exchange of personal health data at this point.

If you change your health insurance fund, the ePA operator of your previous health insurance fund will transfer your ePA in encrypted form to the ePA operator of your new health insurance fund. If you have objected to the use of an electronic health record, the two health insurance companies will also exchange information about the objection via the electronic health record operator when you change health insurance companies.

11.4 What rights do I have vis-à-vis my health insurance fund with regard to the data processing procedures of the ePA and the ePA apps?

Your rights vis-à-vis the health insurance company arise from the statutory provisions of the General Data Protection Regulation (GDPR) and the social data protection provisions of the German Social Security Code. For the purposes of this regulation, the health insurance fund is the “controller”. As an insured person, you can assert the “rights of the data subject” under the GDPR against your health insurance fund. These include, in particular, that health insurance companies are obliged to inform insured persons about the collection of personal data (Art. 13 GDPR in conjunction with Section 82 SGB X and Art. 14 GDPR in conjunction with Section 82a SGB X). Insured persons also have the following rights:

– the right to information as to whether and, if so, for what purpose certain personal data is processed by the health insurance fund or its contractors (Art. 15 GDPR in conjunction with Section 83 SGB X)

– the right to rectification of inaccurate personal data (Art. 16 GDPR in conjunction with Section 84 SGB X)

– the right to erasure of personal data (Art. 17 GDPR in conjunction with Section 84 SGB X)

– the right to restriction of processing (Art. 18 GDPR in conjunction with Section 84 SGB X)

– the right to data portability (Art. 20 GDPR)

– the right to object (Art. 21 GDPR in conjunction with Section 84 SGB X)

It should be noted that the legislator has excluded these rights if their exercise cannot be guaranteed by the health insurance fund as the body responsible for data protection or can only be guaranteed by circumventing protection mechanisms, such as encryption or anonymization in particular. This restriction applies to the encrypted data stored in the electronic health record, as the health insurance fund, as the responsible body, has no technical access to this data. Accordingly, the health insurance fund cannot comply with requests for information or corrections from the insured person regarding the data stored in the electronic health record (e.g. doctor’s letters). An exception to this is data on services used, which your health insurance company makes available to you in the ePA. As this data is imported into your ePA from your health insurance fund’s billing data, you have the option of having this data corrected by the health insurance fund. To do this, you need confirmation of the correct diagnosis from the respective service provider. Your health insurance company will inform you about the details of the procedure.

However, the above rights are not excluded for data that is not encrypted, such as log data.

11.5 What rights do I have if ePA data needs to be corrected?

The health insurance fund provides you with an ePA app to independently exercise your rights within the meaning of the GDPR. However, you cannot use the ePA app to correct the data provided by your healthcare providers. If corrections to this data are necessary, please contact the respective service providers treating you.

You are authorized to read data from the ePA, save it in the ePA and delete it. You have the right to restrict access to data in the ePA or to remove this restriction and to grant or revoke authorizations. In addition, you can object to access to data in the ePA, and your consent is required for the storage of particularly sensitive data (such as genome data). You can also, for example, process the following data yourself, i.e. change it and save it in your ePA:

– Health data that you have entered into the ePA yourself

– in future: information provided by insured persons on the existence and storage location of:

  – Declarations on organ and tissue donation

  – Healthcare proxies or living wills

11.6 Are all login procedures for using the ePA secure?

There are basically the following login procedures for the ePA:

– Login with the Health ID

– Login with the electronic health card (eGK)

– Login with the eID function of the ID card, residence permit or eID card for EU citizens

The use of the Health ID allows different levels of security for authentication. With the help of the eGK and PIN, you can achieve the highest possible level – just like with the ID card, residence permit or eID card for EU citizens, for example. Alternatively, you can also log in without a card and PIN. Although the security level of the login is lower than the level achievable with a card and PIN, it still guarantees an appropriately high level of protection.

The law also provides for the possibility of declaring to your health insurance company in individual cases, after receiving comprehensive information from your health insurance company about the special features of the procedure, that you wish to use a more convenient login procedure with a possibly lower level of security. If you are considering this, please note the following. The health data stored in the ePA generally requires a high level of protection, as it is not possible to quantify the damage caused by loss or misuse. The Federal Commissioner for Data Protection and Freedom of Information (BfDI) recommends refraining from lowering the security level if possible.

Your health insurance fund will provide you with comprehensive information about the options available, the potential risks and ways to avoid them.

12 The use of electronic patient record (ePA) data for public benefit purposes

12.1 How is use regulated by law?

Further use of the electronic patient record data, particularly for research purposes, should be possible from the time specified in section 13 Next steps in the further development of the electronic patient record (ePA) and future possibilities. The legal and technical framework conditions are currently being developed by the Federal Ministry of Health and gematik. The following information is therefore based exclusively on the legal basis in accordance with Section 363 SGB V.

12.2 What does “use of data from the ePA for public benefit purposes” mean?

The ePA data of as many people as possible in Germany can provide important insights for the future design of health and care provision. The provision of data from your ePA for public benefit purposes is voluntary. For example, you can use it to support healthcare research and contribute to improving the safety and quality of care, prevention and nursing care. Which purposes are considered to be in the public interest and who may use the data is determined by law. On this basis, the Research Data Center at the Federal Institute for Drugs and Medical Devices (BfArM) controls the further use of the data.

12.3 How is my personal data protected?

The ePA data is always made available in pseudonymized form for use for public welfare purposes. This means that the data cannot be traced back to you personally. All personally identifying data such as name, address and health insurance number are removed and replaced by a pseudonym. This pseudonym is used in the further data transmission instead of your personal identifying data. The pseudonymization is automated. The data transfer to the Research Data Center at the BfArM is documented in your ePA.

12.4 What do I have to do to provide my ePA data for public benefit purposes?

The legislator has determined that the data in the ePA can be used automatically for public benefit purposes from the date specified in section 13 Next steps in the further development of the electronic patient record (ePA) and future possibilities, unless you have objected to this use. If you want your ePA data to be used for public benefit purposes, you do not have to do anything.

You can find out how you can object to the disclosure of your ePA data for public interest purposes in whole or in part in section 12.7 How can I object to the use of data for public interest purposes?

12.5 How is data provided and used?

In order to make the data stored in your ePA usable for public welfare purposes, the ePA automatically determines which data is suitable. This is currently the data for the medical use case “digital medication process” in accordance with gematik specifications.

In the next step, all personal information is replaced by a pseudonym. You can find more information on this in section 12.3 How is my personal data protected?

The ePA transmits the delivery pseudonym and a work number to the trust center at the Robert Koch Institute (RKI). You can find more information on this in section 12.6 Which bodies are involved in the use of data from the ePA for public interest purposes?

In addition, the ePA encrypts the pseudonymized data and the work number for the Research Data Center and transfers them there. For documentation purposes, the ePA stores the fact that data was transmitted for public benefit purposes.

The trust center determines a so-called cross-period pseudonym from the work number and the delivery pseudonym and sends both to the research data center. With the help of these two codes, the Research Data Center can merge everything into one dataset without it being directly attributable to you personally. If you object to the use of your data for research purposes, your data can also be deleted by the Research Data Center.

Authorized users submit an application to the Research Data Center for the use of data as part of a usage project. The Research Data Center decides whether data use is permitted based on the criteria specified by law. For example, a project must serve specific purposes (see section 12.7 How can I object to the use of data for public interest purposes?). If the Research Data Center approves the application, it grants the relevant project access to the data. The sensitive health data will not be released, but can only be used in the secure processing environment of the Research Data Center. Only aggregated and anonymized data (i.e. data where the personal reference can no longer be assigned to a specific person or only with a disproportionate amount of time, cost and manpower) is released.

12.6 Which bodies are involved in the use of data from the ePA for public interest purposes?

As the provider of the ePA, your health insurance fund is the data controller under data protection law in connection with the ePA.

The Robert Koch Institute (RKI) operates the trust center in accordance with Section 303c SGB V and is the responsible body with regard to the mergeability of the pseudonyms.

The Federal Institute for Drugs and Medical Devices (BfArM) operates the Research Data Center in accordance with Section 303d SGB V and receives the data provided by the ePA. The Research Data Center makes the data accessible to legally authorized users upon request. It must delete your pseudonymized data after 100 years or in the event of your objection.

12.7 How can I object to the use of data for public interest purposes?

If you do not wish to provide your data stored in the ePA for public interest purposes, you can object to its use. The objection can relate to the continued use of your data as a whole or only to the use of your data for specific purposes. You can exercise your objection via your health insurer’s ePA app or via the ombudsman’s office.

The option to object via the ombudsman’s office is already available to you today. The direct objection option via the ePA app is expected to be available to you from the date specified in section 13 Next steps in the further development of the electronic patient record (ePA) and future possibilities.

If you only wish to make your ePA data available to projects with specific purposes, you have the option of exercising your objection accordingly. The legislator distinguishes between the following purposes (in accordance with Section 303e (2) SGB V):

– Performance of management tasks by the collective bargaining partners

– Improving the quality of care and improving safety standards in prevention, care and nursing

– Planning of service resources, e.g. hospital planning or care structure planning recommendations in accordance with Section 8a (4) SGB XI

– Scientific research on issues in the areas of health and care, analysis of healthcare provision and basic research in the field of life sciences

– Supporting political decision-making processes for the further development of statutory health and long-term care insurance

– Analyses of the effectiveness of cross-sectoral forms of care and the effectiveness of individual contracts between health and long-term care insurance funds

– Performing health reporting tasks, other federal reporting obligations under SGB V or SGB XI and official statistics as well as reporting obligations of the federal states

– Performing statutory tasks in the areas of public health and epidemiology

– Development, further development and monitoring of the safety of medicinal products, medical devices, examination and treatment methods, aids and remedies, digital health and care applications and artificial intelligence systems in healthcare, including the training, validation and testing of these systems

– Benefit assessment of medicinal products, medical devices, examination and treatment methods, aids and remedies as well as digital health and care applications, negotiation of reimbursement amounts or determination of maximum amounts and threshold values in accordance with Section 134 SGB V and agreement or determination of reimbursement amounts for medicinal products in accordance with Section 130b SGB V

Any objection made is documented in the ePA with the date and time.

Important to know: If you object to the use of ePA data for public benefit purposes with your health insurance fund before the planned introduction date and then change your health insurance fund, you must object again with your new health insurance fund. The health insurance companies cannot yet exchange your objection with each other during this period.

12.8 What happens to my data stored at the Research Data Center in the event of an objection?

If you object, the data that has already been transmitted to the Research Data Center will be deleted there. The deletion procedure is analogous to the data transfer and linking described in section 12.5 How is the data provided and used?

If you object to the use of the data for certain purposes, the data may no longer be used for these purposes. However, the data will continue to be stored in the Research Data Center for use for other purposes to which you have not objected.

The data transmitted prior to the objection and already used for specific projects may continue to be processed for these research projects. Your rights as a data subject under Articles 17, 18 and 21 of the EU General Data Protection Regulation (Regulation (EU) 2016/679) are therefore excluded for these research projects. After completion of the specific projects, the data in the research data center will be deleted.

12.9 When will the use of ePA data for public benefit purposes be introduced?

At the earliest six weeks after the option to object to the use of the ePA data for public benefit purposes has been made available via the ePA app, your health insurance fund can provide the Research Data Center with the relevant data for the first time.

13 Next steps in the further development of the electronic patient record (ePA) and future possibilities

13.1 What are the next steps in the further development of the ePA?

This section presents the measures currently planned for the further development of the ePA in healthcare together with the planned introduction dates.

Planned launch date: 2026
Planned functions: ePA level 3.1.2

– Automatic notifications (“push notifications”) from the ePA app on mobile devices in the event of changes by service providers or representatives

– Possibility to object to the use of data for public welfare purposes (cf. Section 12 The use of electronic patient record (EPR) data for public benefit purposes)

– Search in the content of all documents stored in the EPR (full text search)

– Extension of the “electronic medication list” use case to the “digital medication process” with options for medication planning for service providers in the EPR

Planned launch date: Approx. 6 weeks after introduction of the ePA stage 3.1.2
Planned functions: Start of data provision from the ePA to the Research Data Center for public benefit purposes.

13.2 What else is provided for by law in the ePA?

The ePA options listed below are provided for by law. However, unlike the functions described in the previous section, no date has yet been set for their introduction.

The legislator is also planning to include further medical use cases in the ePA, such as

– the inclusion of emergency-relevant information in a patient short file in the ePA or

– the storage of laboratory findings and laboratory data in a structured form.

In future, your ePA will also be able to transfer data to the digital health applications (DiGA) you use with your consent. This will allow you to use certain data from the ePA directly in the DiGA.

There are also plans for the ePA to be used by service providers in other EU countries, e.g. if you are on vacation there. The electronic patient file will be used to provide a quick overview of your important emergency data.

Another important point in the further development of the ePA into a digital health platform is the gradual conversion of document-based data into electronically processable data records. This will take place in accordance with the specifications of the Federal Ministry of Health. In this context, the legislator is also planning further refinements with regard to the control of access rights to the ePA through corresponding objection options at the level of individual data records.


[1] If, for example, you are the legal guardian or have a power of attorney to provide comprehensive care for another person, you may be able to exercise the options listed in this document on behalf of the person receiving care.
