GOOD HOSPITAL PRACTICE

The QM manual for the entire hospital

3.6.57 Archive, registry

Goal and purpose

Archiving, microfilming and digitisation of medical records

Access to treatment records and business documents

Area of application

Description of the

Archiving, microfilming and digitisation of medical records by third parties (outsourcing)

In Section 7 (1) (1st half-sentence) GDSG NW, the legislator has given general preference to the archiving, microfilming and digitisation of medical records within the hospital. The main reason is that patient data then does not leave the specially protected hospital area, so additional data security risks can be avoided. If, within the narrow limits of Section 7 (2) GDSG NW, it is nevertheless considered (for example from a business point of view) to have these measures carried out by private companies on the basis of contractual agreements, medical and health data protection regulations must always be observed. A transfer of functions to third parties (such as the transfer of the entire operation of a hospital archive) is ruled out, however. In Section 7 (1) 2nd half-sentence GDSG NW, the legislator has authorised only the possibility of commissioned data processing.

Commissioned processing, by third parties, of patient data stored in medical records is subject to strict legal requirements:
- Pursuant to Section 7 (2) GDSG NW, it is only permissible if disruptions in the operational process cannot otherwise be avoided or if sub-processes of automatic data processing can be carried out considerably more cost-effectively as a result.
- According to paragraph 3 of this provision, the client (hospital) must, before awarding such a contract, ensure in particular that the contractor (company) complies with the data protection provisions of the Health Data Protection Act and with medical confidentiality. This requires, for example, a thorough review by the client of the data protection and data security situation at the contractor, both before the corresponding contracts are concluded and continuously during the term of the contract. The decisive factor is not what is stated on paper, but the actual conditions on site.

The statutory provision of Section 7 (3) GDSG NW contains restrictive requirements for commissioned data processing in order to guarantee patients' right to informational self-determination.[21] However, neither the wording of the law nor the official explanatory memorandum makes clear how the client is to fulfil these statutory obligations; the provision therefore requires interpretation and concretisation, taking the individual case into account.[22]

Contractual provisions obliging a contractor to comply with health data protection regulations are generally quite conceivable. However, if a private contractor does not itself belong to the group of persons obliged to maintain confidentiality, or to their professional assistants, in accordance with Section 203 (1) or (3) StGB, medical confidentiality in its area of business can neither be brought about by mere contractual agreements nor ensured in any other way. With regard to the provisions of the medical professional code of conduct on medical confidentiality, such contractual agreements would raise no serious data protection concerns only if a declaration of release from confidentiality is obtained from the patients concerned in each individual case after they have been informed beforehand. Otherwise, by handing over medical records from the hospital to a private company for the purposes of archiving, microfilming and/or digitisation, those responsible in the hospital expose themselves to the risk of criminal liability for the violation of private secrets in accordance with Section 203 (1) or (3) StGB.[23]

By way of commissioned data processing by private third parties (companies), medical records may only be archived, microfilmed and/or digitised if these third parties do not gain knowledge of the patient data. This could be achieved by anonymous or at least pseudonymous data processing, or alternatively by encrypting the data that enables personal identification.[24] If this cannot be ensured, this form of outsourcing or external processing of the hospital's medical records must be avoided.

Irrespective of this, the use of data protection-friendly technologies in line with the latest technical developments must always be ensured in commissioned data processing. To summarise, it should be noted that, in contrast to other regulations on commissioned data processing (see, for example, Section 11 DSG NW, Section 80 SGB X), the legislator has permitted the processing of patient data as commissioned data processing only under very strict conditions, in effect only in exceptional cases (see Section 7 (2) GDSG NW). This special status of patient data is convincing in view of its particular sensitivity and the special confidentiality protection to which this data is generally subject.

Resources

Risks

Documentation

Responsibility and qualification

Notes and comments

Applicable documents

Literature

Terms

Attachments
