E-prescription: data protection officials still see unfinished work

Specifically, it is about the use of the health insurance number (KVNR) to uniquely identify insured persons in various applications within the telematics infrastructure (TI), including the TI messenger for communication between service providers and insured persons, the electronic patient record and the e-prescription. In principle, this is a “data protection-friendly solution”, Kelber writes in his annual report. However, a clear legal basis is required.

His authority has agreed with the Federal Ministry of Health (BMG) and Gematik that the most privacy-friendly solution is to calculate, from the KVNR, a Matrix address that cannot be calculated back to the KVNR. Alternatively, a list of all insured persons would need to be created, which is not only questionable for data protection reasons, but also not required by law.

“But under data protection law, processing is only allowed on the basis of a clear statutory authority, which does not currently exist,” Kelber complained. In particular, from his point of view, the service providers’ processing of the KVNR as part of a voluntary TI application cannot be classified under any of the case groups set out in § 18f SGB IV, the provision regulating the admissibility of processing the insurance number. SGB V also does not contain any specific legal provision for the use of the KVNR for the purposes described.

The situation is tolerated for the time being

“In order to create a legally compatible and secure state, it is imperative to create a clear legal basis for treating KVNR within TI. However, since the possibilities to identify the insured do not represent any alternatives with regard to data protection friendliness, I have informed BMG that I will tolerate the current situation for the time being, but in return I expect a corresponding legal basis to be created as soon as possible.”

He sees another problem in the fact that private health insurance companies (PKV) should also use the unchangeable part of the KVNR for TI applications, and for reports under the Implant Register Act (IRegG). Consequently, they would need to be included in the clearing procedure in which the health insurance companies exchange insured-related information to exclude duplication. “However, there is no clear legal basis for this either. The Federal Department of Health shares this assessment and has assured me that a corresponding standard of power will be introduced in the next appropriate legislative process. I already have a draft for discussion, which now requires coordination between BMG, BMJ and myself.”

Encrypted push for e-prescriptions

From his point of view, another problem in connection with privately insured has already been solved: According to the Digital Supply and Care Modernization Act (DVPMG), it must be possible in the private health sector to store billing data in the central e-prescription storage. “One focus of my advice to Gematik is to restrict access to this billing data to third parties.”

As an example, Kelber mentions the app for the e-prescription, which Gematik not only specified, but also developed itself. This offers push notifications as an added feature. “Since this feature is managed through the platforms of the mobile operating system providers, intensive consultation was necessary here. From a technical point of view, I managed to convince Gematik to encrypt the content and also to hide metadata by sending blank messages.”
