Introduction
In view of increased life expectancy and the associated rise in (chronic) illnesses, the healthcare system is increasingly becoming the focus of social and economic considerations. With the challenges of an aging population, efficient, innovative and high-quality healthcare solutions are becoming ever more important. This development poses major challenges for the healthcare system, from capacity bottlenecks and funding issues to the need for continuous innovation.
The digitalization of the healthcare sector is playing a central role in overcoming these challenges. It is making a significant contribution to increasing efficiency and has the potential to revolutionize patient care – be it through telemedicine, digital health applications, networked devices, data-supported therapy approaches or AI-supported analysis processes.
However, the ongoing development and integration of digital solutions is also accompanied by an increasing number of regulatory changes. Important digital laws that define the legal framework for the use of digital technologies in the healthcare sector also came into force in 2024. Our article will give you an overview of a selection of these current developments and their potential impact on digitalization in the healthcare sector.
Act to Accelerate the Digitalization of the Healthcare System
The Act to Accelerate the Digitalization of the Healthcare System (Gesetz zur Beschleunigung der Digitalisierung des Gesundheitswesens, in short: DigiG) came into force on 26 March 2024. The aim of the law is to simplify everyday treatment for doctors and patients with digital solutions.
One central component of the law is the establishment of the electronic patient record (elektronische Patientenakte, in short: ePA) for all, which must be provided by the social healthcare insurance companies for all insured persons from 15 January 2025. Anyone who does not want the ePA must actively object (opt-out rule). The ePA provides insured persons with a comprehensive and largely automatically generated overview of their medication. In combination with the further improved electronic prescription (e-prescription), this helps to avoid unwanted drug interactions and supports physicians in treating their patients.
The e-prescription is being continuously optimized, established as a standard in the supply of medication and made more accessible through the ePA app. Digital health applications (digitale Gesundheitsanwendungen, in short: DiGA) are being embedded more strongly in everyday healthcare and made more transparent. By expanding the DiGA range to include digital medical devices of higher risk classes (IIb), they can also be used for more complex treatment processes, such as telemonitoring.
In order to firmly anchor telemedicine in the healthcare system, previous volume restrictions have been removed. In addition, it is now possible to provide telemedicine from offices in the home. Assisted telemedicine enables easier access to medical care. Finally, structured treatment programs will be further developed digitally, interoperability will be improved, and cyber security will be increased.
European Health Data Space
The Commission’s draft for a European Health Data Space (EHDS), published on 3 May 2022, was adopted by the European Parliament on 24 April 2024. The European Health Data Space is intended to strengthen the networking of national healthcare systems within the EU through secure and efficient access to and exchange of health data. This is intended to optimize healthcare, research and infrastructure in the individual healthcare systems, and create a uniform legal framework for the development, marketing and use of electronic health record systems.
The EHDS allows patients to decide for themselves whether their health data can be viewed by healthcare professionals by means of an opt-out rule. This includes patient summaries, electronic prescriptions, medical images, and laboratory results. In addition, the regulation strengthens the data protection of sensitive information and supports data-based research under strict conditions.
AI Act
On 1 August 2024, the first comprehensive set of rules for AI came into force with the Regulation laying down harmonized rules on artificial intelligence (AI Act). The AI Act contains rules for the development, placing on the market and use of AI systems, and aims to strengthen society’s trust in AI systems without blocking the opportunities opened up by this technology.
Thus, AI systems are divided into four risk categories according to a risk-based approach: unacceptable, high, low and minimal. AI systems with unacceptable risk, such as systems that manipulate human behavior, are banned. AI systems with high risk, such as systems that make decisions about people in areas sensitive to fundamental rights, must meet strict requirements for their use. By contrast, AI systems with only certain risks, such as chatbots, and low-risk AI systems will remain largely unregulated in order to maintain competitiveness in the EU.
The AI Act has far-reaching implications for the healthcare sector. The use of prohibited AI systems in the healthcare sector is likely to be rare, though. The prohibitions on manipulative and exploitative practices contained in the AI Act explicitly do not apply to lawful practices in the context of medical treatment. Examples here include the psychological treatment of a mental illness or physical rehabilitation, if these practices are carried out in accordance with applicable law and medical standards, for example with the express consent of the person concerned.
However, some systems fall into the high-risk category and are therefore strictly regulated. AI medical devices that are classified in Class IIa, IIb or III of the Medical Device Regulation (MDR) are automatically high-risk systems within the meaning of the AI Act. This includes, for example, X-ray devices in which an AI safety component is installed. In addition to these product-related high-risk systems (“embedded AI”), AI systems that are used in a high-risk area (“non-embedded AI”) also fall into the high-risk category. This is the case, for example, when AI systems regulate access to essential private and public services, or when AI systems triage patients in emergency care or prioritize emergency calls.
Health Data Utilization Act
The Act on the Improved Use of Health Data (Gesetz zur verbesserten Nutzung von Gesundheitsdaten, in short: GDNG) came into force on 26 March 2024. It aims to make health data systematically usable for research while ensuring data protection. The GDNG has created a simplified way of using this data for non-profit purposes such as medical research and the improvement of healthcare services. As part of the GDNG, a decentralized infrastructure for health data will be established, which will be coordinated by a central body. This coordinating body will regulate access to the data and ensure that it is used in accordance with legal requirements.
NIS2 Implementation and Cybersecurity Strengthening Act
In January 2023, the Directive on measures for a high common level of cybersecurity (NIS2 Directive) came into force; it must be transposed into German law by 17 October 2024. The corresponding government draft of the NIS2 Implementation and Cybersecurity Strengthening Act (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz, in short: NIS2UmsuCG) to implement the directive was adopted on 24 July 2024.
If a company falls under the NIS2UmsuCG, it must meet numerous obligations, depending on whether it is an “important facility” (wichtige Einrichtung), a “particularly important facility” (besonders wichtige Einrichtung) or a “critical facility” (kritische Anlage). As the healthcare sector is listed as a “particularly important facility”, facilities in this sector are obliged to take all technical and organizational measures, corresponding to the current state of the art, to protect their IT systems and processes, and to take adequate account of the risk of damage occurring as well as factors such as the size of the facility and potential security incidents.
In the event of a security incident, facilities must submit various reports to the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, in short: BSI), including an initial report within 24 hours, a detailed report within 72 hours, and a final report. Compliance with the security requirements must be regularly demonstrated to the BSI. In the event of security deficiencies, the BSI can demand corrective measures from operators of critical systems and particularly important facilities. In addition, all facilities are obliged to register with the BSI and provide relevant information.
Look ahead
Looking to a future in which digital health technologies will increasingly shape our everyday lives, it is crucial that operators in the healthcare sector – from start-ups to established companies – always pursue their business models with these regulatory requirements in mind. It remains to be seen how the interplay between technological progress and regulatory design will develop in the future. In any case, the legislator is not inactive. For example, the law on the reform of emergency care, which will further expand telemedical care, and a law to create a digital agency for healthcare, are expected in the near future.
Author
Dr. Marina Schulte
Taylor Wessing, Düsseldorf
Attorney-at-Law
Author
Dr. Benedikt Kohn, CIPP/E
Taylor Wessing, Düsseldorf
Attorney-at-Law