Electronic patient file mandatory since January 15, 2025: A look at the legal framework

The digitalization of the healthcare system in Germany has reached a new milestone: on 15 January 2025, the electronic patient file (ePA) was made mandatory for those with statutory health insurance. This step is part of the German government’s comprehensive digitalization strategy and has far-reaching legal, data protection and practical implications for insured persons, service providers and health insurance companies. Find out more in our blog article.

Background and legal basis

The ePA is enshrined in law in the Patient Data Protection Act (PDSG), which came into force in 2020. The aim is to enable better networking in the healthcare system and improve the quality of care. From the end of 2024, the ePA will become standard, which means that all people with statutory health insurance will automatically receive an electronic patient file unless they object (opt-out model).

The legal obligation to introduce the electronic health record goes hand in hand with extensive requirements for data protection and data security standards. The statutory health insurance funds are responsible for implementation and are creating the technical requirements together with gematik, the national agency for digital health applications.

What does the binding nature of the ePA mean?

From the cut-off date at the beginning of 2025, every person with statutory health insurance will have an ePA. It will be the central hub for digital communication between patients, doctors, pharmacies and other service providers. Insured persons will be able to view and manage diagnoses, treatment plans, medication overviews and other medical documents in their ePA.

From a legal point of view, however, the use of the ePA remains voluntary for insured persons. No one is forced to actively use the file or store data in it. However, insured persons must actively object if they do not wish to have an ePA created for them. This “opt-out” model is legally controversial, as it raises the question of informed consent and the autonomy of insured persons.

Data protection challenges

The use of the ePA poses considerable data protection challenges. According to the General Data Protection Regulation (GDPR), health data is considered particularly sensitive personal data.

The use of the ePA is based on the consent of the insured person, who can control in detail which data is stored in the file and who can access it. Despite these control options, there is still criticism that the opt-out model potentially undermines the principle of data sovereignty. Data protection advocates warn that many insured persons may not be sufficiently informed to make an informed decision.

Another legal area of conflict concerns the technical implementation. Legislation requires health insurance companies to comply with the highest security standards, in particular encryption and access controls. Violations of these standards can have consequences under both civil and criminal law.

Effects on doctors and other service providers

The ePA will also be mandatory for doctors and other service providers: from 2025, they must be able to upload medical documents to the ePA. This means not only adapting technical processes, but also complying with strict legal requirements, for example with regard to documentation obligations and liability.

The legal responsibility of service providers for the correct use of the ePA will play a central role. Errors when filling in the ePA or unauthorized access can have legal consequences. Further training and the creation of the necessary technical infrastructure are therefore essential.


The binding nature of the ePA from January 2025 marks a paradigm shift in the German healthcare system. It offers opportunities for more efficient and patient-centered care, but also raises considerable legal questions.

In particular, the tension between data protection, data sovereignty and technical feasibility remains a key point of discussion. It will be crucial for insured persons, service providers and health insurance companies to meet the new legal requirements in good time in order to take advantage of the opportunities offered by the ePA while minimizing legal risks.

The coming years will show how the ePA proves itself in practice – and whether the legal framework is actually sufficient to maintain the balance between the benefits of the file and the protection of sensitive health data.