Everything went according to plan: On January 15th, the "electronic health record for all" (elektronische Patientenakte; "ePA für alle") officially launched in selected model regions throughout Germany. During this initial pilot phase, the systems are meticulously assessed in terms of their performance and reliability. Most Germans think the ePA is a valuable implementation to improve the overall health care infrastructure. It also significantly contributes to the digitization of the industry. However, doctors and medical personnel are not as ready as they are supposed to be. A wide gap between many technical requirements and the current state of the adoption is still dividing the industry. At the same time, a more straightforward solution is right in front of them.
The more accessible health data is, the smoother the communication between patients, doctors, hospitals, therapists, pharmacies, and insurance companies becomes, and the more effective the health care and treatment will be. Thus, the core idea of the ePA is simple: Every time a patient undergoes medical care, relevant documents like medication lists, diagnostics, lab results, doctor's letters, treatment measures, and emergency data are automatically transferred to the patient's electronic record. Vaccination and maternity information, dental records, children's examination booklets (U-Heft), sleep, migraine, and blood pressure diaries can also be stored.
Thanks to this detailed digital overview, unnecessary duplicate examinations and potential drug interactions can be avoided. Patients retain absolute data sovereignty, as they can upload and manage their documents via the ePA app and determine who can access the information and for how long, enter objections, and appoint a representative. Using the ePA is voluntary; everybody can opt out whenever they want.
The national rollout is scheduled for April, only a few months after the initial testing phase. This is certainly very ambitious, especially given that the Chaos Computer Club (CCC) has expressed significant concerns regarding data security. The CCC's security researchers claimed they could "effortlessly acquire valid electronic healthcare profession and practice IDs […] and access health data with these cards yet again."
Nevertheless, both the gematik GmbH, which has responded to the accusations in a statement and assured it will increase security, and the public are optimistic. According to a survey conducted by dpa and YouGov shortly before the launch, 79 percent of the participants consider such a digital record helpful; 70 percent assume that it will improve health care. Bitkom also came to a positive conclusion: 71 percent want to use the ePA in the future.
The ePA has a lot of promises to keep. However, three significant challenges might block its path to glory – at least for now:
The lack of a technological basis could grow into a massive problem since the ePA requires a particular environment consisting of several components and services. For instance, medical institutions must connect to the telematics infrastructure (TI). To establish this connection, they need a connector that sets up a secure VPN. The connector is also linked to the practice management system and one or several e-health card terminals. The terminals serve as a means to sign the practice on to the TI.
In addition, two kinds of cards are needed: the electronic practice ID (elektronischer Praxisausweis, or Security Module Card Type B, SMC-B) and the electronic healthcare profession ID (elektronischer Heilberufsausweis, eHBA). The SMC-B authenticates the practice via card terminal and connects it to the TI. The eHBA lets doctors verify themselves as approved healthcare professionals and holds the signature certificates. These allow doctors to digitally sign specific documents like electronic prescriptions or electronic certificates of incapacity with a qualified electronic signature (QES), as they are legally obliged to.
If you think this was a complicated read, imagine how medical personnel deal with it daily. Instead, the industry needs a simplified way to sign on to the TI, verify medical personnel, and sign electronic documents.
Using terminals and multiple cards is inconvenient and risky, as important ID certificates are stored on the cards. The CCC has already shown what consequences this can have. In contrast to hardware-supported procedures, remote signatures could genuinely speed up medical processes.
This method works without cards and aligns more with modern, digital everyday life. For example, medical personnel need a cell phone or an alternative authenticator, which takes over the declaration of intent when creating an e-prescription. In this case, the certificates are no longer stored on the cards themselves but in the highly secure environment of a trust service provider. The signature gets validated via two-factor authentication. Our recommendation: Germany should say goodbye to bulky old mechanics and switch to software-based signature and authentication procedures instead.
While we are at it, citizens should also be able to request and use the ePA more easily. The forced trip to an insurance company's office or post office and printing out forms should be a thing of the past. This means more straightforward identification and authentication are needed, such as a central identification platform and video- and AI-supported auto-ident procedures.