Since 01 January 2021, the time has come – the electronic patient record (ePA) is to offer all insured persons in Germany the voluntary opportunity to dispose their health data, findings, diagnoses, etc. in a self-determined manner via app. Gone are the days when findings were scattered and archived by different doctors, or measures were carried out twice because access to information was not possible.
The Patient Data Protection Act (PDSG) obliges the statutory health insurance funds to offer their policyholders the file on request from January 1, 2021. But there are hiccups in various places; the Federal Data Protection Commissioner, Ulrich Kelber, sent an open warning to the statutory health insurers as early as November 2020 that version 1.1 of the ePA was not DSGVO-compliant.
Bumpy start with significant limitations
One goal of the ePA is for insureds to be able to granularly determine which doctors, therapists or pharmacies can see which data. For example, if you don’t want your family doctor to know your neurologist’s diagnosis, you don’t share that data. However, this is exactly what is not possible in version 1.1 – it is neither possible to differentiate what should be released and what should not, nor is it possible to take the file with you when you change health insurers.
Health data with US providers?
Among other reasons, this is not possible because health insurers do not work with uniform standards. For example, the AOKs rely on an IBM solution, the TK on its own APP, and another group of statutory and private health insurers uses the Vivy app, which is also used for the health record (eGA). What all apps have in common is that they are proprietary applications: i.e., although the app is offered through the health insurers, the storage of the data lies with private companies. For patients, this means digital sovereignty is not there from the start, no matter what enhancement is added.
We have already written about the problematic dependence on US providers and it is surprising that such a sensitive area as the health sector is obviously not aware of this. But there also seem to be gaps in knowledge on the part of those who rely on the provider of the Vivy app. On the one hand, vivy is a Berlin provider that advertises that it hosts data on German servers. On the other hand, vivy has already been sharply criticised since 2018 for various security vulnerabilities in the software (by Netzpolitik.org, Deutschlandfunk, among others) and has shown little constructiveness in dealing with the criticism. Another point that suggests little awareness of sovereignty: the start-up Vivy of the same name is 70% owned by the private insurance company Allianz. One might think for oneself what interests an insurance company might have in promoting an app that collects patient data.
ePA and Open Source – was that an option?
At this point, the question also arises: Did they consider using Open Source for such a sensitive app? When doing research on vivy, a few entries turn up that indicate that it was considered – search results still exist that link to blog posts by vivy about incorporating open source, but the associated pages are no longer accessible and the blog itself no longer exists on the vivy website. There is also a hint that open source interfaces were used to link different areas to share information in the context of the health card. If you have any further information, please feel free to comment here.
Open Source for the entire health sector
In 2008 Luis Falcón started the amazing initiative GNU Health – initially as a project for health promotion and disease prevention in rural areas. The original name was Medical. Since then it has evolved into a health and hospital information system supported by a multidisciplinary international team. GNU Health is a project of GNU Solidario, a non-profit, non-governmental organization working in the fields of health and education with free software.
In 2016 GNU Health received a special award from the Open Source Awards OSBAR of the Open Source Business Alliance and in 2017 Kopano supported the project with a donation.
GNU Health could certainly provide important impulses to the debate around the ePA to anchor the topic of open source in the health sector and to create an equal and sovereign field of action for all.
GNU Health in Covid 19 times
The high social benefit of GNU Health’s commitment is especially evident in Covid-19 times: In Argentina, Open Source Software is already fully used for Covid-19 tracking. A clear statement from GNU Health goes to the Federal Data Protection Commissioner Ulrich Kelber and the German government:
“We welcome the clear warning from the German Federal Data Protection Commissioner, Ulrich Kelber, to not use the proprietary apps in their current version. The current approach to e-health is a waste of public money and resources – and a nightmare in terms of privacy. Only if we control the full software stack (and ideally hardware as well) we can grant as much privacy as possible. Public money should go into public, libre code – the Corona app was a good start. In countries like Argentina GNU Health is already used for full COVID-19 tracing – completely using free/libre software.
GNU Health currently develops a Personal Health Record Application together with the KDE project at https://invent.kde.org/pim/mygnuhealth/ . It is fully based on free/libre software and puts user privacy and -rights into the focus. The German government is welcome to support the project.“ (GNU Health, 2021)
Kopano is convinced of the high social impact GNU Health can make and we are happy to be able to contribute a small part in supporting and spreading the word. We would therefore like to repeat our own statement we made during the OSBA Awards:
“We think it is great how a strong open source project not only creates modern administration possibilities in structurally weak, poor regions, but also leads to a rethinking in terms of sustainability, openness and trust.
Support GNU Health too!”
Diskussion about ePA u. vivy (in german):