Federal Minister for Health, Karl Lauterbach
The BigBrotherAward 2024 in the category “Health” goes to the Federal Minister of Health, Karl Lauterbach, for the European Health Data Space, EHDS for short, for which he shares responsibility, as well as for its implementation into national law, the Law for the Use of Health Data.
These two laws permit the processing of all of our most sensitive health data, such as visits to the general practitioner or hospital treatments, following mostly unspecified procedures and without the necessary precautions.
For a long time I have been a fan of Karl Lauterbach. After the less-than-capable health minister Jens Spahn, I was hoping – with some justification – for more competency. But when it comes to data protection in the realm of health, Mr. Lauterbach does not only seamlessly continue what his predecessor had started, he makes the latter’s unconstitutional plans for the so-called “secondary uses” of health data even worse.
So far, most of the discussions were centred on concerns about the nationwide introduction of the electronic patient files (German Elektronische Patientenakte, ePA). This ePA is only a small piece in the greater plan called “European Health Data Space”. Negotiations about the European EHDS law were completed under health minister Lauterbach, and it will enter into force shortly. It envisions the complete digitalisation of the entire healthcare sector. This could be a good thing. But health data is not only supposed to be used to improve diagnostics and treatments (known as “primary use”). The main goal is the use of health data for so-called “secondary uses”.
Good-bye to the Hippocratic Oath
What does that entail? A lot. Our data on treatments from general practitioners and hospitals shall be used for, among other things:
- Activities in the “public” health interest, not excluding the possibility for private enterprises pursuing their own profits,
- for the support of public bodies, leaving it completely vague what is meant by that,
- for scientific research including the development of products and services, as well as training so-called artificial intelligence.
That may not sound overly dramatic to some people. But we have to be aware that these new laws will do away with a core tenet of the medical profession: medical confidentiality.
Almost 2000 years ago, Hippocrates swore himself and all physicians to secrecy, to foster a trusting relationship between the medical practitioner and the patient, which forms the basis for the best possible treatment. This trust will suffer if patient secrets are forwarded to third parties, as is stipulated in the EHDS, without sufficient protections. And if this trust is removed, sick people may decide not to see a physician in the first place.
Spahn’s Creation, Lauterbach’s Contribution
Politicians realised during the COVID pandemic that health data is crucial for medical research, for health planning and for the development of new treatments. The EHDS is intended to pave the way for that. The national legislatures should now do everything that is necessary to protect patient confidentiality amidst this data usage. And this is where we meet health minister Lauterbach again. His law for the use of health data, implementing the EHDS, which entered into force in March 2024, will deliver our health data as prey to commercial and political interests.
Jens Spahn prepared the field for this quite well. During his term in office, provisions for a health data research centre, the FDZ, were passed, under the roof of the Federal Institute for Drugs and Medical Products (Bundesinstituts für Arzneimittel und Medizinprodukte, BfArM). It is intended to be the central collection and distribution point for health data. All billing data of the health insurers will be stored under a pseudonym, as well as the data of the electronic patient files, the ePA. This FDZ shall become fully operational as early as Autumn 2024. Among other things, there are plans to connect the cancer register’s pseudonymised data records with those of the FDZ. Further connections to the nationwide implant register and several other health data sources are planned as well.
All of this is, as indicated, pseudonymised. However, there are so many sensitive data points about the physical and mental health in these records, that only a little additional knowledge will make it easy to find out who received which treatment. This could be data about genetic conditions, mental disorders, or rare severe diseases. This re-identification would spell the end of the trusting relationship between doctors and patients.
Risks and side effects
The risks created by this are substantial:
- data leaks could cause data to fall into the hands of address merchants
- police can access the data and could use them for criminal investigations
- health insurance companies and their professional associations will be granted access to the FDZ. For now, exclusively to “optimise” their premiums, or to suggest to their clients a more promising treatment – bypassing their practitioners. This is downright patronising.
And, painting a grim dystopian picture, some scenarios are even worse: Who can rule out that in the future, insurers or employers may infer from the data, for example, who had been treated for depression, or who has a specific genetic defect?
Equally long as the list of dubious possibilities is the list of the sins of missing precautions:
- The approval of secondary uses is not regulated by an independent body, but by a special department of the Institute for Drugs and Medical Products, over which the Federal Ministry of Health has supervisory authority,
- the approval process for who can access the data is lacking in transparency. Neither affected persons nor the public are informed about how the decision process for the applications works (information about the applications shall be made available in a general register).
- Everyone can apply for access to the pseudonymised health data without having to provide any evidence of qualification or trustworthiness.
- Any justification of how and for what purpose the data was used only needs to be provided after two years, in a generalised form.
- A prohibition of requisition of data for criminal prosecution, as demanded by data privacy activists, had initially been planned, but was dropped by the political leadership.
- Penalties for proven misuse of data are minimal: prohibition of further use of the data for at most two years. There is a theoretical possibility of criminal prosecution, but that would require that the affected persons learn about the misuse of their data.
- The biggest outrage is that those affected by secondary use have no right to information about, or to object to, the use. The only recourse possible is against the integration of the electronic patient file into the data research centre. Invoices of the statutory health insurance, however, will end up in the FDZ, regardless.
Under Spahn, pharmaceutical companies had been excluded from the FDZ. But Lauterbach has granted comprehensive access. They will only have to convince an employee of the Institute for Drugs and Medical Products that their valuation of the data could be useful. This opens the floodgates to wheeling and dealing. The state provides the infrastructure for providing the data. Profits will be made by the industry. The affected persons are not informed, let alone asked for permission.
From AI to warfare agents
It inspires little confidence that the health ministry (Bundesministerium für Gesundheit, BMG) can perform its own analysis. I do not imply that this would have direct adverse consequences for individuals. But in any case, the BMG is being given a framework for non-transparent analysis of the data. Public scrutiny could prevent data misuse.
The requirements for the protection of the relationship between patient and medical professional have been discussed for years and there is – in theory – scientific consensus. This includes an effective pseudonymisation of all data, as well as transparency about who can use the data for which purposes. Affected persons must have the right to be informed and to object; criminal prosecutors must not gain access to the data. And there must be stiff fines for data misuse.
This is the only way to prevent rampant misuse, such as conducting inhumane research projects. So far there are no provisions against training AI models with my data in such a way that they will reproduce discrimination, against women, against persons with a certain disposition, against people living in precarious circumstances, whose specific needs are not sufficiently taken into account.
There are no provisions against the use of my data for military research for improving the efficacy of warfare agents. But this should be a matter of course for the legislator. The Charter of Fundamental Rights of the European Union and the German Constitution demand this unequivocally.
The health ministry also knows quite clearly that the implementation of the EHDS would be unconstitutional. But neither the ministry nor the parties of the federal parliament – including the Green Party – want to recognise this fact. There are pending lawsuits against the planned secondary uses of health data.
Independent of the decision of any courts: nobody should feel any impediment to seeing a doctor, if that seems necessary. The planned secondary uses have not yet started, and there is still time to stop them.
If health minister Lauterbach were really serious about the digitalisation of the healthcare sector in a manner that respected data protection, he should expedite the implementation of all necessary protective measures. As of today, that does not seem to be on his agenda. He should, indeed he must do this. This is why he is a worthy recipient of the BigBrotherAward 2024 in the “Health” category.
Congratulations, Minister for Health, Dr. Karl Lauterbach.