Data security, HIPAA, and German data security laws.

From: Radiologische Gemeinschaftspraxis (praxis@pruenergang.de)
Date: 01/14/03


From: Radiologische Gemeinschaftspraxis <praxis@pruenergang.de>
Date: Tue, 14 Jan 2003 13:39:37 +0000
To: schumm@gmx.net

Hi all,

we are having a hard time with our equipment vendors in terms of data
security because in Germany it is not allowed to leave patient data with
a third party, whether it is by remote maintenance or because a server
is located at a third party. In the former, a workaround is to control
the remote access to one's clinic from the clinic's side, in the latter,
the data needs to be encrypted on the server. I do have the feeling,
though, that these German requirements are not of much interest to the
global players.

I have talked to all of our vendors. Some of them stated that their
equipment is HIPAA compliant.
Is there a site listing concisely the data security issues according to
HIPAA? Apparently HIPAA does not meet German standards here.

In one case, when addressing this issue to one of our vendors, I got the
following answer:

> Now, regarding the fact that no third party is allowed to view sensitive
> patient data, this is simply something we can not commit to. There are a
> lot of [vendor] equipment, all of them do store patient private data. And we
> know that when we download for example patient images, the process is that
> the patient's name and social security number are removed. But all
> equipments are not capable of doing so.
> Hence, if we sign a statement saying that we won't have access to any
> patient confidential data, we face a major risk of being prosecuted. And
> this is what we try to handle in the current Security Policy. We just try
> to be as compliant as we can with the current laws, and we try to find the
> most convenient solution for us and our customers. Now, if our customers
> are not happy with this, we won't go further, for [vendor] is not ready yet to
> sign such a statement.

In my opinion, this is not acceptable. After all, the doctor is
responsible for his patient data, no one else.

To find out whether this is a German or a general problem, I am strongly
interested in the data security laws in the United States and how they
are reinforced. Furthermore, which (practical) means are being taken to
ensure data security in the clinics?

Here are the German data security requirements for patient data and
their ramifications in more detail (I hope my translations of the
juristic terms are sufficient):

The particular protection of patient data results from a combination of
the data security laws with certain German laws: paragraph 203 StGB
(StGB=penal code; violation of private secrets), paragraph 97 StPO
(StPO=code of criminal procedure; confiscation-free items), paragraph 53
StPO (StPO=code of criminal procedure; testimony refusal right for
certain occupation groups). Paragraph 203 StGB plays a central role
(betrayal of secrets).

The most important sections from paragraph 203 StGB:

1) The person who unauthorizedly discloses an external secret, namely a
secret that belongs to the personal sphere, or a company secret, or a
business secret, that has been entrusted to him or become known to him
as a
        1. physician, dentist, vet, pharmacist, or member of another type
of healing profession that requires a vocational training regulated by
the state
will be punished with a prison sentence up to a year or a fine.
(3) ... Persons who are occupied at or in training at those named in
section 1 and sentence 1 are treated equal to those. Persons who
obtained secrets from a deceased person entrusted to such secrets or
from his legacy, are treated equal to those named in section 1 and
sentence 1 and 2.
(4) Sections 1-3 also apply when the offender unauthorizedly disclosed
the external secret after the death of the person involved.

((1) self explanatory)
((3) such as techs, interns, secretaries, typists, receptionists, ...)
((4) e.g. when a physician discloses patient data from a patient that
has died)

The physicians and administrative staff have to protect patient data
against those that are not authorized according to paragraph 203 StGB.
When a physician allows an external company to access a menial patient
list, he commits a disclosure of external secrets according to paragraph
203 StGB, and a breach of the legal requirement concerning confidential
medical communication according to paragraph 9 of the professional code
of conduct. Disclosing the fact that a patient has received treatment or
has been hospitalized is already a breach of the legal requirement
concerning confidential medical communication.

Staff of an external maintenance company cannot be included into the
legal requirement concerning confidential medical communication by
contract, and thus this is not a solution to the problem. According to a
verdict of the Higher Regional Court Duesseldorf only the persons named
in paragraph 203 StGB, section 1 and sentence 1 can violate the legal
requirement concerning confidential medical communication, or - vice
versa - preserve it. Only the professional aides or persons in training
are treated as equal (paragraph 203 StGB, section 3). When a staff
member of a third party company receives such information and discloses
them, he only commits a breach against the data security law.

When patient data is being stored externally from the medical care
provider (i.e. at a third party company), they are not subject to the
special protection by the legal requirement concerning confidential
medical communication and paragraph 203 StGB. Furthermore, patient data
that is not in medical custody is not subject to paragraphs 53 and
97 of StPO, i.e. it could, e.g. within the scope of investigations by
a state attorney, be confiscated. By the same token the data are without
protection, when insolvency proceedings are opened over the third party
company, the third party company relocates abroad, etc.

Thus, the physician may not surrender patient data to third parties, not
even by remote maintenance.

When patient data needs to be transmitted within the scope of remote
maintenance, they must be anonymized through strong encryption
algorithms. Currently, no standard solutions exist for medical data
processing; this is due to the fact that the physician or medical
institution incurs a penalty, not the third party company.

Currently, the only semilegal method to grant remote access to third
parties is to leave the control to open (& close!) the connection for
the engineer with the clinic, hospital etc.

Thanks,

Alexander


