The GDNG: What the law means for clinics and researchers

Clarity at last on the handling of health data: The German Bundestag has passed the Health Data Utilization Act (GDNG). Researchers, doctors and hospitals now have legal certainty regarding the handling of their patients' data. What the GDNG means for clinics and science: we take a look at the key points.

What is the Health Data Utilization Act, GDNG for short?

The GDNG regulates the handling of health data for research. Researchers should be able to use the pseudonymized data of people with statutory health insurance in an unbureaucratic manner.

The Health Data Utilization Act is part of a legislative package. The aim of this package is to digitize the healthcare sector and make Germany attractive again for researchers in an international comparison.

The full text of the draft law.

The six key points of the GDNG

With the adoption of the GDNG at the end of 2023, the Ministry of Health has defined six objectives as the core of the law - two more than in the first draft of the GDNG. For doctors, researchers and companies in the healthcare sector, this means a legally secure framework for handling the health data of people with statutory health insurance.

Goal 1: Easier access to health data

What problem is the legislator tackling with this?

In the decentralized German healthcare system, researchers currently find it difficult firstly to find and secondly to use data sources. Article 1, §3 GDNG on the "Data Access and Coordination Office for Health Data" is intended to make access to data considerably easier. Until now, access to research data has mainly been available to those who have generated the data themselves.

How does the law solve this problem?

In the central press release on the GDNG, the Ministry of Health states: "A central data access and coordination point for the use of health data will reduce bureaucratic hurdles and facilitate access for research. For the first time, it will be possible to link pseudonymized health data from different data sources. The access point will act as a central point of contact for data users."

What does this mean for the healthcare sector?

The reduction of bureaucracy in relation to access to medical data marks a trend reversal in the healthcare sector. Instead of preventing the use of data with data protection arguments as before, it is now a matter of using data in accordance with the law. In our view, this step is essential in order to sustainably promote and accelerate medical progress in Germany. For clinics, doctors and researchers, this aspect creates an unprecedented opportunity:

  • Improved research efficiency: Easier access to medical data enables researchers to carry out their projects more efficiently and in a more targeted manner. Medical research should therefore make faster and more informed progress.
  • Innovation in treatment: linking pseudonymized data offers immense opportunities. It opens up new avenues in medical treatment and therefore better healthcare overall.
  • Clear structures and responsibilities: The central office for the nationwide decentralized storage of health data designates clear contact persons and responsibilities.

Goal 2: Uniform data protection standards for transnational research projects

What problem is the legislator tackling with this?

Data protection regulations differ in detail from region to region. This causes ambiguity and uncertainty among researchers and medical institutions. The legislator has responded to this with Article 1, Section 5 GDNG on "Data protection supervision in transnational health research projects".

How does the law solve this problem?

In its central press release on the GDNG, the Ministry of Health writes: "The lead data protection oversight for transnational research projects will be extended to all health data. Data protection supervision for transnational research projects in the healthcare sector can be coordinated by a state data protection officer."

What does this mean for the healthcare sector?

A central point of contact and coordinator for cross-state research should make it much easier for the entire medical sector to handle data. We therefore expressly welcome the regulation.

  • Clear regulations: Harmonization across federal states sets uniform national standards and thus a uniform legal framework.
  • Improved cooperation: Establishing a central point of contact simplifies communication and cooperation between different healthcare facilities and research groups.
  • Efficient use of data: Cross-border coordination should speed up the exchange of data and enable access to more relevant data.
  • Increased safety: A clear legal framework increases safety in medical practice and research, which ultimately benefits patients.

"In our view, there is a need for greater clarity and cross-border standardization in the area of patient data protection, as there are still state hospital laws that also regulate data protection aspects and conflict with the GDPR."

Dr. Caroline Grau, Managing Director Telepaxx Medical Data GmbH

Goal 3: Comprehensive access to health data

What problem is the legislator tackling with this?

Until now, it was mainly researchers and doctors at university hospitals who had access to structured data for research projects. Smaller private clinics and research-based companies have often been left behind. With Article 1, Section 4 GDNG, the legislator is expanding the circle of those entitled to access to "linking data from the Health Research Data Center with data from the clinical cancer registries of the federal states".

How does the law solve this problem?

The central press release on the Ministry of Health's website states: "The Health Research Data Center (FDZ) at the BfArM (Federal Institute for Drugs and Medical Devices) is being further developed. Eligibility to apply is no longer determined by who is applying, but for what purpose. The decisive factor is the purpose of use in the public interest. The FDZ can link pseudonymized data with cancer registry data and data from other legally regulated medical registries if this is necessary for the research purpose for which the application is made and the interests of the insured persons are sufficiently safeguarded."

What does this mean for the healthcare sector?

We believe it is right and forward-looking for researchers and doctors to have access to data for research purposes regardless of their respective institution. This step contributes to the equality of various players in the healthcare system and opens new doors for research and development of medical products and treatment options.

  • Democratization of access: Expanding access to health data for different stakeholders enables broader and more diverse research.
  • Orientation towards the common good: The focus is on the research project and its benefits for society - and no longer on the status of the applicant. This ensures a fairer use of health data for the benefit of patients.
  • Promoting innovation: Thanks to the expanded access to data, non-university and non-governmental clinics, doctors and researchers can now also access healthcare data more easily. This promotes competition and therefore innovation.

Goal 4: Access to health data via the EHR

What problem is the legislator tackling with this?

Hospitals, medical practices and insurance companies manage millions of patients' health data that have so far been inaccessible to researchers. The GDNG will give researchers access to this data in future via the EHR, which will be mandatory from 2025. The legislator regulates this in Article 1, Section 8 GDNG on the "Obligation to register; obligation to publish research results when processing health data in the public interest".

How does the law solve this problem?

The central press release from the Ministry of Health contains the following statement: "In future, an opt-out procedure will apply to the release of data from the EHR. This will make it easier to use treatment data for research purposes. Only data that has been reliably and automatically pseudonymized will be transmitted. A simple objection management system will be set up so that patients can decide whether to release their data to the FDZ for research or other purposes. Insured persons can also declare their objection to the ombudsman's offices of the health insurance funds if they do not use the EHR or cannot or do not wish to declare their objection digitally."

What does this mean for the healthcare sector?

Article 1, §8 GDNG marks a turning point for clinics, doctors and researchers in the healthcare sector. Whereas previously explicit consent (opt-in) was required from patients, health data is now available for research purposes by default. The simple opt-out solution thus bridges the gap between individual data protection and research interests in the interests of the community.

  • Simple opt-out solution: Patients should be able to object to the use of their data. This option gives patients control over the use of their health data, should alleviate data protection concerns and at the same time increase patient understanding of data use in the healthcare sector.
  • Pseudonymization protects privacy: In addition to the right to object, the data used is also pseudonymized. This is a crucial step in protecting the privacy of the individual, while at the same time valuable data remains accessible for research.

Goal 5: Personalization of healthcare

What problem is the legislator tackling with this?

Until now, health insurance companies have not been allowed to actively approach their policyholders, even if they could deduce a potential risk to their health from their individual data. This changes with Article 1, Section 8 GDNG on the "Obligation to register; obligation to publish research results when processing health data in the public interest" and Section 9 GDNG "Penal provisions".

How does the law solve this problem?

The German Ministry of Health explains in the central GDNG press release: "Health and long-term care insurance funds may provide personalized information to their insured persons based on data already available to them if this serves to protect the individual health of the insured persons, for example for the safety of drug therapy, the detection of cancer and rare diseases or to prevent the need for long-term care."

What does this mean for the healthcare sector?

We see this aspect as an opportunity to increase the efficiency and effectiveness of healthcare in Germany. The law thus lays the foundation for future-oriented, data-based medicine that focuses on personalized treatment methods.

  • Strengthening personalized medicine: We believe it makes sense for medicine to move more in the direction of personalized treatment approaches. This requires legal clarity for comprehensive data collection and analysis. Storing and making this health data available will be the central task for the healthcare sector.
  • Earlier disease detection and preventive measures: The law enables health risks to be identified earlier and targeted prevention strategies to be developed. This development should improve the well-being of society and individuals.
  • Relieving the burden on the healthcare system: We can already see today that our healthcare system is reaching its limits in many cases. By using a data-based preventive approach, serious illnesses can be mitigated or at best prevented and the burden on the healthcare system can be reduced.

Goal 6: Processing of health data

What problem is the legislator tackling with this?

Until now, it was not clearly regulated whether and how hospitals, for example, were allowed to use the personal health data they generated in-house for research purposes and share it with third parties. It was also unclear whether the anonymization of data constituted legally compliant further processing. The law now clearly regulates who can process the data under which conditions and for which purposes in a legally secure manner. This is explained in the four articles of Section 6 GDNG on the "Further processing of healthcare data for quality assurance, to promote patient safety and for research purposes".

How does the law solve this problem?

The Ministry of Health states the following in its GDNG press release: "Service providers and their networks will be enabled to use healthcare data available to them for research, quality assurance and patient safety. The use of healthcare data is subject to research confidentiality. Researchers may therefore only use and pass on health data as permitted by law. In the event of a breach of these confidentiality obligations, a criminal provision will apply in future."

Specifically, the law names three purposes for further processing:

  1. for quality assurance and the promotion of patient safety,
  2. medical, rehabilitative and nursing research, or
  3. for statistical purposes, including health reporting.

In addition, reference is made to the possibility of anonymizing health data in order to be able to transmit it to third parties for the three purposes mentioned above (Section 6 (3)).

What does this mean for the healthcare sector?

For the healthcare sector, this should mean that a new era of data-supported treatment and quality assurance is beginning, in which innovative technologies can be used safely and effectively for the benefit of patients.

  • Improved patient safety: The regulation now clearly defines how a hospital can, for example, check the AI-based software it uses to detect bone fractures for correct and incorrect results using its own validated data sets. This means that hospitals can now independently assess the reliability of their systems. Ultimately, this should significantly improve the quality of diagnosis and therefore patient safety.
  • Building trust: Such quality assurance processes strengthen the trust of both doctors and patients in new technologies. For example, doctors receive a clear picture of the strengths and limitations of AI systems and can intervene in a more targeted manner in critical cases.
  • Data processing by third parties: Medical institutions may process personal data they have generated under certain conditions, such as pseudonymization and anonymization, and also share it with third parties. This ensures legal certainty on the part of medical facilities and at the same time takes into account the data protection interests of patients.

Conclusion on the GDNG: Significant step for research and patient protection

The Health Data Utilization Act (GDNG) represents progress in medical research and practice for clinics and doctors. It offers legal security, facilitates access to health data and promotes innovative, personalized treatment methods.

At the same time, it strengthens data protection and supports more effective prevention strategies. Overall, this should strengthen the healthcare sector and increase patient protection.

