New requirements for cloud computing services in the healthcare sector

11.09.2024

The German Digital Act recently came into force with practically no broad-based media coverage, despite the fact that the legislative package has far-reaching implications inter alia for all cloud services in the healthcare sector.

A. What is the Digital Act?

The German Act to Accelerate the Digitalisation of the Healthcare Sector (Gesetz zur Beschleunigung der Digitalisierung des Gesundheitswesens, DigiG) (Digital Act) came into force on 26 March 2024.

The Digital Act introduces the electronic patient record (elektronische Patientenakte), refines electronic prescriptions (E-Rezepte) and establishes them as the binding standard, integrates digital health apps more closely into healthcare processes and removes restrictions on telemedicine, for example.

Other key amendments relate to interoperability and cyber security in the healthcare system. Cloud computing services are also explicitly regulated in this context. The most important requirements are found in the completely revised section 393 of Book V of the German Social Code (Sozialgesetzbuch, SGB) (also the “Code”), which has been applicable since 1 July 2024.

B. What is new for cloud computing services?

By introducing the new section 393 in Book V of the German Social Code, the legislators intend to expressly allow the processing of social security and health data using cloud computing services and, at the same time, to achieve legal certainty by clearly formulating requirements for the use of such services. In fact, the provisions create stricter legal requirements than before.

Apart from this, those involved in the social services and healthcare sectors continue to face a complex regulatory regime. Besides section 393 of Book V of the German Social Code, other rules and regulations also apply depending on the specific situation (use of cloud services by statutory health insurance providers, hospitals or other health service providers, etc.). These include Article 28 of the GDPR (data processing on behalf of a controller), section 203 of the German Criminal Code (Strafgesetzbuch, StGB) (professional secrecy), additional confidentiality requirements, for example under the law governing medical professionals, and restrictions under regional state law, such as restrictions for hospitals. See, for instance, the strict requirements governing the use of processors in section 38 of the State Hospital Act of Mecklenburg-Western Pomerania (Landeskrankenhausgesetz Mecklenburg-Vorpommern) or section 7 of the Health Data Protection Act of North Rhine-Westphalia (Gesundheitsdatenschutzgesetz Nordrhein-Westfalen); this contrasts with other German states where the rules have recently become more liberal, such as Bavaria (see our past article) or Baden-Württemberg. As a result, it will still be necessary to review each individual case while considering the entire regulatory framework, possibly including an examination of whether individual aspects comply with constitutional and EU law.

I. Who and what is covered by the provisions?

According to section 393 (1) of Book V of the German Social Code, the provisions are targeted at the following entities:

  • service providers in the statutory health insurance system
  • the statutory health and nursing care insurance funds
  • the processors processing data on their behalf (see Article 28 GDPR)

The Code defines “cloud computing services” as digital services that “enable on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations.” This matches the definition in Directive (EU) 2022/2555 (NIS2 Directive).

II. What are the requirements for IT security?

Apart from the general requirement that suitable state-of-the-art technical and organisational measures must be taken to ensure information security, the “data processing entity” will have to be able to present a BSI C5 auditors’ report (as defined by the Federal Office of Information Security, or BSI) for the software and hardware used to provide the cloud computing services. For more information on the BSI C5 auditors’ report, see the Federal Office of Information Security’s website.

The current BSI C5 auditors’ report can be replaced by a C5 type 1 auditors’ report until 30 June 2025. Apart from the C5 report, other certificates/auditors’ reports will generally be permitted provided they also certify that suitable state-of-the-art technical and organisational measures have been taken to ensure information security. Which certificates/reports are suitable is to be clarified in a statutory instrument to be issued by the German Federal Ministry of Health (Bundesministerium für Gesundheit), probably in the course of the year.

Incidentally, the Code is not clear as to whether the “data processing entity” required to obtain an auditors’ report means the service provider/health and nursing care insurance fund, their processors, or both.

Those affected should in any case check their own certifications and ensure that any processors have the necessary certificates/auditors’ reports.

III. What requirements apply to transfers of data to third countries?

The processing of social security and health data by cloud computing services is subject to territorial restrictions. It may only be carried out in the following areas: Germany, the European Union, the EEA, Switzerland or a country for which an adequacy decision has been adopted in accordance with the GDPR (see section 393 (2) of Book V of the German Social Code).

For cloud computing services involving transfers of data to the US in particular, companies need to check whether the importer in the US is certified under the EU-US Data Privacy Framework (see our past article). Whether this rules out using the standard contractual clauses for transfers to third countries for which no adequacy decision exists (e.g. remote access for maintenance/support purposes) will have to be discussed on a case-by-case basis.

Moreover, the wording of the Code expressly requires that the “data processing entity” have a branch in Germany. Whether this provision complies with EU law may need to be clarified.

C. What are the penalties for non-compliance?

Section 393 of Book V of the German Social Code does not impose any penalties. Consequently, failing to comply with it does not lead to any fines under Book V of the Code.

Despite this, it seems conceivable that infringements of section 393 could automatically trigger infringements of the GDPR. This would open the door to the GDPR’s framework of penalties.

A customer may also be able to bring contractual warranty claims against its contractor if the cloud computing service fails to meet the requirements of section 393 of Book V of the Social Code. Whatever the case, the supply chain should be examined for compliance with the new requirements.

In view of this, companies that operate cloud computing services to process social security and health data should review their own certificates and auditors’ reports. If these are missing, they should initiate the certification process or obtain the report straight away to avoid potential conflicts with contracting parties. This will involve checking the relevant contracts to identify who has to bear the costs or whether it will be possible to share the costs between several contracting parties.

For further information, please see the FAQs of the Federal Ministry of Health on the Digital Act (in German only).