On 1 July 2024, Germany enacted stricter requirements for the processing of health data when using cloud-computing services. The new Section 393 SGB V aims to establish a uniform standard for the use of cloud-computing services in the statutory healthcare system, which covers around 90% of the German population. In this blog post, we describe the specific new requirements for the processing of health and social data using cloud-computing. We will also discuss whether the new rules may impact medical research and other projects that use cloud-computing to process health data.
1. Scope and Background of Sec. 393 SGB V
The new Section 393 SGB V (Social Security Code – Book V) has been enacted with the recent “Digital Act” (see our earlier blog on the Digital Act). The title of Section 393 SGB V is “Cloud-Use in the Healthcare System”. Accordingly, it imposes specific requirements on healthcare service providers, statutory health insurances and their contract data processors when they process health data and social data using cloud-computing services. According to the German legislator, the provision aims at enabling the secure use of cloud services as a “modern, generally widespread technology in the healthcare sector and to create minimum technical standards for the use of IT systems based on cloud-computing”.
The new requirements apply to data processing using cloud-computing irrespective of whether the cloud-computing is offered by an external vendor or is a tool that the healthcare provider or health insurance has developed itself.
The term “cloud-computing service” is defined in the law as “a digital service that enables on-demand management and comprehensive remote access to a scalable and elastic pool of shared computing resources, even if these resources are distributed across multiple locations” (Section 384 Sentence 1 No. 5 SGB V). This reflects the corresponding definition of cloud-computing in Article 6 (30) of the NIS2-Directive (EU) 2022/2555 on cybersecurity measures. Services that fall under this definition include, inter alia, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
With regard to the terms “health data” and “data processing”, we refer to the corresponding provisions of the GDPR. As far as the new rule applies to “social data”, this term refers to a specific legal concept in Germany that applies to personal data that is intended to be processed by health and other social security insurances.
In terms of timing, the new Section 393 SGB V applies as from 1 July 2024 – without any transition or grace period or grandfathering rules.
2. Consequences for Healthcare Providers and Cloud Service Providers
Under Section 393 SGB V, the processing of health data by using cloud-computing services is subject to special requirements. Intended to ensure data security, these requirements include that (a) the data may only be processed in certain geographical regions and (b) technical and organizational measures must be taken so that cloud service providers meet certain security requirements.
a) Geographical Requirements and Data Transfer Issues
Geographically, Section 393 SGB V requires that health and social data may only be processed
- In Germany,
- In an EU or EEA member state, or
- In a third country under an adequacy decision by the European Commission.
Moreover, the new rules require for all these cases that the data processing entity has a business establishment (“Niederlassung”) in Germany.
Consequently, and in contrast to the requirements under the EU GDPR, Section 393 SGB V does not recognize the execution of the EU Standard Contractual Clauses (SCCs) or other means like Binding Corporate Rules as adequate guarantees for cloud-computing services when personal data is processed in a third country that is not subject to an adequacy decision by the European Commission.
b) Stricter Technical and Security Compliance Requirements
From a technical and organizational viewpoint, under Section 393 SGB V the processing of health and social data using cloud-computing services is subject to stricter requirements. As such, data processing using cloud-computing services needs to comply with these key conditions:
- Appropriate technical and organizational measures have to be implemented to ensure data security.
- A current C5 certificate is issued to the data processing entity with regard to the “C5 basic criteria” (see below) for the cloud systems and the technology used. The C5 (Cloud Computing Compliance Controls Catalogue) certificate is a cloud-computing standard developed by the German Federal Office for Information Security (“BSI”) to ensure cloud service providers meet specific security requirements. It outlines a comprehensive set of controls covering areas like data protection, incident management, and compliance with legal obligations.
- The cloud-computing customer (i.e., the healthcare providers and/or insurances) must implement the conditions and criteria specified in the C5 certificate test report. The C5 standard expects a shared responsibility between the customers and the cloud-computing service provider.
Until 30 June 2025, a C5 Type 1 certificate is considered “current” under Section 393 (4) SGB V. Thereafter, a new C5 Type 2 certificate is required. Certifications meeting equivalent security levels to BSI C5 may also be acceptable if so specified in a government ordinance to be issued by the German Federal Ministry of Health.
With respect to healthcare providers and health insurance companies, there are also some further technical and organizational requirements which these persons and entities have to meet when using cloud-computing services. These partly depend on the type of healthcare provider or institution concerned.
3. Implications for Medical Research with Pharmaceuticals and Medical Devices
Whether the new Section 393 SGB V also impacts the data processing in medical research projects is not fully clear. From the black letter of the law, certain health data and some medical research projects could be subject to the new requirements of Section 393 SGB V.
A number of medical and clinical research projects typically process health data from patients that are or were treated under the statutory health system. These projects especially include non-interventional studies with pharmaceuticals, post-market clinical follow-up (PMCF) investigations with medical devices as well as registry studies that focus on a particular product or disease. Generally, research that involves real-world data or aims to generate real-world data appears relevant in this context. Even clinical trials regularly process data from regular medical treatments that are conducted in the statutory health system, so that the health data falls under Section 393 SGB V.
Therefore, the question arises whether the processing of health data for such medical research projects by healthcare providers and sponsor companies and their data processors (e.g., CROs) is also subject to the new compliance requirements of Section 393 SGB V if they use cloud-computing. The answer to this question is not straightforward; it depends on the facts of the individual case and requires a careful analysis of the specific circumstances.
While the risk appears low that clinical trials with pharmaceuticals, medical devices and diagnostics will be impacted by Section 393 SGB V, the situation appears different for studies that collect real-world data like non-interventional studies, PMCF studies or product/disease registries. For these, there is a risk that they may be subject to the requirements of Section 393 SGB V.
Relevant aspects to make an assessment for the respective research projects include the type of study/research, the origin of the processed health data, the technologies used for data processing and the legal status of the person processing the data.
4. Final Remarks
With the new Section 393 SGB V, Germany has enacted new compliance and security requirements for the processing of health data when using cloud-computing services. The new requirements apply to healthcare providers, health insurances and their data processors and cloud-computing service providers that offer services to these groups. In this blog post, we have described the new technical, organizational and compliance requirements.
The new rules may also impact certain medical research projects that process (real-world) health data by using cloud-computing services. Such projects can include non-interventional studies with pharmaceuticals, PMCF studies with medical devices or (product/disease-focused) registry studies. Therefore, pharmaceutical and medical device companies should also review the potential impact of the new rules on their research activities.
The Life Sciences Team of Covington & Burling LLP in Frankfurt (Germany) will continue monitoring the developments in this area and is well positioned to assist clients in navigating through the various ongoing and upcoming legislative projects.
***