What Requirements Must Operators of Video Consultation Hours Meet?
Standalone telemedicine is a relatively new practice in Germany. In fact, until 2018, exclusively remote medical consultations were not permitted. Since those restrictions were lifted, the digitization of medical care through virtual home visits has been progressing, though rather slowly, over the past year and a half. In the past several months, however, interest has grown and adoption has surged because of the difficulties in seeing patients in person brought about by the recent pandemic.
Today many healthcare professionals are looking to digital options to keep up with their patients’ care. While at the start only a few doctors were interested in telemedicine solutions, that number is now in the thousands. Paramount to being able to safely and confidently provide these remote services is ensuring that data protection and patient confidentiality are observed in the same way as for onsite visits and in strict adherence to German privacy regulations. New requirements and new technologies also bring the need to ensure they meet the privacy standards set forth by the GDPR and those put forth by the German supervisory authorities.
The scope of telemedicine services that may be carried out via teleconsultation is also expanding. Since October 2018, psychotherapists and dentists, in addition to doctors, can digitally consult a patient or colleague on various issues. For example, findings may be transmitted electronically between doctors, or a video conference held that may include the patient. Because security and privacy are essential, only secure electronic and communication technologies may be used.
What Requirements Must Operators of Video Consultation Hours Meet?
Operators of video consultation hours, in which doctors, nurses or psychotherapists communicate with patients via an online video connection, must now meet in Germany the requirements of the “Agreement on the requirements for the technical procedures for video consultation hours according to § 291g paragraph 4 SGB V” (Annex 31b to the BMV-Ä) between the National Association of Statutory Health Insurance Funds (GKV-Spitzenverband) and the National Association of Statutory Health Insurance Physicians (KBV). This includes proof of the requirements for content, data protection and information security.
The KBV is the umbrella organization of the 17 associations of statutory health insurance physicians. It organizes area-wide, local outpatient health care and represents the interests of contract doctors and contract psychotherapists at the federal level. This certification is important because doctors or psychotherapists may only bill for services in the context of the video consultation if they have previously notified their Association of Statutory Health Insurance Physicians that they are using a certified video service provider.
New Certification for Telemedicine Requirements
Recent changes in the regulations for telehealth and teledoctor appointments in Germany mean that telemedicine companies that submitted their certifications by September 30, 2020 need to update their certifications when the current one expires. Any other providers that have not submitted for a recent certification must go through the updated certification process with a credentialed certification provider such as EuroPriSe.
Where Can Operators Obtain a Certification?
Under the current version of the above-mentioned agreement, EuroPriSe is the only certification body currently eligible to offer the updated required data protection certification services. EuroPriSe is prepared to certify not only web-based video consultation hours, but also corresponding apps. The 2B Advice consulting team is pleased to be able to work with the EuroPriSe team to support clients who are looking for a current certification for telemedicine.
Precertification Process Checklist
In advance of the evaluation of your web-based video consultation hours (VCH) service according to EuroPriSe, here are the areas you should focus on:
- Does your VCH service provide for peer-to-peer connections? If you deviate from the peer-to-peer procedure: Do you inform the communication partners of this in a transparent manner?
- Do you ensure that all contents are end-to-end encrypted during the entire transfer process and that the implemented encryption is state of the art (BSI TR-02102)?
- Do you comply with the requirement that you must not be able to access and/or store the contents of the video consultation hours?
- Do you use metadata only for the procedures that are necessary to provide the VCH service, and do you delete all metadata after three months at the very latest?
- Does the processing only take place in the European Economic Area (EEA)? If not: Is an adequacy decision by the European Commission in place for each third country in which relevant processing activities may take place?
- Do you have a sample contract for your customers readily available? Does it include a data processing agreement (DPA) that fully complies with Art. 28 GDPR?
- If you should make use of any sub-contractors: Is a signed DPA in place with each of them?
- Are any relevant IT security certifications (e.g., ISO/IEC 27001) in place?
- Have you recently commissioned a pen test regarding your VCH service and is a respective test report available?
- Are your records of processing activities for your activities as a processor (Art. 30(2) GDPR) current and complete?
- Do you have a Data Protection Officer (DPO) appointed?
- Is the privacy notice for your VCH service current and complete? Is a legal notice in place that is current and complete?
- Are website cookies and tracking tools utilized in a data protection compliant manner? Is a cookie banner in place (if required)?
- Are web forms GDPR compliant for gathering consent?
- Are social media plugins in compliance?
Additional requirements must be met if you want the certification to also cover corresponding apps.