On 1 July 2024, Germany enacted stricter requirements for the processing of health data when using cloud-computing services. The new Section 393 SGB V aims to establish a uniform standard for the use of cloud-computing services in the statutory healthcare system, which covers around 90% of the German population. In this blog post, we describe the specific new requirements for the processing of health and social data using cloud-computing. We also discuss whether the new rules may impact medical research and other projects that use cloud-computing to process health data.

1. Scope and Background of Sec. 393 SGB V

The new Section 393 SGB V (Social Security Code – Book V) has been enacted with the recent “Digital Act” (see our earlier blog on the Digital Act). The title of Section 393 SGB V is “Cloud-Use in the Healthcare System“. Hence, it aims to impose specific requirements for healthcare service providers, statutory health insurances and their contract data processors when they process health data and social data using cloud-computing services. According to the German legislator, the provision aims at enabling the secure use of cloud services as a “modern, generally widespread technology in the healthcare sector and to create minimum technical standards for the use of IT systems based on cloud-computing”.

The new requirements apply to data processing using cloud-computing irrespective of whether the cloud-computing service is offered by an external vendor or is a tool that the healthcare provider or health insurance has developed on its own.

The term “cloud-computing service” is defined in the law as “a digital service that enables on-demand management and comprehensive remote access to a scalable and elastic pool of shared computing resources, even if these resources are distributed across multiple locations” (Section 384 Sentence 1 No. 5 SGB V). This reflects the corresponding definition of cloud-computing in Article 6 (30) of the NIS2-Directive (EU) 2022/2555 on cybersecurity measures. Services that fall under this definition include, inter alia, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

With regard to the terms “health data” and “data processing”, we refer to the corresponding provisions of the GDPR. As far as the new rule applies to “social data”, this term refers to a specific legal concept in Germany that applies to personal data that is intended to be processed by health and other social security insurances.

In terms of timing, the new Section 393 SGB V applies as from 1 July 2024 – without any transition or grace period or grandfathering rules.

2. Consequences for Healthcare Providers and Cloud Service Providers

Under Section 393 SGB V, the processing of health data using cloud-computing services is subject to special requirements. Intended to ensure data security, these requirements provide that (a) the data may only be processed in certain geographical regions, and (b) technical and organizational measures must be taken so that cloud service providers meet certain security requirements.

a) Geographical Requirements and Data Transfer Issues

Geographically, Section 393 SGB V requires that health and social data may only be processed

  • In Germany,
  • In an EU or EEA member state, or
  • In a third country under an adequacy decision by the European Commission.

Moreover, the new rules require for all these cases that the data processing entity has a business establishment (“Niederlassung”) in Germany.

Consequently, and in contrast to the requirements under the EU GDPR, Section 393 SGB V does not recognize the execution of the EU Standard Contractual Clauses (SCCs) or other means such as Binding Corporate Rules as adequate safeguards for cloud-computing services when personal data is processed in a third country that is not subject to an adequacy decision by the European Commission.

b) Stricter Technical and Security Compliance Requirements

From a technical and organizational viewpoint, under Section 393 SGB V the processing of health and social data using cloud-computing services is subject to stricter requirements. In particular, data processing using cloud-computing services needs to comply with these key conditions:

  • Appropriate technical and organizational measures have to be implemented to ensure data security.
  • A current C5 certificate is issued to the data processing entity with regard to the “C5 basic criteria” (see below) for the cloud systems and the technology used. The C5 (Cloud Computing Compliance Controls Catalogue) certificate is a cloud-computing standard developed by the German Federal Office for Information Security (“BSI”) to ensure that cloud service providers meet specific security requirements. It outlines a comprehensive set of controls covering areas such as data protection, incident management, and compliance with legal obligations.
  • The cloud-computing customer (i.e., the healthcare providers and/or insurances) must implement the conditions and criteria specified in the C5 certificate test report. The C5 standard expects a shared responsibility between the customers and the cloud-computing service provider.

Until 30 June 2025, a C5 Type 1 certificate is considered “current” under Section 393 (4) SGB V. Thereafter, a new C5 Type 2 certificate is required. Certifications meeting equivalent security levels to BSI C5 may also be acceptable if so specified in a government ordinance to be issued by the German Federal Ministry of Health.

With respect to healthcare providers and health insurance companies, there are also some further technical and organizational requirements which these persons and entities have to meet when using cloud-computing services. These partly depend on the type of healthcare provider or institution concerned.

3. Implications for Medical Research with Pharmaceuticals and Medical Devices

Whether the new Section 393 SGB V also impacts the data processing in medical research projects is not fully clear. From the black letter of the law, certain health data and some medical research projects could be subject to the new requirements of Section 393 SGB V.

A number of medical and clinical research projects typically process health data from patients who are or were treated under the statutory health system. These projects especially include non-interventional studies with pharmaceuticals, post-market clinical follow-up (PMCF) investigations with medical devices, and registry studies that focus on a particular product or disease. Generally, research that involves real-world data or aims to generate real-world data appears relevant here. Even clinical trials regularly process data from regular medical treatments that are conducted in the statutory health system, so that the health data falls under Section 393 SGB V.

Therefore, the question arises whether the processing of health data for such medical research projects by healthcare providers, sponsor companies and their data processors (e.g., CROs) is also subject to the new compliance requirements of Section 393 SGB V if they use cloud-computing. The answer to this question is not straightforward but rather fact-dependent and requires a careful analysis of the individual circumstances.

While the risk appears low that clinical trials with pharmaceuticals, medical devices and diagnostics will be impacted by Section 393 SGB V, the situation appears different for studies that collect real-world data like non-interventional studies, PMCF studies or product/disease registries. For these, there is a risk that they may be subject to the requirements of Section 393 SGB V.

Relevant aspects to make an assessment for the respective research projects include the type of study/research, the origin of the processed health data, the technologies used for data processing and the legal status of the person processing the data.

4. Final Remarks

With the new Section 393 SGB V, Germany has enacted new compliance and security requirements for the processing of health data when using cloud-computing services. The new requirements apply to healthcare providers, health insurances and their data processors and cloud-computing service providers that offer services to these groups. In this blog post, we have described the new technical, organizational and compliance requirements.

The new rules may also impact certain medical research projects that process (real-world) health data by using cloud-computing services. Such projects can include non-interventional studies with pharmaceuticals, PMCF studies with medical devices or (product/disease-focused) registry studies. Therefore, pharmaceutical and medical device companies should also review the potential impact of the new rules on their research activities.

The Life Sciences Team of Covington & Burling LLP in Frankfurt (Germany) will continue monitoring the developments in this area and is well positioned to assist clients in navigating through the various ongoing and upcoming legislative projects.

***

Dr. Dr. Adem Koyuncu

Adem is a life sciences industry advisor with more than 25 years of professional experience. He has a broad practice that cuts across regulatory, compliance, IP, privacy and liability matters. Adem also provides strategic advice. He knows the life sciences sector also from his earlier work in the pharmaceutical industry and as a medical doctor. He represents clients before courts and authorities and assists them in contract negotiations, investigations and transactions. For years, Adem has been listed in various lawyer rankings.

See some Accolades from Clients and Surveys:

  • “Adem Koyuncu is one of the most intelligent lawyers I know.” (Legal 500 2023)
  • “He is one of the most detail-oriented and client-focused partners I have ever encountered.” (Client, Chambers 2021)
  • “Great professional and human competence, good team player.” (Client/Adverse Party, JUVE 2022)
  • “I find him to be one of the most pragmatic regulatory lawyers. He was a doctor before a lawyer, has been in-house, worked on lots of stuff that I have to handle in-house, which helps when getting advice. He is really good at saying it’s a complex situation and your best option is to do this.” (Chambers 2022)
  • “He always comes through with extremely helpful advice. He brings a unique understanding and experience to his practice as both a lawyer and medical doctor.” (Chambers 2021)
  • “He is an excellent dispute resolution lawyer and advises at the highest level, including, in particular, strategic advice.” (Legal 500 2023)
  • “He is very sharp and quick, while at the same time having a good sense of humor and nerves of steel. Very pleasant to work with.” (Legal 500 2022)
  • He is described as “versatile competent, reliable and high quality” (JUVE 2021) and “incredibly fast.” (JUVE 2018)
  • Provides advice at “an outstanding level.” (Legal 500 2015)
  • “Very strong negotiation skills.” (JUVE 2011)
  • Clients appreciate his “very broad knowledge and long-standing expertise” (JUVE 2021/22) and that “he is approachable, knowledgeable and really easy to talk to over the various issues. He is calm and has seen most problems before.” (Chambers 2020)
  • Peer lawyers described him as “highly competent” and a “very good and pleasant lawyer” (JUVE 2014) and as “the off-label-guru, substantively very good, creative.” (JUVE 2022)

Adem is the author of numerous publications (e.g., in leading books on pharma law, product liability and clinical trials) and a frequent speaker at events.

Maximilian Aretz

Maximilian Aretz is an associate in Covington’s Frankfurt office and a member of our Food, Drug and Device Practice. He advises clients on regulatory and compliance matters.

His advisory work covers all aspects of pharmaceutical and medical device regulation, clinical trials, advertising and other regulatory aspects over the entire product lifecycle. In addition, he advises pharmaceutical companies on EU market access matters including the German AMNOG procedure. Furthermore, Maximilian provides legal advice on Freedom of Information Act (FOIA) cases, data protection laws and contractual matters. He represents clients before authorities and in court.

Maximilian received his law degree from the University of Marburg with a focus on medical and pharmaceutical law. He also obtained an LL.M. degree in Dispute Resolution from the University of Cape Town, South Africa.

He completed his legal clerkship at the Berlin Court of Appeals. During his clerkship, he worked at the Berlin Public Prosecutor’s Office and at the German federal health agency, the Robert Koch Institute.