E-prescription: Lauterbach’s ambitions overshadowed by technical glitches
According to Minister of Health Karl Lauterbach, the digitization of the healthcare system should get a “turbo boost” with the e-prescription: in addition to the familiar options, the paper printout (old-fashioned) and the prescription app (stylish), patients can now also use their health card.
Patients can use it to redeem electronic prescriptions in pharmacies. So far, there have been two ways to redeem an e-prescription: you either get a paper printout with a data matrix code that the pharmacy reads in with a scanner, or you pull out your smartphone with the official e-prescription app, which manages the prescriptions.
To authenticate yourself to the app, you had to hold your health card under an NFC-enabled smartphone and enter a six-digit PIN – not exactly customer-friendly.
All you need is a card
Everything has now been simplified. You don’t need an app, PIN or printout to pick up a prescription, just your health card. The doctor can issue prescriptions if the card has been inserted into the practice’s reader at least once in the current quarter. The prescriptions end up on a prescription server in the telematics infrastructure (TI) – a secure network for the exchange of health data that is decoupled from the Internet.
To pick it up, you insert your health card into the reader of the pharmacy, which requests the prescription from the server and hands over the medication if the transmission is successful.
If everything goes smoothly, the new procedure has enormous advantages: Patients no longer have to remember a six-digit PIN and can simply send relatives or friends with the card to get their medicine. They no longer have to come to the practice for a follow-up prescription in the same quarter. In order to prevent misuse, however, you should inform your health insurance company immediately if your card is lost or stolen.
There are only a few disadvantages compared to the app and printout: In the case of collection with a card, the doctor cannot transmit any information on how to take the medication. If a drug was prescribed “aut idem”, only the pharmacist can see whether substitution with a similar preparation is prohibited. And if several drugs are prescribed as alternatives, the pharmacist must ask the patient which drug he should dispense.
System failure right at the start
Everything could be so simple if the technology played along. Not all practice management programs are prepared yet. In the systems that have already been prepared, the prescriptions can be uploaded to the TI server without any conversion or software updates.
But that only works if the telematics infrastructure works and the service for the e-prescriptions is running, and that’s exactly what was lacking on the opening weekend.
TI was already unavailable for several hours on Sunday, July 2nd, because the central routing of the TI service provider Arvato had failed. The routing worked again the following Monday, but the e-prescription service was disrupted until 10:30 a.m.
The doctors couldn’t load e-prescriptions onto the server and the pharmacies couldn’t call up prescriptions – and this at the beginning of a new quarter, when things are already hectic in the practices.
When we wanted to redeem an e-prescription with the health card on Monday afternoon, there were further delays: where the app or the paper printout are usually scanned in seconds, the pharmacy’s management system needed around five minutes to find the prescription stored on the server.
A few days later we were able to redeem e-prescriptions in several Berlin pharmacies without any problems.
Diverted health data
Difficulties were not only encountered with e-prescriptions: Doctors and pharmacies communicate within the TI via the KIM service (communication in medicine), a POP3 mail system. There was a serious configuration error here: On June 30, the software company Medatixx announced that a domain ID had been assigned twice in the central directory service for the KIM addresses (technically an LDAP directory), once to a doctor’s practice and once to the AOK Lower Saxony. As a result, since September 2022, a total of 116,466 electronic certificates of incapacity for work (eAU) that were addressed to the AOK ended up at the doctor’s office instead – a large proportion of them from May to June.
According to Gematik, the reason for the misdirection of the eAUs is probably a faulty implementation in practice management systems from some manufacturers, so that it is probably not only the Medatixx software that is affected by the configuration problem. Therefore, other providers may also be informing their practices at the moment.
So far it is unclear who is responsible for the misconfiguration and why it went unnoticed for nine months. Until further notice, Medatixx recommended in a warning message that its customers print out the AU certificates as before and send them to the AOK by post. At the same time, the participants were reassured: There was no violation of data protection, because the doctor’s office is subject to medical professional secrecy. If you want to be sure that your sick note does not fall into the wrong hands, you are better off using the paper form.
For nine months, more than one hundred thousand electronic sick notes ended up at a doctor’s office instead of at the AOK Lower Saxony.
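As an added illustration (not code from Medatixx, Gematik or the article), the following check flags any identifier that a directory export assigns to more than one entry, which is the condition described above. The LDIF sample is constructed, and the attribute name `domainID`, the DNs and the mail addresses are assumptions, not the real directory schema.

```python
from collections import defaultdict

# Constructed LDIF export; DNs, attribute names and values are hypothetical.
SAMPLE_LDIF = """\
dn: uid=practice-001,ou=kim,dc=directory,dc=example
domainID: 1001
mail: practice-001@kim.example

dn: uid=insurer-001,ou=kim,dc=directory,dc=example
domainID: 1001
mail: eau@insurer-001.kim.example

dn: uid=pharmacy-001,ou=kim,dc=directory,dc=example
domainID: 2002
mail: pharmacy-001@kim.example
"""

def parse_ldif(text):
    """Parse a simple LDIF export into a list of {attribute: [values]} dicts.
    Folded continuation lines are joined; base64 ("::") values stay encoded."""
    entries = []
    for block in text.replace("\r\n", "\n").split("\n\n"):
        unfolded = block.replace("\n ", "")  # LDIF folds long lines with "\n "
        entry = defaultdict(list)
        for line in unfolded.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry[key.strip().lower()].append(value.lstrip(": ").strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def find_shared_ids(entries, id_attr="domainid"):
    """Return {identifier: sorted DNs} for identifiers held by more than one entry."""
    owners = defaultdict(set)
    for entry in entries:
        for value in entry.get(id_attr, []):
            owners[value.strip().lower()].add(entry["dn"][0])
    return {i: sorted(d) for i, d in owners.items() if len(d) > 1}

if __name__ == "__main__":
    for ident, dns in find_shared_ids(parse_ldif(SAMPLE_LDIF)).items():
        print(f"identifier {ident} is assigned to {len(dns)} entries:")
        for dn in dns:
            print("   ", dn)
```

Run periodically against a directory export, a check of this kind turns a silent double assignment into an alert before any mail is routed by the ambiguous identifier.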
Responsibility shunned
But Medatixx and the LDAP administrators deny any responsibility. The doctors who supposedly sent the eAUs to the AOK or who received them unintentionally are now supposed to pay for the botch.
Medatixx informed them: “In your role as the person responsible for the data, it is up to you to check whether you have any obligations arising from this incident now or later (in particular reporting obligations to authorities). In any case, you should inform your data protection officer about the incident, if you have appointed one. However, we ask for your understanding that we are not allowed to give you legal advice.”
While it used to be the responsibility of the insured person to inform the employer of the incapacity to work, with digitization the doctors are now responsible for the correct processing of the eAUs – even if they have no chance of noticing the error.
Morale among the doctors is at rock bottom anyway. At the last minute, the Federal Ministry of Health set flat rates for practice IT on July 1st, which regulate the reimbursement for the purchase of the necessary equipment for connection to the TI. This was preceded by months of negotiations between panel doctors and health insurance companies, which failed in April.
The new TI flat rate depends on the size of the practice: A practice with two doctors gets 238 euros per month. But to get it, the practice must use all existing TI services without gaps. In the small print, the ministry writes: If at least two applications are missing or there is no connection to the TI, no TI flat rate will be paid. Below this, it lists the six services: emergency data management, medication plan, patient file, KIM, the eAU and – from January 1, 2024 – the e-prescription. The lump sum can already be reduced if an application is missing.
Missed controls
But even the best practice IT is useless if the TI is not up to the requirements and fails in an emergency. While Minister of Health Lauterbach is using sanctions to increase the pressure on doctors to digitize, he continues to let the operators of the TI slide.
Gematik GmbH, as the top supervisory body for TI, is not liable for breakdowns like on the first weekend in July, nor for months of possible data protection violations like the misconfiguration of the KIM service. Lauterbach’s predecessor Jens Spahn dictated this in September 2020 in the Patient Data Protection Act (PDSG).
Instead, § 307 PDSG names doctors and practices as well as “providers of the access service” as responsible for data protection violations. Gematik lays down “conceptual and regulatory requirements, quality assurance measures and security measures”. However, it is not active on an “operational level” and is therefore not responsible for the processing of the data under data protection law, according to the explanations to the paragraph.
If Gematik had fulfilled its control obligations, it should have noticed the KIM disaster much earlier.
As long…