What is the Patient Data Protection Act (PDSG)?
The Patient Data Protection Act is a central law for the digitization of the German healthcare system.
It came into force on 20 October 2020 and primarily regulates the handling of sensitive health data within the electronic health record (ePA). The aim is to promote digital networking between doctors, pharmacies, hospitals and insured persons while ensuring high data protection standards.
A core component of the PDSG is the obligation of statutory health insurance companies to provide all insured persons with an electronic health record. This record makes medical information such as:
- diagnoses
- medication plans
- vaccination data
available digitally and centrally, but always under the patient's control.
The law also regulates which data may be stored, how it may be used and to whom it may be made available. It thus creates the legal framework for digital health applications and interfaces where data protection and IT security have top priority. Sanctions for data protection violations are also clearly defined.
The regulations of the Patient Data Protection Act in detail
The PDSG contains a variety of specific regulations that structure and secure the handling of digital health information. Here is an overview of the key aspects:
1. Introduction and expansion of electronic health records (ePA)
Since 2021, health insurance companies have had to offer their insured persons an ePA, at least in theory. In practice, however, we often see that many patients have never heard of it, and even in practices, digital access is by no means smoothly implemented everywhere. Nevertheless, the electronic record is no longer a distant prospect. It has been expanded step by step, with clearly defined expansion stages:
- 2021: First basic functions (e.g. findings, doctor's letters)
- 2022: Integration of the vaccination card, maternity pass, U-booklet (child check-up booklet) and dental bonus booklet
- From 2025: The "ePA for all" (ePA 3.0) has been created automatically since January 2025 for all statutorily insured persons, unless they have objected. The nationwide rollout followed in April 2025, and use in practices and clinics becomes mandatory from October 2025. Separately, the e-prescription became compulsory at the beginning of 2024.
2. Patients' data sovereignty
A common misconception: many believe that doctors can automatically see everything in the ePA. In fact, insured persons decide for themselves which documents they share and with whom. However, they often do not know this or barely use the options.
3. Data security and technical standards
Legislators impose strict requirements for IT security and encryption. Applications must be approved by gematik GmbH, the body responsible for the telematics infrastructure (TI). Access is via the electronic health card (eGK) together with a PIN, or via an approved app.
4. Digital health applications (DiGA)
The PDSG supports digital helpers such as health apps or digital therapy companions. These can be prescribed by doctors and reimbursed by health insurance, provided they have been reviewed and included in the DiGA directory.
5. Data for research
Since the PDSG, the voluntary release of anonymized ePA data for research purposes has been possible. This is intended to promote medical progress without making individual patients traceable.
Since March 2024, the following applies: if there is no objection, pseudonymized ePA data may automatically be transferred to the health research data centre for research purposes.
Important: patients can object at any time in the app.
6. Clear responsibilities and sanctions
Health insurance companies and providers of digital services are required to provide data protection-compliant solutions. Violations of data protection requirements may result in severe fines.
Effects of the PDSG on all key players in the healthcare sector
The PDSG is not only changing the way health data is handled, but also the way many stakeholders in the healthcare sector work. Depending on the role, the law brings new opportunities, but also concrete requirements. Let's have a quick look:
Effects of the PDSG on insured persons
With the PDSG, a central, digital health record is available for patients for the first time: the ePA. They can:
- View health data across locations
- Decide individually on access rights
- use digital applications such as health apps
The challenge: Many insured persons must first be “taken along” digitally. Data protection concerns and operating hurdles can slow down acceptance. The right to not participate (opt-out) remains important.
Effects of the PDSG on registered doctors and outpatient care
Practices and care services must modernize their IT infrastructure in order to be connected to the telematics infrastructure (TI). That means:
- Access to ePA via practice software or mobile card reader
- Time spent on documentation and data protection management
- Benefits of sharing information and avoiding duplicate investigations
A common mistake is to simply "let the introduction of the ePA run its course". Without a clearly responsible person in the team, it often stops at the card reader and never reaches real use. For small practices the additional technical and organizational effort is noticeable, but it is associated with efficiency gains in the long term.
Effects of PDSG on hospitals and inpatient care facilities
Hospitals benefit greatly from the structured, digital availability of patient data, particularly in the event of emergencies or transfers. However:
- Hospital IT departments must implement complex integrations with the ePA
- Costs for data protection and access management increase
- Investment in personnel and infrastructure is required
Inpatient care facilities also benefit when medication plans, diagnoses and preliminary findings are available digitally.
By the way: Care facilities must be connected to the telematics infrastructure by July 2025.
Effects of the PDSG on health insurance companies and payers
Statutory health insurance companies are organizationally at the center of the PDSG:
- They must provide the ePA and offer technical support for it.
- They are responsible for providing information and support to insured persons.
- They share responsibility for data security and access control.
The law means high investments for health insurance companies, but at the same time opens up the opportunity to improve the quality of care and cost-effectiveness through a better data basis.
Effects of PDSG on pharmacists
Pharmacies are also integrated into the TI. Using the electronic medication plan, they can identify interactions at an early stage and document recommendations. Advantages:
- Optimizing drug safety
- Better communication with doctors and nurses
- More responsibility for digital data handling
However, pharmacists must also ensure that they handle sensitive information in accordance with data protection regulations.
Effects of PDSG on digital health services (e.g. ePA providers, DiGA manufacturers)
For digital providers, the PDSG creates clear rules of the game, but also barriers to entry:
- Only tested applications with proven security and data protection compliance are admitted to standard care.
- gematik approval is mandatory.
- Interoperability with the ePA is a prerequisite for long-term market access.
This is demanding for start-ups, but it also offers planning security and trust among users. In the long term, this creates stable structures for digital innovation in healthcare.
Criticism and discussion about the PDSG
Despite its ambitious goals, the Patient Data Protection Act has also come under criticism since its introduction (both from experts and from the general public). The discussion revolves around the tension between digitization, data protection and practical implementation.
Here are the most important points of criticism:
- Opt-out policy: Data protection associations criticize the fact that insured persons must actively object instead of voluntarily agreeing.
- Technical hurdles: Many practices and institutions are struggling with expensive, complex IT requirements.
- Usability: what many underestimate is that even digitally savvy patients often fail at the "registration in the app" hurdle, or because no doctor has explained to them how the ePA works.
- Data control: the promised document-level control has often not yet been technically implemented.
- Research and anonymity: the use of health data for research raises questions about true anonymization.
- Lack of information from health insurance companies: many insured persons do not even know that they already have an electronic health record. Consumer advocates such as the vzbv also raise this point. Health insurance companies have so far failed to adequately comply with their duty to provide information, neither technically nor in terms of content.
Leading practices into the future in a PDSG compliant and digital way
What we often see in practice: Many practices know in principle what they need to do to digitize — but not how to implement it simply and meaningfully.
This is where Nelly comes in. Digital anamnesis, automated billing, factoring, document management and review invitations are just as easy to implement as reminders via SMS or e-mail, all directly integrated into your practice management system.
If you want to know how the balancing act between automation, data protection and everyday practice really works, talk to us. We will show you what is easy to implement digitally and what, in practice, is a stumbling block rather than progress.
Common questions
Which data may be collected without consent?
Only certain health data regulated by law may be processed without the patient's consent. This includes, for example, billing for medical services, notifiable illnesses or acute emergencies that require rapid action. Explicit consent is required for all other purposes. For the electronic health record itself, the opt-out model has applied since 2025: a record is created unless the insured person objects, and the insured person decides which documents are shared with whom.
Who can view patient data?
Only people who are directly involved in medical care are entitled to access. These include, for example, treating doctors, nurses and pharmacists. In the case of the electronic health record, the insured person decides to whom which information is released. Without such a release, the data remains protected.
What does patient data include?
Patient data includes all information that is collected or documented as part of medical treatment. These include diagnoses, laboratory findings, radiographs, medication plans, vaccinations or previous operations. This also includes information on allergies, pre-existing conditions and current health conditions.
Do relatives have the right to access files?
Relatives may not automatically view patient data. This requires either a written power of attorney or a court-appointed legal guardianship. After a patient's death, relatives may have a right of access to the file, for example where medical malpractice is suspected or to clarify questions of inheritance law, unless the deceased person's presumed wishes indicate otherwise.
Should electronic health records be rejected?
The decision for or against the use of electronic health records is individual. If you want to use digital access to health data, you can benefit significantly from this with good technical implementation. However, anyone who has concerns about data protection or potential security risks can refuse to use it without sacrificing medical treatment.