Stricter Cloud Data Regulations for Healthcare in Germany
On July 1, 2024, Germany implemented new regulations under Section 393 of the Social Security Code (SGB V) regarding the processing of health data in cloud-computing services. This legislation establishes a uniform standard for healthcare providers and statutory health insurers, which cover approximately 90% of the German population. The goal is to ensure secure use of cloud services in the healthcare sector while setting minimum technical standards for IT systems based on cloud-computing technology.
The new requirements apply to all data processing involving cloud-computing, regardless of whether the service is provided by an external vendor or developed internally by healthcare providers. The law defines cloud-computing services as digital services that allow on-demand management and remote access to shared computing resources. Health data, as well as social data defined under German law, fall under these new regulations, which take effect immediately without any transition period.
Under Section 393 SGB V, health and social data can only be processed within Germany, other EU or EEA member states, or third countries with an adequacy decision from the European Commission. Importantly, the law does not recognize Standard Contractual Clauses or Binding Corporate Rules as adequate guarantees for processing data in non-adequate third countries. Additionally, stricter technical and organizational measures are required, including obtaining a current C5 certification, which ensures compliance with security standards set by the German Federal Office for Information Security.
The implications of these new rules extend to medical research projects that involve the processing of health data. While clinical trials may face minimal impact, studies collecting real-world data, such as non-interventional studies and registry studies, may be subject to the new compliance requirements. As a result, pharmaceutical and medical device companies are advised to assess how these regulations may affect their research activities.