Medical data processing in the practice
Patient data and health data
As a medical institution, we process special categories of personal data within the meaning of Art. 9 DSGVO (health data). The processing is carried out on the basis of:
- Art. 9 para. 2 lit. h DSGVO (health care or occupational medicine)
- Art. 6 para. 1 lit. c DSGVO (legal obligation)
- § 22 para. 1 no. 1 lit. b BDSG (health care, medical diagnostics)
The processing of your health data is necessary for medical care, diagnosis and treatment. We process only the data that is necessary for your medical care.
IT service provider and practice software
Doctago GbR – IT service provider
Our IT service provider for the practice IT is:
Doctago GbR
Am Airport 1
12529 Schönefeld
Phone: 03379 34 189 50
Email: info@doctago.de
Website: www.doctago.de
Doctago has been active in the healthcare sector since 2004 and, as a medatixx premium partner, supports medical institutions in the Berlin and Brandenburg regions with tailored IT solutions.
Data processing by Doctago:
- IT support and system maintenance of the practice IT
- Installation and support of the medatixx practice software
- Support of the practice hardware and medical technology
Data protection and security:
- A data processing agreement (DPA) pursuant to Art. 28 DSGVO has been concluded with Doctago
- All Doctago employees are bound to data secrecy and to medical confidentiality pursuant to § 203 StGB (professional secrecy holders)
- Doctago hosts its services exclusively on servers within the European Union
- Data transmission is SSL/TLS-encrypted
Doctago privacy policy: www.doctago.de/datenschutz
medatixx practice software – data security
For the administration of patient data, we use the practice software from medatixx, provided and supported by our IT service provider Doctago.
Two-tiered data storage:
- Treatment- and patient-related data is stored exclusively locally on the practice server and remains in the practice
- Public lists and catalogs (e.g. EBM master data, medication database, blank forms) are hosted in the Microsoft Azure cloud exclusively in Europe
Encryption and security:
- Data exchange: Generally encrypted via the TLS protocol; when external workstations are connected, packets are additionally encrypted with AES-256
- Data carriers: Servers, drives and hard disks are encrypted with Microsoft BitLocker
- Practice database: The data carrier holding the database (incl. the SQL server) is encrypted with BitLocker. Particularly security-relevant data (account data, passwords) is additionally encrypted with AES-256 (Art. 32 DSGVO)
- Access protection: Password-protected access to the practice software with role and permission management for individual users
- Azure cloud: Access is TLS-encrypted; the databases are encrypted at rest through Transparent Data Encryption (TDE)
Data processing agreement: The DPA between medatixx and the practice governs the requirements of Art. 28 DSGVO. It also governs the obligation of all medatixx employees under the professional secrecy provision (§ 203 StGB): medatixx counts as a "contributor" under that provision, for example during remote maintenance.
IT security consulting: medatixx advises on IT security pursuant to § 75b SGB V and the IT baseline protection (IT-Grundschutz) of the BSI (Federal Office for Information Security, Bundesamt für Sicherheit in der Informationstechnik).
Further information: medatixx.de/praxissoftware/datensicherheit
Health data processed
In our practice, we process the following categories of health data:
- Anamnesis and medical history
- Examination findings (neurological examinations)
- Diagnostic results (EEG, EMG, ultrasound, laboratory values)
- Treatment plans and treatment courses
- Medication plans and prescriptions
- Medical letters and referrals
Retention obligations for medical data
Patient files and health data are retained in accordance with the statutory provisions:
- Patient documents: 10 years after completion of treatment (§ 630f para. 3 BGB)
- X-ray images and examination data: 10 years after the recording (§ 85 para. 2 StrlSchG)
- EEG recordings: 10 years after the examination
- Laboratory results: 10 years after the examination
Automatic deletion: After the statutory retention obligations expire, all patient data is securely deleted.
Data disclosure in the medical field
Health data is only passed on to third parties in the following cases:
- With your explicit consent (e.g. referral to other physicians)
- In the case of a legal obligation (e.g. reporting obligation for certain diseases)
- For billing with health insurers (only billing-relevant data)
- In a medical emergency to ensure treatment
Confidentiality and data protection
Medical confidentiality
All employees of our practice are subject to medical confidentiality pursuant to § 203 StGB and are bound to data secrecy. This also applies to our processors (medatixx, Doctago), whose employees are likewise bound by § 203 StGB.
Technical and organizational measures
To protect your health data, we have implemented comprehensive technical and organizational measures pursuant to Art. 32 DSGVO:
- Encrypted data storage (BitLocker, AES-256) and transmission (TLS)
- Password-protected access with role and permission management
- Automatic screen lock at all workstations
- Regular data backups
- Destruction of data carriers and paper documents in accordance with DIN 66399
- Training of all employees in data protection and medical confidentiality
- IT security pursuant to § 75b SGB V and BSI IT baseline protection (IT-Grundschutz)
Your rights regarding health data
Your general rights as a data subject (information, correction, deletion, restriction, data portability, objection) are described in the privacy policy. For health data, the following additionally applies:
- Access to your patient file pursuant to § 630g BGB
- Transfer of your data to physicians providing further treatment at your request
Restrictions: These rights may be restricted by statutory retention obligations and medical necessities.