Amendment to the Bavarian Hospitals Act

The Bavarian state government is planning a major amendment to the Bavarian Hospitals Act to allow hospitals to outsource their IT to external service providers in future. Corresponding IT strategies can thus lead to increased IT professionalisation and cost savings in future.

Current legal situation

According to the sixth sentence of Article 27(4) of the Bavarian Hospitals Act, hospitals in the state have so far only been permitted to process patient data internally – on the hospital premises – or to have other hospitals process patient data, in the case of patient data required for more than merely administrative purposes when treating the patients. This rule has so far prevented Bavarian hospitals from having an IT infrastructure operated off their own premises by external service providers, which the GDPR and the 2017 amendment to the provision on the confidentiality obligation in section 203 of the German Criminal Code would already allow in principle. This applies in particular to the service portfolio of cloud service providers. In addition, since 1 January 2022, hospitals have had to take into account the requirements of section 75c German Social Code Vol. 5 in relation to IT security. Large hospitals in particular may also count as operators of critical infrastructure under the Act on the Federal Office for Information Security, and therefore section 8a of that Act applies.

Planned amendment

The Bavarian government’s Public Health Service Bill now contains the following amendment:

The aforementioned sixth sentence of Article 27(4) of the Bavarian Hospitals Act is to be deleted, paving the way for IT outsourcing by hospitals. This is what the explanatory memorandum to the Bill says:

“The repeal of the sixth sentence of Article 27(4) of the Bavarian Hospitals Act is intended to allow hospitals to also have patient data processed outside the hospital by processors that are not hospitals.” (Bavarian Parliament, printed paper 18/19685, p53)

According to the new version of the Act, however, it will also be necessary to observe the provisions of Articles 28 and 32 of the GDPR in future IT outsourcing. A new provision in Article 27(6) Bavarian Hospitals Act clarifies that the protective measures to be taken against unauthorised use or transmission must comply with the GDPR. This means in particular:

1. Hospitals must enter into a data processing agreement with their outsourcing companies in accordance with Article 28(3) of the GDPR. Since the patient data to be processed mainly consists of special categories of personal data, hospitals are likely to attach particular importance to the security of the processing. Supplementary agreements will also be agreed in view of section 203 German Criminal Code.
   
   
2. Furthermore, both the external processor and the hospital responsible must ensure the necessary protective measures in the form of a suitable security strategy in accordance with Article 32 of the GDPR.

According to the state legislature, the interest groups of the Bavarian hospital operators and their umbrella organisations should also prepare a set of rules on the technical and organisational requirements of outsourcing.

Hospitals that outsource IT services in future but are publicly owned will have to put the project out to public tender, depending on the extent of the planned outsourcing. From an IT contractual point of view, the content and necessary level of detail of the outsourcing agreement will be based on the expected forthcoming rules and regulations of the umbrella organisations, as well as on those of other regulated industries, such as the financial sector.

Conclusion

The state legislature itself realises that the planned amendment is only a way of legally catching up with digital progress. This is what the explanatory memorandum says:

“The rapid advance of digitalisation also affects hospitals in Bavaria. It requires the fast adaptation of individual points of the Bavarian regulations on data protection in hospitals. The aim of the amendment ... is to enable hospitals to provide modern, IT-assisted patient care in terms of digitalisation and innovation and at the same time to ensure a high level of data protection in hospitals. Given the stricter IT security requirements, the opportunities in particular for outsourced processing of patient health data must be considered for the future.” (Bavarian Parliament, printed paper 18/19685, p2)

The planned change in the legal admissibility of involving external service providers is thus very welcome and long overdue.

This would mean that in Bavaria, similar to hospital laws in Hamburg, Lower Saxony and Rhineland-Palatinate, comparatively liberal conditions would prevail for the use of processors by hospitals. However, the hospital laws of Baden-Württemberg, Mecklenburg-Western Pomerania, North Rhine-Westphalia and Saxony-Anhalt still contain comparatively strict restrictions that make the use of processors more difficult.