Privacy Storm Brews Over German Plan to Give Company Doctors Default Access to Patient Files
01.07.2026 - 02:03:13 | boerse-global.de
The German cabinet is expected to vote in mid-July 2026 on a contentious measure that would let company doctors view patients’ electronic health records without first obtaining explicit permission. The proposal, tucked inside the draft Health Data and Digital Innovation Act (GeDIG) from May 2026, would flip the current opt-in system to an opt-out model—meaning employees’ medical data becomes visible to workplace physicians unless they actively object.
Under today’s rules, a company doctor must secure a worker’s express consent before peering into the electronic patient record (ePA). The reform would align occupational health physicians with other treating doctors, who can already access the ePA unless the patient has registered a blanket objection. The Federal Ministry of Health’s draft argues the change closes a loophole that was a drafting error rather than intentional policy.
Workplace doctors lobby for longer, broader access
Three professional associations representing occupational medicine—the German Society for Occupational and Environmental Medicine (DGAUM), the Federal Association of Company Doctors (BsAfB), and the German Professional Association of Occupational Physicians (VDBW)—are pushing to go further. They want the access window expanded from three days to 90 days and insist on the right to retrieve data relevant to mandatory workplace health screenings. In a formal hearing with associations on 18 May 2026, the groups argued that the current restriction rests on an editorial oversight and must be corrected to ensure patient safety and effective prevention.
Medical data protection advocates are raising alarms. The Professional Association of German Psychologists (BDP) warns that dropping the express-consent requirement could severely erode trust between employees and company doctors. The fear: sensitive health details—covering mental health, chronic illness, or reproductive matters—might end up visible to employer-adjacent clinicians, even though statutory medical confidentiality remains intact. Critics say the law’s safeguards offer little comfort when the doctor works for the company.
Supporters of the new rules counter that professional secrecy already binds occupational physicians. The DGAUM stresses that shutting company doctors out of the ePA’s information flow undermines quality of care and makes workplace prevention harder.
Technical and billing changes roll out alongside the debate
Since the start of July 2026, health insurers have deployed a new encryption technology based on the ECC (Elliptic Curve Cryptography) standard. As a result, ePA apps now run only on smartphones with Android 14 or iOS 18—a move that has drawn sharp criticism from consumer advocates, who accuse insurers of failing to properly inform users with older handsets. Desktop applications remain available as an alternative.
On the billing side, the reimbursement code EBM 01648 for initially populating the ePA remains in force; lawmakers scrapped a planned reduction. From July 2026, new billing codes for digital health applications also take effect, including one for remote monitoring of digital therapy progress.
The ePA, launched in spring 2025 for roughly 70 million insured people, remains subject to constant regulatory and technical adjustment in Germany’s health system.
