The coming year will bring far-reaching changes for the healthcare industry due to new legal requirements. It is important for all players in the industry to prepare in good time in order to make the most of the opportunities offered by digitalization and meet future requirements.
2024 and 2025 are crucial years for the digitalization of companies in the German healthcare industry. The motivation for digitalization arises not only from changing market requirements or internal company measures but also from the latest legislation and regulatory framework conditions, which particularly affect companies in the healthcare industry. Let’s take a look at the most important developments in the coming year.
ePA and e-prescription
The topic of e-prescriptions has been on the minds of companies in the healthcare sector for some time now and will play a decisive role in the coming year in particular. From January 2025, the “electronic patient file (ePA)” will be created automatically for patients with statutory health insurance unless they have actively opted out. From this date, doctors must fill the ePA with diagnostic reports, medical and discharge letters, and laboratory data (usually via the practice management system). In addition, billing data from health insurance companies and information from the e-prescription service are entered automatically and directly into the ePA and displayed as a medication list.
From mid-July 2025, the medication list will be further developed into a medication plan. Doctors and pharmacists will then have the option of adding additional information and instructions on taking the medication. It will also be possible to document over-the-counter medicines, dietary supplements and other relevant data for the medication process.
For those with private health insurance, the e-prescription remains voluntary. Each private health insurance company decides for itself whether it wants to offer the e-prescription together with the ePA. If the ePA is offered, offering the e-prescription is also mandatory. As things stand today, apps that integrate these services need to be approved or certified by gematik, and various services, including the e-prescription, are linked to the ePA.
As the ePA is becoming the de facto standard for statutory health insurance companies, private health insurers are effectively forced to offer it as well. The e-prescription offers privately insured patients numerous advantages over traditional paper prescriptions, such as conveniently redeeming a prescription digitally at an (online) pharmacy or submitting receipts to the health insurance company in a simplified way.
Cloud use in the healthcare sector
The C5 catalog, introduced by the German Federal Office for Information Security (BSI) in 2016, defines strict security standards for cloud providers. These standards are primarily used in regulated industries such as insurance companies to ensure data protection and risk management.
From January 2025, German health insurance companies and their service providers will only be allowed to process sensitive data in cloud systems if they meet the C5 standards. This is stipulated in Section 393 of the German Social Security Code (SGB V), which supports secure cloud use in the healthcare sector.
The C5 attestation is based on several international security standards, meaning that cloud providers who already adhere to frameworks such as ISO/IEC 27001, BSI IT-Grundschutz and the GDPR can reuse existing measures to comply with C5. ISO 27001 provides a sensible basis, but organizations must expect more time and cost to obtain the BSI C5 attestation, as auditors carry out an intensive annual audit. The audit does not only check conformity with C5 on paper; above all, it checks the effective, consistent, and verifiable application of the very detailed C5 criteria. Data processing is restricted to locations in the EU, the EEA, Switzerland, or regions with a GDPR adequacy decision, and providers must have a presence in Germany.
EU AI Act
Artificial intelligence is also playing an increasingly important role in the insurance industry, and the EU AI Act provides the legal basis for using AI in this area. The Act is a proposal for a European regulation to ensure the safe and ethical use of AI. It does this by classifying AI systems based on risk, banning applications that are harmful to users, and setting strict requirements for high-risk applications in areas such as healthcare and law enforcement.
Although the majority of the EU AI Act will not come into force until 2026, some of its parts, such as the “ban on AI systems with unacceptable risk,” will take effect on February 2, 2025.
What are the most important aspects of the EU AI Act and how will it impact the healthcare industry?
First, clear disclosure that users are interacting with AI is required in all cases.
In addition, the new law classifies all AI systems by risk:
- Minimal risk, e.g. spam filtering systems. No obligations apply here.
- Limited risk, such as chatbots in insurance apps. It must be clear to end users that they are interacting with AI, not humans.
- High risk, including AI systems that process sensitive data such as health data. One example is the assessment of insurance risks. AI systems in this category are not prohibited, but they carry a high risk and must therefore meet strict requirements, which can be met, for example, through human oversight and logging.
- Unacceptable risk, e.g. biometric identification systems and social scoring. AI systems in this category are banned outright, as they are ethically questionable and manipulative.
National authorities and an EU AI Committee will monitor and enforce compliance, and transposition into national law is intended to ensure uniform application in all Member States.
E-invoicing
From July 1, 2025, a new e-invoicing obligation for the business-to-business sector will come into force in Germany. All entrepreneurs must be able to receive and process e-invoices. This also means a major change for medical practices and all freelancers in the healthcare sector.
The processing of electronic invoices is fully automated – from creation to archiving. From 2025, only the XRechnung and ZUGFeRD 2.x formats will be accepted as common e-invoice formats in Germany; a plain PDF is not a recognized e-invoice format.
Although the initial implementation costs are relatively high, electronic invoices also bring many advantages:
- Costs for paper and postage are reduced
- Increased speed and simultaneous minimization of manual errors during invoice processing
- Contribution to environmental protection
- Time and cost savings through automation
For the time being, nothing will change for patient invoices issued by practices: these are invoices to private individuals, so practices may continue to send them on paper. Nevertheless, e-invoicing sets a new standard that will also affect business-to-consumer invoices in the future.
Until then, patients can still benefit from the Gini photo payment, which automatically processes paper and digital invoices using data extraction. Photo payment has been introduced in over 90% of German banks and has become the industry standard. Users can pay their bills by scanning them without manually entering the recipient’s details – regardless of whether the bill is a scan, an e-invoice or a photo.
DORA
The Digital Operational Resilience Act (DORA) will ensure that financial institutions are better positioned against digital disruptions and cyber threats starting January 17, 2025. DORA is an EU regulation, supervised by national authorities such as BaFin in Germany, that sets out uniform requirements for dealing with information and communication technology (ICT) risks in the financial sector.
Until now, regulated insurance and financial companies have been subject to various sector-specific regulations at national level, including the circulars published by BaFin on the supervisory requirements for IT in credit institutions (BAIT) and in insurance undertakings (VAIT). DORA replaces this patchwork with uniform requirements that apply to the entire financial sector. Insurance companies that already have a compliance framework based on VAIT can use it as a basis for meeting the DORA requirements.
A key aspect of DORA is the monitoring of risks arising from external ICT providers, so that companies can ensure the security and continuity of their systems. Regular testing is required to assess the resilience of ICT systems against cyber threats and disruptions. Companies that violate these requirements face sanctions, which the competent authorities, such as BaFin, are authorized to enforce.
The coming year will bring far-reaching changes for the healthcare sector due to new legal requirements. The mandatory introduction of the ePA, the widespread use of e-prescriptions, and strict security standards such as the C5 attestation mark the transition to digitalized, more efficient, and safer patient care. At the same time, the EU AI Act and DORA ensure that modern technologies are used responsibly and resiliently. These developments are a clear call to all players in the industry to prepare in good time, to make the most of the opportunities offered by digitalization and to meet future requirements.
At Gini, we want our posts, articles, guides, white papers and press releases to reach everyone. We therefore emphasize that female, male, and other gender identities are explicitly addressed in them. All references to persons refer to all genders, even where the generic masculine is used in the content.