NFC health card and electronic patient record
Topics in this article
- What information is contained in the ePA
- What the EPR is and how it works
- How the EPR can be viewed with an NFC card and electronic health card
- How the EPR can be managed
- Points of criticism of the ePA
- ePA situation with the various health insurance companies
1. Electronic patient file explained simply
The electronic patient file (German: elektronische Patientenakte, ePA; also referred to in this article as the electronic patient record, EPR) is, in short, a digital folder containing health information. Doctor visits, medication, examination results and other health information can be stored in it. This allows doctors to get a better overview of their patients more quickly and patients to track their own health history.
The data in the electronic patient file is stored centrally online. Exactly which data can be stored may depend on the health insurance company. Insured persons receive access to the ePA within their health insurance company's app. For example, the following information can be stored:
- Personal details: Name, date of birth, address and contact details of the patient or emergency contacts
- Insurance data: Information about the patient's health insurance
- Medical history: Illnesses, diagnoses, treatments, operations, examination results, laboratory tests or doctor's letters
- Documentation of preventive healthcare: Immunisations, check-ups and other preventative measures
- Medication list: Medications, including dosages and directions for administration
- Allergies and intolerances: Known allergies or intolerances to medication
- Self-measured health data: such as blood pressure or blood sugar levels
2. Motivation of the ePA
The electronic patient record was introduced on 1 July 2021 and has since been available to patients who wish to use it via an app. According to the Digital Act, the ePA is to become standard for statutory health insurance companies in 2025. However, its use remains voluntary - anyone who does not want to use it can object.
The central motivation behind the ePA and the legislation behind it is to digitise and facilitate the exchange of information in the healthcare sector, as the current communication channels are in urgent need of improvement.
A person's health data is still often spread across several doctors. Medications and treatments cannot be easily viewed and harmonised. Several attempts have been made to achieve a better exchange. However, the use of different software solutions in the respective medical practices makes smooth data synchronisation difficult. For this reason, data exchange by data carrier, paper or even fax is still the order of the day. It is also often not easy for patients to view their records. For example, specialised examinations are usually transmitted and made available via the family doctor.
In order to address these problems, efforts have been underway for some time to optimise data exchange. The ePA finally attempts to bring these together under one central standard, which promises the following advantages:
- Improved care: Easy access to all relevant documents.
- Better collaboration: Faster and smoother exchange of information between doctors.
- Transparency and participation: Insight into own data and the possibility to add health data.
- Efficiency gains: Fast processes through simpler data management.
- Better emergency care: Important data retrievable in emergency situations.
- Digital data backup: Protection of data against loss.
3. How the ePA works
The electronic health record connects the following players in the healthcare system:
- Health insurance fund: The statutory health insurance funds provide the ePA within their software. Insured persons are issued with a corresponding NFC-enabled health card that can be used to log in and access the content. The health insurance company cannot view the content of the ePA.
- Doctors/medical institutions: Doctors or medical institutions can view and also fill in the ePA once the patient has authorised their access. They are responsible for filling the file with qualified content.
- Patients: Receive access to their ePA via health card or NFC smartphone. They can view and edit the ePA themselves.
- Research institutions: ePA data is made available in order to support medical research. However, insured persons can object to the release of data at the health insurance ombudsman's offices or digitally in the app.
- IT service providers: Provide the technical infrastructure for data storage and processing. They cannot view the data, which is stored in encrypted form.
4. NFC and the electronic health card
As already mentioned, the electronic health card with an integrated NFC chip provides patients and doctors with access to their ePA.
You can recognise whether your health card is NFC-enabled by the NFC symbol, which must be visible on your card. If the symbol is on the health card, it is equipped with an NFC chip. This should not be confused with the gold contact chip, which is also on the health card. The NFC chip and an NFC antenna are built into the card. They are responsible for data exchange. They are installed in a similar way to bank cards.
4.1. NFC health card in the doctor's surgery
The health card has always been read in the practice using a chip card reader. At present, devices are still mainly used for the gold contact chip on the card - recognisable by the fact that the card has to be inserted.
With the next generation of devices, NFC will also be introduced and scanning in the doctor's surgery will be faster and error-free. Similar to payment terminals at cash registers, contactless scanning could speed up and simplify the process.
However, the scan at the entrance to the practice initially only serves to record the patient's visit. After approval, data is transferred to the electronic patient file separately via the software solutions used in the respective practice.
4.2. Using the NFC health card at home
In order to be able to use the health card itself via NFC, an activation is first required. This can be requested from the health insurance company. Insured persons will then receive an access code (PUK or TAN), a PIN and a step-by-step explanation.
After the initial activation, a scan via NFC and the entry of the individual access code is sufficient to open the patient file and display the data. In addition to the health card, an NFC-enabled smartphone or NFC reader for the computer is required. This makes it easy to view the patient file from a PC, laptop or tablet.
4.3. Easily view the ePA
There are two ways to view the EPR using a health card:
4.3.1. Viewing with a smartphone
To view the EPR with a smartphone, the health card must be held up to the smartphone. Your health insurance company's app will then open and ask you to log in. You can then navigate to the ePA in your app.
4.3.2. Viewing with PC/laptop/tablet and reader
Attention: This step is only possible if your health insurance company offers a corresponding desktop client in which you can manage your ePA. The AOK offers such a client, for example. Ask your health insurance provider about this in advance.
Opening the patient file on a PC can be more convenient, especially if data needs to be managed, saved or downloaded. This is because the user interface of a PC is better suited to editing documents due to its fast handling.
As PCs, laptops and tablets do not have a reader integrated into their hardware, they require an external reader to be able to read the health card. These include chip card readers or NFC readers. A suitable device for reading the health card or ID card is the APG8201-B2 chip card reader.
To view the ePA with the PC, the reader must first be connected to the device via USB. The desktop client must also be installed.
To log in, open the desktop client and select the health card from the login options. This option may already be selected by default. The health card must then be inserted into the card reader as instructed. If necessary, the PIN of the health card must also be entered.
4.4. NFC reader
An NFC reader is a card reader that can read NFC chips. However, not every NFC reader is suitable for reading the ePA. A certain security class of reader is required for this.
There are a total of 4 different security classes:
- Security class 1: These card readers offer the least protection. They have neither a display nor a keypad. Data must be entered manually on the PC, but malware can spy on this process.
- Security class 2: These card readers have a keypad. A PIN must be entered here, which is transmitted from the terminal to the card. The card is then read.
- Security class 3: In addition to a keypad, these card readers also have a display. The display can be used to check data for accuracy and completeness before it is transmitted. Devices in this security class also have firmware.
- Security class 4: These card readers offer the highest possible level of security. In addition to the keypad and display, they have a SAM module (SAM = Secure Access Module). The module enables the owner of the reader to be clearly identified.
You should use a reader of at least security class 2 to read the ePA.
5. Managing the electronic patient file
The electronic patient file can be managed in various ways.
- View: The ePA can be accessed online using the health insurance app (or the software). Documents stored in the ePA can then be viewed there.
- Fill patient file: Both the doctor and you yourself can fill in your patient file. The ePA allows both to upload and save documents within the user interface. Doctors can also store documents in your ePA on request.
- Remove documents: You can also remove documents from your ePA at any time, e.g. if you no longer need them.
6. Criticism of the ePA
The ePA should bring some advantages, but there are also disadvantages. The ePA is only available via a health insurance company's app or software. However, using a smartphone or PC can be a challenge, especially for older people.
Furthermore, patients can delete documents if they find them unpleasant or disturbing. This can have a negative impact on patient treatment. Treatment can, however, also suffer on the doctors' side: a documented medical history can reinforce bias in doctors, for example when complaints are often attributed to a patient's mental illness.
Storing data in a cloud is also a disadvantage. Cloud service providers use advanced security measures. Nevertheless, the risk of security breaches cannot be completely prevented. Unauthorised access to private health data can have serious consequences.
7. Electronic patient file and data protection
The question justifiably arises as to what extent the very sensitive data in the EPR is protected. To this end, insurance companies use encryption techniques to ensure that only patients and those authorised by the patient have access. It is also not possible for health insurance companies to view the EPR. The documents are encrypted in the app and can only be decrypted on the smartphone.
In order to manage large amounts of data, servers are used to store the EPR documents. The data is outsourced to the cloud for this purpose.
7.1. Access rights
Only patients can decide who can view their EPR and save data. It is not possible to access the EPR without consent. Patients can also decide whether access should be possible for a longer period of time or only limited to the current treatment.
The law stipulates to whom access to the patient file can be granted. On the one hand, this can be granted to healthcare professionals. This includes doctors, therapists, hospitals and pharmacies, for example. Since 2023, patients have also been able to share their data for research purposes.
7.2. Reject patient file
The patient file is mandatory for everyone, but it is also possible to object to the creation of a patient file. To do this, patients must contact their health insurance provider. It is also possible to create a patient file and cancel it afterwards. All data received will then be permanently deleted.
7.3. Protection of the health card
The electronic health card is protected by a PIN on the one hand and by NFC technology on the other. The PIN prevents unauthorised authentication in the health insurance app. The data on the health card itself is also protected. Due to its short range, near field communication (NFC) is often used in areas that work with sensitive data, e.g. payment. In order to read data stored directly on your health card, the health card would have to come into direct contact with a reader. There are also protective sleeves that completely prevent NFC cards from being read until they are removed.
8. ePA with the health insurance companies
8.1. ePA with the statutory health insurance companies
In 2025, the ePA is to become standard for all people with statutory health insurance. Every health insurance fund is therefore obliged to provide an EPR. The ePA is to be introduced comprehensively. Anyone who does not wish to use it must cancel it with the respective health insurance fund.
The ePA can be accessed via the health insurance app or a desktop client. The NFC-enabled health card can be used to authenticate with the app or desktop client. In terms of digitalisation, the statutory health insurance funds are in a more advanced position than private health insurers.
8.2. ePA with private health insurance companies
Not all private health insurance companies already provide the ePA. However, there are plans to introduce the EPR for private patients in the near future. The extent to which the patient file can be used therefore depends heavily on the health insurance company itself. For this reason, it is necessary for privately insured persons to obtain more detailed information from their own health insurance company.
As private patients do not have a health card, they cannot use it to view their ePA. Access is therefore usually via PIN or other authentication procedures. Some private health insurance companies provide their patients with a so-called insurance card. However, this cannot be used for authentication in an app or desktop client.
9. Conclusion
The electronic patient file enables the digital storage of health information such as doctor's visits, medication and examination results. The ePA is intended to ensure improved and faster care, a more efficient exchange of information between doctors and transparency for patients. However, certain points of criticism, such as difficulties for older people in handling, represent future challenges. Anyone wishing to use the ePA can access it using the NFC-enabled health card and health insurance app.
It is currently only available to people with statutory health insurance. However, as the healthcare system is to be comprehensively digitalised, it can also be expected to be introduced for private health insurance companies in the future.