BfDI warns about email transmission of medical appointment confirmations

German Data Protection Commissioner raises concerns over unencrypted emails containing patient health information.

Medical appointment email security alert: Split-screen shows encrypted vs. unencrypted data transmission highlighting GDPR concerns.

According to a recent post by Dr. Carlo Piltz on LinkedIn, Germany's Federal Data Protection Authority (BfDI) has issued a formal warning against a public entity for sending medical appointment confirmations via email without end-to-end encryption. This ruling, detailed in the agency's 2024 Activity Report, determined that such transmissions violate Article 32 of the General Data Protection Regulation (GDPR).


The case centered on confirmation emails for doctor's appointments that included physicians' names. While the emails didn't contain explicit symptoms or illness details, the BfDI concluded they still constituted "health data" under GDPR Article 4(15). Following precedent established by the European Court of Justice (ECJ), the agency adopted a broad interpretation of health data, determining that merely knowing someone has booked an appointment with a specific doctor reveals information about their health status.

"This falls under health data since it allows one to infer that the person booking the appointment has a need for treatment," notes the BfDI in its ruling. The agency further observed that researching a doctor's specialty could narrow down the potential type of illness involved.

This decision builds upon existing guidance from the Conference of German Data Protection Authorities (DSK), which has previously established that when transmitting data where unauthorized disclosure would present a high risk, end-to-end encryption is required under GDPR Article 32(1)(a).

Dr. Piltz offers a more nuanced perspective in his post. While acknowledging the logical consistency of the BfDI's position, he questions whether the broad interpretation of health data creates practical challenges. "If I make an appointment with a pediatrician for my child and receive a confirmation, is this health data about me? I would say no. First, I am not a child and therefore would hardly be treated by a pediatrician. Second, in case of doubt, it's also not data about my child if I make the appointment," he writes.

Piltz further questions whether the mere knowledge that someone has scheduled a doctor's appointment necessarily implies a treatment need, noting that appointments may be made for preventive care rather than addressing existing conditions.

The ruling has significant implications for healthcare providers, who must now implement end-to-end encryption solutions for all appointment confirmation emails. It also raises questions about how broadly health data should be defined in the digital healthcare ecosystem.

This case highlights the tension between digital convenience and data protection in healthcare settings. While electronic appointment systems offer efficiency and convenience, the BfDI ruling emphasizes that even seemingly innocuous information can constitute sensitive health data requiring robust protection measures.

For healthcare providers and their technical service providers, the ruling underscores the need to use secure communication channels for all patient interactions, no matter how routine they might seem. The case also illustrates how data protection authorities are taking an increasingly expansive view of what constitutes protected health information.

The warning emerged from the BfDI's 33rd Activity Report for Data Protection and Information Freedom, released under the leadership of Professor Dr. Louisa Specht-Riemenschneider, who took office as Federal Commissioner on September 3, 2024. In her inaugural statement, Specht-Riemenschneider emphasized three priority areas: health, artificial intelligence, and security.

In the health sector, the commissioner noted the importance of considering data protection from the outset. "This applies, for example, to access to research data, which must be productive while complying with data protection requirements and maintaining trust," she wrote in the report's introduction. She expressed her conviction that the success of research data access, digital health applications, and electronic patient records depends on high data protection and IT security standards.

The BfDI's warning reminds organizations that when handling sensitive health data, technical measures like encryption aren't merely recommendations but legal requirements. This applies not just to detailed medical records but even to appointment confirmations that might indirectly reveal something about an individual's health status.

For patients concerned about their data security, this ruling offers reassurance that data protection authorities are vigilantly overseeing even routine healthcare communications. However, it may also result in additional steps or complexity when interacting with healthcare providers as they implement compliant communication systems.

The case represents part of a broader European trend toward stricter interpretations of health data protections under GDPR. As digital healthcare services continue to expand, we can expect further clarification and enforcement actions regarding the security requirements for various types of health communications.

Timeline

  • May 2018: GDPR becomes fully enforceable across the EU
  • December 2023: German Data Protection Conference issues position on end-to-end encryption requirements
  • Early 2024: BfDI issues formal warning against a public entity for unencrypted medical emails
  • May 2024: BfDI publishes its 33rd Activity Report highlighting the case
  • September 3, 2024: Prof. Dr. Louisa Specht-Riemenschneider assumes office as new Federal Commissioner
  • November 2024: Dr. Carlo Piltz discusses the case and its implications on LinkedIn