Ensuring data protection for video consultations

• vzbv analysis highlights data protection loopholes in telemedicine and doctor consultation portals.
• Policymakers must ensure data protection for video consultations.
• vzbv issues cease and desist letters to several platform providers.

Portals for telemedicine and doctor consultations repeatedly fail to comply with data protection obligations. This is the finding of an investigation carried out by the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverbands – vzbv) for its project “Consumer interests in the e-health sector”. vzbv calls for platform providers to comply with data protection laws for sensitive medical data so that consumers can use such services without concerns.

“Video consultations are a valuable addition to healthcare services. When used appropriately, they can complement the treatment process, improve access to medical care, and reduce risks of infection. It is, however, essential that platforms meet the applicable consumer protection standards,” says Thomas Moormann, Team Leader Health Care at vzbv.

When using telemedicine and doctor consultation portals that offer video consultations, patients pass on sensitive data both directly and indirectly, such as the reason for the consultation or the nature of the respective medical discipline. Appointment dates can also provide indications about the state of an individual’s health. In vzbv’s view this data should be treated as special categories of personal data as forseen under the General Data Protection Regulation (GDPR). This means that health data can only be processed once explicit consent is given. The vzbv investigation shows that seven of the nine service providers investigated obtain either no or insufficient explicit consent.

“Consumers must be able to count on the applicable data protection regulations when using these platforms. The platform providers must ensure that data protection standards are thoroughly complied with,” says Moormann.

In addition, eight out of nine providers investigated state in their data protection policy that they use tracking services. These analyse the online behaviour of users, for example for marketing purposes. vzbv is fundamentally opposed to the processing of health data or data that could indicate the health condition of a user for marketing purposes.

The Digital Services Act (DSA), adopted by the EU legislator in summer 2022, also prohibits online platforms from using sensitive data for marketing purposes. vzbv calls for providers to swiftly implement the new rules. “Both the transmission of videos and access to video consultations should be free from tracking and advertising. Should data protection loopholes emerge after the DSA takes effect, the Federal Government must take steps to remedy the situation. The current rules must protect patients from tracking and manipulation by advertising,” Moormann says.

vzbv also recommends that providers are required to offer guest access to video consultations. This would simplify consumer access to the service.

Based on the findings of the investigation, vzbv took legal action against two providers for non-compliance with data protection laws. The cease and desist letters concern, for example, the insufficient design made to obtain the requiredexplicit consent from users for the processing of health data, or the excessively long period of data storage. In both cases the respective providers responded with a declaration to cease and desist, which meant proceedings were settled out-of-court. vzbv currently considers further cease and desist letters against other portals.

In a representative online survey commissioned by vzbv just over three quarters of those surveyed (76 percent) stated that good data protection is rather important or very important to them with respect to e-health services. Almost half (49 percent) said their decision on whether to use an e-health service depends on this factor. Good data protection is thus not only unavoidable for healthcare providers to fulfil legal requirements, but also essential to ensure consumer acceptance and use.

The findings arose as part of the project “Consumer interests in the e-health sector”. The project, funded by the Federal Ministry for the Environment, Nature Conservation, Nuclear Safety and Consumer Protection (BMUV), aims to warn consumers about problems associated with digital services. It also aims to provide a basis to derive the need to take action in the healthcare sector with respect to policy, collective agreements, or legislation.

We analysed a total of nine providers, selected, on the one hand, from the list of certified video services provided by the National Association of Statutory Health Insurance Physicians (NASHIP), and on the other hand by using a search engine to find doctors who, on the initiative of patients, offer consultation primarily via video consultation providers or platforms. vzbv analysed the data protection policies of these service providers in terms of pre-defined criteria relevant to the GDPR.

Representative online survey commissioned by vzbv and carried out by eye square. 1,100 internet users aged 16 and over were surveyed, of whom 167 use video consultations. The survey took place from 1 to 7 December 2022. Statistical error tolerance: max.± 3 percentage points in the total sample.