Updated Tuesday, December 10, 2024

SaaS providers in healthcare are now required to obtain C5 attestation

The “Act to Accelerate the Digitization of the Healthcare System” (Digitisation Act - “DigiG”) came into force on March 26, 2024, and the new Section 393 of the SGB V will be applicable from July 1, 2024, requiring many SaaS providers to obtain a C5 attestation.

Steffen Groß

Partner (Attorney-at-law)

Boris Arendt

Salary Partner (Attorney-at-law)


This law introduces, among other things, the new Section 393 of the SGB V, which sets specific requirements for the processing of health and social data by cloud service providers. The legislator aims to explicitly allow the processing of health and social data in the cloud while simultaneously increasing IT security requirements. In the following article, we have summarized the most important changes for you.




Who is affected by the new law?

The new regulation in Section 393 SGB V affects healthcare providers and health and long-term care insurance funds on the one hand, and their respective data processors on the other.

Who are healthcare providers?

Healthcare providers within the meaning of the fourth chapter of SGB V are all natural and legal persons and institutions that are authorized to provide statutory health insurance benefits.

These include:

  • Doctors, dentists and psychotherapists
  • Hospitals
  • Prevention and rehabilitation facilities
  • Facilities of the Mothers' Convalescent Home
  • Service providers of remedies
  • Pharmacies and pharmaceutical entrepreneurs
  • Providers of domestic help
  • Home nursing care
  • Sociotherapy
  • Socio-medical aftercare measures
  • Specialized outpatient palliative care
  • Ambulance services
  • Midwifery assistance

Who is a processor on behalf of a healthcare provider?

Processors are companies that, as service providers, process health data on behalf of their customers (e.g. doctors, hospitals, rehabilitation facilities). Examples include providers of software-as-a-service appointment booking systems for doctors, software for digital patient management, and IT service providers in the healthcare sector, in particular:

  • Hospital information systems (HIS)
  • Practice management systems (PVS)
  • Electronic patient file (ePA)
  • Cloud storage solutions
  • Cloud-based picture archiving systems
  • Telemedicine and video consultation platforms
  • Billing software and management solutions
  • E-prescription and e-health platforms

What obligations apply to processors from 01.07.2024?

The change in the law brings with it a number of obligations for processors. In addition to the obligation to take technical and organisational measures (TOMs), special requirements are also placed on the location of data processing and the establishment of the data processor. However, the main regulation is likely to be that processors now require a so-called C5 certificate.

Place of processing and establishment

In accordance with Section 393 (2) SGB V, the processing of social and health data by means of a cloud computing service is only permitted

  1. in Germany,
  2. in a member state of the European Union,
  3. in a country that is treated as a Member State pursuant to Section 35 (7) of Book I, or
  4. in a third country, provided that an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 has been issued.

The law does not provide for transfers to a third country under any other conditions (e.g. EU standard contractual clauses combined with a transfer impact assessment). According to the new legal requirements, no health data may be processed in the USA.

In addition, the processor must have an establishment (branch) in Germany.

Requirement for C5 Attestation

From July 1, 2024, companies will also be required to obtain a C5 certificate for their cloud systems. This legal requirement aims to ensure compliance with the security requirements of the "Cloud Computing Compliance Criteria Catalogue" (C5), developed by the German Federal Office for Information Security (BSI).

The C5 certificate certifies that the cloud service providers have taken specific technical and organizational measures to ensure the security and protection of the processed health and social data. The C5 criteria include requirements for data protection, information security, the technical security of the infrastructure and the processes and procedures for handling security incidents.

These measures are intended to ensure that the cloud systems meet the high IT security standards that the legislator considers appropriate for the processing of health data.


What is a C5 certificate?

A C5 certificate is based on the "Cloud Computing Compliance Criteria Catalogue" (C5), which was developed by the German Federal Office for Information Security (BSI). This catalog serves as a framework for the security requirements of cloud services and was first published in 2016, with an updated version in 2020. The C5 certificate is a standardized certificate that confirms compliance with specific security criteria by cloud service providers.

Until now, C5 attestations were typically obtained by cloud hosting or infrastructure providers. The new law, however, also requires SaaS providers to undergo a C5 audit, which considerably expands the group of organizations that must comply with the C5 requirements.


What is the difference between type 1 and type 2 certificates?

The audits as part of C5 testing can be carried out in the form of an adequacy test (type 1) or an effectiveness test (type 2). In a type 1 audit, the adequacy of the controls of an internal control system (ICS) is assessed at a specific point in time. The auditor checks whether the security controls are appropriately designed and implemented to fulfil the C5 criteria. This form of attestation is particularly relevant for the initial audit of a cloud service, as it represents an initial assessment of the IT security precautions at the time of the audit.

In contrast, the type 2 audit not only includes an assessment of the adequacy of the controls, but also their operational effectiveness over a defined audit period (usually 6 or 12 months). Here, it is checked whether the security controls are not only in place, but also function effectively and continuously. This type of audit provides greater validity with regard to the actual effectiveness of the IT security controls over the entire audit period.

In addition, Section 393 (4) SGB V allows an attestation or certificate according to a standard that ensures an equivalent or higher level of security compared to the C5 standard to be recognised instead of a C5 attestation. Such a standard is not yet available at the present time.


What requirements must be met in order to obtain a C5 test certificate?

In order to obtain a C5 certificate in accordance with the type 1 audit, the cloud service provider must commission a certified auditor to carry out the audit. This audit is based on the catalogue of criteria drawn up by the German Federal Office for Information Security (BSI), which consists of 125 criteria divided into 17 subject areas.

The subject matter of the audit comprises the cloud provider's service-related internal control system for the provision of the cloud service, including the principles, procedures and measures as well as the controls established for this purpose in its organizational and operational structure.

In order to meet the C5 criteria, a large number of legal, technical and organizational data security measures must be implemented. These include the creation of the cloud provider's system description, an internal pre-audit of the fulfillment of the C5 criteria and the performance of the actual audit by a certified auditor.


How long does it take to obtain a C5 certificate?

The planning and implementation phase can take more than 6 months, and the audit phase itself is estimated at 20 weeks. The law was passed in March 2024 and the new Section 393 SGB V applies from July 2024. Professional associations (rightly) consider this timeline unrealistic, and many processors will probably not be able to meet the legal requirements by the deadline.


What are the costs for a C5 attestation?

The budget depends on the size of the company, the audited IT infrastructure and the existing structures (management systems). The budget can typically be in the mid five-figure to low or mid six-figure range. The German Health IT Association (bvitg) states that the costs for a C5 certification often amount to more than 100,000 euros, while the draft law assumes lower costs in the low five-figure range.


How can Simpliant support you with the implementation?

We offer comprehensive support in assessing the new legal requirements of the Digitisation Act (DigiG) and Section 393 SGB V, as well as their impact on your organization. We are happy to assist you in preparing for the C5 attestation, including identifying and implementing the necessary IT security measures, creating the system description, and selecting a certified auditor.

Contact us via email at info@simpliant.eu or use our contact form to schedule a non-binding initial consultation.



Downloads

Simpliant Legal Memo - Health data in the cloud - 1.0

This legal memo assesses the admissibility of processing health data by SaaS providers under the new § 393 SGB V in Germany. The download is only available in German.
