The Federal Ministry of Health (BMG) plans to grant company doctors access to all data in the electronic patient record (ePA) without the consent of the insured employees being necessary. This emerges from a draft bill for the law for data and digital innovation in healthcare (GeDIG), which was presented at the beginning of May 2026.
We show what the draft bill specifically envisages, what associations think of the plans and what health data company doctors are currently allowed to view.
What are the plans for ePA access for company doctors?
With the GeDIG, the Federal Ministry of Health is planning further digitalization of the health system. The draft also takes up points from the coalition agreement and the digitalization strategy for healthcare and nursing (“Together Digital 2026”). In particular, the electronic patient file should be further developed in several aspects. One of these concerns access for company doctors to the electronic patient file.
Specifically, the draft bill proposes to delete the consent requirement for access to the ePA by the public health service and company doctors. You would then be able to access the entire file without the insured person’s prior consent. However, this only applies if the insured person does not actively object to access.
This so-called “opt-out” principle is not new in the context of the ePa. Since January 2025, everyone with statutory health insurance has automatically received an ePA – unless they actively decide against it. They would have to do this via app or in writing and in person at the responsible health insurance company.
Access authorization for company doctors: What currently applies legally?
In principle, company doctors already have access to the electronic patient file, but only with the express consent of the patient, i.e. as an “opt-in” solution. The legal basis for access authorizations is Sections 352 and 339 of the Fifth Social Code (SGB).
For general practitioners or specialists, health data is usually accessed by opening a treatment context. The patient presents the electronic health card at the doctor’s appointment and the practice receives 90 days of access to the ePA. Alternatively, access can be granted via the app.
However, this does not currently apply to company doctors. According to the Occupational Safety Act (ASiG), their tasks are primarily of an advisory and preventive nature; they are not responsible for treatment. This means that no treatment context opens up here. So far, they have been dependent on employees actively granting them access to the ePA app. The draft bill for the GeDIG is intended to abolish precisely this consent requirement.
Association of Psychologists with criticism: “Enormous loss of trust”
The Federal Association of German Psychologists (BDP) clearly criticizes the expansion of access rights for company doctors as a “data protection catastrophe”. BDP Vice President Susanne Berwanger explains in a recent press release: “It is a devastating signal for data protection and means an enormous loss of trust for the ePA.” The file was originally developed to support medical care. Data release to company doctors without explicit consent no longer has anything to do with this.
The BDP is not interested in distrusting company doctors across the board, but they do not perform a classic treatment function, as Berwanger explains to “heise online”. With unrestricted ePA access, information could become visible that has nothing to do with the actual question, such as ongoing psychotherapy or a previous addiction.
What does HR need to keep in mind when expanding ePA access?
The planned change therefore raises fundamental questions for employers and HR managers. Company doctors find themselves in an area of tension between employers and employees. They are commissioned and financed by the employer, but are intended to independently protect the health of employees.
Expanded access to the ePA could further strain this tension. Employees could fear that sensitive diagnoses such as mental illnesses will reach the employer. However, the fear of stigmatization is particularly great when it comes to mental illnesses, Berwanger continues. Because many people want to decide for themselves who learns about diagnoses.
According to the BDP Vice President, things also get tricky in situations in which company doctors advise employees directly, for example with company integration management (BEM) or with the question of a job change. For this assessment, a complete look at the ePA is actually not medically necessary. The result could be that recommendations to the employer that concern the employee are influenced by looking at other diagnoses.
Mara Marx is a volunteer at Human Resources.
