Particle.news

Germany's Electronic Patient Record Sees Broad Use as Security Risks Persist

Independent probes still find attack paths despite upgrades by Gematik.

Overview

  • Since October 1, providers are legally required to populate the ePA, with officials reporting 10.6 million document uploads in October, 17.4 million medication-list accesses in the last October week, and an opt-out rate of about five percent.
  • Patients manage access via insurer apps, with default access set to 90 days for practices and three days for pharmacies; they can hide or delete documents, though hiding on a per-facility basis is limited to the medication list. Insurers themselves cannot view ePA contents.
  • Security researchers from the CCC previously demonstrated viable attack paths; Gematik has tightened controls and restricted bulk access, yet a hack remains technically possible according to current reporting.
  • Gematik plans a stronger authentication step next year called Proof of Patient Presence, expected to use a cryptographic challenge–response with the physical health card to verify the patient is present.
  • Incorrect entries pose practical issues: patients may remove items from their ePA but cannot compel physicians to alter their own records, while corrections at insurers require medical evidence and legal action is uncommon due to cost and effort.