The electronic patient record (ePA) has been mandatory for medical facilities since October 1, 2025, but the German AIDS Service draws a negative balance: Only a few patients actively use the system, and the control of sensitive data remains complicated and error-prone. Further development is essential in order to take advantage of opportunities and minimise risks.

Since the nationwide launch of the ePA in April 2025, all people with statutory health insurance have automatically received a file, unless they object to their health insurance company. According to Gematik, however, of around 70 million insured persons, only about 3 million have set up a health ID that is necessary for app access – that is only 4 percent. Many are not aware that sensitive data is already stored and who can access it, which leads to risks in stigmatized diseases. Hardly anyone checks or adjusts visibility.

The default setting also makes the ePA hostile to self-determination: All medical information is generally accessible to treatment facilities. Billing data and medication lists reveal diagnoses even if they have been blocked or not stored – for example, in the case of HIV therapies. This circumvents rights of objection in the case of sexually transmitted infections, mental disorders or abortions, where doctors must point out opt-out options. In order to hide individual entries, users would have to manually hide documents, lists and invoices in the app every time they visit – a time-consuming process that overwhelms many.

The AIDS service is calling for real further development: convenient functions for data self-determination, better handling and tangible advantages. Patients must be involved and informed from the outset, with broad educational campaigns starting immediately. A strong ePA could benefit many if security and ease of use were prioritized.

As a self-help organization, Deutsche Aidshilfe is critically monitoring the development of the ePA. On www.aidshilfe.de/epa, it provides information on functions, opportunities, risks, visibility management as well as data protection and IT security.

_{The articles in the news section are produced by X-Press journalist office}

Gender note. The personal designations used in this text always refer equally to female, male and diverse persons. Double/triple references and gendered designations are avoided in favor of better readability.