Companies that process personal data must comply with privacy requirements and obtain the consent of their users. The same applies to the electronic health record (EHR), which plays a pivotal role in digital healthcare delivery. To accelerate its adoption in Germany, handling for users needs to be simplified. The current discussion is to introduce it automatically for all insured persons in the same way as elsewhere in Europe and to implement a facility to object based on the opt-out procedure. But what does the term opt-out mean? And what have (double) opt-in procedures and permission marketing had to do with it? In this blog post, we shed light on the topic.
When health insurers mention opt-out and opt-in in connection with the electronic health record (EHR), they refer to approaches originating from permission marketing.
Permission marketing is a form of direct marketing that streamlines the management of rights associated with the delivery of advertising or information. That's because potential recipients explicitly grant their permission. They can do so differently: via (double) opt-in and opt-out.
The two methods of permission marketing: opt-in and opt-out
Opt-in – the consent procedure
The opt-in procedure generally involves asking interested parties via a form whether they consent to receive advertising or information in the form of a newsletter. If they do, they must explicitly consent to use their data, for instance, by providing their email address.
Since email addresses are classified as personal data, declarations regarding data processing, storage and sharing and the objection to same must be visible to users. In addition to consenting to the receipt of a newsletter, another opt-in function will probably be familiar to everyone: consenting to the cookies on a website.
Incidentally, regarding the opt-in procedure, a distinction is made between the simple opt-in procedure, or single opt-in, described above and the double opt-in. How do they differ?
Single opt-in and double opt-in procedures
Since the single opt-in simply requires the provision of an email address to confirm consent, the procedure is more susceptible to errors and misuse. Ultimately, there is nothing to prevent the email addresses of people or organisations that have no interest in the delivered content from being added to the mailing list. This is also why the single opt-in does not offer legal certainty.
The double opt-in procedure is required to prevent these types of fake registrations. This also ensures compliance with the General Data Protection Regulation (GDPR) requirements. Like the single opt-in, potential contacts use the double opt-in to consent to receive information and advertising with the help of a form. Unlike the single opt-in, they are not automatically added to the mailing list and will not receive the requested newsletter, for example.
That's because the double opt-in incorporates another intermediate step: the interested parties receive an email containing a confirmation link in their inbox. This is used to verify that the customer has access to the email address and that they requested delivery of the information or advertising. Consent is only issued after the customer clicks on the confirmation link. If the confirmation link is not activated, no advertising or information media can be sent to the email address.
The double opt-in procedure has several advantages. On the one hand, it stops companies from adding inactive members and involuntary addressees to their mailing lists. On the other hand, double opt-in is required following Articles 7 and 8 of the GDPR. Since it involves two checks to verify that the customer consented to the email marketing, this procedure satisfies privacy and data protection requirements. It guarantees that nobody receives advertising against their wishes and protects personal data against misuse.
The opposite of the opt-in procedure is the opt-out consent procedure, for which various technical possibilities can be used. Opt-out can be used to facilitate the right to object and the right to withdraw.
In some cases, consent to the receipt of advertising or information is assumed in the absence of any active objection. Other widely used opt-out applications include a link – usually appearing at the end of a newsletter and allowing users to withdraw their consent to receive the newsletter. A scenario where users must remove a previously set checkmark to object to using their data qualifies as an opt-out procedure.
Opt-out procedures for EHR
The opt-out procedure is also a more practical approach in relation to the EHR. After all, if the insured party is required to consent using an opt-in every time the electronic health record is accessed, the workload for the stakeholders involved would be excessive. Therefore, it would make sense to follow the example of other European countries, such as Austria – where the EHR has a user acceptance rate of around 97 per cent. When designing the EHR, these countries adhere to the approach of enabling its creation, completion and use as a matter of course without seeking the consent of every insured person. However, they are given the option of using an opt-out procedure to object to the creation of the EHR and its completion in all cases. This makes handling much more efficient and, last but not least, much more attractive to patients.