Skip to the content
DeutschBecome a member
Become a member

Glossary

Ad hoc authorization (ePA)
These are authorizations that the insured person can grant to a service provider institution (LEI), e.g. their GP, directly on site using their eHC and PIN.

File system
The ePA file system is a product type of the specialized application ePA. It ensures that only authenticated and authorized users interact with the ePA file system. In a document management component, the ePA file system manages the documents for an insured person's file account.

Alternative insured person identity (al.vi)
With the help of an alternative insured person identity, an insured person without an eGK can log in to the ePA file system. Confirmation of identity is requested from the signature service (SGD) after two-factor authentication at the insured person's front end (FdV) and returned to the front end (comparable to a remote signature).

Change of provider
If there is a change of provider, the file provider changes (e.g. a change from BITMARCK to IBM). With ePA level 1.1, the insured person cannot yet have their file moved to the new provider. This will only be possible from 01.01.2022. Until then, the insured person can temporarily store the documents from their previous file locally when changing provider and then transfer them to the new file. The old file will be deleted by the previous provider.

Authentication
Authentication is the verification of identity.

Example: The system checks the accuracy and validity of the signature.

Technical process (ePA): computerized verification of the signature, verification of the validity to date of the certificate against the current date, verification of the certificate status against the OCSP responder of the eHC certificates. Transfer of an authentication token to the front end.

Authentication - one-factor authentication (1FA)
Verification of identity by means of a factor, e.g. the front door key, which gives the owner access to the house.

Authentication - two-factor authentication (2FA)
Verification of identity using two independent factors, e.g. knowledge (PIN) and possession (eGK).

Authentication
Authentication is proof of a unique identity.

Example: An insured person authenticates himself by inserting the eHC and entering the PIN.

Technical process (ePA): For example, challenge / response. The system sends a challenge to the front end when access is requested. The front end uses the AUT certificate of the eHC. By entering the PIN, the private key for the AUT certificate is activated. The private key is then used to sign the challenge and the insured person's certificate. The signed challenge and the signed certificate are transferred to the system as a response.

Authorization
Authorization is the checking/assignment of rights.

Example: The system checks whether the owner of an authentication token is authorized to use the ePA.

Technical process (ePA): The system checks whether an encrypted key package is available for the owner of an authorization token and transfers this to the front end together with an authorization token.

Federal Office for Information Security (BSI)
The Federal Office for Information Security is a higher federal authority within the portfolio of the Federal Ministry of the Interior, Building and Community, based in Bonn, which is responsible for IT security issues.

Federal Office for Social Security (BAS)
On 01.01.2020, the Federal Insurance Office (BVA), which was founded in 1956, was renamed the Federal Social Security Office (BAS).
The BAS is responsible for supervising the statutory health, long-term care, pension and accident insurance providers and institutions whose area of responsibility extends across more than three federal states. The BAS also performs important administrative tasks in the area of social insurance. These tasks include the administration of the health fund, the implementation of risk structure compensation in health insurance, the approval of treatment programs for the chronically ill and the administration of the compensation fund in social long-term care insurance.

Federal Commissioner for Data Protection and Freedom of Information (BfDI)
The BfDI pursues the goal of safeguarding and expanding data protection.

Business Service Manager (BSM)
The BSM is used when a user reports an error via the ePA app and details of the smartphone used are required. For example, the hardware model used can be determined, including the exact software version and current battery capacity.

Captcha
A captcha is used to determine whether a human or a machine (robot program, or bot for short) is involved. As a rule, this is used to check who has made entries in Internet forms, because robots are often misused here. Captchas are therefore used to protect the operator's resources, not the user or their data. In contrast to the classic Turing test, in which people want to clarify the question of whether they are interacting with a human or a machine, captchas are used so that a machine can clarify this question.

Change Request (CR)
Request for a change to certain features of a product.

Data Universal Numbering System (DUNS / D-U-N-S)
The D-U-N-S number is a nine-digit number that can be used to uniquely identify companies based on their location. It is assigned and managed by Dun & Bradstreet (D&B) and is used as a standardized code number in the business sector.

Digital health applications (DiGA)
Digital products that are designed, for example, to detect or alleviate illnesses or assist with diagnosis. You can find detailed information on DiGA under Digital Health Applications.

Digital Health Applications Ordinance (DiGAV)
Medical prescription required for the prescription of a DiGA.

Document management
The ePA document management component of the ePA file system is used for the secure storage and retrieval of the insured person's documents from their personal file by authorized users. These are the insured person themselves or their designated representatives as well as service provider institutions.

Electronic health card (eGK)

Electronic IDentification, Authentication and trust Services (eIDAS)
The eIDAS Regulation contains binding Europe-wide regulations in the areas of "electronic identification" and "electronic trust services".

Electronic patient file (ePA)
From 01.01.2021, people with statutory health insurance can - on a voluntary basis - manage their health-related documents securely throughout their lives with an electronic patient file (ePA) from their health insurance provider. The information contained therein will be available to them and to service providers - provided the insured person has previously authorized the respective service provider institutions to do so.
When the Appointment Service and Care Act (TSVG) comes into force, statutory health insurance providers will be obliged to offer their policyholders an electronic patient file (ePA) approved by the Gesellschaft für Telematik mbH (gematik) from 01.01.2021 at the latest.
Furthermore, those with statutory health insurance also have a legal right to use their EPR; all service providers are obliged to provide their patients with the data collected about them in their EPR if the patient so wishes. This will significantly strengthen the rights and participation options of the insured person. The ePA is an insured person-managed file.

Electronic medication plan (eMP)
Information on drug treatment can be voluntarily stored on the eHC as an electronic medication plan.

Electronic ID card (nPA)
ID card with online ID function.

ePA - Insured person helpdesk (ePA-VHD)
The insured person helpdesk is the first point of contact for the insured person for all questions relating to the ePA. The ePA-VHD is provided to the insured person by the relevant health insurance fund or a service provider commissioned by it.

ePA file system
The ePA file system is a product type of the specialized ePA application. It ensures that only authenticated and authorized users interact with the ePA file system. In a document management component, the ePA file system manages the documents for an insured person's file account.

ePA module front end of the insured person (FdV module)
The ePA module front end of the insured person is integrated as a component in the front end of the insured person and executes the decentralized specialist logic of the specialist application ePA. It enables the insured person to use the ePA file system.

Specialist application-specific service (FAD)
A specialist application-specific service is a system that is connected to the TI platform and acts as a provider in the context of specialist use cases. The specialized application-specific service uses infrastructure and network services of the TI platform. Specialist application-specific services represent the integration layer for backend systems and existing networks (Existing Application Zone).

Front end of the insured person (FdV)
The ePA front end of the insured person refers to a client on a mobile device of an insured person, for example a smartphone, with which the insured person accesses the electronic patient file.

Graphical User Interface (GUI)
Graphical user interface

Health care provider (HCPO)
Health care provider institution

Healthcare professional card (HBA)
The healthcare professional card is a personal ID card for people who practise a healthcare profession, such as doctors or pharmacists. This ID card has the format of a check card and is equipped with a photograph and a microprocessor chip. The HBA enables authentication to the telematics infrastructure (TI), encryption and also contains a qualified electronic signature (QES) of the doctor or pharmacist. The HBA can be used to access patient data on the eHC, provided the patient has authorized it. The electronic ID card makes additional applications, such as electronic prescriptions, possible in the first place. The card is usually issued by the relevant chamber, e.g. the state chamber of physicians or the state chamber of pharmacists.

Identity Access Management (IAM)
The introduction of Identity and Access Management (IAM) provides a solid basis for the health insurance company's online products / applications for secure identification and authentication of the insured person. If necessary, additional authentication factors are used depending on the data to be displayed and their level of protection. The insured persons are maintained as online users at a central location and can be integrated into existing applications using standard procedures such as OAuth2 (Open Authorization) / OpenID Connect for single sign-on. This fulfills the requirements of § 217f SGB V as well as gematik in the context of ePA. For the standard authentication procedures, the OpenID Connect standard is preferable to pure OAuth2, as the respective processes are described more precisely here and thus problems with integration are avoided.
The ePA IAM offers flexible options for using initial registration modules in order to identify the insured person correctly.

Identity provider (IDP)
Provider of a digital identity.

Integrated Circuit Card Serial Number (ICCSN)
Unique identification number of an eHC. The ICCSN contains the industry code, the country code, the card issuer key and a consecutive number. The ICCSN of an eHC is generated automatically by the card application management system. It is stored on the chip of the eHC and is usually printed on the back of the card.

Integrating the Healthcare Enterprise (IHE)
Initiative of users and manufacturers with the aim of standardizing and harmonizing the exchange of data between IT systems in the healthcare sector.

Communication in Medicine (KIM)
KIM ensures the secure exchange of sensitive information such as findings, notifications, invoices or X-ray images via the telematics infrastructure.

Account management system (KVS)
File management that enables certain use cases, such as documentation and queries of activities including status on the basis of an insured person.

Cost bearer (KTR)
In the context of the ePA: carrier of the costs of an insured person's ePA.

Change of health insurance company
When changing health insurance provider, from 01.01.2022 the insured person can export the data from their electronic health record and take it with them to the new provider. Unfortunately, this function is not yet available in 2021, as the standards for the transfer are not yet available.

Health insurance number (KVNR)
With the introduction of the eGK, the KVNR previously defined for each individual health insurance fund became a KVNR valid for all health insurance funds. In future, an insured person will keep this number for the rest of their life. The basis for the KVNR is the pension insurance number (RVNR). The RVNR is issued by the "Datenstelle der Deutschen Rentenversicherung" (DSRV). The KVNR (nationally standardized health insurance number range) is assigned by the "Vertrauensstelle Krankenversichertennummer" (ITSG). The procedure for assigning a KVNR is controlled by the health insurance fund. The insured person only provides the necessary data.

Service provider (LE)
A service provider belongs to a group of persons entitled to access in accordance with Section 291a (4) SGB V and provides healthcare services for insured persons. In the German healthcare system, service providers are all persons and organizations that provide services for those insured by the health insurance funds. All service providers must have an institution identifier (IK). This IK is a prerequisite for billing the health insurance companies for the services provided. Service providers include doctors and physiotherapists, for example.

Service provider institution (LEI)
The service providers grouped together in organizational units or legal entities (e.g. medical practices, hospitals).

Medical information object (MIO)
MIO is a clearly defined standard for how a specific collection of information (e.g. vaccination record) is stored in the ePA, ensuring basic semantic and syntactic interoperability.

Minimum Viable Product (MVP)
MVP is the first minimum viable version of a product or software.

Near Field Communication (NFC)
Contactless interface

Emergency data management (NFDM)
Information on diagnoses, medication, allergies or an existing pregnancy can be retrieved directly from the eHC.

Online branch office (OGS)
Insured persons can deal with their health insurance company online in a password-protected area directly and conveniently from home or on the move, e.g. request certificates or submit applications. You can find information about your online office on our Online Office page.

Open Authorization 2.0 (OAuth2)
The abbreviation OAuth stands for Open Authorization and is an open protocol that enables secure authorization of web services or mobile applications without having to disclose passwords to third-party providers. The protocol uses token-based authorization and authentication. The process for obtaining a token is called Flow. The Open Authorization Framework 2.0 was adopted in 2012 in RFC 6749.

In short: OAuth 2.0 is the authorization protocol. It therefore answers the question "What am I allowed to do?" as a user and deals with the authorizations of a user.

OpenID Connect (OIDC)
OpenID is based on a decentralized concept and uses URL-based identities (IDs) to log in to web services. With the help of these identities, it is possible to log in to several services without re-entering the user name and password. The concept thus supports single sign-on. In 2014, the OpenID Foundation adopted a completely revised version of the protocol called OpenID Connect. The new version uses the OAuth 2.0 framework to provide better support for mobile applications and greater interoperability. The aim of the new protocol is to create wider acceptance and more options for single sign-on procedures in the network.

In short: OpenID Connect handles authentication and asks the question "Who am I?". The protocol uses ID tokens to map the identity of the user. OpenID Connect is therefore the extension of OAuth 2.0 to include authentication aspects.

Output Management System (OMS)

Patient Data Protection Act (PDSG)
The Patient Data Protection Act makes digital services such as the electronic patient file usable and at the same time protects sensitive health data in the best possible way.

Personal identification number (PIN)
Access to application data on an eHC and personal keys is activated by entering personal identification numbers (PINs). PINs are core components of every eHC. They have a length of 6-8 digits. They are intended exclusively for the cardholder and may only be known to the cardholder to ensure data confidentiality.

Public Key Infrastructure (PKI)
A PKI is a system that makes it possible to issue, distribute and check certificates for public keys. The certificates are used to clearly assign the public keys, which are provided in generally accessible directories, to their owners.

RISE (Research Industrial Systems Engineering)
RISE is an IT service provider.

Key generation service type 1 (SGD1)

Key generation service type 2 (SGD2)

Secure Module Card (SMC)
The Secure Module Card (SMC) is an institution-related electronic ID card with which service provider institutions, e.g. doctors' surgeries or hospitals, identify themselves to the telematics infrastructure (TI). This ID card is required to access the data on the eHC, provided the patient has authorized it. It has the format of a SIM card (identical to a cell phone card) and is equipped with a microprocessor chip. It is issued by specified bodies, e.g. the Associations of Statutory Health Insurance Physicians (KV) for doctors' practices or the German Hospital Association (DKG) for hospitals. These organizations ensure that the SMC is only issued to authorized institutions. A distinction is made between the SMC-A and the SMC-B card. The SMC-A card contains the keys to access the eGK. It is inserted in the card terminal. The SMC-B card contains all the functions of the SMC-A card and is also used to identify the institution to the telematics infrastructure (TI). It can be inserted in the connector or in a card terminal that can be used by the connector.

Secure transmission procedure (SEV)

Secure central access point to the TI (SZZP)

Security certificate (SIGU)

Signature service (SigD)

Single Sign On (SSO)

Software Development Kit (SDK)

Stack trace
A stack trace is a report that provides information about program subroutines. It is often used for certain types of debugging where a stack trace can help software engineers to find out where a problem lies or how different subroutines work together during execution.

TAGS
This term is used in computer science to mark or label certain values.

Telematics infrastructure (TI)
The "data highway" of the healthcare system. Enables fast and secure communication between doctors, hospitals, etc.

Trust Service Provider (TSP)

Universally Unique Identifier (UUID)
The Universally Unique Identifier, or UUID for short, is a standard for identification numbers. A unique ID can help whenever information needs to be clearly distinguished. In the context of the ePA, the UserId is a UUID and is generated anew for each app session.

Trusted execution environment (VAU)

Directory service (VZD)
The VZD is a central service of the TI platform. It contains the storage of all entries of service providers and institutions with all defined attributes that are to be included in the directory and the specialist data through specialist application-specific services. Clients and specialist application-specific services can use a search query to retrieve basic and specialist data (e.g. X.509 certificates). Furthermore, entries in the directory can be changed, added and deleted by authorized specialist application-specific services.