No. BP-AT-005 · Scale 1 : 1 · Date 2026-05-25 · Rev. A
Werkstatt 4notify · Healthcare · Released
Blueprint BP-AT-005 of BP-AT-008 · Healthcare
SMS · Email

ELGA patient communication with opt-out and medical confidentiality

e-Medication, e-Findings and patient notifications under strict confidentiality rules

§ A The problem

Practices, hospitals and pharmacies send reminders daily — and too often sloppily. An SMS saying "Your thyroid cancer suspicion finding is available" breaches several norms at once: medical confidentiality (§ 54 ÄrzteG), the ELGA Act (opt-out right not respected — the patient may not want to be informed in detail), and GDPR (disproportionate data disclosure). Correct practice: a neutral notification ("A finding is ready. Please contact the practice.") plus a secure login path for the details.

§ B Main view

ELGA — the Electronic Health Record — has been live in Austria since 2015 and centrally covers e-Medication, e-Findings and, since 2024, expanded modules like the e-vaccination card. Access to one's own health data is provided via the ELGA portal (elga.gv.at) with ID Austria. The ELGA Act (GTelG 2012) mandates an opt-out scheme — patients are enrolled by default but can register partial or full objections at any time. For notifications around health events (appointments, findings available, vaccinations due) the rule is: minimal data exposure via SMS/email, no medical content in cleartext, and a strict audit trail bound to the ELGA person ID.

§ C Parts list

| Channel | Primary provider | Fallback |
|---|---|---|
| Patient SMS (neutral) | BP-AT-002 SMS routing | Email with login link |
| Login link with ID Austria | OAuth2 → BRZ BKU | Direct login at the practice |
| Audit log with ELGA reference | Postgres + hashed ELGA person ID | S3 EU-Central WORM |
| Objection check before sending | ELGA objection register API | Local cache with 4 h refresh |

§ D Tolerances
  • Patient name pseudonymisation: 100% (initials + birth year max.)
  • Objection status freshness: ≤ 4 hours
  • Audit retention: 30 years (patient record)
  • SMS character cap: 160 GSM-7 (no Unicode)
  • Objection response time: ≤ 30 days (GDPR)

§ E Normative references
GTelG 2012 (Gesundheitstelematikgesetz)

Legal basis for ELGA. Patients can object at any time (partially or fully). Data processors must check the objection status before every processing operation.

§ 54 ÄrzteG (Ärztegesetz) — medical confidentiality

Doctors are bound by professionally enshrined confidentiality. This applies to electronic channels too — diagnostic content does not belong in unencrypted SMS or emails.

GDPR Art. 9 (special categories of data)

Health data are a special category. Processing requires explicit consent or a clear legal basis (treatment contract, vital interest) — marketing use is effectively excluded.

ELGA confidentiality tiers

Findings are categorised in confidentiality tiers (special confidentiality, normal, restricted access). Notifications must respect the tier — for "special confidentiality" external notification is dropped entirely.

§ F Build steps

Check objection status before every send

Before a notification goes out, 4notify queries the ELGA objection register with the ELGA person ID. On full objection the send is suppressed; on partial objection (by area: e-medication / e-findings / e-vaccination), the send is suppressed only when it falls into the objected area.

Neutralise content, link to ID Austria login

The SMS or email mentions only the action type (finding available, prescription ready, appointment on 28.05.) without diagnostic content. The link goes to the secure patient portal with ID Austria login; medical details are shown only after successful sign-in.

Pseudonymisation in audit logs

Patient names are never stored in cleartext in audit logs. Instead, the ELGA person ID is hashed (BLAKE2b with a salt held in KMS) and the last 8 hex characters of the digest serve as the display token. For audit requests the mapping can be restored via a separately stored, KMS-encrypted lookup.

Respect the confidentiality tier

Findings tagged "special confidentiality" (e.g. psychiatric diagnoses, HIV tests, genetic tests) are never signalled externally — the information stays inside the ELGA portal and the patient sees it on next sign-in. This rule cannot be disabled in the notification routing.

§ G Test procedure

(1) Set up a test patient with full objection in the ELGA sandbox — attempting to send an SMS must be rejected with `objection_full`, without the patient number appearing in cleartext in the log.
(2) Test patient with partial objection on "e-medication" — appointment SMS must go through (the e-appointment area is not objected), prescription SMS must be rejected.
(3) Create a finding with the "special confidentiality" tag — no send, audit log row `tier_block`.
(4) Inspect the content of a regular SMS: no patient first name, no diagnosis, only a sign-in prompt.
(5) The audit-log entry contains only the pseudonymised token, no cleartext name.
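
The pre-send checks from § F, with the cases from § G as inputs, as an added Python example (not 4notify's code). The event-to-area mapping, the tier value `special`, the reason codes `objection_area`, `objection_stale` and `unknown_event`, the shape of the objection record and the salt value are assumptions; `objection_full` and `tier_block` are the codes named on this page.

```python
import hashlib

SALT = b"constructed-salt"   # constructed 16-byte value; the real salt is held in KMS
MAX_STATUS_AGE_S = 4 * 3600  # objection status freshness: at most 4 hours
# Assumed mapping of event types to ELGA objection areas (None = no ELGA area).
AREA_OF = {
    "finding_available": "e-findings",
    "prescription_ready": "e-medication",
    "vaccination_due": "e-vaccination",
    "appointment_reminder": None,
}

def audit_token(elga_person_id: str) -> str:
    """Salted BLAKE2b of the person ID; the last 8 hex chars are the display token."""
    return hashlib.blake2b(elga_person_id.encode(), salt=SALT).hexdigest()[-8:]

def gate(event: dict, objection: dict, now: float) -> dict:
    """Decide on one notification and return the audit row (never the raw ID)."""
    row = {"token": audit_token(event["elga_person_id"]),
           "event_type": event["event_type"]}
    if event["event_type"] not in AREA_OF:
        row["decision"] = "unknown_event"    # fail closed on unmapped event types
    elif event["confidentiality_tier"] == "special":
        row["decision"] = "tier_block"       # decided before any objection lookup
    elif now - objection["checked_at"] > MAX_STATUS_AGE_S:
        row["decision"] = "objection_stale"  # cached register answer too old
    elif objection["full"]:
        row["decision"] = "objection_full"
    elif AREA_OF[event["event_type"]] in objection["areas"]:
        row["decision"] = "objection_area"   # partial objection covers this area
    else:
        row["decision"] = "send"
    return row

if __name__ == "__main__":
    now = 1_800_000_000.0  # constructed clock value
    partial = {"full": False, "areas": {"e-medication"}, "checked_at": now - 600}
    for etype in ("appointment_reminder", "prescription_ready"):
        event = {"elga_person_id": "TEST-PATIENT-0001", "event_type": etype,
                 "confidentiality_tier": "normal"}
        print(gate(event, partial, now))
```

An 8-hex-character token is 32 bits, so it works as a display aid and not as a unique key across a large patient base.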

§ H Code

```bash
# Send a neutral "finding available" notification; API_KEY must be set in the environment.
curl -X POST https://api.4notify.net/v1/health/notify \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "elga_person_id_hashed": "blake2b:f1a4c9e3b8d2…",
    "event_type": "finding_available",
    "confidentiality_tier": "normal",
    "channel": "sms",
    "recipient": "+436641234567",
    "portal_login_url": "https://praxis-wien.at/portal",
    "objection_check": true,
    "audit_purpose": "elga_finding_notification"
  }'
```

§ I Sample message
SMS

Dr. Huber's practice: a finding is ready. Please review via praxis-huber.at/portal with ID Austria. Phone +43 1 587 44 10.
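
An added example (not part of 4notify) that lints an SMS template against the § D cap of 160 GSM-7 characters and accepts only approved placeholders, so a name or diagnosis field cannot be interpolated. The placeholder names and the finding strings are assumptions; the fixed wording of a template still needs the DPO review listed in the commissioning checklist.

```python
from string import Formatter

# GSM 03.38 default alphabet; extension characters cost two septets each.
GSM7_BASIC = set(
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
GSM7_EXT = set("^{}\\[~]|€\f")
# Hypothetical placeholder names; none of them carries a name or a diagnosis.
ALLOWED_FIELDS = {"practice", "portal", "phone", "date", "time"}

def lint_template(template: str, sample: dict, cap: int = 160) -> list:
    """Return findings for one template; an empty list means it passes."""
    fields = {f for _, f, _, _ in Formatter().parse(template) if f is not None}
    findings = [f"field_not_allowed:{f}" for f in sorted(fields - ALLOWED_FIELDS)]
    if findings:
        return findings  # never render a template with unapproved fields
    text = template.format(**sample)
    bad = sorted({c for c in text if c not in GSM7_BASIC | GSM7_EXT})
    if bad:
        findings.append("non_gsm7:" + "".join(bad))  # would force UCS-2 encoding
    septets = sum(2 if c in GSM7_EXT else 1 for c in text)
    if septets > cap:
        findings.append(f"too_long:{septets}")
    return findings

# Constructed sample values, taken from the sample message above.
SAMPLE = {"practice": "Dr. Huber's practice", "portal": "praxis-huber.at/portal",
          "phone": "+43 1 587 44 10", "date": "28.05.", "time": "14:30"}

if __name__ == "__main__":
    ok = ("{practice}: a finding is ready. Please review via {portal} "
          "with ID Austria. Phone {phone}.")
    print(lint_template(ok, SAMPLE))
    print(lint_template("{practice}: {first_name}, your {diagnosis} finding is ready.", SAMPLE))
    print(lint_template("{practice}: a finding is ready \u2013 please sign in.", SAMPLE))
```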

§ J Commissioning checklist
  • ELGA objection-register API integrated, cache refresh ≤ 4 h
  • SMS/email templates contain no diagnostic content (reviewed with DPO)
  • Login link leads to ID Austria authentication, no magic-link bypass
  • Pseudonymisation of person ID (BLAKE2b with KMS salt) in audit logs
  • Confidentiality-tier block hard-wired (cannot be disabled via config)
  • Audit log retention: 30 years (patient record per ÄrzteG)
What 4notify does differently

Instead of best-effort pseudonymisation, 4notify hard-codes the confidentiality tier into notification routing as a non-bypassable check — an HIV-finding notification is blocked by the system, even if the operator triggers it by mistake.

§ K FAQ
Am I even allowed to send an appointment reminder as SMS?

Yes, provided the patient has agreed (the treatment contract usually covers this) and the content stays neutral. "Reminder of your appointment on 28.05. at 14:30, Dr. Huber's practice" is fine — "Reminder of your spine MRI on 28.05." is not, because it reveals the diagnostic region.

What about pharmacy reminders for medication pickup?

Stay neutral here too: "Your prescription is ready for pickup. Apotheke Mariahilf, Mariahilfer Straße 88, 1070 Vienna." Omit the active ingredient/brand name. The patient already knows the prescription content; the SMS may land on a shared family phone.

How do we prove the patient's consent?

Through the consent ledger from BP-AT-001 — it stores the consent with hashed ELGA person ID, purpose (e.g. `appointment_reminder`), channel (`sms`) and the exact wording template. On a DPA complaint the full history can be reconstructed.
