
Using AI Despite Professional Secrecy and Confidentiality Obligations

Fabian Artmann | 5 min read

Hospital groups are facing a clear reality today: demand for AI is high due to staff shortages and budget pressure, and so are regulatory requirements. While standard companies can use GDPR-compliant AI tools, professionals bound by professional secrecy in healthcare must meet stricter requirements to use AI in daily clinical operations.

This is not a roadblock; it is an opportunity. Organizations that integrate Section 203 StGB, professional regulations, and GDPR into their AI governance from day one can bring AI into clinical practice safely, productively, and in line with professional obligations.

Section 203 StGB and professional confidentiality in hospitals

While standard companies using non-compliant AI tools mainly violate data protection law, physicians can additionally face criminal liability under Section 203 StGB. This provision criminalizes the unlawful disclosure of private secrets by specific professional groups, including doctors. Under Section 203 (1) StGB, a physician who unlawfully discloses another person’s secret entrusted to them—or otherwise learned in their role as a doctor—may face imprisonment of up to one year or a fine.

This criminal-law obligation is complemented by physicians’ professional codes of conduct. Although these regulations vary by state medical association, they all impose confidentiality obligations (for example, Section 9 of the Professional Code for Physicians in Bavaria). A violation of Section 203 StGB in an AI context is therefore also a violation of professional law.

In practice, this means clinics need a setup that is legally robust and technically controllable. This is exactly where modern enterprise architectures come in—not by avoiding AI, but by defining clear guardrails for its use.

Azure in healthcare: legally secure with a Section 203 StGB supplementary agreement

For many hospital groups, Microsoft Azure is already the established cloud foundation: they often already use Microsoft 365 for email, calendars, files, and Teams. Beyond technical advantages such as scalability, integrability, and operational control, this foundation can also be used to meet Section 203 StGB requirements in AI scenarios.

The key point is that Section 203 requirements must not merely be “considered”—they must be explicitly implemented contractually and organizationally. This includes, in particular, a Section 203 StGB supplementary agreement with Microsoft. Unlike many other cloud providers, Microsoft offers such an agreement. Combined with clear governance, Azure is therefore a fully viable foundation for AI in clinical operations.

Put differently: Section 203 StGB is not an argument against Azure. Section 203 StGB is an argument for a professional Azure implementation.

CompanyGPT in your own Azure tenant: the architecture hospital groups need

CompanyGPT is operated in the hospital group’s own Azure subscription. This keeps control, governance, and operational responsibility exactly where they belong: with the organization itself.

Concretely, this means:

  • Own tenant, own rules: Identities, roles, and access are governed by clinic locations, specialties, and processes.
  • Contractual and technical setup from one source: The Section 203 StGB supplementary agreement also applies to AI usage.
  • Scalability for hospital groups: One central standard, roll-out ready across multiple hospitals and teams.
  • Secure day-to-day productivity: AI use cases are not pushed into shadow IT but integrated into existing workflows in a controlled way.

Hospital groups are already working successfully with this architecture in real-world practice.

Why this is especially important for large hospital groups

With multiple locations, requirements for governance, training, and operations increase significantly. Without a central approach, organizations end up with isolated solutions, inconsistent security levels, and avoidable risks.

CompanyGPT provides a unified framework: shared policies, clear responsibilities, standardized processes—and still enough flexibility for different medical specialties.

This is also economically relevant. As we showed in our comparison with other AI platforms, larger organizations in particular benefit from an architectural approach that is not reduced to rigid per-user models.

AI competency under Article 4 EU AI Act: implementation instead of box-ticking

Legal certainty does not end with contracts and infrastructure. Clinics need teams that can use AI responsibly.

Article 4 of the EU AI Act makes this competency a clear operator obligation. For hospital groups, this means training programs, documented processes, and careful handling of AI outputs must be organizationally embedded.

As we explain in our article on AI competency, this is not bureaucratic overhead but a central success factor for secure AI adoption. To support this, we offer specialized AI training and help clarify when an AI officer is advisable.

Typical use cases in clinical practice

With a properly implemented architecture, hospital groups can use AI where it has the greatest impact:

  • Draft physician and discharge letters faster and in a more structured way
  • Support documentation and findings text with consistent quality
  • Prepare ICD-10/OPS coding and review it more efficiently
  • Enable faster clinical research workflows for teams
  • Standardize internal communication and QM documents

This creates a robust AI operating model that relieves medical teams while meeting compliance requirements.

Conclusion

Section 203 StGB is a real issue for clinics—but not an obstacle to AI. With the right architecture, the requirement is solvable and operationally manageable.

The proven path for hospital groups is clear: CompanyGPT in your own Azure tenant, combined with a Section 203 StGB supplementary agreement with Microsoft and structured AI governance.

If you want to introduce AI strategically, legally securely, and at scale in your hospital group, we support you from legal classification and technical implementation through to team qualification.


Written by

Fabian Artmann

Co-CEO, M.Eng.

Fabian Artmann, M.Eng., is co-founder and Co-CEO of innFactory AI Consulting GmbH. As an industrial engineer, Fabian Artmann combines technical know-how with business understanding and process-oriented thinking. As an AI consultant, he specializes in using the innFactory AI Innovation Cycle to identify inefficiencies in existing workflows, structure change processes, involve employees, and ensure that new AI technologies can be integrated seamlessly into the optimized business processes. Fabian Artmann has broad expertise at the intersections of technology, project management, and business processes. Over the course of his career, Fabian Artmann has implemented digital projects for the BMW Group, IWC Schaffhausen, and MTU Aero Engines.
