Practices and Attitudes of Bavarian Stakeholders Regarding the Secondary Use of Health Data for Research Purposes During the COVID-19 Pandemic: Qualitative Interview Study

Background The COVID-19 pandemic is a threat to global health and requires collaborative health research efforts across organizations and countries to address it. Although routinely collected digital health data are a valuable source of information for researchers, benefiting from these data requires accessing and sharing the data. Health care organizations focusing on individual risk minimization threaten to undermine COVID-19 research efforts, and it has been argued that there is an ethical obligation to use the European Union’s General Data Protection Regulation (GDPR) scientific research exemption during the COVID-19 pandemic to support collaborative health research. Objective This study aims to explore the practices and attitudes of stakeholders in the German federal state of Bavaria regarding the secondary use of health data for research purposes during the COVID-19 pandemic, with a specific focus on the GDPR scientific research exemption. Methods Individual semistructured qualitative interviews were conducted between December 2020 and January 2021 with a purposive sample of 17 stakeholders from 3 different groups in Bavaria: researchers involved in COVID-19 research (n=5, 29%), data protection officers (n=6, 35%), and research ethics committee representatives (n=6, 35%). The transcripts were analyzed using conventional content analysis. Results Participants identified systemic challenges in conducting collaborative secondary-use health data research in Bavaria; secondary health data research generally only happens when patient consent has been obtained, or the data have been fully anonymized. The GDPR research exemption has not played a significant role during the pandemic and is currently seldom and restrictively used. Participants identified 3 key groups of barriers that led to difficulties: the wider ecosystem at many Bavarian health care organizations, legal uncertainty that leads to risk-adverse approaches, and ethical positions that patient consent ought to be obtained whenever possible to respect patient autonomy. To improve health data research in Bavaria and across Germany, participants wanted greater legal certainty regarding the use of pseudonymized data for research purposes without the patient’s consent. Conclusions The current balance between enabling the positive goals of health data research and avoiding associated data protection risks is heavily skewed toward avoiding risks; so much so that it makes reaching the goals of health data research extremely difficult. This is important, as it is widely recognized that there is an ethical imperative to use health data to improve care. The current approach also creates a problematic conflict with the ambitions of Germany, and the federal state of Bavaria, to be a leader in artificial intelligence. A recent development in the field of German public administration known as norm screening (Normenscreening) could potentially provide a systematic approach to minimize legal barriers. This approach would likely be beneficial to other countries.


Introduction Background
The COVID-19 pandemic is a threat to global health and requires collaborative health research efforts across organizations and countries to address it. However, lack of integrated, comprehensive, and accessible patient-level data has been identified as a key barrier to COVID-19 research across the globe [1].
A valuable source of information for researchers is the large amount of digital health data collected by health care organizations through electronic health records. Indeed, health care systems worldwide are increasingly using this routinely collected digital health data for biomedical research, enabling large-scale and multidimensional aggregation and analysis of heterogeneous data sources [2]. The increase of such digital data has also created significant opportunities for artificial intelligence (AI) in health care [3]. With the ability to learn from large sets of clinical data, health care AI applications have the potential to support a wide range of activities [4][5][6][7][8][9][10][11], and public and private sector investment in the field continues to grow [12][13][14]. If data-intensive medicine is able to realize the continuous improvement of health care quality and thereby reduce patient harm, increase health, empower patient decision-making, and improve equity, it would fulfill the core ethical principles of health care [15,16].
However, benefiting from digital health data requires the ability to access and share the data. Single-center databases are also somewhat limited and sharing data across institutions and countries has various potential advantages, including allowing cross-validation of models across institutions to determine which findings are institution specific and which are generalizable and for knowledge discovery to be accelerated [17]. Efforts to create and link databases for secondary-use research, however, can be undermined by concerns about data protection; concerns that are only likely to intensify available data for research become higher resolution and more diverse (eg, medical images and physiological waveforms) [18].
Patients have legitimate interests in controlling access to and use of their health data, and their consent is often required for the use of their personal data if it was not collected for specific research purposes [18]. However, requiring consent for pseudonymized data to be used in secondary-use research cannot only lead to significant administrative and financial hurdles that delay or even impede important research but can also create major selection biases that undermine data representativeness [19]. Although fully anonymized data typically fall outside data protection laws around the world and can thus be freely used and shared, full anonymization is increasingly difficult to achieve given the use of models that can correctly reidentify people in anonymized data sets [20]. Furthermore, irreversible anonymization involves removing essential information required for most large collaborative research projects [21].
The European Union's (EU) General Data Protection Regulation (GDPR) is a key legal framework for the use and exchange of European digital health data for research purposes [18]. The GDPR entered into force in May 2016 but was only applied from May 25, 2018. Although early drafts of the GDPR raised concerns that the regulation may severely restrict data research [22], the final text adopted a more research-friendly approach, and it was thought that the GDPR would have little negative impact on data research overall [23]. However, concerns remain that the GDPR has made many organizations very risk-averse in terms of data sharing, even if the regulation permits such sharing; for example, via scientific research exemption [1]. When health care organizations are overly concerned with individual risk minimization, it threatens to undermine COVID-19 research efforts. It has been argued that there is an ethical obligation to use the GDPR scientific research exemption, particularly during a crisis such as the COVID-19 pandemic, to support collaborative health research [1].
However, the integration of clinical care and clinical research as part of a learning health care system can often conflict with the current regulatory system and raise a number of important ethical, legal, and social implications [24]. The need for more work on determining when patient notification and consent are required has been particularly highlighted, and investigating the views of patients and other stakeholders has been identified as essential to this work [25,26]. Previous international empirical research with patients regarding the secondary use of their data has found widespread support for such activities and willingness to share their data; however, it has also highlighted variations in patient's wishes regarding notification and consent [27][28][29][30][31][32][33][34][35][36][37][38]. Previous research with other stakeholders is rather limited. However, a systematic review found that although researchers and health care professionals were generally supportive of data sharing, they raised concerns about access to data, data storage infrastructure, and consent [39]. Research with other stakeholders has highlighted the challenge of balancing the benefits and risks of secondary research [40][41][42].
Although Germany is known for its strict approach to data protection, it is currently attempting to make health data more useful and meaningful, such as through the Medical Informatics Initiative [43]. During the COVID-19 pandemic, there have also been large research corporations, such as the National University Medicine Research Network. On April 15, 2020, a nationwide standardized template document for patient consent was approved, enabling researchers across Germany to obtain broad consent for the use of pseudonymized health data in accordance with the GDPR. Germany has also taken a number of regulatory efforts to support digital health care. In 2019, it enacted a new Digital Healthcare Act in 2019, which allows digital health applications to be prescribed and reimbursed under statutory health insurance [44,45]. In 2020, the Patient Data Protection Act was passed, and a step-by-step plan to implement electronic health records and complementary applications such as electronic prescriptions was announced [46]. Despite these efforts, however, the successful implementation of such digital health applications has experienced significant delays and is yet to be achieved [47,48]. Nevertheless, Germany, and the federal state of Bavaria in particular, has also set the goal of becoming a leading hot spot and innovation location for AI [49]. Although recent research involving German patients indicates that abolishing consent for secondary research use of clinical data will likely be acceptable to a large majority of patients [28,29], we are not aware of empirical research with other stakeholders such as researchers, data protection officers, and research ethics committee members, regarding their views and use of the GDPR scientific research exemption for secondary-use health data research either during or before the pandemic.

Objectives
The first German COVID-19 case appeared in Bavaria in January 2020, and Bavaria was one of the most affected states in Germany during the pandemic. In August 2020, the Bavarian State Ministry of Science and the Arts funded the Technical University of Munich's Faculty of Medicine for COVID-19 research projects. As a part of this program, this project aimed to explore the practices and attitudes of Bavarian stakeholders regarding the secondary use of health data for research purposes in a time of particular need for fast, data-rich research, namely during the COVID-19 pandemic. It was particularly interested in exploring stakeholders' views and use of the GDPR scientific research exemption for secondary-use health data research, either during or before the pandemic. Such research, even when performed at the local and regional levels to assess attitudes within a specific legal, cultural, and national context, can illuminate and inform the wider challenge of balancing the goals of furthering health research and improving public health with the goal of responsible data use, a challenge that is relevant across the globe.

Methods
The methods of the study are presented in accordance with the COREQ (Consolidated Criteria for Reporting Qualitative Research) [50].

Relationship With Participants
No relationship was established between the interviewer and participants before the study, and the participants received limited information about the interviewer. There was no hierarchical relationship between the interviewers and study participants.

Theoretical Framework
The theoretical framework used in this study was conventional content analysis [66].

Participant Selection
Stakeholders were primarily selected through purposive sampling [67] to ensure that the participants involved in COVID-19 data sharing for scientific research were from different backgrounds. Additional participants were identified using snowball sampling [68]. Participants were contacted by email and provided with information about the study design and aims and rights as participants. Suitable dates for an interview were found for those willing to participate. Verbal consent was obtained from all participants directly before the interview and audio recorded. A total of 17 Bavarian stakeholders agreed to participate in the study and were recruited from 3 groups: researchers involved in COVID-19 research (n=5, 29%), data protection representatives (n=6, 35%), and research ethics committee representatives (n=6, 35%). A total of 6 people who were contacted did not respond to emails.

Setting
The interviews were conducted between December 2020 and January 2021. All interviews were conducted via a telephone or video call in German. Only the participant and researcher were present during the interview. Overall, 71% (12/17) of the stakeholders were male, and 29% (5/17) were female.

Data Collection
A researcher-developed semistructured interview guide was developed for each group to guide the discussions (Multimedia Appendix 1). On the basis of the first 2 interviews that did not show any problems, it was decided that no further piloting or adaptation of the interview guides was necessary. No repeat interviews were conducted. Interviews were audio recorded, and no field notes were taken. The interviews lasted an average of 32 minutes (range 20-41 minutes). The interviews were transcribed in full, checked for accuracy, and subsequently pseudonymized. After 17 interviews, a question about data saturation arose, and it was concluded that saturation was reached in the content and attitudes expressed by the participants [69]. The transcripts of the interviews were returned to all participants with an invitation to review the transcription and send any corrections or clarifications; a total of 6 responses were received with minor corrections to syntax.

Analysis and Findings
Using the interview transcriptions in their original language, JL and SM performed conventional content analysis with the assistance of the qualitative software MAXQDA (version 11; VERBI Software). The analysis commenced after the interviews were completed. Initial themes identified that were common across participants, as well as those unique to individuals, were labeled using a process of open coding. The findings are presented as higher and lower level categories. The other investigators (SR, AF, DH, and AB) reviewed the initial analysis to clarify and refine codes, and conversations among the investigators continued until coding differences were resolved and consensus was achieved. Selected quotes have been translated into English by the researchers using back translation.

Ethics Approval
This study received a waiver from the Technical University of Munich's Research Ethics Committee.

Current Practices
Participants identified systemic challenges in conducting collaborative secondary-use health data research in Bavaria, particularly research that involves sharing health data outside the institution it was collected. These were reported to be preexisting challenges that were independent of the COVID-19 pandemic but were often brought into sharp focus during the pandemic.
Participants described strict handling of patient data in Bavaria, which led to collaborative secondary health data research being conducted primarily only when patient consent (individual or broad) had been obtained, or the data had been fully anonymized. Although patient data could be used within the hospital where it was collected for research or educational purposes without consent, it was reported that sharing pseudonymized data for research purposes outside the hospital where it was collected was generally not possible under Bavarian law without consent. Participants reported that this could make the use of Bavarian patient data in multicenter studies highly bureaucratic and time consuming. Although many participants thought it was important that the GDPR research exemption existed, they reported that it is currently used seldom and very restrictively: Participants reported that the strict handling of patient data in Bavaria continued during the COVID-19 pandemic, although COVID-19 project applications were assessed more urgently than other research applications. COVID-19 projects were primarily conducted based on patient consent or anonymization, and participants felt that the GDPR research exemption did not play a significant role during the pandemic. Nevertheless, some research ethics committee representatives reported instances during the pandemic where their committees had allowed the use of pseudonymized data for research purposes without patient consent, as they wanted to allow valuable research to be conducted; however, they saw themselves at risk of breaking the law: It [the GDPR research exemption] played practically no role for us. It did not have to be forced, because as an ethics committee we made it possible from the outset to work with the data. The patients who were COVID positive and able to give consent were, as far as I know, very willing to agree to this, and those who were not able to give consent because they were too ill, we as an ethics committee stuck our necks out so that their data and samples could also be used. [P10, ethics committee] For many participants, balancing the protection of patient privacy with health research for the common good was at the core of many of these challenges, which was particularly pronounced during the COVID-19 pandemic. Research ethics committee representatives saw it as their responsibility to consider how to best balance these issues:

Barriers to Collaborative Health Data Research in Bavaria
Participants identified three key groups of barriers that led to difficulties in conducting collaborative health data research in Bavaria: (1) the wider ecosystem at many Bavarian health care organizations, (2) legal uncertainty and risk minimization, and (3) participants' ethical views.

Wider Ecosystem
A number of participants identified issues in the wider ecosystem at many Bavarian health care organizations as underlying barriers to collaborative secondary-use health data research.

Medical Informatics
Although participants noted increasing pressure from the German-wide Medical Informatics Initiative to use health data, it was reported that many Bavarian health care organizations were still not using the valuable data they possess. Medical informatics systems were often reported to be inadequate and that there were insufficient people with the right knowledge and skills to implement such systems:

GDPR Implementation
Some participants felt that the basic implementation of the GDPR is still lacking in many Bavarian health care organizations; smaller institutions, in particular, were reported to have insufficient financial and personal resources to adequately implement it. Some participants were also not in favor of using the research exemption until sufficient implementation of the GDPR was achieved:

Legal Uncertainty and Risk Minimization
Participants perceived legal uncertainty regarding a number of issues were leading people to be risk adverse in relation to collaborative secondary-use health data research in Bavaria.

Bavarian Hospital Act
Participants identified the Bavarian Hospital Act's Article 27 on Data Protection as a significant barrier. Although participants reported that the act permitted patient data to be used within the hospital for education and research purposes, they repeatedly noted the challenges raised by the requirement in Article 27 that patient data must remain in the custody of the hospital. Participants felt that the provisions of the Bavarian Hospital Act prevented the GDPR research exemption from being used and that patient consent is required if pseudonymized data are shared with third parties for research purposes: Participants described how this situation created a great deal of legal uncertainty in Bavaria and led to a general unwillingness to share pseudonymized patient data for secondary-use data research without consent.

Vagueness of Law
Regarding the GDPR research exemption, participants reported that as there was significant perceived vagueness in the law in Germany, people avoided using the research exemption to reduce their legal risk:

Variations in the Interpretation of the Law
Participants also reported that wide variations in the interpretation of the law could create significant uncertainty and cause researchers to take a very conservative approach to minimize risk. At the local level, participants reported that a lot depended on the makeup of the research ethics committee, whether it was more medically or legally oriented, with a legally oriented ethics committee seen to be more complicated: The other problem is that ethics committees are structured differently. Whether they are more medically oriented or more legally oriented. So that has to be said honestly. And

Ethical Views
The reluctance to conduct health data research without patient consent also reflected participants' ethical views. Some participants felt that patient consent ought to be obtained whenever possible to respect patient autonomy, and consequently, that the use of the research exemption should be very limited and as an option of last resort:

Facilitators for Collaborative Health Data Research in Bavaria
To improve health data research in Bavaria, participants wanted greater legal certainty regarding the use of pseudonymized data for research purposes without patient consent. In the short term, some participants felt that a clear statement from relevant local authorities clarifying the application of the law would be helpful: I would suggest the following. Briefly, at least in the short term, a stipulation by the relevant state supervisory authorities that project data and really, I would call it project pseudonymised data, which are not traceable for the recipient of this data under any reasonable conditions and using any normally applicable means or methods, are treated the same as fully anonymised data as far as the transfer of data is concerned and this transfer of data does not require consent. It is equivalent to fully anonymised data as far as data transfer is concerned and this data transfer does not require consent. In the long term, I would like to see an amendment to Article  However, participants also pointed out that this situation cannot be improved by Bavaria alone and saw the need for a federal law for the handling of research data: To be honest, I don't see Bavaria as the decisive factor for advancing research in an area like this. You have to talk to more specialised centres, and the German university hospitals are already a good cluster. Although at the level of a university hospital, I would say that a Bavarian regulation would perhaps be easier to implement in parliament, but all the projects of the National University Medicine Initiative alone would not be helped here, because they are all coordinated via Charité. [P08, data protection] I would like to see something like a research law or at least a binding specification of the requirements and a binding harmonisation of the requirements at federal level. We should say that we are enacting a research law and that data should be handled in such and such a way. Taking into account the GDPR, data protection regulations, hospital regulations and other regulations. [P04, data protection]

Principal Findings
This is one of the first qualitative studies examining European stakeholders' views and use of the GDPR scientific research exemption for secondary-use health data research, either during or before the COVID-19 pandemic. It also aims to add empirical insight to the global debate about the conflicting goals of furthering public health and health research on the one hand and protecting individual privacy and ensuring responsible data use on the other. This study has resulted in two key findings: (1) stakeholders in the German federal state of Bavaria were generally unwilling to use scientific research exemption owing to legal and ethical concerns and (2) stakeholders felt that the current strict handling of patient data is undermining important health research. This study suggests that the balance between enabling the positive goals of health data research and avoiding associated data protection risks can often be heavily skewed toward avoiding risks; thus making it extremely difficult to reach the goals of health data research. This is important as it is widely recognized that there is an ethical imperative to use health data to improve care. The current approach also creates a problematic conflict with Germany's, and the federal state of Bavaria's, ambitions to be a leader in AI. However, this is also a challenge for many other countries.
Despite recent research indicating that abolishing consent for secondary research use of clinical data will likely be acceptable to a large majority of German patients [28], Germany and many other countries, including in the EU, are still pursuing a consent or anonymize approach. Various authors have argued for several years that this approach undermines data-intensive medicine and that there is a need to specify the appropriate conditions for using a research exemption from consent [21]. Article 9(2)(j) of the GDPR sets out a scientific research exemption for processing sensitive personal data, which could occur without consent if subject to appropriate safeguards and if such rights would render impossible or seriously impair the achievement of the research purpose-see Article 89(1). Such a research exemption has a number of advantages in the context of the secondary use of health data for research purposes. The data from a large number of patients not requiring consent can be covered by the same provision. The existence of the research purpose is also relatively independent of further developments. In contrast, for example, if the data processing is based on Article 9(2)(i) GDPR, which explicitly allows the processing of sensitive personal data if it is "necessary for reasons of public interest in the area of public health," the processing can only take place as long as it is necessary to protect against the risk. If the situation stops being so dangerous, it would have the consequence that the data could not be used any further, not even to avert more abstract or possible future dangers [70].
However, as this study highlights many countries across the world continue to pursue a restrictive approach regarding the secondary use of patient data and seldom allow the use of data without consent or anonymization. As the participants of this study noted, various regulatory regimes must be considered, both at the national and European levels, with regard to the legal use of data in EU countries. Owing to the primacy of the application of EU law, the lawfulness of data processing is governed by the GDPR. This is supplemented by further general data protection laws at the national level (for Germany, the Federal Data Protection Act), as well as the state level (for Bavaria, the Bavarian Data Protection Act). However, Article 9(2)(i) of the GDPR-in conjunction with Article 89(1)-does not constitute separate authorization for data processing for research purposes [71]. Rather, the member states must make use of this opening clause through their own law. For Germany, this means that because of the federal system and the different competences of the federal government and federal states, the competence is initially based on the national competence regulations. Corresponding regulations can be found in section 27 of the Federal Data Protection Act; Article 25 of the Bavarian Data Protection Act, Act 25, section 27; and in Article 27 of the Bavarian Hospital Act. However, the decisive competence in this area usually lies with the federal states (exceptions may occur in individual cases, but in principle, hospital acts apply to all hospitals in a federal state, regardless of whether they are run publicly or privately or church-run). Furthermore, the regulations of the more specific Bavarian Hospital Act take precedence over those of the general Bavarian Data Protection Act (principle lex specialis derogat legi generali). Article 27(4) of the Bavarian Hospital Act states the following: 1. "Hospital physicians may use patient data insofar as this is necessary within the framework of the hospital medical treatment relationship, for initial, further and continuing training in the hospital, for research purposes in the hospital or in the research interests of the hospital." 2. "They may instruct other persons in the hospital to do so, insofar as this is necessary for the fulfillment of these tasks; for the purposes of research in accordance with sentence 1, they may permit other persons to use patient data if this is necessary for the implementation of the research project and the patient data remain in the custody of the hospital." 3. "Such persons shall be bound to secrecy." 4. "The hospital administration may use patient data to the extent necessary for the administrative processing of patient treatment." The regulations are narrower than the general data protection requirements in Article 25 of the Bavarian Data Protection Act. In particular, the Hospital Act requires that the data remain in the custody of the hospital. This restriction is not provided for by the Data Protection Act. However, it is up to the member states to decide in which form and under which further conditions they make use of the opening clause. If the requirements of Article 27(4) of the Bavarian Hospital Act cannot be met, one of the other justification options for data processing from Article 9(2) GDPR must be used. Therefore, the current legal requirements in Bavaria hinder the use of patient data for research purposes. Other German federal states have similar regulations to Bavaria; however, some states (eg, Bremen or North Rhine-Westphalia) have opted for more detailed regulations. There is a need to examine such local regulations in more detail, not only in Germany but also in other countries and how these are affecting the secondary use of patient data.
Recent developments in the field of German public administration known as norm screening (Normenscreening) could potentially provide a systematic approach to minimize such legal barriers. To encourage digital transformation and reduce existing barriers, some German federal states (eg, Schleswig-Holstein and Saarland) reviewed their entire public state laws to identify all norms that could act as barriers to further digitalization. As a result, the federal state of Saarland identified and categorized more than 1000 rules, and those preventing, or at least complicating digitalization, were removed or at least changed into more moderate forms. Such a screening process could be used to identify all types of legislative obstacles, sort them, and enable fundamental changes. Therefore, it is suggested that a screening process could be used to harmonize and minimize barriers in regulations regarding the use of patient data for research purposes. The focus would be on regulations that are narrower than those required by EU or constitutional law. This screening process would likely be beneficial to all EU members, as member states are required to make use of the GDPR scientific research exemption through their own national law and will therefore likely face similar challenges as those described in Germany. This approach could also, in principle, be applied outside Europe.
In an era of increasing global collaborative health research efforts, however, significant variations in laws regarding this issue are not only a problem within countries but also across countries [18]. Concerns have long been raised that the GDPR allows too much room for interpretation of the regulation by member states on key aspects of data protection, including sufficient methods of pseudonymization, when data are considered fully nonidentifiable, what further limitations should be set on processing sensitive data for research purposes, and sufficient safeguards and conditions for processing data under research exemption [72]. Although this may help recognize local values and norms, it risks undermining the goal of the GDPR to address the heterogeneity of data protection within the EU. The process of norm screening on a national level could potentially help identify already existing similarities between member states as well as detect best practices, which could support the progress on EU-level.
Germany, and Bavaria in particular, prides itself for research impact and innovation potential. However, their current approach to patient data is often heavily skewed toward avoiding risks; thus making it extremely difficult to reach the goals of health data research. This approach also conflicts with their stated ambitions to be leaders in AI. Benefiting from data-intensive medicine, particularly activities driven by AI technologies, requires first and foremost, having access to data. Being very restrictive with secondary patient data use at the same time as pouring significant amounts of public funds into data-intensive medical and medical AI is inconsistent and arguably unethical, as it constitutes a waste of public resources and, at worse, may end up causing patient harm owing to unrepresentative and biased data sets and models [73]. Politicians and policy makers need to take the issue of data access and sharing more seriously.

Strengths and Limitations
This is a qualitative study that did not collect statistically representative data. However, we included a range of experts who have direct experience with sharing COVID-19-related health data for research purposes in Bavaria, which makes it likely that this study has captured key aspects of a multisided issue. A bias might exist toward the reporting of socially desirable attitudes [74]; however, given that our results are rather critical of current practice, we believe that such a bias is limited. The study was only carried out in Bavaria, and there may be some regional and country-specific differences that might limit the generalizability. Nevertheless, many of the key issues are associated with aspects that are common in other countries (eg, balancing the goals of public benefit of the research with consent and privacy), and these findings are likely to be of wider international interest. The strengths of this study include the fact that it is, to our knowledge, one of the first to investigate stakeholders' views and use of the GDPR scientific research exemption either during or before the pandemic.

Acknowledgments
This study was funded by the Technical University of Munich's Faculty of Medicine via the Special Programme for the Promotion of Corona Research by the Bavarian Council of Ministers. The funder had no role in the design and conduct of the study; collection, management, analysis, and interpretation of the data; preparation, review, or approval of the manuscript; and decision to submit the manuscript for publication.

Data Availability
Our data include pseudonymized transcripts of interviews, which cannot be made publicly available in their entirety because of (1) the terms of our ethics approval and (2) because participants could be identifiable if the context of the entire transcript. This is in line with the current ethical expectations for qualitative interview research. We provide anonymized quotes within the paper to illustrate our findings (corresponding to transcript excerpts), and the complete interview guide used in the study has been included in the Multimedia Appendix 1.

Conflicts of Interest
AB is the chair of the German Ethics Council.