Digital health applications in Germany

How restrictive is Germany when it comes to IT security and data protection of personal health data?

28 August 2020

Publication

Data Protection and IT Security Requirements for Digital Health Applications in the sense of the German Social Security Code

The German legislator has acknowledged that digital innovations play an important role in the health sector. With the German Act on Digital Supply (Digitale-Versorgung-Gesetz, "DVG"), which came into force on 19 December 2019, a number of essential measures have been issued to facilitate the inclusion of digital innovations in standard care under the German statutory social health security system. Almost 90 percent of the insured persons in Germany are members of this system.

One of the most important innovations introduced by the DVG is the insured persons' entitlement to medical devices based on software and other digital technologies with a medical purpose ("Digital Health Applications"), Section 33a of the German Social Security Code, Book V (5. Sozialgesetzbuch - "SGB V"). In other words: Digital Health Applications - as opposed to mere lifestyle / wellness applications, which do not serve a medical purpose in the meaning of medical devices law - can be reimbursable by the social health security insurer if certain requirements are met.

The prerequisite for the reimbursability of Digital Health Applications is that the German Federal Institute for Medicinal Products and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte - "BfArM") - as the competent authority - has included the Digital Health Application in a specific list of reimbursable Digital Health Applications ("DiGA-Verzeichnis"), according to Section 139e SGB V. The details of such inclusion are laid down in the German Ordinance on the procedure and requirements for the assessment of Digital Health Applications (Digitale Gesundheitsanwendungen-Verordnung - "DiGAV"), which came into force only recently, on 21 April 2020.

Besides regulatory requirements, such as compliance with the medical devices directive 93/42/EEC (from 26 May 2021: the regulation 2017/745), and proof of a positive healthcare effect (positiver Versorgungseffekt; i.e., a medical benefit for the patient or a patient-relevant structural or process improvement), the DiGAV requires manufacturers of Digital Health Applications to comply with strict data protection and data security requirements (Section 4 DiGAV). To prove compliance with the latter, the DiGAV includes a comprehensive checklist on data protection and IT security requirements ("Checklist"), which has to be completed by the manufacturer and submitted to the BfArM for approval.

On 21 July 2020, the BfArM released an updated version of its guidance on the DiGAV ("Das Fast-Track-Verfahren für digitale Gesundheitsanwendungen nach § 139e SGB V, (Version 2.1)" - "Guidance"), taking into account, particularly, a decision of the European Court of Justice on the transfer of personal data to the US ("Schrems II"). In the following, we summarise the Guidance.

1. Data Protection Requirements

Digital Health Applications have to comply with statutory data protection rules (Section 4 para. 1 DiGAV), namely the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Federal Data Protection Act (Bundesdatenschutzgesetz - "BDSG"), as well as data protection provisions in other statutory laws, such as legislation on medical devices or the SGB V.

Generally, Digital Health Applications may only process personal data on the basis of a user's consent, as required for the processing of special categories of personal data according to Article 9 para. 2 lit. a GDPR (Section 4 para. 2 DiGAV). The Guidance further clarifies that such (free, informed and express) consent must be obtained at the beginning of the use of the Digital Health Application and prior to the collection and processing of personal data. Consent may only be obtained for the following purposes:

  1. the intended use of the Digital Health Application by the users in the context of medical treatment. Which kind of data is necessary for this depends to a large extent on the respective Digital Health Application. Any data processing for this purpose has to strictly comply with GDPR principles, in particular with the principles of data minimisation and privacy by design and by default.

  2. ensuring the Digital Health Application's continued technical operability, usability and development. Processing for this purpose may not lead to comprehensive monitoring of user activities. The Guidance highlights that the functionality of the Digital Health Application may not be negatively affected if a user refuses to consent to this purpose.

  3. providing evidence of a positive healthcare effect (positiver Versorgungseffekt) in the case of a preliminary admission to the DiGA-Verzeichnis, according to Section 139e para. 4 SGB V.

  4. providing evidence of a Digital Health Application's performance to a health insurance fund, in the context of respective agreements on performance-related price components, according to Section 134 para. 1 sentence 3 SGB V.

In both of the latter cases, the BfArM stresses the GDPR's data minimisation principle.

As a result of these purpose limitations, providing consent, e.g. to the use of personal data as a "payment" to unlock certain additional functions, is not permissible. Additionally, the DiGAV expressly excludes any processing of personal data for marketing purposes, Section 4 para. 4 sentence 1 DiGAV.

Where processing is to be based on statutory law, the BfArM clarifies that such processing may be permitted not only by the DiGAV but also by other laws. This applies particularly where processing is required for invoicing with health insurance funds, or for compliance with obligations under medical device regulations.

1.2 Limitations on the location of processing

Deviating from the GDPR, and similar to the rules that apply to health insurers, the DiGAV restricts the processing of data to the

  • Federal Republic of Germany;

  • EU Member States;

  • contracting states of the Agreement on the European Economic Area and Switzerland; and

  • states for which an adequacy decision has been made in accordance with Art. 45 DSGVO (Section 4 para. 3 DiGAV).

The BfArM clarifies that the processing of personal data outside the EU on the basis of Art. 46 DSGVO (standard contractual clauses) or Art. 47 DSGVO (binding corporate rules) is not permitted. According to the BfArM, neither of these measures provides sufficient security for data processed by Digital Health Applications.

No transfer of personal data to the US

In its prior versions, the Guidance stated that data transfer to the US was permissible provided that the respective US data importer was certified for processing non-HR data under the EU-US Privacy Shield. In its updated version, the Guidance takes into account the European Court of Justice (ECJ) decision of 16 July 2020 (no. C-311/18 - "Schrems II"). The ECJ decided that the EU-US Privacy Shield does not provide an appropriate level of data protection for transferring personal data to the US. Accordingly, the Guidance now states that the "processing of personal data in the USA is therefore no longer permitted on the basis of the EU-US Privacy Shield". In the English version of the Guidance, the BfArM expressly states that the "processing of health data in the USA is therefore not permissible for a Digital Health Application."

2. Information security

Digital Health Applications must comply with the legal requirements for data security according to the state of the art, taking into account the type of data processed (Section 4 para. 1 DiGAV). The BfArM points out that IT security requirements relate to the protection of the confidentiality, integrity and availability of all data processed by the Digital Health Application. It differentiates between basic requirements, which apply to all Digital Health Applications, and additional requirements for Digital Health Applications with particularly high security needs (Zusatzanforderungen bei digitalen Gesundheitsanwendungen mit sehr hohem Schutzbedarf). Generally, all requirements are based on the relevant publications and recommendations of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik - "BSI").

2.1 Information Security Management System

The BfArM recommends that manufacturers implement and operate an information security management system ("ISMS") in order to respond appropriately to high market dynamics and the fast pace of technological development. In particular, the BfArM requires the following series of processes:

  • Protection requirement analysis (structural analysis of the Digital Health Application and its life cycle to determine the respective security requirements);

  • Release, change and configuration management (to ensure compliance with the relevant regulatory framework, e.g. the Medical Device Regulation (EU) 2017/745 - "MDR");

  • Market monitoring and an inventory of the libraries (e.g. third-party software) in use (to monitor any security-relevant information).

The BfArM highlights that a comprehensive ISMS according to the ISO 27000 series or BSI Standard 200-2 will be mandatory for any Digital Health Application submitted from 1 January 2022. However, a certificate under the above standards will not release a manufacturer from proving its implementation by providing the BfArM with the completed Checklist mentioned above.

2.2 Additional Requirements for high security needs

Where high security needs are identified - e.g. where a lack of protection may endanger life and limb or the personal freedom of the data subject - additional requirements have to be met:

  • penetration tests of the product version (major release) for all system components connected to the internet;

  • appropriate encryption of data stored on servers in accordance with the identified security need; and

  • 2-factor authentication for access to health data.

3. BSI: technical guideline for Digital Health Applications

In this context, please note that on 15 April 2020, the BSI published a technical guideline on the minimum requirements for the secure operation of Digital Health Applications (Sicherheitsanforderungen an digitale Gesundheitsanwendungen - Technische Richtlinie BSI TR-03161 - "BSI Guideline"). The BSI Guideline explains in detail which data protection and IT security measures an application has to comply with in order to process health data. You can find our summary of the BSI Guideline here. Because the two documents differ in prioritisation and level of detail, manufacturers should take both the BSI Guideline and the BfArM's Guidance into account. If you have any questions in relation to these documents or any other questions relating to Digital Health, please do not hesitate to contact us at any time.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.