Germany recently enacted a law that enables state health insurance schemes to reimburse costs related to the use of digital health applications (“health apps”), but the law requires the Federal Ministry of Health to first develop the reimbursement process for such apps.  Accordingly, on January 15, 2020, the German government published a draft regulation setting out the procedure for examining the eligibility of health apps to receive insurance reimbursements, as well as the requirements that such health apps must fulfill.

Notably, among its various obligations, the draft regulation and its Annex 1 include a number of data protection and data security requirements that health app developers must comply with if their health apps are to benefit from the reimbursement scheme.

According to the draft regulation, developers must:

  • implement appropriate data protection and security measures, taking into account the state of the art, the categories of personal data processed and the risk level;
  • carry out a Data Protection Impact Assessment;
  • obtain the explicit consent of the patient to process their health data (Art. 9(2) (a) GDPR);
  • not disclose data outside the European Economic Area to countries that do not provide an adequate level of protection of personal data pursuant to an adequacy decision of the European Commission (transfers on the basis of standard contract clauses or BCRs are apparently not allowed);
  • impose an obligation of confidentiality on all persons under its authority that have access to the personal data of the user; and
  • ensure the portability of the personal data.

The patient’s data may be used by the developer of the health app only:

  • for the intended use of the health app and for the reimbursement procedure;
  • to prove the benefit of the application (in the framework of specific procedures regulated under Book V of the Social Security Code);
  • to comply with legal obligations imposed by the EU Medical Devices Regulation 2017/745 and the German Medical Devices Implementation Act, and
  • to ensure, on an ongoing basis, the technical functionality and user-friendliness of the health app.

The health app must be free of advertising and the patient’s data must not be used for advertising purposes whatsoever.

Developers must fill out a detailed checklist (Annex 1 of the draft regulation) explaining how they comply with the above requirements when applying for registration with the Federal Institute for Drugs and Medical Devices (BfArM).

Updates to the draft regulation and the procedure to register a health app for reimbursement will be published on a dedicated page of the BfArM’s website.