NAALA | Not An Average Legal Advisor

Marketing medical software across borders: Germany


Anne Sophie Dil

Co-founder of NAALA

Published on 9 November, 2021


Digital health applications are taking hold all over the world. It is for good reason that the revision of European medical device legislation introduced a specific classification rule for software as a medical device (SaMD).

In Germany, some SaMDs are now eligible for reimbursement as digital health applications (‘Digitale Gesundheitsanwendungen’, DiGA). This naturally increases the attractiveness of offering SaMD on the German market, causing more and more manufacturers of SaMD to cross borders.

How does a digital health application qualify for reimbursement as a DiGA? What is the process, and what are the associated costs?

Every medical device on the European market must bear a CE mark. This CE marking demonstrates that the medical device is compliant with the Medical Devices Regulation (MDR) (or the old Medical Devices Directive (MDD), considering the soft transition periods).

A digital health application that is to be registered as a DiGA must meet a number of requirements. One of these requirements is that the application complies with European medical device legislation. This means that all DiGAs are SaMD under the MDR or MDD, and that all DiGAs bear a CE mark. However, the Digital Health Applications Ordinance (‘Digitale-Gesundheitsanwendungen-Verordnung’, DiGAV) – the German ordinance on DiGAs – has some additional requirements for SaMDs to be registered as DiGAs.

A digital health application may be designated as a DiGA if it has the following characteristics:

  • it is a medical device of risk class I or IIa under the MDR or the MDD,
  • it has a CE marking pursuant to the MDR or the MDD,
  • it is not merely intended to collect data from a device, or to monitor a device. The medical purpose of the digital health care application must be fulfilled by the main digital functions,
  • it supports the recognition, monitoring, treatment, or alleviation of disease, or the recognition, treatment, alleviation, or compensation of injury or disability,
  • it is not designed primarily for prevention purposes (unless it is prevention of the deterioration of a disease or a secondary disease or complication), and
  • it is used at least by the patient, possibly by the patient and the healthcare provider jointly.

The developer of a digital health application can request a review by the German Federal Institute for Medicines and Medical Devices (‘Bundesinstitut für Arzneimittel und Medizinprodukte’, BfArM).

Review is conducted according to the fast-track process. If the digital health application successfully passes this process, it is included as a DiGA in the directory for reimbursable digital health applications (DiGA directory). Applications included in this directory can – as the name suggests – be reimbursed by health insurance institutions.

Within three months of the application’s submission, the BfArM must advise on and review the digital health application. This advice and review covers the following elements:

  • Requirements regarding safety, functionality, quality, data protection and information security, and interoperability, and
  • Positive care effects such as medical benefit, structural and procedural improvements.

The outcome of the review of these elements may be as follows:

  • both requirements and positive care effects are assessed positively: the DiGA is included in the DiGA directory,
  • the requirements are assessed positively, but the care effects are questionable: the DiGA is included in the DiGA directory preliminarily, but a plausible rationale for the healthcare impacts must be submitted within 12 months, or
  • the requirements and/or care effects are evaluated negatively: the DiGA is not included in the DiGA directory.

After inclusion in the DiGA directory, price/reimbursement negotiations may need to occur. After being approved for reimbursement, a DiGA can be prescribed by doctors or psychotherapists.

Before an app is designated as a DiGA and included as such in the DiGA directory, the manufacturer must demonstrate that the digital health application meets requirements related to:

  • safety and suitability for use,
  • data protection and information security, and
  • quality, in particular interoperability.

Safety and suitability for use

For safety and suitability for use, BfArM carries out checks on the formal validity of the CE marking. Without a CE mark, this requirement cannot be fulfilled.

Data protection

Regarding data protection, the DiGAV imposes additional requirements in relation to the General Data Protection Regulation (GDPR). For example, the DiGAV tightens up the permissible purposes for data processing:

  • personal data may only be used for the following purposes with the explicit consent of the data subject (unless other legislation permits or requires the data processing):
    • achieving the intended use of the digital health application,
    • proving positive care effects,
    • demonstrating the presence of agreements with the Central Association of Health Insurance Funds, and
    • permanently securing the technical functionality, usability, and ongoing development of the digital health application,
  • the consent of the data subject should never be sought as a basis for the processing of their health data for purposes other than those mentioned above.

Laws that permit or require data processing relate specifically to the DiGA’s billing to health insurance institutions, and compliance with requirements of the MDR or MDD. For these purposes, it is therefore not necessary to seek explicit consent from the data subject if their personal data is to be processed.

International transfers

An important consideration regarding data protection is that transfer and/or other processing of personal data to/in the United States is not permitted for a DiGA. This has to do with the ruling of the Court of Justice of the European Union regarding the European Commission’s adequacy decision. Read more about this in our earlier blog.

Information security

Under the DiGAV, manufacturers are not necessarily expected to demonstrate information security through an accumulation of separate technical measures. What is required is an integrated management system with which information security can be assured within the organization. Such a management system can be set up based on the international standard ISO 27001. Compliance with this standard usually leads to approval of the DiGA’s information security level.


A DiGA must meet the standard of interoperability with respect to three elements.

  1. The patient must be able to export the data relevant to their therapy. This export must be in a format that is readable by humans and allows printing (e.g. a PDF).
  2. The patient must be able to export the data in a format that is machine-readable and interoperable, so that this data can be processed through other digital products.
  3. Data that may be collected through medical devices or wearables must be addressable through an interoperable interface.

To achieve the required level of interoperability, it is recommended that standards such as ISO/IEEE 11073 and HL7 FHIR be used.


The digital health application must meet a few additional quality requirements.

The application must be robust.

This means that measures must ensure that the application can be used without disruption due to interference, loss of data, transmission errors or difficulties in connecting to medical devices. This applies to:

    • external factors, such as loss of power or internet connection,
    • connections to devices and wearables, such as improper contrast when using the camera,
    • operating errors and malfunctions, such as impossible input values.

For the last bullet, BfArM gives the following example: a daily food intake of 10,000 kcal is unlikely, and a food intake of 100,000 kcal in one day is impossible. In the case of the first value, the user should be notified to reconsider their input, whereas the latter should not be accepted.
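The two-tier handling in that example (ask the user to reconsider an unlikely value, refuse an impossible one) can be enforced where the input is received. The following is an added sketch, not code from BfArM or from this article; the function name and both numeric bounds are assumptions chosen only so that 10,000 kcal falls in the "reconsider" tier and 100,000 kcal is refused.

```python
import math
import re
from enum import Enum

# Assumed, illustrative bounds (not BfArM figures), chosen so that
# 10,000 kcal needs confirmation and 100,000 kcal is refused.
PLAUSIBLE_MAX_KCAL = 6_000
POSSIBLE_MAX_KCAL = 30_000

# Allow-list for text input: plain decimal digits only, so "1e5", "nan",
# "-5" and locale-ambiguous forms such as "10,000" never reach float().
PLAIN_DECIMAL = re.compile(r"[0-9]{1,6}(\.[0-9]{1,2})?")


class Verdict(Enum):
    ACCEPT = "accept"    # store the value
    CONFIRM = "confirm"  # unlikely: ask the user to reconsider the entry
    REJECT = "reject"    # impossible or malformed: never stored


def check_daily_kcal(raw, confirmed=False):
    """Classify an untrusted daily-intake entry as (Verdict, value or None)."""
    if isinstance(raw, bool):  # bool is a subclass of int; not a quantity
        return Verdict.REJECT, None
    if isinstance(raw, str):
        raw = raw.strip()
        if not PLAIN_DECIMAL.fullmatch(raw):
            return Verdict.REJECT, None
    elif not isinstance(raw, (int, float)):
        return Verdict.REJECT, None
    try:
        value = float(raw)
    except (OverflowError, ValueError):
        return Verdict.REJECT, None
    if not math.isfinite(value) or not 0 <= value <= POSSIBLE_MAX_KCAL:
        return Verdict.REJECT, None
    # An explicit confirmation can lift the "unlikely" tier only; it can
    # never turn an impossible value into an accepted one.
    if value > PLAUSIBLE_MAX_KCAL and not confirmed:
        return Verdict.CONFIRM, value
    return Verdict.ACCEPT, value
```

Running the same check on the server as well as in the client keeps an impossible value out of the therapy record even when the app's own input form is bypassed.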

Consumer protection should be considered:

    1. the purpose and functionality of the application must be transparently communicated to users (i.e., patients and healthcare providers),
    2. compatibility must be able to be confirmed by the user, i.e., the website must state which mobile devices, web browsers, operating systems, etc. support the application,
    3. in-app purchases are allowed, provided that:
      • the in-app purchases are not advertised in the application,
      • the sales platform clearly indicates which additional purchases can be made at what cost,
      • the in-app purchases are not renewable subscriptions or special offers of limited duration, and
      • it must not be possible for an in-app purchase to be made accidentally.
    4. advertisements are not allowed within the digital health application.

The content of the application must be of high quality, and based on sound medical knowledge.

Appropriate technical and organizational measures must ensure patient safety. The CE mark ensures basic technical safety. In addition, measures must be taken to eliminate residual risks to the patient.


To process applications from manufacturers of digital health applications, fees are charged by BfArM. The BfArM provides the following table regarding the applicable fees:

| Application or notification | Fee |
| --- | --- |
| Application for final listing in the DiGA directory | €3.000 to €9.900 |
| Application for provisional listing in the DiGA directory | €3.000 to €9.900 |
| Assessment of the proof of positive healthcare effect after the trial phase (in the case of provisional listing) | €1.500 to €6.600 |
| Application for extension of the trial phase | €1.500 to €4.900 |
| Notification of significant changes to the DiGA | €1.500 to €4.900 |
| Notification of the need for changes to the information published in the DiGA directory | €300 to €1.000 |
| Removing a DiGA from the DiGA directory | |

In special situations, the manufacturer of the digital health application can be (partially) exempted from fees. This may be the case, for example, when the digital health application is intended for a very small target group.

Are you considering offering your medical device on the German market? Feel free to contact us for more information and/or support in this process.
