Germany's Digital Medical Device Regulations: A Framework For The World To Follow, Part I

Germany’s Digital Healthcare Act came into effect on December 19, 2019, introducing the “app on prescription” as part of healthcare provided to patients through digital health applications (in German: “digitale Gesundheitsanwendungen,” hereinafter DiGA). The Bundesinstitut für Arzneimittel und Medizinprodukte (BfArM, or the Federal Institute for Drugs and Medical Devices) released a new guide in August 2020 detailing the requirements for DiGA manufacturers in order to make your DiGAs available to the more than 73 million participants in the German statutory health insurance. I will give an overview of the situation and will cover the many privacy requirements noted in the new guide in Part 1 of this article series. In Part 2, I’ll examine the data security requirements. In Part 3, I’ll detail the interoperability, robustness, consumer protection, and patient safety requirements.

Assuming that your digital medical device or software as a medical device (SaMD) can provide a medical benefit, particularly regarding the improvement of the state of health, the reduction of the duration of a disease, the prolongation of survival, or an improvement in the quality of life, BfArM has to assess your DiGA. Likewise, if your digital medical device or SaMD can be considered as part of the detection, monitoring, treatment, or alleviation of disease or the detection, treatment, alleviation, or compensation of injury or disability, BfArM has to assess your DiGA. BfArM also has to assess your DiGA if it supports the health behavior of patients or integrates the processes between patients and healthcare providers, and include in particular the areas of:

1. Coordination of treatment procedures
2. Alignment of treatment with guidelines and recognized standards
3. Adherence
4. Facilitation of access to care
5. Patient safety
6. Health literacy
7. Patient autonomy
8. The coping with illness-related difficulties in everyday life
9. Reduction of therapy-related efforts and strains for patients and their relatives.

BfArM has to assess your DiGA within a three-month period starting with the filing of the complete application. The clinical evaluation of the Medical Device Directive (MDD)/Medical Device Regulation (MDR) conformity procedure must initially be considered separately from the DiGA Fast Track. The conformity assessment first proves the safety and suitability of the medical device. However, you can cite study results that have been included in the conformity assessment proving positive healthcare effects.

Generally, a digital medical device qualifies as a DiGA if it is a medical device of the risk class I or IIa (according to MDR or MDD as part of the transition regulations until the beginning of the validity of the MDR on May 26, 2021), its medical purpose is achieved through the main digital functions, and the app is used only by the patient or by the patient and the healthcare provider. This means that apps that are only used by the physician to treat patients are not eligible.

A DiGA must meet explicit requirements regarding safety and suitability for use, data protection, and information security and quality, especially interoperability. You as the manufacturer must demonstrate this to BfArM with emphasis on the completed checklists as well as the evidence of compliance with regulatory requirements for medical devices. BfArM can request further evidence on individual quality features during the application assessment and check the accuracy of the information. In any case, you must provide free access (login data) of your DiGA to BfArM.

The essence of the BfArM assessment is a thorough examination of the manufacturer’s statements about the product qualities — from data protection to user friendliness — and the examination of the evidence of the positive healthcare effect of the DiGA. Manufacturers must declare compliance regarding data protection regulations and data security requirements. All DiGAs must meet basic requirements, and those deemed requiring a very high protection requirement must meet additional requirements per the required protection requirement analysis. It is important to understand that the processing of personal data by the DiGA and its manufacturer is subject to EU General Data Protection Regulation (GDPR) 2016/679. Beyond privacy and security, manufacturers must also declare the fulfillment of the requirements regarding interoperability, robustness, consumer protection, ease of use, medical content, and patient safety.

The DiGA privacy requirements emanate from the GDPR’s data protection framework and are based on the principles of data privacy, data protection, and privacy rights for individuals in the EU:

Consent

• A voluntary, specific, and informed consent of the user is to be obtained for data processing before the processing of such personal and related data is taken place.
• The consent and declarations of the user is given consistently expressly, i.e., through an active, clear action.
• The user can revoke their consent easily, barrier-free, at any time and in an easily understandable way with effect for the future.
• The user is informed of the right and options to withdraw consent before giving their consent.
• Before giving consent, the user is informed in a clear, understandable, user-friendly, and target-group-appropriate form about which categories of data are processed by the DiGA or you as the manufacturer.
• The person concerned can access the texts of the consents and declarations given at any time from the DiGA or via a source referenced within it.

Data Minimization And Adequacy

• The personal data processed via the DiGA are appropriate for the purpose and limited to what is necessary for the purposes of processing.
• You have ensured that the purposes of processing personal data through the DiGA cannot reasonably be achieved to the same extent by other, more data-efficient means.
• Health-related data is stored separately from the data required exclusively for service accounting.
• You have ensured that employees entrusted with non-product-related tasks do not have access to health-related data.
• Provided that the DiGA’s use is not restricted to a private IT system of the person using it:
  • You have explicitly considered corresponding application scenarios in the data protection impact assessment.
  • You explicitly advise the insured person that the use of the DiGA in a potentially unsafe environment is associated with security risks that cannot be fully addressed by you as the manufacturer.
• When using the DiGA on an IT system that is not only used by the insured person, the storage, even if temporary, of health-related data on this IT system is completely prevented, and data and files stored locally on the IT system used are securely deleted after the end of the usage session of the DiGA, even if the user has not explicitly ended the usage session.

Integrity And Confidentiality

• The DiGA provides appropriate technical and organizational measures to protect personal data against unintentional or impermissible destruction, deletion, falsification, disclosure, or illegitimate forms of processing.
• The exchange of data controlled by the DiGA between the end device of the person concerned and external systems is encrypted according to the state of the art.

Accuracy

• The DiGA provides technical and organizational measures to ensure that the personal data that it processes are factually correct and up to date.
• You as the manufacturer take all reasonable measures to ensure that incorrect personal data are immediately deleted or corrected.

Necessity And Data Portability

• Personal data collected via the DiGA is stored only for as long as it is absolutely necessary for the provision of the promised functionalities or for other purposes resulting directly from legal obligations.
• You must justify separately the purposes of the storage and the maximum storage period, stating the reasons why these purposes represent a legitimation for the further storage of personal data.
• You provide mechanisms via which the data subject can exercise the right to data portability from the DiGA and can retrieve or transfer it to another DiGA.

Information Requirements

• The data protection declaration is easy to find, barrier-free, and freely accessible via the application website.
• The data protection declaration contains all relevant information about the manufacturer and data protection officer, the purpose of the DiGA, the data categories processed for this purpose, your (the manufacturer’s) handling of this data, the right to revoke given consent, and the options for exercising the rights of those affected, and you adequately implement additional information obligations according to GDPR Articles 13 and 14.
• The data protection declaration is easy to find even after the installation of the DiGA.
• The user can receive information from you on the personal data stored about them to the extent specified in GDPR Article 15.
• The data protection declaration contains a comprehensible deletion concept that regulates the procedure for withdrawing consent and deinstallation of the DiGA as well as the handling of claims for deletion of data and restriction of their processing per the requirements of GDPR Articles 17 to 19.
• The user can request that you correct incorrect personal data relating to them and to complete incomplete personal data relating to them.
• Before deleting the user account, you need to inform the data subject of any data that may be lost and the right to data transfer in accordance with Article 20 of Regulation (EU) 2016/679.

Data Protection Impact Assessment And Risk Management

• You have implemented a procedure for the regular review, assessment, and evaluation of the effectiveness of the technical and organizational measures to ensure the security of processing, with which all systems and processes used in connection with the DiGA are recorded.
• You have obliged all persons who have access to personal data from their work to secrecy.
• You have carried out a data protection impact assessment for the DiGA and transferred the risk analysis carried out in the documented risk management processes after a continuous reassessment of threats and risks has taken place.
• You can ensure that personal data breaches are reported to the supervisory authority within 72 hours of becoming aware of the breach.
• You have implemented the requirements of GDPR Article 34 on informing those affected in the event of data protection incidents.

Evidence

• You have documented the data protection guidelines applicable to the company and trained your employees in their implementation.
• You have implemented measures to ensure that it can be subsequently checked and determined whether and by whom personal data has been entered, changed, or removed.
• The DiGA or you as the manufacturer do not pass on personal data at all to processors or exclusively to processors who have sufficient trustworthiness and liability. You have implemented appropriate mechanisms to protect transferred data and have a binding contractual relationship that excludes a weakening of the commitments made to the insured.
• The processing of health data as well as personally identifiable inventory and traffic data takes place exclusively in Germany, in another member state of the European Union, or on the basis of an adequacy decision in accordance with GDPR Article 45.

The DiGA privacy requirements emanate from the GDPR’s data protection framework and are based on the principles of data privacy, data protection, and privacy rights for persons in the EU. It is important to analyze what, how, and why you process data. Be prepared to show how data is transferred and processed because you could be asked. Put consent and privacy notes in plain language and be ready to be responsive to requests from individuals and incidents.

In Part 2 of this article series, I will examine the data security requirements. In Part 3, I’ll detail the interoperability, robustness, consumer protection, and patient safety requirements.

About The Author:

John Giantsidis is the president of CyberActa, Inc, a boutique consultancy empowering medical device, digital health, and pharmaceutical companies in their cybersecurity, privacy, data integrity, risk, SaMD regulatory compliance, and commercialization endeavors. He is also a member of the Florida Bar’s Committee on Technology and a Cyber Aux with the U.S. Marine Corps. He holds a Bachelor of Science degree from Clark University, a Juris Doctor from the University of New Hampshire, and a Master of Engineering in Cybersecurity Policy and Compliance from The George Washington University. He can be reached at john.giantsidis@cyberacta.com.