Guest Column | February 26, 2021

Germany's Digital Medical Device Regulations: A Framework For The World To Follow, Part III

By John Giantsidis, president, CyberActa, Inc.

Germany’s Digital Healthcare Act came into effect on December 19, 2019, introducing the “app on prescription” as part of healthcare provided to patients through digital health applications (in German: “digitale Gesundheitsanwendungen,” hereinafter DiGA). The Bundesinstitut für Arzneimittel und Medizinprodukte (BfArM, or the Federal Institute for Drugs and Medical Devices) released a new guide in August 2020 detailing the requirements DiGA manufacturers must meet to make their DiGAs available to the more than 73 million participants in the German statutory health insurance. In Part 1 of this article series, I gave an overview of the situation and covered the many privacy requirements noted in the new guide. In Part 2, I examined the data security requirements.

This final article in the series covers the remaining requirements pertaining to the DiGA application (interoperability, robustness, consumer protection, and patient safety). Emphasis is on adherence to the ISO/IEEE 11073 Health Informatics – Medical/Health Device Communication standards, which enable communication between medical, healthcare, and wellness devices and with external computer systems. They provide automatic and detailed electronic data capture of client-related and vital signs information, and of device operational data.

Interoperability

  • The data processed can be exported by the user in an interoperable format from January 1, 2021, at the latest, and made available to the insured person for further use.
  • The export takes place in or using an open, recognized international standard, or in a profile that you have disclosed as using an open, recognized international standard.
  • By January 1, 2021, at the latest, the user can export relevant excerpts from the health data processed via the DiGA for their care, particularly regarding therapy progress, therapy planning, therapy results, and data analyses carried out by the DiGA. The export takes place in a human-readable and printable format and takes into account the care context in which the DiGA is typically used according to its intended purpose.
  • The DiGA must be able to collect data from medical devices used by the user or from sensors worn by the user to measure and transmit vital signs (wearables), and from January 1, 2021, at the latest, the DiGA supports a published and documented profile of the ISO/IEEE 11073 standard.
  • The standards and profiles used to establish interoperability are published or linked on the application website and can be used without discrimination and implemented in their own systems by third parties.

Robustness

The DiGA is robust against malfunctions and operating errors by demonstrating that:

  • Sudden power failure does not result in loss of data.
  • Sudden internet connection failure does not result in data loss.
  • The DiGA checks the plausibility of measurements, inputs, and other data from external sources.
  • The DiGA includes functions for testing and/or calibrating connected medical devices and sensors.

Consumer Protection

  • The user receives all the information they need to make a usage decision before commitments are made to you or a third party. In the information on the sales platform or on the application website, the range of functions is fully described, and the medical purpose is fully reproduced. The information on the sales platform or the application website clearly shows which features are available with the download or use of the application and which features are available at what price, e.g., can or must be purchased as in-app purchases or function redirects.
  • The compatibility with systems and devices is communicated transparently. You have published a list of compatibility commitments regarding operating system versions and mobile end devices or web browsers and web browser versions, as well as other required or optionally usable devices, on the application website, and you are keeping this list constantly up to date.
  • You must publish the DiGA’s medical purpose.
  • The usage conditions are designed in a consumer-friendly manner:
    • The DiGA is ad-free.
    • It does not contain any non-transparent offers such as auto-renewing subscriptions or time-limited specials.
    • It contains measures to protect against unintentional in-app purchases or does not offer in-app purchases.
  • You have implemented measures to support users by providing free German-language support in operating the DiGA, which answers user inquiries within 24 hours at the latest.

Ease Of Use And Accessibility

  • Usability style guides of the respective platform for mobile applications have been fully implemented, or alternative solutions have been implemented for which user-friendliness can be demonstrated.
  • Easy and intuitive usability was confirmed in tests with focus groups representing the target group.
  • The DiGA offers operating aids for people with disabilities by January 1, 2021, at the latest, or supports the operating aids offered by the platform.

Support For Service Providers

  • You provide information for integrated service providers in which the additional use of the app by a service provider is disclosed and which clearly describes the underlying roles for the service provider and the patient.
  • You provide information for integrated healthcare providers that describes how the DiGA’s use can be explained to the insured as part of the therapy.
  • The user can activate their own data access for the service providers to be involved or transmit data securely to the service providers.

Quality Of The Medical Content

  • The DiGA is built on secured medical knowledge and makes this transparent:
    • The medical content and procedures implemented in the DiGA are based on the generally recognized professional standard.
    • You have established suitable processes to keep the medical content and procedures implemented in the digital health application up to date.
    • The sources for the medical content and procedures implemented, for example, guidelines, textbooks, and studies, are published and named in the DiGA or on a website linked from the DiGA.
    • The studies carried out with the DiGA are published and named in the DiGA or on a website linked from the DiGA.
  • The health information with which the DiGA supports the user is appropriate:
    • It is based on the generally recognized professional standard, it is tailored to the target group, and it is offered on a case-by-case basis and in the context of the respective use.
    • You have established suitable processes to keep the health information up to date.
    • The sources for the health information are published and named in the DiGA or on a website linked from the DiGA.
    • Didactic procedures are implemented to deepen and strengthen the health knowledge offered.

Patient Safety

  • You clearly state on the sales platform or before the web application is started for which users and indications the DiGA should not be used, if there are restrictions.
  • In the DiGA, the user is given context-sensitive information on risks as well as information on suitable measures to mitigate or avoid them.
  • In the context of critical measured values or analysis results, the DiGA clearly indicates the need for, or the usefulness of, consulting a doctor or another service provider.
  • The DiGA recommends that the user discontinue use of the app, or change how the app is used, if a defined state is detected.
  • Consistency conditions are defined for all values entered by the user or collected via the connected medical devices or sensors or taken from other external sources, which are checked before a value is used.
  • Error messages are designed in such a way that the user can understand where the error was and how they can contribute to avoiding it in the future.
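As an added illustration in Python (not code from the article or from any DiGA), this is one way to implement the plausibility checks required under robustness and the consistency conditions and user-readable error messages required under patient safety: every value from a device, a manual entry, or an external source is checked before it is used, and each rejection states where the error was and how to avoid it. The limits, field names, and sample stream are constructed assumptions, not thresholds from the guide or from ISO/IEEE 11073.

```python
from dataclasses import dataclass
from typing import Optional
# Plausibility limits per vital sign: (unit, min, max, max change per minute).
# Constructed illustration values, not thresholds from the article or ISO/IEEE 11073.
LIMITS = {"heart_rate": ("bpm", 25.0, 250.0, 60.0), "spo2": ("%", 50.0, 100.0, 20.0)}

@dataclass
class Observation:
    kind: str     # vital-sign type
    value: float
    unit: str
    ts: int       # seconds since epoch, as reported by the source (device, user, or external)

def check_observation(obs: Observation, prev: Optional[Observation] = None) -> Optional[str]:
    """Return None if the value may be used, else a message saying what was wrong and how to avoid it."""
    if obs.kind not in LIMITS:
        return f"Measurement type '{obs.kind}' is not supported; check the device profile."
    unit, lo, hi, max_rate = LIMITS[obs.kind]
    if obs.unit != unit:
        return f"{obs.kind} arrived in '{obs.unit}' but '{unit}' is expected; check the device's unit setting."
    if not lo <= obs.value <= hi:
        return f"{obs.kind} of {obs.value} {unit} is outside the plausible range {lo}-{hi}; repeat the measurement."
    if prev is not None:
        if obs.ts <= prev.ts:
            return f"{obs.kind} reading is timestamped before the previous one; check the device clock."
        elapsed_min = max((obs.ts - prev.ts) / 60.0, 1.0)  # tolerate one minute's change at minimum
        if abs(obs.value - prev.value) > max_rate * elapsed_min:
            return f"{obs.kind} jumped from {prev.value} to {obs.value} {unit} too quickly; repeat it to confirm."
    return None

def accept_stream(observations):
    """Check every value before use; accepted values update the per-type history, rejected ones carry a message."""
    accepted, rejected, last = [], [], {}
    for obs in observations:
        msg = check_observation(obs, last.get(obs.kind))
        if msg is None:
            accepted.append(obs)
            last[obs.kind] = obs
        else:
            rejected.append((obs, msg))
    return accepted, rejected
# Constructed sample stream from a wearable, a manual entry, and an external source (not real data).
SAMPLE = [
    Observation("heart_rate", 72.0, "bpm", 0),
    Observation("heart_rate", 400.0, "bpm", 60),    # wearable: implausible value
    Observation("heart_rate", 75.0, "bpm", 120),
    Observation("spo2", 0.97, "ratio", 30),         # external source: wrong unit
    Observation("heart_rate", 76.0, "bpm", 100),    # manual entry: clock went backwards
    Observation("heart_rate", 200.0, "bpm", 130),   # wearable: implausible jump
]
```

Running `accept_stream(SAMPLE)` accepts the two plausible heart-rate readings and rejects the other four, each with a message the user can act on.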


A DiGA can be a native app or a desktop or browser application, and can also comprise devices, sensors, or other hardware in addition to software, such as wearables, if the main function is a predominantly digital one. If the requirements regarding security, functionality, quality, data protection, data security, and interoperability are met, along with evidence of a positive healthcare effect, a digital medical device (class I or IIa) can achieve admission to the DiGA directory and be used by any of the 73 million participants in the German statutory health insurance at the corresponding reimbursement rate.

About The Author:

John Giantsidis is the president of CyberActa, Inc, a boutique consultancy empowering medical device, digital health, and pharmaceutical companies in their cybersecurity, privacy, data integrity, risk, SaMD regulatory compliance, and commercialization endeavors. He is also a member of the Florida Bar’s Committee on Technology and a Cyber Aux with the U.S. Marine Corps. He holds a Bachelor of Science degree from Clark University, a Juris Doctor from the University of New Hampshire, and a Master of Engineering in Cybersecurity Policy and Compliance from The George Washington University. He can be reached at