Germany recently enacted a law that enables state health insurance schemes to reimburse costs related to the use of digital health applications (“health apps”), but the law requires the Federal Ministry of Health to first develop the reimbursement process for such apps. Accordingly, on January 15, 2020, the German government published a draft regulation setting out the procedure for examining the eligibility of health apps to receive insurance reimbursements, as well as the requirements that such health apps must fulfill.

Notably, among its various obligations, the draft regulation and its Annex 1 include a number of data protection and data security requirements that health app developers must comply with if their health apps are to benefit from the reimbursement scheme.

According to the draft regulation, developers must:

  • implement appropriate data protection and security measures, taking into account the state of the art, the categories of personal data processed and the risk level;
  • carry out a Data Protection Impact Assessment;
  • obtain the explicit consent of the patient to process their health data (Art. 9(2)(a) GDPR);
  • not disclose data outside the European Economic Area to countries that do not provide an adequate level of protection of personal data pursuant to an adequacy decision of the European Commission (transfers on the basis of standard contractual clauses or binding corporate rules (BCRs) are apparently not allowed);
  • impose an obligation of confidentiality on all persons under its authority that have access to the personal data of the user; and
  • ensure the portability of the personal data.

The patient’s data may be used by the developer of the health app only:

  • for the intended use of the health app and for the reimbursement procedure;
  • to prove the benefit of the application (in the framework of specific procedures regulated under Book V of the Social Security Code);
  • to comply with legal obligations imposed by the EU Medical Devices Regulation 2017/745 and the German Medical Devices Implementation Act; and
  • to ensure, on an ongoing basis, the technical functionality and user-friendliness of the health app.

The health app must be free of advertising and the patient’s data must not be used for advertising purposes whatsoever.

Developers must fill out a detailed checklist (Annex 1 of the draft regulation) explaining how they comply with the above requirements when applying for registration with the Federal Institute for Drugs and Medical Devices (BfArM).

Updates to the draft regulation and the procedure to register a health app for reimbursement will be published on a dedicated page of the BfArM’s website.

Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum, from advising clients on government affairs strategies concerning lawmaking, to compliance advice on adopted laws, regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group. Anna is a qualified Portuguese lawyer, and is both a native Portuguese and German speaker. Anna advises companies on European data protection law and helps clients coordinate international data protection law projects. She has obtained a certificate as a “corporate data protection officer” from the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also a Certified Information Privacy Professional Europe (CIPPE/EU) of the International Association of Privacy Professionals (IAPP). Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area. Her extensive language skills allow her to monitor developments and help clients tackle EU data privacy, cybersecurity and consumer law issues in various EU and ROW jurisdictions.