BfArM tightens data protection requirements for DiGAs – A new certification is needed

Since 2020, clinicians have been able to prescribe, and statutory health insurance (SHI) funds reimburse, medical apps and digital health treatments, the so-called “DiGAs”.

The BfArM assesses these DiGAs in terms of patient benefit, quality, data protection and information security. After an application is received, the BfArM checks within three months whether the product meets the requirements set out in the Digital Health Applications Ordinance (DiGAV). If the assessment is successful, the BfArM includes the product in the DiGA list. Products on this list can then be prescribed and are covered by SHI funds. The legal basis is §139e SGB V.

In September 2022, the BfArM published new, even stricter data protection criteria that a new DiGA must meet in order to receive certification. These are set out in the First Amendment of the Digital Health Applications Ordinance (1. DiGAVÄndV) and the amendment to §139e of the Social Security Code V (SGB V). The BfArM is among the first agencies in Europe to develop a specific data protection certification to strengthen patient rights.

The certification shows that an app complies with data protection law, both the European General Data Protection Regulation (GDPR) and the additional requirements that apply specifically to digital health applications.

To develop the new requirements, the BfArM also consulted the Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the Federal Office for Information Security (BSI).

Certification process

The checks and certification are carried out by accredited bodies. If they find any flaws, the DiGA manufacturer has to fix them before the DiGA can be certified. Once the assessment is successful, the accredited body awards the certification.

The DiGA manufacturer then submits the data protection certification to the BfArM when requesting inclusion on the DiGA list.

Digital care applications (DiPAs)

In the future, the BfArM plans to apply the same set of data protection requirements to digital care applications (DiPAs) as well. However, the test criteria could still change as part of the European coordination process.

