For a good two years now, doctors and psychotherapists have been able to prescribe so-called "apps on prescription". To ensure that patients can use them safely, digital health applications (DiGA) must fulfil certain IT security, data protection and data security requirements. These are laid down in the Digital Health Applications Ordinance (DiGAV), which was supplemented by further regulations with the 1st DiGAV Amendment Ordinance.
We have summarised for you the requirements that DiGA operators and manufacturers must fulfil in future in order to be listed in the DiGA directory of reimbursable digital health applications.
The requirements at a glance:
- Mandatory penetration tests for all risk classes: Whereas penetration tests were previously only required for digital health applications with increased protection requirements, they have been part of the basic requirements since 1 April 2022 and are therefore mandatory for all DiGAs regardless of risk class. Pentests are to be carried out on the basis of the BSI's implementation concept for penetration tests and the current OWASP Top 10 security risks.
- Proof of an information security management system (ISMS): DiGA manufacturers must have introduced an ISMS in accordance with ISO 27001 or "ISO 27001 on the basis of IT-Grundschutz (BSI Standard 200-2: IT-Grundschutz methodology)" and provide evidence of its implementation. Since 1 April 2022, proof must be provided in the form of ISMS certification. The corresponding certificate must be presented to the Federal Institute for Drugs and Medical Devices (BfArM) upon request.
- Proof of data security: From 1 January 2023, DiGA manufacturers must prove that their applications meet certain technical and organisational requirements. These are set out in the BSI technical guideline TR-03161 (Requirements for applications in the healthcare sector). Proof is provided by means of a certificate in accordance with TR-03161.
- Interoperability of DiGA with the electronic patient record: From 1 January 2023, digital health applications must enable the regular, automated export of the data collected by the DiGA to the electronic patient record (EPR). The associated requirements for semantic and syntactic interoperability are defined by the National Association of Statutory Health Insurance Physicians (KBV).
- Secure authentication: The 1st DiGAV Amendment Ordinance (DiGAV-ÄndV) introduces the requirement for a secure authentication option for insured persons via their digital identity. This must be implemented by 1 January 2023 at the latest.
- Proof of data protection: Currently, the data protection of a DiGA only has to be proven via the manufacturer's self-declaration. From 1 April 2023, proof of compliance with data protection requirements will be required for digital health applications that wish to remain listed in the DiGA directory. This will take the form of a certificate issued in accordance with Article 42 GDPR.