Introduction

The legislature recently acknowledged that digital innovation plays an important role in the health sector. The Act on Digital Supply (DVG), which came into force on 19 December 2019, established numerous essential measures to facilitate the inclusion of digital innovation in standard care under the German statutory social health security system. Almost 90% of insured persons in Germany are members of this system.

One of the most important innovations that the DVG introduced is insured persons' entitlement to medical devices based on software and other digital technologies with a medical purpose (digital health apps) under Section 33a of the Social Security Code, Book V (SGB V). In other words, digital health apps – as opposed to mere lifestyle or wellness apps, which provide no medical purpose under the meaning of medical devices law – are reimbursable by social health security insurers if certain requirements are met.

The prerequisite for the reimbursability of digital health apps is that the Federal Institute for Medicinal Products and Medical Devices (BfArM) – as the competent authority – has included the digital health app on a specific list regarding reimbursable digital health apps (DiGA-Verzeichnis), according to Section 139e of the SGB V. The details for such inclusion are set out in the Ordinance on the procedure and requirements for the assessment of digital health apps (DiGAV), which came into force on 21 April 2020.

Besides regulatory requirements (eg, compliance with the EU Medical Device Directive (93/42/EEC) and the EU Medical Device Regulation (2017/745) from 26 May 2021) and proof of a positive healthcare effect (ie, a medical benefit for the patient or a patient-relevant structural or process improvement), the DiGAV requires digital health app manufacturers to comply with strict data protection and data security requirements (Section 4). To prove compliance with the latter, the DiGAV includes a comprehensive checklist on data protection and IT security requirements, which must be completed by the manufacturer and submitted to the BfArM for approval.

On 21 July 2020 the BfArM released an updated version of its guidance on the DiGAV (Section 139e of the SGB V, Version 2.1 – the guidance), taking into account, in particular, a European Court of Justice (ECJ) decision on the transfer of personal data to the United States (Schrems II).

Data protection requirements

Digital health apps must comply with statutory data protection rules (Section 4(1) of the DiGAV), namely:

  • the EU General Data Protection Regulation (GDPR) (2016/679);
  • the Federal Data Protection Act (BDSG); and
  • data protection provisions in other statutory laws (eg, legislation on medical devices or the SGB V).

Limitations of legal basis

In general, digital health apps may process personal data only based on a user's consent, as required for the processing of special categories of personal data under Article 9(2) of the GDPR (Section 4(2) of the DiGAV). The guidance further clarifies that such (free, informed and express) consent must be obtained at the beginning of the use of a digital health app and prior to the collection and processing of personal data. Consent may be obtained solely for the following purposes:

  • The intended use of the digital health app by users in the context of medical treatment. Which kinds of data are necessary for this depends to a large extent on the respective digital health app. Any data processing for this purpose must strictly comply with GDPR principles, in particular with data minimisation and privacy by design and default principles.
  • Ensuring the digital health app's continued technical operability, usability and development. Processing for this purpose may not lead to a comprehensive monitoring of user activities. The guidance highlights that the functionality of the digital health app may not be negatively affected if a user refuses to consent to this purpose.
  • To provide evidence relating to a positive healthcare effect in case of a preliminary admission in the DiGA-Verzeichnis, according to Section 139e(4) of the SGB V.
  • To provide evidence for a digital health app's performance to a health insurance fund, in the context of respective agreements on performance-related price components, according to Section 134(1)(3) of the SGB V.

In both of the latter cases, the BfArM stresses the GDPR's data minimisation principle.

As a result of these limitations, providing consent for other purposes (eg, to use personal data as a payment to unlock specific additional functions) is not permissible. Further, the DiGAV expressly excludes any processing of personal data for marketing purposes (Section 4(4)(1) of the DiGAV).

As far as processing is based on statutory law, the BfArM clarifies that such processing may be permitted not only by the DiGAV, but also by other laws. This applies in particular as far as processing concerns invoicing purposes with health insurance funds or compliance with obligations under medical device regulations.

Limitations on location of processing

In deviation from the GDPR and similar to the rules that apply to health insurance policies, the DiGAV restricts the processing of data to:

  • Germany;
  • EU member states;
  • EEA agreement contracting states; and
  • states for which an adequacy decision has been made in accordance with Article 45 of the GDPR (Section 4(3) of the DiGAV).

The BfArM clarifies that the processing of personal data outside the European Union on the basis of Articles 46 (standard contractual clauses) or 47 (binding corporate rules) of the GDPR is not permitted. According to the BfArM, both of these measures provide insufficient security for data processed by digital health apps.

No transfer of personal data to United States

In its prior versions, the guidance stated that data transfer to the United States was permissible as far as a respective US data importer would be certified for processing non-HR data under the EU-US Privacy Shield. In its updated version, the guidance takes into account Schrems II. The ECJ decided that the EU-US Privacy Shield does not provide for an appropriate level of data protection for transferring personal data to the United States. Accordingly, the guidance now states that the "processing of personal data in the USA is therefore no longer permitted on its basis of the EU-US Privacy Shield". In the English version of the guidance, the BfArM expressly states that the "processing of health data in the USA is therefore not permissible for a digital health app".

Information security

Digital health apps must comply with the legal requirements for data security according to the state of the art, taking into account the type of data processed (Section 4(1) of the DiGAV). The BfArM points out that IT security requirements relate to the protection of the confidentiality, integrity and availability of all data processed on the digital health app. It differentiates between basic requirements, which apply to all digital health apps, and additional requirements for digital health apps with particularly high security needs. In general, all requirements are based on the relevant publications and recommendations of the Federal Office for Information Security (BSI).

Information security management system

The BfArM recommends that manufacturers implement and execute management systems for information security (ISMS), in order to respond appropriately to high market dynamics and the fast pace of technological developments. In particular, the BfArM requires the following series of processes:

  • protection requirement analysis (structural analysis of the digital health app and its life cycle to determine the respective security requirements);
  • release, change and configuration management (to ensure compliance with the relevant regulatory framework (EU Medical Device Regulation)); and
  • market monitoring and directory of libraries (eg, third-party software) in use (to monitor any security-relevant information).

The BfArM highlights that a comprehensive ISMS, according to the ISO-27000-series or the BSI-Standard 200-2, will be mandatory for any digital health apps to be submitted from 1 January 2022. However, a certificate under the above standards will not release a manufacturer from proving its implementation by providing the BfArM with the completed checklist, mentioned above.

Additional requirements for high security needs

Where high security needs are identified (eg, where a lack of protection may endanger the data subject's life and limb or personal freedom), the following additional requirements must be met:

  • penetration tests of the product version (major release) for all system components connected to the Internet;
  • appropriate encryption of data stored on servers in accordance with the identified security need; and
  • two-factor authentication for access to health data.

BSI: technical guideline for digital health apps

On 15 April 2020 the BSI published a technical guideline on the minimum requirements for the secure operation of digital health apps (the BSI guideline). The BSI guideline explains in detail which data protection and IT security measures apps must comply with, in order to process health data.(1)

Due to the diverging prioritisation and level of detail, the BSI guideline, as well as the BfArM's guidance, should be taken into account by manufacturers.

Endnotes

(1) A summary of the BSI guideline is available here.