Germany is pushing the digital transformation of the healthcare sector, driven by the COVID-19 pandemic and a general need for reform. E- and M-Health are high on the agenda. Recently published laws will make it easier for doctors to hold online video consultations, reimburse patients for using prescribed digital health apps and ensure that all stakeholders have access to a secure healthcare data network for treatment.
Hospitals can now apply for funding to improve their digital infrastructure from a specially created fund of 4.3 billion euros. A new era of digital transformation in the health sector has begun with patient data at its heart. It creates great opportunities for market players but there are a number of issues to watch out for.
The Digital Care Act
A real challenge for new digital health solutions has been their cost. At the end of 2019, the German legislator published the Digital Care Act (Digitale-Versorgung-Gesetz or DVG). Its most prominent effect is to allow reimbursement of costs for qualifying health apps prescribed by healthcare professionals (HCPs) under public health insurance and, for this reason, it's also known as the 'apps by prescription' Act.
While COVID slowed things down on both the regulatory and industry sides, the recently published Health App Regulation (Digitale-Gesundheitsanwendungen-Verordnung or DiGAV) allows the regulator to add qualifying health apps to a central directory. In order to qualify, a health app must be certified as a medical device in a certain risk category. A digital health application (smartphone or hospital software) requires a risk classification in categories I or IIa. To this end, stand-alone software is considered an active medical device, while a diabetes app that reads and evaluates data from an implanted computer chip is based on the risk classification of the computer chip. Once a health app is listed, HCPs can prescribe it and patients can be reimbursed for the costs under the DVG.
The main function of a qualifying health app should be based on digital technologies which are intended to support the detection, monitoring, treatment or alleviation of disease, or the detection, treatment, alleviation or compensation of injury or disability of the patient. This includes health apps on a patient’s smartphone or smart watch which are already used in everyday life. However, mere fitness apps will not usually be within scope of the DiGAV regulation. Apps which focus solely on “prevention” will not be subject to reimbursement. This is in line with the current regulatory system in Germany, which only allows for reimbursement of prevention measures under limited conditions. For example, a nutritionist app would be a borderline case. If the app also serves to detect or treat obesity, then it will be a medical device because it is used to detect or treat a disease.
The requirements for health app data protection
The relevant provider or, as the DiGAV says, manufacturer, must provide evidence that the health app gives suitable guarantees around safety, functionality, quality, data security and data protection and improves patient care. One critical issue is the DiGAV’s requirement to only transfer personal data outside the EU or EEA (including to the UK after 31 December 2020) on the basis of a European Commission adequacy decision. This means that health apps cannot use other safeguards under the GDPR, such as the Standard Contractual Clauses, to transfer personal data to third countries (countries outside the EEA) which do not benefit from adequacy decisions unless they can find a workaround, for example, encrypting data at rest so that it cannot be accessed by anyone other than the manufacturer.
This data transfer requirement is a serious obstacle for health apps in Germany since not many can limit transfers of personal data to a specific geography. In addition, many apps rely on various third party service providers for technical reasons. These data processors are often based in countries outside the EU. Under the DiGAV, the data transfer limitation also applies to the processing of data by a data processor who also needs to process the data concerned in the EEA. While this may seem surprising, it is a deliberate move by the legislator to establish the highest possible protection for the data.
From analogue to digital prescriptions
Another much-needed step to digitally transform the healthcare sector in Germany is the phasing out of paper prescriptions. Healthcare services, aids or home care can now be prescribed electronically. HCPs are incentivised to use e-prescriptions as they're able to recover a greater percentage of their costs if they do. In addition, doctors will have more scope to exchange information with colleagues electronically. A patient who would like to join a public health insurance fund voluntarily can do so electronically. Finally, it will be easier to agree on elective service agreements electronically, for example during planned hospital stays.
The Hospital Future Act
The aim of the investment program adopted under the Hospital Future Act (Krankenhauszukunftsgesetz or KHZG) is to improve the digital infrastructure of hospitals, particularly in relation to IT and cybersecurity. Funding is available for investment in modern emergency capacities and digital infrastructure including patient portals, electronic documentation of care and treatment services, digital medication management, IT security measures and cross-sectoral telemedical network structures.
Three billion euros will be made available for the program from the federal budget and another 1.3 billion has been allocated from the federal states’ budget. A hospital future fund will be established at the federal level so that this staggering amount can be distributed. Hospitals can apply for funding at state level, i.e. the Länder decide which hospitals receive money. The status of digital transformation of hospitals will be evaluated in mid-2021 and mid-2023.
Ensuring compliance with data protection laws and data security is essential for hospitals in all respects. This is not just due to the high level of protection required for patient data under the GDPR and the associated high risk of fines. Hospitals can often be subject to special data protection regulations under State law and sector-specific regulations such as the German Medicines Act or the Social Security Code. In addition, special IT security requirements may apply to hospitals as critical infrastructures.
Against this background, future-proof data protection compliance must be ensured and the KHZG has focused attention on this. The German legislator emphasises the importance of data protection in the implementation of the program and stresses "compliance with data protection regulations is also a criterion for eligibility for funding". GDPR compliance can also be highlighted under "technical performance" in the grant application for funding made available by the KHZG.
The new era of digital health requires constant monitoring
Digital transformation of the healthcare sector boasts a range of opportunities for product development. The tremendous potential unlocked by the new and incoming laws is particularly relevant for providers of prescription-only health apps and telemedical software and hardware.
At the core of these digital models, solutions and functions lies the personal data of patients. This must be processed with the highest degree of compliance given its sensitivity. Data is one of the most valuable assets a company has. If it is not sufficiently protected, its value can be compromised, which will have a knock-on effect on the value of the company.
In order to make the most of the opportunities in Germany, and to be prepared for upcoming innovations, market players must closely monitor legal and political developments in the healthcare sector.
Thanos Rammos
Thanos is a partner in the Technology, Media & Communications group in Berlin.