DiGA: No US service providers permitted
One of the numerous questions with regard to the design of DiGA is how and which service providers may be involved.
According to Section 4 (2) DiGAV (and correspondingly No. 38 of Annex 1, "Data Security", to the DiGAV), the following applies:
"If the processing of health data and personally identifiable inventory and traffic data takes place exclusively
- in Germany,
- in another Member State of the European Union,
- in [an EEA state or Switzerland], or
- on the basis of an adequacy decision pursuant to [Art. 45 GDPR] [...]"
An adequacy decision existed for the former EU-US Privacy Shield between the European Union and the USA. However, the ECJ recently ruled that the EU-US Privacy Shield is invalid (ECJ, judgment of 16.07.2020, Case C-311/18, "Schrems II"). The EU-US Privacy Shield was an adequacy decision under Art. 45 GDPR, the very provision referred to in Section 4 (2) DiGAV cited above. The involvement of US service providers would therefore have been possible, at least where they were certified under the EU-US Privacy Shield.
Currently, data protection practice in general (including outside the medical device industry) is feverishly searching for ways to continue to permit the involvement of US service providers and data transfers between the European Union and the USA. Attempts are being made to rely on various other instruments provided for in the GDPR, in particular so-called standard data protection clauses (formerly: standard contractual clauses) and so-called binding corporate rules. All of these, however, are solutions based on provisions outside Art. 45 GDPR, whereas Section 4 (2) DiGAV cited above refers to Art. 45 GDPR alone.
Overall, it must therefore be stated that there is currently no possibility within the framework of DiGA to involve US service providers or to enable data transfer between the European Union and the USA.
It should be noted, however, that these additional restrictions apply only to DiGA. It is possible to offer an app as a DiGA and, in parallel, as a non-DiGA; the BfArM will neither object to nor review this. Depending on the specific app, it may therefore be an option to offer certain functions only outside the reimbursable DiGA, or to use solutions via interoperability and export functions. Further legal developments remain to be seen, however, and the design options must be assessed for each specific app.
In summary, extreme caution is required when integrating service providers within a DiGA: they must not be based in the USA and must not trigger any data transfer to the USA. Even where a service provider is based in a permitted country, further checks are required, because that provider could in turn, unnoticed by the DiGA manufacturer, rely on further service providers that are based in the USA and thereby initiate a data transfer to the USA.