Digital health apps and telemedicine in Germany

Software as a medical device

Software within digital health apps can be classified as medical devices, if the intended purpose (Zweckbestimmung) relates to one of the following pursuant to article 2 of the Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, which applies from 26 May 2021 (“MDR”):

• diagnosis, prevention, monitoring, treatment or alleviation of disease,
• diagnosis, monitoring, treatment, alleviation or compensation of injuries or handicaps,
• investigation, replacement or modification of the anatomy or of a physiological process,
• control of conception. 

The differentiation between a medical device and a consumer product – which does not fall within the scope of the MDR – can largely be influenced by the manufacturer based on the intended purpose which is defined by him.

Not only is the explicitly described intended purpose relevant, e.g., for an authority decision on qualification as a medical device, but so are the instructions for use and the promotional materials (e.g., website, information in App Store) regarding the specific product.

Possible indicative terms in connection with the intended use of corresponding functions can be, for example: alarming, analysing, calculating, detecting, diagnosing, interpreting, converting, measuring, controlling, monitoring, amplifying.

Indicative functions for classification as a medical device can be, amongst others, the following:

• decision support or decision-making software, e.g., regarding therapeutic measures,
• calculation, e.g., of dosing of medicines (as opposed to mere reproduction of a table from which users can deduce the dosage themselves),
• monitoring patients and collecting data, e.g., by measurements if the results thereof have an influence on diagnosis or therapy.

Pure data storage, archiving, lossless compression (i.e., using a compression procedure that allows the exact reconstruction of the original data), communication, or simple search functions do not in themselves result in classification as a medical device.

Classification

Medical devices are — generally speaking — assigned to risk classes. The classification is decisive for the conformity assessment procedure that the respective product must undergo. The classification is mainly based on the vulnerability of the human body (invasiveness) and takes into account the potential risks associated with the release or exchange of energy (activity) and the duration of use of the medical device. They are assigned to Classes I, II a, II b or III, whereby Class I comprises those products with the lowest risk potential.

A key difference between the former regulations of the German Medical Device Act ("MPG") and the MDR are the classification rules for software medical devices.

According to rules 9 to 12 most medical apps belonged to risk class I under the MPG. The classification rules for software devices that apply now are listed under annex VIII chapter III, rule 11 MDR. In principle, it is still possible for a software medical device to fall into Class I under the MDR. However, according to the views expressed in the German legal literature, it is assumed that software medical devices have to be upgraded in principle and now generally fall under Class IIa.

If a product is considered as medical device, it is necessary to affix it with a CE marking, cf. article 20 and annex V MDR.

CE-Mark

If the manufacturer brings a medical device onto the market or puts it into operation without the required CE marking, this constitutes an administrative offence in case of negligence and a criminal offence in case of intent. According to article 113 MDR, member states lay down the sanctions applicable to infringements of the provisions of the MDR and take all necessary measures to enforce them. In Germany, sanctions are regulated in section 92 et seq. Medical Devices Implementation Act. (See also Q6). Furthermore, this is a so-called “unfair act” within the meaning of the German Unfair Competition Act (UWG, Gesetz gegen den unlauteren Wettbewerb), so that the manufacturer can be sued for stopping distribution and for damage.

Software within digital health apps as medical devices can be qualified as “products” to which liability can attach.

The term “products” often refers only to movable, physical objects. There are some doubts in the legal literature whether software can also be covered by the product definition.

The fact that software is explicitly mentioned in the MDR is a justified basis for this discussion and in our opinion speaks in favour of including software in the scope of application of product liability law.

Thus, strong arguments support the fact that the general rules on product liability apply also to software medical devices.

The applicable rules are section 1 Product Liability Act (Produkthaftungsgesetz), sections 823 para. 1 and 831 as well as section 823 para. 2 of the German Civil Code (Bürgerliches Gesetzbuch) in connection with article 5 para. 1 and 2 MDR.

Special provisions that focus on liability, e.g., regarding artificial intelligence within the software of digital heath apps does not – so far – exist in German law. The EU Commission drafted a proposal for an Artificial Intelligence Regulation (COM/2021/206 final) that should be noted in this regard (see under Q7.) However, the proposal does not contain comprehensive product liability regulations.

There aren't exclusions or limitations of liability that apply solely to the liability of software medical devices.

Rather, the liability exclusions that also apply to other products are applicable.

The liability according to the German Civil Code requires, for example, negligence. According to the Product Liability Act, the manufacturer's obligation to pay compensation is excluded under certain conditions, cf. section 1 para. 2 Product Liability Act.

Furthermore, the duties of vigilance and observation apply to both medical products and other products.

• So-called digital health applications are software medical devices that can be prescribed by a doctor in Germany and whose costs for patients are covered by the statutory health insurance funds. Which software medical devices can be reimbursed by the health insurance funds in Germany depends on whether the software is listed as a DiGA in the so-called "DiGA Directory" of the Federal Office for Drugs and Medical Devices (BfArM). For this purpose, the manufacturer must carry out an extensive application process, which, in addition to the requirements for the software's status as a medical device, also includes comprehensive data protection requirements. In addition, studies on a so-called "positive supply effect" must be submitted for a permanent listing.  The BfArM published new test criteria for data protection in digital health applications and digital care applications. The criteria are to serve as a basis for certificates issued in the future, with which manufacturers are to prove the data protection conformity of their applications. An accredited body certifies them. Only after "successful implementation, testing and auditing" will the certificate be issued. As soon as manufacturers apply for inclusion in the DiGA or DiPA directory, the certificate shall be submitted to the BfArM.
• If Software processes personal data of the users/patients, it must comply with the applicable data protection regulations, in particular with the EU General Data Protection Regulation (“GDPR”).
• When processing personal data, the principles contained in art. 5 GDPR, such as the lawfulness and purpose limitation of data processing, data minimization, and the integrity and confidentiality of processing, must be taken into account.

The rules in Q2 only apply to the processing of data of individuals (regardless of citizenship) residing in the European Union (art. 3 GDPR). If they use the app outside of their jurisdiction, GDPR will still apply if the provider is a company established in the EU.

B2B/B2C

• The GDPR always applies in B2C scenarios.
• The GDPR also applies in B2B scenarios if the business user is a natural person or if the user is processing personal data of other individuals via the app. If the business user is processing personal data of other individuals (e.g., patients), he or she must ensure that this complies with the GDPR (the legal ground for which will usually be a contract with the individual or consent).
• In addition, special requirements may arise regarding the information content of instruction manuals according to annex I chapter III number 23 MDR. For example, medical devices that are only intended for the end user are subject to higher requirements regarding the scope of the instructions for use than products that are only used between physicians (B2B).

If data is stored on the device or if data is collected from the users' device and if this is not necessary for providing the service, users must provide additional consent according to the EU “Cookie Directive” (Art. 5 (3) of Directive 2002/58/EU). The Cookie Directive is not just covering cookies but any scenario where the provider stores data on or collects data from a device.

In addition, location tracking is also subject to consent provided it is not an essential part of the service provided.

• Yes, the physician is responsible for the selection of methods how to treat patients and thus also for the selection of the right app/software in relation to its intended purpose, just as the physician is responsible for the selection of the appropriate therapy or medicine.
• The manufacturer is liable according to the principles of product liability on the basis of section 1 Product Liability Act and section 823 German Civil Code if the product has a default. However, the medical decision at the end cannot (and must not) be made by the software but by the physician.

• Under the article 113 MDR member states shall lay down the sanctions applicable to infringements of the provisions of the MDR and take all necessary measures to enforce them. In Germany the legal consequences for non-compliance regarding the CE marking are regulated in sections 92, 93, 94 and 95 Medical Devices Implementation Act and may include imprisonment, fines and the seizure of goods. The respective sanction depends above all on whether negligence or intent is involved.
• In the event of product defects, claims for damages against the manufacturer may arise in accordance with section 1 Product Liability Act. Claims for damages may also arise in accordance with sections 823 para. 1, 2 German Civil Code and art. 82 GDPR.
• In case of breaches of data protection law and if the manufacturer is “controller” of personal data, the manufacturer can be subject to fines (art. 83 GDPR).

In Germany, there are in principle three major expected future developments – a possible EU wide AI Regulation that will also affect Germany, probable new product liability regulations and new German provisions regarding the reimbursement of digital care applications – so called "DiPAs":

• The EU Commission's proposed an AI Regulation (COM/2021/206 final – "AIA-E"). In this proposal the European Commission used a risk-based approach based on three levels: unacceptable risk, high risk and low risk. AI systems that violate fundamental rights (EU Charter of Fundamental Rights) shall be prohibited (unacceptable risk). According to the proposal, strict requirements shall apply to AI systems with high risk, which include software in medical devices (cf. article 6 para 1 in connection with annex II, no. 11 of the proposal of the AI Regulation). However, the relationship to existing regulations, in particular the MDR and the national implementation acts, has not yet been fully clarified.
• There is also a lot underway with regard to an updated EU Product Liability Regulation. For example, the fifth revision initiative of the Product Liability Directive of the European Commission is currently underway, which aims to adapt the 35-year-old European Civil Liability Directive to the Digital Age and Artificial Intelligence.
• With the implementation of the German Digital Care and Nursing Modernization Act (DVPMG) on 9 June 2021, digital care applications were introduced in the Social Long-Term Care Insurance (sections 40a, 40b Volume XI Code of Social Law - SGB XI). Details, such as the reimbursement of these digital care applications, are still being prepared by the German Federal Ministry of Health.

German physicians are subject to their own professional code of conduct (Berufsordnung der Ärzte). 

Each physician must be a member of a medical association in order to practice medicine. In Germany every chamber district has one Medical Association (Landesärztekammer) that is the regulator. On top there is the German Medical Association (Bundesärztekammer).

Each Medical Association has its own Professional Code of Conduct. All Professional Codes are oriented on a so-called Model Professional Code of Conduct by the German Medical Association. In the following responses, we refer to the regulations of the Model Professional Code of Conduct by the German Medical Association.

In the past, the Professional Codes of Conduct contained strict rules regarding telemedicine.

Under section 7 para. 4 Professional Code of Conduct by the German Medical Association exclusive remote treatment where a patient was solely treated via telemedicine was prohibited for a long time.

However, the relevant regulation regarding the prohibition of remote treatment was relaxed in 2018.

Now section 7 para. 4 sent. 2 and 3 Professional Code of Conduct by the German Medical Association regulates that under certain circumstances further specified under question 10 physicians may treat patients via telemedicine.

Besides the Professional Codes of Conduct, Telemedicine is also regulated in the German Drug Advertising Act (Heilmittelwerbegesetz).

Advertising the use of telemedicine was prohibited for a long time, cf. section 9 Drug Advertising Act.

Since 2018, advertising for remote treatment is possible under certain circumstances, cf. section 9, sent. 2, Drug Advertising Act. As a rule, a ban on advertising for remote treatments still applies. Exceptionally, however, remote treatments may be advertised using communication media if personal medical contact with the person to be treated is not required by generally accepted professional standards.

On 9 December 2021, the German Federal Supreme Court (BGH) made an important decision regarding section 9, sent. 2 German Drug Advertising Act: The term "generally accepted professional standards" used in section 9 sent. 2 and that must be met in order to be allowed to advertise telehealth treatment shall be interpreted with regard to section 630a, para. 2, German Civil Code and the principles and guidelines developed in this context. According to this, such standards can also develop over time, e.g., from the guidelines of medical societies.

The interpretation of section 9, sent. 2, will be subject to a dynamic development. It can be assumed that remote treatments will become more established and will become recognised as the so-called "gold standard" in certain areas in the next few years. Model trials have already been conducted.

The circumstances under which physicians can use telemedicine in order to treat patients are regulated in section 7, para. 4, sent. 2, 3 Professional Code of Conduct by the German Medical Association: “Exclusive consultation or treatment via communication media is permitted in individual cases if this is medically justifiable and the necessary medical care is ensured in particular by the manner in which findings are collected, consultation, treatment and documentation and the patient is also informed about the special features of exclusive consultation and treatment via communication media.”

Essentially, the following aspects must be observed:

• According to section 7, para. 4, Professional Code of Conduct by the German Medical Association, the physician can decide whether he considers remote treatment to be justifiable in the individual case.
• Such treatment can also include diagnosing a patient.
• However, it is still disputed under which circumstances physicians can issue a valid certificate of incapacity to work in remote treatment scenarios. For example, in 2018, the German Physicians' Congress rejected the issuing of a remote sick note for unknown patients that they have never treated before.
• According to the German National Association of Statutory Health Insurance (Kassenärztliche Bundesvereinigung), video consultation hours can be used by almost all groups of doctors.
• The only exceptions are laboratory physicians, nuclear medicine specialists, pathologists and radiologists.
• For psychotherapists, telemedicine should in principle only be used if there was already a personal first contact for entrance diagnostics, indication position and explanation. Moreover, if from a therapeutic view no direct personal contact is necessary.

In Germany, volume limits for treating patients via telehealth apply. There are two volume limits that must be distinguished since 1 April 2022 after the special Corona regulations – that lifted the limits - have ended. The first limit is the number of patients that a doctor may treat exclusively via telehealth per quarter (section 87 2a sentence 31 SGB V). The second limit is the volume of services that physician/psychotherapist may get renumerated for by the KV (section 87 2a sentence 30 SGB V).

The German Federal Joint Committee (Gemeinsamer Bundesausschuss.) had also temporarily relaxed the rules for issuing sick leave certificates for work, cf. section 4, para. 1, sentence 3, Work Incapacity Directive (Arbeitsunfähigkeits-Richtlinie). 

Pursuant to section 4, para. 5, sent. 2, Work Incapacity Directive the determination of incapacity for work can be done directly in person or in some cases indirectly by means of a video consultation. However, if a video consultation is sufficient depends on the illness and the individual case and is limited only to a short sick leave of up to seven days, cf. section 4, para. 5, Work Incapacity Directive.

While treatment with personal contact is still considered the so-called “gold standard,” exclusive remote treatment has been allowed by way of exception of the general rule according to the Professional Code of Conduct by the German Medical Association.

The general regulations for the clarification are to be considered sections 630e, 630h para. 2 German Civil Code and section 8 Professional Code of Conduct.

Patients must be informed about the special characteristics of remote treatment, cf. section 7, para. 4, sent. 3 Professional Code of Conduct. Verbal clarification is sufficient but should be documented in the patient's file.

Regarding data protection rules a consent is required in accordance with Art. 9 para. 2 letter a) in conjunction with Art. 7 GDPR. It should be noted, however, that according to Art. 7 para. 1 GDPR, the person responsible for data processing must be able to prove the consent of the data subject – regardless of any formal requirements. Since recordings of the video consultation hour are not permitted, at least electronic documentation of the declaration of consent will be required if the written form is not used.

No, the same standards regarding due diligence obligations are applicable.

For liability reasons, the remote treatment should be carefully documented in the patient's file.

The provisions of sections 630f and 630h para. 3 German Civil Code as well as section 10 Professional Code of Conduct must be observed.

The measures essential for current and future treatment and their results must be documented, such as:

• the master data of the patients;
• the information that the consultation took place via video;
• the medical history, diagnoses, examinations, therapies and their effects, interventions, findings, consents and clarification (also with regard to the specifics of remote treatment);
• the recommendations for further treatment and repeat referrals;
• if necessary, referral to another health care provider.

Previously, it was forbidden to prescribe any medication via telemedicine. In August 2019, the general prohibition of medicine delivery by remote prescription was abolished by deleting the previous sentences 2 and 3 of section 48 para. 1 German Medicinal Products Act (Arzneimittelgesetz).

The more telemedicine becomes established in Germany, the more relevant the so-called electronic prescription becomes. Since 1 September 2022, pharmacies in Germany must be able from a technical point of view to fill the e-prescription. The e-prescription is created and signed digitally only. The prescription code can be redeemed on the smartphone or by printout at any pharmacy in Germany.

Physicians can get reimbursement for the video consultation only after they indicated to their Association of Statutory Health Insurance Physicians that they intend to use a video service provider certified according to Annex 31b to the Federal Collective Agreement for Physicians (Bundesmantelvertrag-Ärzte). For the volume limits regarding the reimbursement of telehealth consultation see under Q10.

A list of the certified video service providers can be found online.

The video consultation hour is reimbursed via the respective insured, basic or consultation flat rate. The lump sum plus surcharges is paid in full if personal contact is made with the patient within the same quarter.

If this is not the case and the contact takes place exclusively via video, the flat rate and, if applicable, the related surcharges will be reduced.

In addition, doctors and psychotherapists can charge for services for conversations that take place via video consultation. They also receive a flat rate for technology to finance the costs.

For the additional work involved in authenticating new patients in the video consultation hour, doctors' surgeries receive a surcharge on the basic, insured or consultation flat rate.

In accordance with the German Digital Care Act (Digitale-Versorgungs-Gesetz), which has been in force since December 2019, costs for Digital Health Applications are reimbursable under national law.

To be eligible for reimbursement, the respective digital health application must be included in a list maintained by the Federal Institute for Drugs and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte).

They can be reimbursed, if the Digital Health Application has a proven so-called positive health care effect. This means either a medical benefit or patient-relevant structural or procedural improvements in care. Furthermore, the Digital Health Application shall—among other things—be designed in accordance with data protection regulations and guarantee adequate data security.

The manufacturer has to prove data protection conformity and sufficient data security.

The costs are covered by the statutory health insurance.

In addition to medical confidentiality, which means that the video consultation is not allowed to be recorded, reference can be made to Q2 regarding data protection.

The use of electronical prescriptions (E-Rezept) according to the Law for more safety in drug supply (GSAV) which came into force on 16 August 2019 is to be gradually expanded further.