The Federal Office for Drugs and Medical Devices has published revised test criteria for data protection for digital health applications.
The Federal Office for Drugs and Medical Devices (BfArM) has published new test criteria for data protection in digital health applications (DiGA) and digital care applications (DiPA). The criteria are intended to serve as the basis for certificates to be issued in the future, with which manufacturers will have to prove the data protection conformity of their applications. Certification is carried out by an accredited body, and the certificate is only issued after “successful implementation, testing and auditing”. When manufacturers apply for inclusion in the DiGA or DiPA directory, the certificate is submitted to the BfArM.
Digital health applications have been prescribable by doctors and psychotherapists for around two years. The sometimes criticized high costs of the “apps on prescription” are borne by the health insurance companies. In the past, there have repeatedly been incidents in which the data protection of these apps showed deficiencies that manufacturers then had to rectify.
Also for digital care applications
The data protection requirements that have now been published also apply to digital care applications (DiPA). The BfArM sees itself as one of the first authorities within the EU to develop a certificate that strengthens patient rights in data protection. Because of the European coordination process, the test criteria may still change.
According to the BfArM, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the Federal Office for Information Security (BSI) were involved in drawing up the new test criteria. The criteria are also said to meet both the requirements of the General Data Protection Regulation and the “extended requirements for DiGA and DiPA”. According to the BfArM, with the “First Ordinance to Amend the Digital Health Applications Ordinance (1. DiGAVÄndV) and the amendment to § 139e Fifth Book of the Social Code (SGB V)”, the legislator has expanded the regulations, which “provide for an even more intensive examination and the submission of a data protection certificate”.