Key legal aspects of implementing digital therapeutics (DTx) in Germany

For software solutions in the healthcare sector it is important to consider that the software may constitute a medical device in the sense of the EU Medical Devices Regulation (EU) 2017/745 ("MDR"). In this case, the requirements of the MDR must be observed, including obligations for quality management processes, appropriate conformity assessment procedures and CE marking. If a product is considered as medical device, the legal manufacturer has to comply with all these obligations before the product is placed on the market in Germany.  

The question whether or not the software qualifies as a medical device depends on a number of criteria, e.g. according to the MDR. The definition and the local case law may vary between the countries. 

In Germany, authorities and courts apply the MDR taking into account the available guidance on the EU level (in particular MDCG guidance) and guidance provided by the German regulator, the Federal Institute for Drugs and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte, BfArM). 

Software will qualify as a medical device in accordance with article 2 of the MDR, if the intended purpose relates to one of the following:  

• diagnosis, prevention, monitoring, treatment or alleviation of disease,  
• diagnosis, monitoring, treatment, alleviation or compensation of injuries or handicaps, 
• investigation, replacement or modification of the anatomy or of a physiological process, control of conception. 

The differentiation between a medical device and a consumer product – which does not fall within the scope of the MDR – can largely be influenced by the manufacturer who defines the intended purpose of the respective product. Mere lifestyle/everyday apps (e.g., for fitness tracking, nutritional recommendations, resilience exercises, meditation training without a medical purpose) are generally not intended for therapeutic purposes.  

Not only is the explicitly described intended purpose relevant but so are the instructions for use and the promotional materials (e.g., website, information in App Store) regarding the specific product. Possible indicative terms in connection with the intended purpose and corresponding functions can be, for example: alarming, analysing, calculating, detecting, diagnosing, interpreting, converting, measuring, controlling, monitoring, amplifying. Indicative functions for classification as a medical device can be, amongst others, the following: Decision support or decision-making software, e.g., regarding therapeutic measures; calculation, e.g., of dosing of medicines (as opposed to mere reproduction of a table from which users can deduce the dosage themselves); monitoring patients and collecting data, e.g., by measurements if the results thereof have an influence on diagnosis or therapy. Pure data storage, archiving, lossless compression (i.e., using a compression procedure that allows the exact reconstruction of the original data), communication, or simple search functions do not in themselves result in classification as a medical device. 

Medical devices are — generally speaking — assigned to risk classes. The classification is decisive for the conformity assessment procedure that the respective product must undergo. The classification is mainly based on the vulnerability of the human body (invasiveness) and takes into account the potential risks associated with the release or exchange of energy (activity) and the duration of use of the medical device. They are assigned to Classes I, IIa, IIb or III, whereby Class I comprises those products with the lowest risk potential. 

The classification rules for software devices are listed under annex VIII chapter III, rule 11 MDR. Software can fall into risk class I. However, due to the new interpretation rules this will likely be an exception only. Most software as medical device will be classified as class IIa or higher. This is important from a practical point of view because such software then needs to undergo a conformity assessment procedure applied by a notified body.  

The German authorities, courts and notified bodies are rather restrictive in this regard. The interpretation rule is, generally speaking, interpreted rather narrowly. In principle, only software that will not collect information which is intended to be shared with a healthcare professional may still be classified as class I. In the DiGA register there are several such medical devices which also qualify as class I under the MDR.  

The risk classification can become relevant when in connection with the reimbursement of the software. For instance, so far in Germany only medical devices of risk classes I and IIa may qualify as a DiGA and therefore be eligible to the DiGA reimbursement process. There is currently a political debate happening in Germany according to which also medical devices of risk class IIb should be included as eligible medical devices.  

Apart from the qualification of the product as such, often companies active in this space also wish to offer services or service components, such as coaching or elements of telemedicine. Here the question arises whether this is legally possible or whether – as is the case for instance in Germany, such healthcare services may not be provided unless the manufacturer uses physicians. This requirement can have a big impact on the design of the software and the level of service offered in a country.  

Under German law, German Health Care Practitioners' Act (Heilpraktikergesetz – "HeilprG") defines what is to be considered a medical treatment/healthcare ("Heilkunde"). According to the provision, healthcare shall be "any professionally or commercially performed activity for the determination, healing or alleviation of illnesses, suffering or bodily harm in humans, even if it is performed in the service of others". The provision of healthcare requires a license either as a physician or as another licensed healthcare practitioner. 

The distinction between the healthcare/practice of medicine and other activities that do not require a license is not absolute and not clear-cut, which is why expert opinions are regularly obtained on this question in practice. 

As a main consequence, the applicability of the HeilprG results in the acting persons or service provider being required to have the necessary license to practice medicine/healthcare according to German law as they would be practicing medicine in Germany (towards German patients).  

As an example, this would, inter alia, require them to have obtained medical or psychotherapist education and continuing training as well as successful completion of the necessary examinations in Germany or to have undergone a corresponding recognition procedure.  

As digital services are not able to obtain such license, it is crucial that a DTx without involvement of natural persons does not engage in providing healthcare services to customers.

In practice, it is thus important to take into account before entering the German market that a medical software may on the one hand qualify as a medical device – entailing the need to a quality management system and the conformity assessment of the device – and on the other hand be aimed at facilitating the provision of healthcare. In the latter case the persons delivering such services must be sufficiently qualified under German law, i.e. normally be doctors qualifies in Germany or at least Heilpraktiker.  

It is also important to note that in principle the healthcare services may not be provided by companies which are not owned by doctors, a hospital or a private clinic. This means that the provision of healthcare services by companies employing doctors is in general not in line with German law.

Since DTx will always create and use health data, data protection and data security are areas of key concern in this context. Any medical software to be offered on a given market will need to comply with local requirements in this regard. For instance, in Germany it is very difficult to use servers located in the US for the storage of data used by a health application used in Germany. Also, the German authority has set up strict rules in relation to data security.  

If Software processes personal data of the users/patients, it must comply with the applicable data protection regulations, in particular with the EU General Data Protection Regulation (“GDPR”). When processing personal data, the principles contained in art. 5 GDPR, such as the lawfulness and purpose limitation of data processing, data minimization, and the integrity and confidentiality of processing, must be taken into account. 

These rules only apply to the processing of data of individuals (regardless of citizenship) residing in the European Union (art. 3 GDPR). If they use the app outside of their jurisdiction, GDPR will still apply if the provider is a company established in the EU.  

If data is stored on the device or if data is collected from the users' device and if this is not necessary for providing the service, users must provide additional consent according to the EU “Cookie Directive” (Art. 5 (3) of Directive 2002/58/EU). The Cookie Directive is not just covering cookies but any scenario where the provider stores data on or collects data from a device. 

In addition, location tracking is also subject to consent provided it is not an essential part of the service provided. 

The GDPR always applies in B2C scenarios. The GDPR also applies in B2B scenarios if the business user is a natural person or if the user is processing personal data of other individuals via the app. If the business user is processing personal data of other individuals (e.g., patients), he or she must ensure that this complies with the GDPR (the legal ground for which will usually be a contract with the individual or consent). 

If data is stored on the device or if data is collected from the users' device and if this is not necessary for providing the service, users must provide additional consent according to the EU “Cookie Directive” (Art. 5 (3) of Directive 2002/58/EU). The Cookie Directive is not just covering cookies but any scenario where the provider stores data on or collects data from a device. 

A consent is required in accordance with Art. 9 para. 2 letter a) in conjunction with Art. 7 GDPR. It should be noted, however, that according to Art. 7 para. 1 GDPR, the person responsible for data processing must be able to prove the consent of the data subject – regardless of any formal requirements. Since recordings of the video consultation hour are not permitted, at least electronic documentation of the declaration of consent will be required if the written form is not used. 

Special requirements exist in relation to DiGA. In order to qualify as DiGA, the software must fulfill additional criteria in relation to data protection and data security, which goes beyond the GDPR requirements. These include the use of servers located primarily in Germany or in the European Union, but not in the US and the adherence to strict standards of data security. Companies in this field are well advised to carefully check early on in the product design phase whether these conditions are met.

Depending on the actual purpose of the DTx and the reimbursement route (see below under point 3), several further legal requirements need to be adhered to. One important point related to the design of the DTx is that – in order for such software to become a DiGA – it is not allowed to include advertising for further products of the same legal manufacturer or other products of other legal manufacturers in the DiGA. Advertising is not allowed. This applies to product placement, for instance, but also to links to other third party products.  

A further important point to consider is the use of data. The collection and use of data may, generally speaking, be an important aspect in the design and remuneration mechanism of a medical software. However, if the aim is to place the software on the market as a DiGA later on, the collection and use of data may not be part of the revenue generation model. For, German law prohibits such model in DiGAs.  

Advertising measures within the healthcare sector are regulated under the German Healthcare Advertising Act (Heilmittelwerbegesetz – "HWG"). For products qualifying as medical devices the stipulations of the MDR also apply directly. According to German courts Art. 7 MDR on misleading advertising applies takes precedence over the German healthcare advertising act (HWG). 

The following principles need to be considered and complied with by a DTx provider: 

DTx and other medical devices may be promoted to healthcare professionals and also to the general public in Germany. There is no prohibition to promote medical devices towards laypersons. This also applies to DiGA, i.e. DTx prescribed by doctors. 

The key stipulation for the promotion of medical device is article 7 MDR, which stipulates: 

“In the labelling, instructions for use, making available, putting into service and advertising of devices, it shall be prohibited to use text, names, trademarks, pictures and figurative or other signs that may mislead the user or the patient with regard to the device's intended purpose, safety and performance by: 

1. ascribing functions and properties to the device which the device does not have; 
2. creating a false impression regarding treatment or diagnosis, functions or properties which the device does not have; 
3. failing to inform the user or the patient of a likely risk associated with the use of the device in line with its intended purpose; 
4. suggesting uses for the device other than those stated to form part of the intended purpose for which the conformity assessment was carried out.” 

The German courts largely apply article 7 MDR directly and consider this article to take precedence over the HWG as far as it reaches. However, more specific regulations in the HWG continue to be applied. 

In the area of medical devices, it is for instance possible to use testimonials and reports of experiences, provided that these are not made in an abusive, repulsive or misleading manner. Also, advertising with thank you letters, experience sharing or other forms of gratitude are allowed as long as such advertising is not done in a misleading way. Any advertising measure must also not disguise the advertising character.  

When it comes to the advertising of remote treatment, the regulation is still rather strict. The HWG in principle prohibits the advertising of remote treatments, such as video consultations. These may only be advertised in exceptional cases, provided that personal contact with the person to be treated is not required for the remote treatment according to generally recognized professional standards. 

Under German healthcare advertising law, the provision of benefits in the context of promoting medical devices is in principle prohibited. According to Section 7 HWG, it is not permitted to offer, announce or grant benefits and other promotional gifts (goods or services) to healthcare professionals or to laypersons, unless any of the exceptions provided in the same article apply. Such exceptions exist, in particular, for benefits or promotional gifts that are of low value. Such low value is defined by the German courts at 1 Euro. The limit is therefore rather low. Another exception are rebates, be it in numbers (e.g. a lower price), be it in products of the same kind (buy one get one free) or customary accessories to the goods or customary ancillary services.  

Applying these rather strict rules to the marketing of DTx in Germany leads to the conclusion that the offering of benefits to healthcare professionals or to patients is only possible to a very limited extent. It would therefore not be allowed to combine the purchase of a DTx with a present, such as a shopping voucher or a combination with a free product. There is also a debated in Germany whether test access is permissible in light of Section 7 HWG. It seems that the majority of legal commentators considers the provision of such test access to be exceptionally permissible. As long as the test period is rather short and the purpose of such test access is to get to know the product, such access seems permissible. 

Apart from the healthcare advertising rules, the provision of benefits to healthcare professionals can also create issues under the professional code of doctors and even the criminal code. According to these rules, providing material and immaterial benefits to healthcare professionals is considered critical, in particular if such benefit is provided in order to make the healthcare professional prefer the respective product in an undue manner. 

In Germany, there are several possible routes of distributing a DTx, both to healthcare professionals and to patients. 

One possibility is to provide downloads for patients. A DTx product which complies with German law requirements may be provided via an app store and can be downloaded by patients who pay for such product. Software aimed at healthcare professionals may also be distributed like this or also via healthcare organizations.  

Another possible route is the provision of a DTx to employees by way of employee benefit programmes. The manufacturer would then offer the DTx to an organization, e.g. a large company, which would enable access for its employees.  

Distribution via cooperation partners, such as pharma companies or specialized promotion companies, who would know the German market and have access to potential customers – be it healthcare professionals be it companies – is a further route. 

Moreover, insurers, be it public be it private ones, are further potential customers who can provide the DTx to their insured. In this scenario, special contracts can be concluded with insurance companies who then recommend the DTx to their insured. One example is a contract according to Section 140a Social Security Code Fifth Book (“SGB V”).  

Finally, developing the app and registering it as a DiGA – an app on prescription – is a further way of distributing and getting reimbursed a medical app in the German healthcare system.  

Professional decision support tools are often provided to hospitals and purchased by them, be it directly in tenders.  

This Section shall further explore the different options of partnering and cooperating in the distribution and promotion of medical software/DTx and the legal considerations to take.  

One example is using a cooperation partner for the promotion of the DTx vis-à-vis physicians, hospitals or insurers. In Germany such cooperation models are on the rise, and it is important to have the right contracts in place for that.  

For example, a legal manufacturer of a medical device may want to cooperate with a pharmaceutical company. The latter has experience in addressing healthcare professionals and the necessary staff. This can be an important service provided to the legal manufacturer of the software that does not have the resources to reach healthcare professionals. The typical basis for such cooperation is a contract which has certain elements of a co-promotion agreement known from the pharmaceutical industry.  

Also, when it comes to development of new features or indications partnering with a strategic or financial investor may help. This then goes into the direction of onboarding investors.  

Another aspect are white label solutions with insurers who may wish to offer the product as part of their portfolio or even under their own name.  

This Section shall give a concise overview of possible customers and payors financing the software.  

One rather obvious route is the payment by the patient. In Germany, this route is rather difficult because patients in Germany are traditionally rather reluctant to pay for such products. This is mainly due to the high number of patients being insured with the public health insurance system. However, in certain fields, where there is a shortage of care, patients may be prepared to pay themselves for digital applications.  

Also, it is possible to find ways to get reimbursement from insurance companies, be it public or private ones. As stated above, this can be done, for instance, by way of a special contract in accordance with Section 140a SGB V or with agreements with private insurance companies. 

We have also seen projects in which insurance companies integrate certain DTx into their portfolio and offer such solutions in certain packages to their insured.  

Also, platforms may provide access to DTx products and include them in their offerings. 

Another payment model that has gained momentum in Germany recently is offering DTx in employment benefit programmes. An employer can include a medical app as a benefit to its employees. It is then the employer who pays a certain amount – be it a lumpsum per patient or a certain amount per use – to the provider of the app. For the provider of the DTx this can result in a stable flow of income and enable access to a rather large patient base.  

Lastly, in Germany there is the possibility to have the DTx recognized as DiGA. Such DiGA is then part of the normal public reimbursement system. Once the medical app is recognized and authorized as DiGA by the BfArM, it can be prescribed by a doctor and is then reimbursed by the public healthcare system and in an analogous manner by the private health insurance companies. The system is rather complex, and it takes quite some resource and time to provide all necessary study data to be recognized as DiGA.

This Section shall focus on the monetisation by sales to private parties/payors as opposed to public payors in the public healthcare system.  

At least in Germany there is a big difference between this route of reimbursement and the public route.  

One big advantage is that there is a high degree of flexibility in pricing. There are no specific rules defining the prices for medical devices paid by private parties. This is up to the negotiations of the parties and the principle of supply and demand. Unlike for healthcare services, which are regulated by the fee statute for healthcare professionals, there is free price setting in the area of medical devices.

Since roughly 90% of patients in Germany are insured with public sick funds, it is attractive for a manufacturer of a DTx to gain access to this system. Once the product is recognized by at least some of the German public health insurance companies, especially the big ones, it can be expected that there will be a certain flow of patients and related payments. Such payments are then done by the sick funds. Even though the prices may be lower than in the private sector, one considerable advantage is that the payment comes directly from the sick funds. and that the credit risk in the direct to patient segment is not relevant here.  

In order to be able to take this route, a special contractual arrangement must be concluded with the public sick funds. The Social Security Code Fifth Book (SGB V) contains regulations in this regard. The flexibility of the sick funds is limited – which is due to them being financed by the state – but there are certain ways of including innovative products, such as DTx, into the system. The usual route is the conclusion of a special care contract in accordance with Sec. 140a SGB V. The details of such contracts are rather complex, and in practice it is not that easy to convince a public sick fund to enter into such an agreement. However, if this step is taken, this can open the public route of reimbursement as several examples in the German market show

This Section shall focus on the “app on prescription”. In Germany, a DTx which qualifies as a DiGA – after a complex approval process – can be prescribed by a doctor and is then reimbursed by the public sick fund or, in an analogous manner, by private health insurance companies.  

The app on prescription, digital health applications, was introduced in Germany in 2019.  

A DiGA is a CE-marked medical device that has the following characteristics: 

• Medical device of risk class I or IIa according to MDR or, within the scope of the transitional regulations, according to MDD (guidance on the question "when is an app a medical device?" can be found here). 
• The main function of the DiGA is based on digital technologies. 
• The medical purpose is essentially achieved through the main digital function. 
• The DiGA supports the detection, monitoring, treatment or mitigation of disease or the detection, treatment, mitigation or compensation of injury or disability. 
• The DiGA is shared by the patient or by the healthcare provider and the patient. 
• The requirements are defined in Section 33a SGB V. 

The coming into force of the Digital Healthcare Act (Digitale-Versorgung-Gesetz, DVG) on 19 December 2019 marked the introduction into the healthcare system of the "app on prescription" for patients (Sections 33a and 139e of the German Social Code Book V). This means that approximately 73 million persons covered by the German statutory health insurance are entitled to use a DiGA prescribed by a physician or psychotherapist and are reimbursed by the health insurance. 

Prerequisite for the above is that a DiGA must have successfully completed the assessment of the BfArM leading to a listing in a directory of reimbursable digital health applications (DiGA directory). The Federal Ministry of Health (Bundesministerium für Gesundheit, BMG) has regulated the details of this procedure in the supplementary legal regulation, the Digital Health Applications Ordinance (Digitale Gesundheitsanwendungen-Verordnung, DiGAV).  

According to Section 33a(1) SGB V, insured individuals have the right to be provided with digital health applications if they meet the requirements and procedures for inclusion in the directory for digital health applications (DiGA directory) maintained by the Federal Institute for Drugs and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte – BfArM) under Section 139e SGB V, and if they are prescribed by a doctor or psychotherapist or approved by the health insurance company. 

To be eligible for reimbursement, the respective digital health application must be included in a list maintained by the BfArM. 

They can be reimbursed, if the Digital Health Application has a proven so-called positive health care effect. This means either a medical benefit or patient-relevant structural or procedural improvements in care. Furthermore, the Digital Health Application shall—among other things—be designed in accordance with data protection regulations and guarantee adequate data security. 

The procedure is designed as a fast-track process: Within a three-month period at most, starting with the filing of the complete application, the BfArM has to assess the DiGA. The essence of this assessment is the examination of the manufacturer’s statements about the product qualities – from data protection to interoperability and user friendliness – and the examination of the evidence of the positive healthcare effect of the DiGA provided by the manufacturer. These are effects through which the state of a patient's health or his/her possibilities for dealing with his/her disease are improved using the DiGA. 

The list of recognized DiGA can be accessed here: https://diga.bfarm.de/de 

In practice, achieving an approval and a satisfactory reimbursement price is not an easy task. Experience shows that both the application procedure, in particular in view of the necessary study data, and the negotiations on the reimbursement price require careful preparation and strategic implementation.