Digital health apps and telemedicine in Germany

Software as a medical device

Software within digital health apps can be classified as medical devices, if the intended purpose (Zweckbestimmung) relates to one of the following pursuant to article 2 of the Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, which applies from 26 May 2021 (“MDR”):

• diagnosis, prevention, monitoring, treatment or alleviation of disease,
• diagnosis, monitoring, treatment, alleviation or compensation of injuries or handicaps,
• investigation, replacement or modification of the anatomy or of a physiological process,
• control of conception. 

The differentiation between a medical device and a consumer product – which does not fall within the scope of the MDR – can largely be influenced by the manufacturer based on the intended purpose which is defined by him.

Not only is the explicitly described intended purpose relevant, e.g., for an authority decision on qualification as a medical device, but so are the instructions for use and the promotional materials (e.g., website, information in App Store) regarding the specific product.

Possible indicative terms in connection with the intended use of corresponding functions can be, for example: alarming, analysing, calculating, detecting, diagnosing, interpreting, converting, measuring, controlling, monitoring, amplifying.

Indicative functions for classification as a medical device can be, amongst others, the following:

• decision support or decision-making software, e.g., regarding therapeutic measures,
• calculation, e.g., of dosing of medicines (as opposed to mere reproduction of a table from which users can deduce the dosage themselves),
• monitoring patients and collecting data, e.g., by measurements if the results thereof have an influence on diagnosis or therapy.

Pure data storage, archiving, lossless compression (i.e., using a compression procedure that allows the exact reconstruction of the original data), communication, or simple search functions do not in themselves result in classification as a medical device.

Classification

Medical devices are — generally speaking — assigned to risk classes. The classification is decisive for the conformity assessment procedure that the respective product must undergo. The classification is mainly based on the vulnerability of the human body (invasiveness) and takes into account the potential risks associated with the release or exchange of energy (activity) and the duration of use of the medical device. They are assigned to classes I, II a, II b or III, whereby class I comprises those products with the lowest risk potential.

A key difference between the former regulations of the German Medical Device Act ("MPG") and the MDR are the classification rules for software medical devices.

According to rules 9 to 12 most medical apps belonged to risk class I under the MPG. The classification rules for software devices that apply now are listed under annex VIII chapter III, rule 11 MDR. In principle, it is still possible for a software medical device to fall into class I under the MDR. However, the applicable rules tend to be interpreted widely in Germany.  The Higher Regional Court in Hamburg has stated in a widely discussed decision dated 20. June 2024 (no. 3 U 3/24) that the relevant classification rules need to be interpreted broadly.  Applying such a broad view risks undermining the role of class I, even in the context of software products that resemble more of a communication tool than a decision support medical device.  In practice, it is therefore challenging to argue that medical software still is classified as class I under the MDR.  On the other hand, there are several medical devices and digital health applications that are qualified as class I products.

If a product is considered a medical device, it is necessary to affix it with a CE marking, cf. Article 20 and Annex V of the MDR.

CE-Mark

If the manufacturer brings a medical device onto the market or puts it into operation without the required CE marking, this constitutes an administrative offence in case of negligence and a criminal offence in case of intent. According to article Article 113 MDR, member states lay down the sanctions applicable to infringements of the provisions of the MDR and take all necessary measures to enforce them. In Germany, sanctions are regulated in section 92 et seq. Medical Devices Implementation Act. (See also Q6). Furthermore, this is a so-called “unfair act” within the meaning of the German Unfair Competition Act (UWG, Gesetz gegen den unlauteren Wettbewerb), so that the manufacturer can be sued for stopping distribution and for damage.

Software within digital health apps as medical devices can be qualified as “products” to which liability can attach.

The term “products” often refers only to movable, physical objects. There are some doubts in the legal literature whether software can also be covered by the product definition.

However, these doubts are now likely to be cleared with the Product Liability Directive (EU 2024/2853) that came into force in December 2024. The Product Liability Directive generally includes Software in its product definition. The fact that software is explicitly mentioned in the MDR in our opinion also speaks in favour of including software in the scope of application of product liability law.

Currently, the applicable rules are section 1 Product Liability Act (Produkthaftungsgesetz), sections 823 para. 1 and 831 as well as section 823 para. 2 of the German Civil Code (Bürgerliches Gesetzbuch) in connection with Article 5 para. 1 and 2 MDR. It is now up to the national legislators in Germany to implement the provisions of the Product Liability Directive into German law.

Special provisions that focus on liability regarding artificial intelligence within the software of digital heath apps does not – so far – exist in German law. The AI-Act (EU 2024/1689) that came into force in 2024 does not contain comprehensive product liability regulations. Alternatively, the EU Commission used a risk-based approach based on three levels:  unacceptable risk, high risk, and low risk.  AI systems that violate fundamental rights (EU Charter of Fundamental Rights) are prohibited (i.e., unacceptable risk).

In September 2022, the EU Commission drafted a proposal for an Artificial Intelligence Liability Directive (proposal COM (2022) 496 final), proposing a strict liability regime for operators of high-risk AI systems. However, in February 2025, the EU Commission withdrew the Artificial Intelligence Liability Directive from consideration.  According to the Annex of the EU Commission's 2025 work programme, the Commission will assess whether another proposal will be tabled or another type of approach will be chosen.

There aren't exclusions or limitations of liability that apply solely to the liability of software medical devices.

Rather, the liability exclusions that also apply to other products are applicable.

The liability according to the German Civil Code requires, for example, negligence. According to the Product Liability Act, the manufacturer's obligation to pay compensation is excluded under certain conditions, cf. section 1 para. 2 Product Liability Act.

Furthermore, the duties of vigilance and observation apply to both medical products and other products.

• So-called digital health applications are software medical devices that can be prescribed by a doctor in Germany and whose costs for patients are covered by the statutory health insurance funds. Which software medical devices can be reimbursed by the health insurance funds in Germany depends on whether the software is listed as (i) a DiGA in the so-called "DiGA Directory" of the Federal Office for Drugs and Medical Devices (BfArM) or (ii) a DiPA in the so-called "DiPA Directory" of the BfArM. For this purpose, the manufacturer must carry out an extensive application process, which, in addition to the requirements for the software's status as a medical device, also includes comprehensive data protection requirements. In addition, studies on a so-called "positive supply effect" for DiGAs and "proof of nursing benefits" for DiPAs must be submitted for a permanent listing. The BfArM published new test criteria for data protection in digital health applications and digital care applications. The criteria are to serve as a basis for certificates issued in the future, with which manufacturers are to prove the data protection conformity of their applications. An accredited body certifies them. Only after "successful implementation, testing and auditing" will the certificate be issued. As soon as manufacturers apply for inclusion in the DiGA or DiPA directory, the certificate shall be submitted to the BfArM. The DiPA Directory is currently not accessible as no application has been approved as of March 2025. The care insurance funds in Germany only cover EUR 53 per month per patient for a DiPA including any additional support that may be needed.
• If Software processes personal data of the users/patients, it must comply with the applicable data protection regulations, in particular with the EU General Data Protection Regulation (“GDPR”).
• When processing personal data, the principles contained in art. 5 GDPR, such as the lawfulness and purpose limitation of data processing, data minimization, and the integrity and confidentiality of processing, must be taken into account.
• The new Regulation (EU 2025/327) on the European Health Data Space ("EHDS") that came into force in March 2025 can also have an effect on digital health apps.  With the EHDS, the European legislator aims to promote the prevention, detection and cure of diseases, as well as informed, evidence-based decisions to improve the accessibility, effectiveness and sustainability of health systems.  The EHDS shall inter alia enable the manufacturers of digital health apps to efficiently and securely access a large number of data (e.g., medical images) to train the AI algorithm and optimise its accuracy and effectiveness before applying for market approval.
• Since 1 July 2024, digital health software that is financed by public health insurance companies and provided via a cloud computing system requires a C5 attestation (section 393 SGB V).  C5 is framework published by the German Federal Cybersecurity authority (“BSI”) and the C5 framework is based on but going beyond requirements of ISO 27001.  The C5 attestation must cover the infrastructure (such as Azure or AWS) but also the software.  Substitutes for the required C5 attestation are specified in an Ordinance which allows companies to replace the C5 attestation with an ISO DIN EN ISO/IEC 27001:2022 certification provided that the digital health software provider has adopted a roadmap to obtain C5 attestation within the next 24 months.  In addition, health data of patients may only be processed in the EU or a third country subject to an adequacy decision of the EU Commission under GDPR.

The costs of the DiGA and DiPA are only covered by statutory health insurance funds/ care insurance funds for their members.  Where the DiGA or DiPA is used (within their jurisdiction or outside their jurisdiction) has no effect.

The rules in Q2 only apply to the processing of data of individuals (regardless of citizenship) residing in the European Union (Art. 3 GDPR and Art. 1 EHDS). If they use the app outside of their jurisdiction, GDPR will still apply if the provider is a company established in the EU.

B2B/B2C

• DiGAs and DiPAs are B2C services.
• The GDPR always applies in B2C scenarios.
• The GDPR also applies in B2B scenarios if the business user is a natural person or if the user is processing personal data of other individuals via the app. If the business user is processing personal data of other individuals (e.g., patients), he or she must ensure that this complies with the GDPR (the legal ground for which will usually be a contract with the individual or consent).
• In addition, special requirements may arise regarding the information content of instruction manuals according to annex I chapter III number 23 MDR. For example, medical devices that are only intended for the end user are subject to higher requirements regarding the scope of the instructions for use than products that are only used between physicians (B2B).

If data is stored on the device or if data is collected from the users' device and if this is not necessary for providing the service, users must provide additional consent according to the EU “Cookie Directive” (Art. 5 (3) of Directive 2002/58/EU). The Cookie Directive is not just covering cookies but any scenario where the provider stores data on or collects data from a device.

In addition, location tracking is also subject to consent provided it is not an essential part of the service provided.

• Yes, the physician is responsible for the selection of methods how to treat patients and thus also for the selection of the right app/software in relation to its intended purpose, just as the physician is responsible for the selection of the appropriate therapy or medicine.
• The manufacturer is liable according to the principles of product liability on the basis of section 1 Product Liability Act and section 823 German Civil Code if the product has a default. However, the medical decision at the end cannot (and must not) be made by the software but by the physician.

• Under the article 113 MDR member states shall lay down the sanctions applicable to infringements of the provisions of the MDR and take all necessary measures to enforce them. In Germany the legal consequences for non-compliance regarding the CE marking are regulated in sections 92, 93, 94 and 95 Medical Devices Implementation Act and may include imprisonment, fines and the seizure of goods. The respective sanction depends above all on whether negligence or intent is involved.
• In the event of product defects, claims for damages against the manufacturer may arise in accordance with section 1 Product Liability Act. Claims for damages may also arise in accordance with sections 823 para. 1, 2 German Civil Code and art. 82 GDPR.
• In case of breaches of data protection law and if the manufacturer is “controller” of personal data, the manufacturer can be subject to fines (art. 83 GDPR).

In Germany, there are in principle two major expected future developments the further implementation of the European product liability law and changes in the remuneration of digital health applications.  Another major expected future development, - the plan for an EU wide AI Liability Directive, - was withdrawn by the EU Commission in February 2025 (see Question 1.1).

• The reform of European product liability law through the Product Liability Directive (EU 2024/2853) means a significant tightening of product liability for companies and aims to increase the level of protection for consumers in Europe.  The Member Sstates must implement the directive into national law by 9 December 2026.  For products placed on the market before the new directive is implemented, the previous rules will apply.
• From 2026, 20% of the amount of remuneration for a digital health application (DiGA) shall depend on its successful application.  Success shall be determined by so-called "application-based performance measurements", cf. section 134 para. 1 SGB V.  How exactly the success measurement shall be applied has not yet been conclusively clarified.  Under the previous government, a draft bill from the Federal Ministry of Health was published in January 2025.  It remains to be seen whether the draft bill will also be passed by the new parliament in this form.

German physicians are subject to their own professional code of conduct (Berufsordnung der Ärzte). 

Each physician must be a member of a medical association in order to practice medicine. In Germany every chamber district has one Medical Association (Landesärztekammer) that is the regulator. On top there is the German Medical Association (Bundesärztekammer).

Each Medical Association has its own Professional Code of Conduct. All Professional Codes are oriented on a so-called Model Professional Code of Conduct by the German Medical Association. In the following responses, we refer to the regulations of the Model Professional Code of Conduct by the German Medical Association.

In the past, the Professional Codes of Conduct contained strict rules regarding telemedicine.

Under section 7 para. 4 Professional Code of Conduct by the German Medical Association exclusive remote treatment where a patient was solely treated via telemedicine was prohibited for a long time.

However, the relevant regulation regarding the prohibition of remote treatment was relaxed in 2018.

Now section 7 para. 4 sent. 2 and 3 Professional Code of Conduct by the German Medical Association regulates that under certain circumstances further specified under question 10 physicians may treat patients via telemedicine.

Besides the Professional Codes of Conduct, Telemedicine is also regulated in the German Drug Advertising Act (Heilmittelwerbegesetz).

Advertising the use of telemedicine was prohibited for a long time, cf. section 9 Drug Advertising Act.

Since 2018, advertising for remote treatment is possible under certain circumstances, cf. section 9, sent. 2, Drug Advertising Act. As a rule, a ban on advertising for remote treatments still applies. Exceptionally, however, remote treatments may be advertised using communication media if personal medical contact with the person to be treated is not required by generally accepted professional standards.

On 9 December 2021, the German Federal Supreme Court (BGH) made an important decision regarding section 9, sent. 2 German Drug Advertising Act: The term "generally accepted professional standards" used in section 9 sent. 2 and that must be met in order to be allowed to advertise telehealth treatment shall be interpreted with regard to section 630a, para. 2, German Civil Code and the principles and guidelines developed in this context. According to this, such standards can also develop over time, e.g., from the guidelines of medical societies.

The interpretation of section 9, sent. 2, will be subject to a dynamic development. It can be assumed that remote treatments will become more established and will become recognised as the so-called "gold standard" in certain areas in the next few years. Model trials have already been conducted.

The circumstances under which physicians can use telemedicine in order to treat patients are regulated in section 7, para. 4, sent. 2, 3 Professional Code of Conduct by the German Medical Association: “They may use communication media to support their work.  In individual cases, exclusive counselling or treatment via communication media is permitted if this is medically justifiable and the necessary medical care is provided, in particular with regard to the manner in which findings are recorded, counselling, treatment and documentation are carried out, and the patient is also informed about the special features of exclusive counselling and treatment via communication media."

Essentially, the following aspects must be observed:

• According to section 7, para. 4, Professional Code of Conduct by the German Medical Association, the physician can decide whether he or she considers remote treatment to be justifiable in the individual case.
• Such treatment can also include making a diagnosis.
• Under certain conditions, a valid certificate of incapacity to work can also be made after a video or telephone consultation.  In both cases, this applies to illnesses that do not show severe symptoms. The treating physicians decide whether this applies in individual cases. It is at the physician's discretion to decide whether the determination of incapacity to work can be made by telephone or whether an examination by video or in person is required.
• Physicians are allowed to provide their SHI medical services in the form of video consultations outside of the SHI doctor's office (section 24, para 8, Physicians Licensing Regulation (Ärzte-ZV)).  However, physicians must continue to fulfil their existing obligations to offer minimum consultation hours and open consultation hours at the SHI physician's practice site.
• Since 1 April 2025, doctors are able to treat up to 50% of their cases per quarter exclusively via telemedicine, provided that the patients are known to the doctor.  The limit for unknown patients remains at 30%.
• According to the German National Association of Statutory Health Insurance (Kassenärztliche Bundesvereinigung), video consultation hours can be used by almost all groups of doctors.
  • The only exceptions are laboratory physicians, nuclear medicine specialists, pathologists and radiologists.
• For psychotherapists, telemedicine should in principle only be used if there was already a personal first contact for entrance diagnostics, indication position and explanation. Moreover, if from a therapeutic view no direct personal contact is necessary.

While treatment with personal contact is still considered the so-called “gold standard,” exclusive remote treatment has been allowed by way of exception of the general rule according to the Professional Code of Conduct by the German Medical Association.  Civil law obligations under the treatment contract between doctors and patients, in particular regarding information and clarification (section 630 e German Civil Code), the requirement for consent (section 630 d German Civil Code), and the documentation obligations (section 630 f German Civil Code), also apply to treatments using telemedicine.

The general regulations for the clarification are to be considered sections 630e, 630h para. 2 German Civil Code and section 8 Professional Code of Conduct.

Patients must be informed about the special characteristics of remote treatment, cf. section 7, para. 4, sent. 3 Professional Code of Conduct. Verbal clarification is sufficient but should be documented in the patient's file.

Regarding data protection rules a consent is required in accordance with Art. 9 para. 2 letter a) in conjunction with Art. 7 GDPR. It should be noted, however, that according to Art. 7 para. 1 GDPR, the person responsible for data processing must be able to prove the consent of the data subject – regardless of any formal requirements. Since recordings of the video consultation hour are not permitted, at least electronic documentation of the declaration of consent will be required if the written form is not used.

No, the same standards regarding due diligence obligations are applicable.

For liability reasons, the remote treatment should be carefully documented in the patient's file.

The provisions of sections 630f and 630h para. 3 German Civil Code as well as section 10 Professional Code of Conduct must be observed.

The measures essential for current and future treatment and their results must be documented, such as:

• the master data of the patients;
• the information that the consultation took place via video;
• the medical history, diagnoses, examinations, therapies and their effects, interventions, findings, consents and clarification (also with regard to the specifics of remote treatment);
• the recommendations for further treatment and repeat referrals;
• if necessary, referral to another health care provider.

Previously, it was forbidden to prescribe any medication via telemedicine. In August 2019, the general prohibition of medicine delivery by remote prescription was abolished by deleting the previous sentences 2 and 3 of section 48 para. 1 German Medicinal Products Act (Arzneimittelgesetz).

From 1 January 2024, the electronic prescription (“e-prescription”) was introduced as a mandatory standard in the provision of medicinal products.  The e-prescription is created and signed digitally only.  The prescription code can be redeemed on a smartphone or by printout at any pharmacy in Germany.  Since 1 September 2022, pharmacies in Germany must be technologically able to fill the e-prescription.

Physicians can get reimbursement for the video consultation only after they indicated to their Association of Statutory Health Insurance Physicians that they intend to use a video service provider certified according to Annex 31b to the Federal Collective Agreement for Physicians (Bundesmantelvertrag-Ärzte). For the volume limits regarding the reimbursement of telehealth consultation see under Q10.

A list of the certified video service providers can be found online.

The video consultation hour is reimbursed via the respective insured, basic or consultation flat rate. The lump sum plus surcharges is paid in full if personal contact is made with the patient within the same quarter.

If this is not the case and the contact takes place exclusively via video, the flat rate and, if applicable, the related surcharges will be reduced.

In addition, doctors and psychotherapists can charge for services for conversations that take place via video consultation. They also receive a flat rate for technology to finance the costs.

For the additional work involved in authenticating new patients in the video consultation hour, doctors' surgeries receive a surcharge on the basic, insured or consultation flat rate.

In accordance with the German Digital Care Act (Digitale-Versorgungs-Gesetz), which has been in force since December 2019, costs for Digital Health Applications are reimbursable under national law.

To be eligible for reimbursement, the respective digital health application must be included in a list maintained by the Federal Institute for Drugs and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte).

They can be reimbursed, if the Digital Health Application has a proven so-called positive health care effect. This means either a medical benefit or patient-relevant structural or procedural improvements in care. Furthermore, the Digital Health Application shall—among other things—be designed in accordance with data protection regulations and guarantee adequate data security.

The manufacturer has to prove data protection conformity and sufficient data security.

The costs are covered by the statutory health insurance.

In addition to medical confidentiality, which means that the video consultation is not allowed to be recorded, reference can be made to Q2 regarding data protection.

The use of electronical prescriptions (E-Rezept) according to the Law for more safety in drug supply (GSAV) which came into force on 16 August 2019, is to be gradually expanded further in the context of digital health applications, care services and remedies (Section 360  SGB V).  

The introduction of the electronic patient record (“ePA”) began on 15 January 2025 for all those with statutory health insurance who did not object to the provision of the ePA.  From the time their respective health insurance company provides the electronic health record, insured persons can upload documents to their electronic health record or have them uploaded by the health insurance companies and view their medication list or the billing data via the electronic health record app.  Likewise, from 15 January 2025, participating doctors and other service providers in the model regions of Hamburg and the surrounding area, Franconia and parts of North Rhine-Westphalia began using the electronic health record.  During this controlled introductory phase, their systems are being carefully checked for reliable usability.  After the successful completion of the introductory phase in the model regions, the ePA will then be used by service providers throughout the country.

The National Association of Statutory Health Insurance Physicians (Kassenärztliche Bundesvereinigung) must set up an electronic system by June 2025 that records the referral of treatment appointments for telemedical services (370a para. 1 sent. 2 SGB V)..