Digital health apps and telemedicine in Germany

Software as a medical device

Software within digital health apps can be classified as medical devices, if the intended purpose relates to one of the following pursuant to section 3 no. 1 Medical Devices Act (“MPG”, Medizinproduktegesetz) and article 2 of the Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, which shall apply from 26 May 2021 (as established by Regulation (EU) 2020/561) (“MDR”):

1. diagnosis, prevention, monitoring, treatment or alleviation of disease,
2. diagnosis, monitoring, treatment, alleviation or compensation of injuries or handicaps,
3. investigation, replacement or modification of the anatomy or of a physiological process,
4. control of conception.  

The differentiation between a medical device and a consumer product - which does not fall within the scope of the MPG and MDR – can largely be influenced by the manufacturer based on the intended purpose which is defined by him.

Not only is the explicitly described intended purpose (Zweckbestimmung) relevant, e.g., for an authority decision on qualification as a medical device, but so are the instructions for use and the promotional materials (e.g., website, information in App Store) regarding the specific product.

Possible indicative terms in connection with the intended use of corresponding functions can be, for example: 

• alarming, analysing, calculating, detecting, diagnosing, interpreting, converting, measuring, controlling, monitoring, amplifying.  

Indicative functions for classification as a medical device can be, amongst others, the following:

1. decision support or decision-making software, e.g., regarding therapeutic measures,
2. calculation, e.g., of dosing of medicines (as opposed to mere reproduction of a table from which users can deduce the dosage themselves),
3. monitoring patients and collecting data, e.g., by measurements if the results thereof have an influence on diagnosis or therapy.

Pure data storage, archiving, lossless compression (i.e., using a compression procedure that allows the exact reconstruction of the original data), communication, or simple search functions do not in themselves result in classification as a medical device.

Classification

Medical devices are—generally speaking—assigned to risk classes. The classification is decisive for the conformity assessment procedure that the respective product must undergo. The classification is mainly based on the vulnerability of the human body (invasiveness) and takes into account the potential risks associated with the release or exchange of energy (activity) and the duration of use of the medical device. They are assigned to Classes I, II a, II b or III, whereby Class I comprises those products with the lowest risk potential.

A key difference between the regulations of the MPG and the MDR are the classification rules for software medical devices.

According to the MPG, the classification of medical devices is based on section 13 para. 1 MPG in conjunction with Annex VIII of the Directive 93/42/EEC (“MDD”). According to rules 9 to 12 most medical apps belong to risk class I. 

They can, however, also be classified as Class IIa or IIb medical devices, for example when diagnosing or controlling vital functions since the health risks for the user are increased.

Under annex VIII chapter III, rule 11 MDR, the classification rules for software devices are listed. In principle, it is still possible for a software medical device to fall into Class I. However, according to the views expressed in the German legal literature, it is assumed that software medical devices will have to be upgraded in principle and will generally fall under Class IIa.

CE-Mark

If a product is considered as medical device, it is necessary to affix it with a CE marking, cf. section 6 MPG, article 20 and annex V MDR. 

If the manufacturer brings a medical device onto the market or puts it into operation without the required CE marking, this constitutes an administrative offence in case of negligence and a criminal offence in the case of intent, sections 41 no. 2, 42 para 1 MPG, article 113 MDR according to which member states lay down the sanctions applicable to infringements of the provisions of the MDR and take all necessary measures to enforce them. Member States may submit these provisions to the Commission by 25 February 2021. In Germany, sanctions are regulated in section 92 et seq. Medical Devices Implementation Act. (See also Q6). Furthermore, this is a so-called “unfair act” within the meaning of the German Unfair Competition Act (“UWG”, Gesetz gegen den unlauteren Wettbewerb), so that the manufacturer can be sued for stopping distribution and for damages

1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?

Software within digital health apps as medical devices can be qualified as “products” to which liability can attach.

The term “products” often refers only to movable, physical objects. There are some doubts in the legal literature whether software can also be covered by the product definition. 

The fact that software is explicitly mentioned in the MDR is a justified basis for this discussion and in our opinion speaks in favour of including software in the scope of application of product liability law.
Thus, strong arguments support the fact that the general rules on product liability apply also to software medical devices. 

The applicable rules are section 1 Product Liability Act (Produkthaftungsgesetz) , sections 823 para 1and 831 as well as section 823 para 2 of the German Civil Code (Bürgerliches Gesetzbuch) in connection with section 4 MPG. 

Special provisions that focus on liability, e.g., regarding artificial intelligence within the software of digital heath apps does not– so far–exist in German law.

1.2 If your response to Q1.1 is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)?

There aren't exclusions or limitations of liability that apply solely to the liability of software medical devices. 
Rather, the liability exclusions that also apply to other products are applicable. 

The liability according to the German Civil Code requires, for example, negligence. According to the Product Liability Act, the manufacturer's obligation to pay compensation is excluded under certain conditions, cf. section 1 para 2 Product Liability Act.

Furthermore, the duties of vigilance and observation apply to both medical products and other products.

• If Software processes personal data of the users/patients, it must comply with the applicable data protection regulations, in particular with the EU General Data Protection Regulation (“GDPR”).
• When processing personal data, the principles contained in art. 5 GDPR, such as the lawfulness and purpose limitation of data processing, data minimization, and the integrity and confidentiality of processing, must be taken into account.

3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction.

The rules in Q2 only apply to the processing of data of individuals (regardless of citizenship) residing in the European Union (art. 3 GDPR). If they use the app outside of their jurisdiction, GDPR will still apply if the provider is a company established in the EU. 

3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service.

B2B/B2C

• The GDPR always applies in B2C scenarios.
• The GDPR also applies in B2B scenarios if the business user is a natural person or if the user is processing personal data of other individuals via the app. If the business user is processing personal data of other individuals (e.g., patients), he or she must ensure that this complies with the GDPR (the legal ground for which will usually be a contract with the individual or consent).
• In addition, special requirements may arise regarding the information content of instruction manuals according to annex I chapter III number 23 MDR. For example, medical devices that are only intended for the end user are subject to higher requirements regarding the scope of the instructions for use than products that are only used between physicians (B2B). 

If data is stored on the device or if data is collected from the users' device and if this is not necessary for providing the service, users must provide additional consent according to the EU “Cookie Directive” (Art. 5 (3) of Directive 2002/58/EU). The Cookie Directive is not just covering cookies but any scenario where the provider stores data on or collects data from a device. 

In addition, location tracking is also subject to consent provided it is not an essential part of the service provided. 

• Yes, the physician is responsible for the selection of methods how to treat patients and thus also for the selection of the right app/software in relation to its intended purpose, just as the physician is responsible for the selection of the appropriate therapy or medicine.
• The manufacturer is liable according to the principles of product liability on the basis of section 1 ProdHaftG and section 823 if the product has a default. However, the medical decision at the end cannot (and must not) be made by the software but by the physician.

• Under the current law, the legal consequences for non-compliance regarding the CE marking are regulated in sections 40, 41, 42, and 43 MPG and contain imprisonment, fines and the seizure of goods. The respective sanction depends above all on whether negligence or intent is involved.
• Under the article 113 MDR member states shall lay down the sanctions applicable to infringements of the provisions of the MDR and take all necessary measures to enforce them. Member States may submit these provisions to the Commission by 25 February 2021. In Germany, sanctions are regulated in section 92 et seq. Medical Devices Implementation Act.
• In the event of product defects, claims for damages against the manufacturer may arise in accordance with section 1 ProdHaftG. Claims for damages may also arise in accordance with sections 823 para. 1, 2 BGB and art. 82 GDPR.
• In case of breaches of data protection law and if the manufacturer is “controller” of personal data, the manufacturer can be subject to fines (art. 83 GDPR).

The legal framework applicable to Digital Health Apps/Software will be affected by the application of the new EU Regulation 2017/745 (“MDR”), which will apply from May 2021.

Please see the answers to questions Q1 to Q6 for the relevant regulatory provisions.

German physicians are subject to their own professional code of conduct (Berufsordnung der Ärzte). 

Each physician must be a member of a medical association in order to practice medicine. In Germany every chamber district has one Medical Association (Landesärztekammer) that is the regulator. On top there is the German Medical Association (Bundesärztekammer).

Each Medical Association has its own Professional Code of Conduct. All Professional Codes are oriented on a so-called Model Professional Code of Conduct by the German Medical Association. In the following responses, we refer to the regulations of the Model Professional Code of Conduct by the German Medical Association.

In the past, the Professional Codes of Conduct contained strict rules regarding telemedicine.

Under section 7 para 4 Professional Code of Conduct by the German Medical Association exclusive remote treatment where a patient was solely treated via telemedicine was prohibited for a long time.

However, the relevant regulation regarding the prohibition of remote treatment was relaxed in 2018. 

Now Section 7 para. 4 sent. 2 and 3 Professional Code of Conduct by the German Medical Association regulates that under certain circumstances further specified under question 10 that physicians may treat patients via telemedicine.

Besides the Professional Codes of Conduct, Telemedicine is also regulated in the German Drug Advertising Act (Heilmittelwerbegesetz). 

Advertising the use of telemedicine was prohibited for a long time, cf. section 9 Drug Advertising Act. 

Since 2018, advertising for remote treatment is possible under certain circumstances, cf. section 9 sent. 2 Drug Advertising Act. As a rule, a ban on advertising for remote treatments still applies. Exceptionally, however, remote treatments may be advertised using communication media if personal medical contact with the person to be treated is not required by generally accepted professional standards.

Very interesting in the context of a more global approach is a recent judgment of the Higher Regional Court of Munich from July 2020, after a ban on advertising remote treatments - at that time still the strict remote treatment advertising ban before the change in the law - even exists if the treating physicians are located in a different country (here Switzerland) and the advertisement is accessible in Germany.

10.1 What are the requirements?

The circumstances under which physicians can use telemedicine in order to treat patients are regulated in section 7 para. 4 sent. 2, 3 Professional Code of Conduct by the German Medical Association: “Exclusive consultation or treatment via communication media is permitted in individual cases if this is medically justifiable and the necessary medical care is ensured in particular by the manner in which findings are collected, consultation, treatment and documentation and the patient is also informed about the special features of exclusive consultation and treatment via communication media.”

Essentially, the following aspects must be observed:

• According to section 7 para 4 Professional Code of Conduct by the German Medical Association, the physician can decide whether he considers remote treatment to be justifiable in the individual case.
• Such treatment can also include diagnosing a patient.
• However, it is still disputed under which circumstances physicians can issue a valid certificate of incapacity to work in remote treatment scenarios. For example, in 2018, the German Physicians' Congress rejected the issuing of a remote sick note for unknown patients that they have never treated before.
• According to the German National Association of Statutory Health Insurance (Kassenärztliche Bundesvereinigung), video consultation hours can be used by almost all groups of doctors.
• The only exceptions are laboratory physicians, nuclear medicine specialists, pathologists and radiologists. 
• For psychotherapists, telemedicine should in principle only be used if there was already a personal first contact for entrance diagnostics, indication position and explanation. Moreover, if from a therapeutic view no direct personal contact is necessary.

10.2 Were there any new (time-limited) regulation regarding the Sars-CoV-2 pandemic?

Up until the Sars-CoV-2-pandemic, the number of treatment cases and medical services provided by a doctor via a video consultation should be limited to 20% in order to be reimbursed through the public health insurance funds.

Due to the Sars-CoV-2-pandemic, physicians are currently allowed to treat their patients unlimited via video consultation.

The background to this was that patients with symptoms of illness should be able to stay at home if possible, to reduce the risk of infection.

The German Federal Joint Committee (Gemeinsamer Bundesausschuss.) had also temporarily relaxed the rules for issuing sick leave certificates for work, cf. section 4 Abs. 1 S. 3 AU-RL (Arbeitsunfähigkeits-Richtlinie). 

Until June 2020, in certain cases, a telephone call was sufficient for sick leave. When the number of cases during the pandemic dropped, this option was revoked. 

However, in winter 2020 after the numbers increased again, the option is possible again since 7 October 2020. A time limit was not defined. The patient can only be put on sick leave once via video consultation - and for a maximum of one week. If he is still unable to work afterwards, he has to go to the medical office.

While treatment with personal contact is still considered the so-called “gold standard,” exclusive remote treatment has been allowed by way of exception of the general rule according to the Professional Code of Conduct by the German Medical Association.

11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.

The general regulations for the clarification are to be considered sections 630e, 630h para. 2 German Civil Code and section 8 Professional Code of Conduct.

Patients must be informed about the special characteristics of remote treatment, cf. section 7 para. 4 sent. 3 Professional Code of Conduct. Verbal clarification is sufficient but should be documented in the patient's file.

Regarding data protection rules a consent is required in accordance with Art. 9 para. 2 letter a) in conjunction with Art. 7 GDPR. It should be noted, however, that according to Art. 7 para. 1 GDPR, the person responsible for data processing must be able to prove the consent of the data subject – regardless of any formal requirements. Since recordings of the video consultation hour are not permitted, at least electronic documentation of the declaration of consent will be required if the written form is not used.

11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?

No, the same standards regarding due diligence obligations are applicable. 

For liability reasons, the remote treatment should be carefully documented in the patient's file. 

The provisions of sections 630f and 630h para. 3 German Civil Code as well as section 10 Professional Code of Conduct must be observed. 

The measures essential for current and future treatment and their results must be documented, such as:

• the master data of the patients;
• the information that the consultation took place via video;
• the medical history, diagnoses, examinations, therapies and their effects, interventions, findings, consents and clarification (also with regard to the specifics of remote treatment);
• the recommendations for further treatment and repeat referrals;
• if necessary, referral to another health care provider.

Previously, it was forbidden to prescribe any medication via telemedicine. 

In August 2019, the general prohibition of medicine delivery by remote prescription was abolished by deleting the previous sentences 2 and 3 of section 48 para. 1 German Medicinal Products Act (Arzneimittelgesetz).

Physicians can get reimbursement for the video consultation only after they indicated to their Association of Statutory Health Insurance Physicians that they intend to use a video service provider certified according to Annex 31b to the Federal Collective Agreement for Physicians (Bundesmantelvertrag-Ärzte). 

A list of the certified video service providers can be found online.

The video consultation hour is reimbursed via the respective insured, basic or consultation flat rate. The lump sum plus surcharges is paid in full if personal contact is made with the patient within the same quarter. 

If this is not the case and the contact takes place exclusively via video, the flat rate and, if applicable, the related surcharges will be reduced.

In addition, doctors and psychotherapists can charge for services for conversations that take place via video consultation. They also receive a flat rate for technology to finance the costs.

For the additional work involved in authenticating new patients in the video consultation hour, doctors' surgeries receive a surcharge on the basic, insured or consultation flat rate.

13.1 If so, are there any special provisions about the reimbursement/coverage of costs regarding the use of mobile apps that can combine digital health and telemedicine? 

In accordance to the new German Digital Care Act (Digitale-Versorgungs-Gesetz) costs for Digital Health Applications are reimbursable under national law. 

To be eligible for reimbursement, the respective digital health application must be included in a list maintained by the Federal Institute for Drugs and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte). 

They can be reimbursed, if the Digital Health Application has a proven so-called positive health care effect. This means either a medical benefit or patient-relevant structural or procedural improvements in care. Furthermore, the Digital Health Application shall—among other things—be designed in accordance with data protection regulations and guarantee adequate data security. 

The manufacturer has to prove data protection conformity and sufficient data security.

13.2 And further, if yes, who is covering the costs for apps that are mostly used by healthcare professionals and by patients?

The costs are covered by the statutory health insurance.

In addition to medical confidentiality, which means that the video consultation is not allowed to be recorded, reference can be made to Q2 regarding data protection.

The above mentioned temporary special arrangement has been extended due to the ongoing Sars-CoV-2 pandemic. 

Physicians can offer unlimited video consultations. This means that the number of cases and service quantity are not limited. 

Due to the coronavirus pandemic, the regulations on video consultation are currently relaxed to the extent described above.

In addition, an electronical prescription (E-Rezept) will be available from 2021 onwards according to the Law for more safety in drug supply (GSAV) which came into force on 16 August 2019.