[Image: smartphone with a picture of a key and the text "GDPR"]
Image by Biljana Jovanovic on pixabay.com

Data protection for health apps: this applies to digital health applications

What do providers of health apps need to consider from a legal perspective?

The GDPR brings with it many challenges. In particular, companies that process health data must comply with and implement strict requirements.

In this article, we explain the most important points.

What are digital health applications?

Digital health applications (DiGA) include, for example, health apps that can be used on smartphones and are used to identify and treat illnesses, injuries or disabilities.

The apps are considered medical devices and must also be entered in the BfArM register. A 12-month trial phase is possible. They can then be prescribed by a doctor and reimbursed by the health insurance company.

Special protection of health data

In principle, the processing of personal data containing information about a person's state of health is prohibited. However, this prohibition does not apply in certain cases.

Examples are cases in which the data subject has expressly consented to the data processing, or in which the processing is necessary to protect vital interests (and the data subject is physically or legally unable to consent).

The requirements

Various data protection and data security requirements are regulated in Section 4 DiGAV. The legal requirements for data protection and the requirements for data security according to the state of the art must be complied with.

First of all, consent is required, which in case of doubt must be obtained separately for each purpose of data processing.

Purpose of data processing

DiGA data may only be processed for the following purposes:

  • for the intended use by the user, e.g. for the treatment of diseases

  • to prove during the trial phase that the app has a positive effect

  • to provide evidence for reimbursement contracts with health insurance companies

  • to permanently guarantee technical functionality, user-friendliness and further development

Processing for advertising purposes is expressly prohibited.

Place of processing

The DiGAV contains stricter location regulations than the GDPR: The data generated by DiGAs may only be processed within the EU, the EEA, Switzerland and third countries with an adequacy decision.

In contrast, the GDPR also permits data processing in third countries without an adequacy decision under certain conditions.

Good to know

The BfArM has compiled important instructions for the review procedure for entry in the DiGA directory on its website. Among other things, the providers of the app must prove that they comply with the requirements for data protection and data security according to the state of the art.

The special requirements include technical rules defined by the German Federal Office for Information Security (BSI). From 01.01.2025, corresponding certification is to become mandatory.

Open questions? Do you need support?

We specialize in data protection and IT security consulting for companies and public institutions in Germany and Luxembourg.