(Post updated 09 August 2020 after release of official English language guidance).

In late 2019, Germany took the lead on health app reimbursement when it passed its Digital Care Act (‘Digitale Versorgung Gesetz’). Since then, Germany has established the term 'DiGA' for reimbursable prescription apps and digital therapeutics (DTx). On 17 April 2020, Germany’s Federal Institute for Drugs and Medical Devices ('BfArM') issued its guidance on the ‘Fast-Track’ evaluation procedure. The 120-page document (since April 2020 available in German and since August 2020 also in English) clarifies key requirements related to product design, proving efficacy, and getting listed.

Looking at the guidance, it becomes clear, that Jens Spahn, Germany’s minister of health, and his team have done their homework. Detailed requirements ensure that prescription apps are safe, effective, and secure for patients to use. For innovators looking to get reimbursed with new or existing health apps, it is essential to understand what pre-requisites they need to bring in place and how much lead time to plan before entering the three-month evaluation procedure. Looking at the newly released guidance, we see five main hurdles that need to be prepared for – and which will only rise over time.

Hurdle 1: Quality Management

Being a certified medical device, each DiGA must have a Quality Management System (QMS) in place. German authorities already require DiGA manufacturers to implement quality-controlling maintenance procedures like management of third-party software (so-called 'SOUP' for software of unknown pedigree). Under Europe's new Medical Device Regulation (MDR), most manufacturers will need to get their medical device software approved by a notified body, effectively requiring them to certify their QMS according to ISO 13485. While the COVID-19-triggered postponement of MDR to May 2021 has bought innovators some time, they better make use of it; putting an ISO 13485 compliant QMS in place can easily take 6-12 months and should happen before starting product development. QM experts consider it scarcely possible to retrofit ISO-compliant documentation and quality management standards to an existing product.

Hurdle 2: Information Security Management

DiGAs often capture and/or process sensitive personal health information, making information security a key concern. This is why, from 2022 onward, any new DiGA needs to be covered by an ISO 27001-compliant Information Security Management System (ISMS). Similar to a QMS, implementation of an ISO-compliant ISMS takes several months, and its maintenance requires continuous resources. The underlying concept is ‘security as a process’. As digital products are evolving, so too are security threats, making a static ‘checklist’ approach to information security insufficient. And while an ISO-certified ISMS only needs to be in place from 2022, key elements like a risk-based approach, change and configuration control, and vulnerability monitoring for third-party software are required from the get-go.

Hurdle 3: Germany-Specific Design Requirements

Can existing health apps get into the German health app reimbursement scheme? They certainly can, but they will likely need some modifications. DiGAs must derive from established medical sources, such as peer-reviewed studies or guidelines. From 2021, listed DiGAs must support accessibility standards as well as interoperability with Germany’s yet-to-be introduced electronic patient record.

In addition to Europe’s GDPR regulations, DiGAs must protect privacy even further. Health app providers must not use the data for any purpose other than running the application or improving it. Using data for improvement requires explicit consent that may not be mandatory for using the app. Depending on the app and its business model outside of Germany, these requirements may drive the need for significant changes to product and business model to meet the requirements for health app reimbursement in Germany.

Hurdle 4: One Study per Indication; German Patients Only

In terms of efficacy, DiGAs must show evidence for a positive impact on the standard of care. This can be either improved medical outcomes or patient-relevant improvements to the process or structural environment of patient care. While preliminary approval is possible without study results being available, evidence for a positive impact on the standard of care is a prerequisite for reimbursement beyond year one. Any evidence must be specific to one or several groups of patients/indications, defined by a 3- or 4-digit ICD-10 code. After approval, a prescription is only possible for patients within this indication. Moreover, every indication requires a dedicated study, which needs to follow clearly defined criteria. Last but not least, as studies need to be representative of German patients, they must have been performed with German patients. For most potential entrants this requires investing time and money into generating Germany-specific evidence.

Hurdle 5: No Side Business Allowed

German regulation makes it difficult for health apps to get into reimbursement while hedging their bets with other advertising-, transaction-, or data-driven business model. Effectively, manufacturers cannot capitalize on the potential reach of their prescription app, meaning ads within the app are prohibited and in-app purchases may only be linked to through informational, non-promotional elements. As laid out in hurdle 3, privacy restrictions strictly prohibit any data-driven business model. Last but not least, the manufacturer cannot rely on direct-to-consumer online marketing to grow their sales. As DiGAs are medical devices, the same strict advertising restrictions apply. Consequently, there are no cross-selling opportunities for manufacturers, so their business case must largely rely on reaching critical mass as a reimbursed health app.

The Upshot: An Opportunity Requiring Time, Capability, and Resource

With 73 million people publicly insured in Germany, allowing for prescription health app reimbursement creates a tempting opportunity for developers. Well-conceived requirements safeguard patients by ensuring efficacy, safety, security, and privacy. For app providers, these represent significant hurdles. Existing apps and new entrants both need to carefully plan the required time and resources for building or modifying their app, putting required processes in place, and generating evidence with German patients.

With a roadmap of requirements rising over time, time-to-market matters more than ever. At smartpatient, we implement DiGAs and DTx using MyTherapy, a disease management app with millions of users and global regulatory compliance. Having the technology and the processes in place, we enable partners to quickly launch digital therapeutics while adhering to various local market requirements. Sounds interesting? Don't hesitate to reach out.