Since 2020, the German legislature has allowed the reimbursement of digital health applications (DiGA). DiGA manufacturers must fulfill several requirements for this.
This article describes the steps required to do so.
Step 1: Define the business case
a) Determine the intended purpose of the DiGA
The intended purpose is the basis for all further steps. It answers the following questions, among others:
- What medical purpose does the product serve? Is it for diagnosis, therapy, monitoring, or prediction? For what disease, injury, or other health condition is it to be used?
- What other benefits is the product intended to provide?
- Which patients, users, and third parties is the product intended to serve?
- Which user groups should use the product?
- In what environment (context of use) should the product be used?
- How is the product intended to enable these claimed benefits? What is the physical principle underlying? (For DiGA, these must be essentially digital technologies.)
In this article on the medical purpose and intended use, you will learn how to document this information in a legally compliant and sufficiently complete manner.
b) Clarify financing and calculate profitability
If you know the intended purpose, you know whether your product can be a DiGA. You can also use it to estimate how large the market is and what reimbursement forms may be available.
You can estimate reimbursement rates and volumes if the product is likely reimbursable as a DiGA.
Once you have a project plan and an initial expense estimate, you can calculate expected revenues and profitability.
c) Identify project risks
Before manufacturers begin the development of a DiGA, they should identify project risks. These include:
- Direct and indirect competition
Providers of alternative forms of diagnosing and therapy count as indirect competition. - Failure to proof the claimed benefits
The requirements for this proof are high. It is often not possible to prove the expected benefit with the necessary statistical significance. - Failure of the project
Many young companies underestimate the challenges of software development and building a business, as well as the regulatory requirements. - Insufficient acceptance by physicians and patients
At the same time, they regularly overestimate the acceptance of DiGAs by physicians and patients.
Step 2: Identify the regulatory requirements
a) Carry out qualification and classification
Based on the intended purpose, manufacturers must check whether the product actually counts as a medical device.
If this is the case, you must determine the class of the medical device.
Read more here about class I software medical devices.
b) Ensure that the device counts as DiGA
DiGAs may only be class I and IIa medical devices. In addition, it must be ensured that the main functions of these products are “substantially based on digital technologies.”
c) Identify applicable legal and normative requirements
For DiGA, essential regulatory requirements typically include the following:
- requirements for medical devices in general
- MDR, IVDR with requirements for products and economic operators
- IEC 62304 (software lifecycle processes)
- IEC 62366-1 (usability)
- ISO 14971 (risk management)
- ISO 13485 (quality system)
- Specific requirements for DiGA
- SGB V § 33a, § 135, § 139e (prerequisite for reimbursement)
- SGB XI § 40 DiGA ordinance
- ISO 27001 (IT security management system)
- BSI test criteria for security (see also TR 03161 1-3)
- BfArM test criteria for data protection (only available in German)
Most DiGA manufacturers will also be affected by the EU Data Act.
Many changes to the Social Code, among others, were introduced via the Digital Care Act DVG and the Digital Care Modernization Act DVPMG.
Please also note
- the BfArM guide DiGA,
- the requirements of the DiGAV (chapter 6 of the article),
- the article on security and data protection specific to DiGA with an extensive list of regulatory requirements, and
- our article with an overview of the regulatory requirements for data privacy and health IT security.
Step 3: Determine the evaluation concept and clinical evaluation strategy
The DiGAV requires evidence of positive health care effects. The regulation defines these as
either [a] medical benefit or patient-relevant structural and procedural improvements in care.
DGV
You can read more about these requirements in chapter 3 of this article.
a) Determine claims
To be able to prove positive health care effects, the manufacturers must first specify the performance and acceptance criteria (“claims”) (as quantitatively as possible). This sounds trivial. But this is precisely where manufacturers regularly make mistakes. For example, the claims are
- not sufficiently specific (and quantitative) to design a study with,
- formulated too broadly or/and too demanding, which is why the proof cannot be provided, not on time, or not within the scope of the given means,
- formulated too narrowly or/and not sufficiently demanding. Thus, the benefit is too small to allow DiGA to be included in the DiGA directory.
b) Decide on the timing
Once these claims are specified, manufacturers must decide whether to seek direct listing or only provisional listing in the DiGA directory. The latter gives manufacturers an additional year to complete the clinical study but no certainty of final acceptance.
One advantage of the “trial year” is that the statutory health insurance funds must already reimburse the DiGA, and the manufacturer is allowed to determine the price itself. Negotiations with the SHI funds do not take place until after the trial year. In this way, the expensive study can be at least partially counter-financed.
c) Plan study
Subsequently, the study has to be planned and the evaluation concept including the study design has to be defined.
The article on clinical investigations lists important aspects of such a study design in chapter 2.c).
Manufacturers should contact the BfArM at the latest at the end of this third step (as described in step 7).
A prerequisite for the DiGA main study is a pilot study with systematic data evaluation.
The Johner Institute assists DiGA manufacturers in designing the study so that manufacturers can simultaneously meet both the requirements for this evidence under DiGAV and the clinical evaluations and inspections under MDR without undue burden.
Feel free to contact us to find out more.
Step 4: Establish an integrated management system
Two areas of law require DiGA manufacturers to have management systems in place:
- Medical device law (especially the MDR in Article 10) requires a quality management system (typically compliant with ISO 13485).
- Social law (in particular, the DiGAV) requires an IT security management system (typically compliant with ISO 27001).
The requirements for these management systems overlap greatly, as the following examples show. Both require:
- Establishment of corporate goals (regarding quality or IT security)
- Evaluation of the systems by top management (management review)
- Internal audits
- Control of documents and records
- Resource management (employees, infrastructure)
- Process-oriented approach
These similarities are also reflected in the Standard Operating Procedures (SOPs):
| QMS according to 13485 | ISMS according to 27001 |
| quality management manual | (x) |
| quality objectives | (x) |
| organisational chart, definition of roles | x |
| SOP management review / SOP performance measurement | x |
| SOP analysis of data / SOP performance measurement | x |
| SOP control of documents and records | x |
| SOP CAPA (incl. ISMS) | x |
| SOP internal and external audits | x |
| SOP reporting of incidents and recalls EU | (x) |
| SOP IT infrastructure | x |
| SOP computer system validation | x |
| SOP recruiting and training | x |
| SOP purchasing and supplier management | x |
| SOP software development | x |
| SOP support, feedback handling, complaint handling | (x) |
Therefore, DiGA manufacturers should not establish two isolated but one integrated management system and have it audited and certified together.
Especially for DiGA manufacturers, the Johner Institute has designed templates for an integrated management system. Interested? Then contact us right away.
As of 2024, manufacturers are not only required to have a certified IT security management system but also data security and data protection certification.
Step 5: Create the technical documentation
a) Provide general evidence
DiGA manufacturers create technical documentation in accordance with the specifications of their own quality system. In this way, they provide evidence that their products meet the regulatory requirements for medical devices.
This article on technical documentation provides you with an overview of the typical content and structure of technical documentation.
The technical documentation of DiGAs differs little from that of other medical devices:
- Additional evidence for accessibility and usability
- More detailed evidence of IT security
- Evidence of positive health care effects (which often goes beyond evidence in clinical evaluations)
b) Demonstrate IT security of the DiGA
However, certification of the management system is not proof of the IT security of the products. Penetration tests are an important and mandatory component of this proof.
The Johner Institute performs penetration tests for DiGA manufacturers. Read more about this offer here.
So far, Johner Institute’s security experts have always identified vulnerabilities in the backend infrastructures or the products themselves (e.g., apps).
However, penetration tests do not replace other measures, such as adherence to coding guidelines and threat modeling. Instead, they complement these measures.
See also the article on security and data protection at DiGA.
Step 6: Provide a proof of benefit
Proof of the positive health care effects is provided – as described in the study plan (see above) – by collecting the (clinical) data within the framework of corresponding “comparative studies,” as required by the DiGAV in § 10 (only available in German).
If the manufacturers want to go into trials first, they start with a systematic data evaluation or pilot study. This should already correspond to the main study in all essential study details. Only the number of cases may be somewhat smaller. The manufacturers then submit the outputs of the pilot study together with the evaluation concept when submitting the application.
The manufacturers must register the study with the BfArM.
The DiGAV even obliges the manufacturers to publish the outputs in full on the internet.
Step 7: Request for listing in the DiGA directory
a) Conduct initial interview
The Johner Institute advises DiGA manufacturers to benefit from the BfArM’s offer of consultation and not to wait until the application is submitted before contacting the authority. A good time for an initial consultation is toward the end of the third step.
Preparation
To ensure the best possible coordination with the authority, manufacturers should prepare the interview and their documents well:
- Product presentations, including intended use specification
- Justification for qualification and classification
- List of “claimed” positive health care effects
- Project plan (product development, certification, study, marketing)
- Study plan, at least for the pilot study
- List of questions to the BfArM
Manufacturers should assemble their own expert group (product, regulatory, study design/statistics, medical) to sit opposite the BfArM expert group.
Conversation management
To facilitate the most efficient and effective interview, manufacturers should at least
- coordinate their questions and agenda with BfArM in advance,
- introduce the DiGA in the interview and solicit feedback on whether it seems interesting,
- solicit feedback on the study plan (pilot and/or main study) during the interview.
b) Submit the application
If all previous steps have been successfully completed, the DiGA manufacturers may submit the application. For this purpose, the BfArM has provided a completion-guide (only available in German).
Further details on the costs and the contents of the applications are provided in this article on the DiGAV.
The BfArM’s tips for applicants are also helpful.
Summary and conclusion
Germany was one of the first countries to create the possibility of reimbursing digital health applications. However, the hurdles for this are high.
In particular, demonstrating positive health care effects through studies (along with or in addition to clinical evaluation and clinical investigation, if applicable) is challenging for many DiGA manufacturers.
Following the seven steps outlined in this article should make it easier to overcome the hurdles.
The Johner Institute safely guides DiGA manufacturers through the entire process: from the initial idea to the inclusion in the DiGA directory.
Get in touch right away.
Change history
- 2023-04-24: Links to the publications of the BfArM supplemented and updated
