Health IDs for digital health applications temporarily inadmissible

There is currently no legal basis for DiGA manufacturers to use health IDs. This should not affect apps on prescription that are already listed.


Since the beginning of January, there has been no legal basis for manufacturers of digital health applications (DiGA) that can be prescribed by doctors to use health IDs. DiGA manufacturers must offer insured persons the health ID for authentication. However, according to the Federal Institute for Drugs and Medical Devices (BfArM), this does not change anything for DiGAs that are already approved and listed in the BfArM's register. The reason for this, according to the BfArM's response, is that "the requirement was previously contained in Annex 1 of the DiGAV and therefore also applied to DiGAs that were already listed anyway. The requirement therefore remains in place".

Following changes to the Digital Health Applications Ordinance (DiGAV), which came into force with the Hospital Care Relief Act, DiGAs must "deviate from the data security requirements [...] and meet the data security requirements specified by the Federal Office for Information Security [...]", according to the DiGAV. However, the self-declaration according to Annex 1 of the DiGAV, under which DiGAs must support health IDs in order to be approved, was not initially taken into account.

Insured persons must be able to authenticate themselves in the DiGA "by means of the health ID", as the BfArM informed heise online. However, the legislator seems to have forgotten to take the health ID into account following the changes in the DiGAV.

"For this reason, the requirement 'Digital health applications must enable authentication of SHI-insured persons as the persons using the digital health application via the secure digital identity in accordance with Section 291 (8) of the Fifth Book of the German Social Code' will be added outside of Annex 1 in the DiGAV," said the BfArM with reference to the draft bill for the second ordinance to amend the DiGAV (PDF), which is dated 3 January.

"With the draft of the Second Ordinance amending the Digital Health Applications Ordinance, the regulation will be moved from Annex 1 to the direct regulatory part of the ordinance," a spokesperson for the Federal Ministry of Health said in response to an inquiry. When asked whether the amendments to the DiGAV also affect the obligation of DiGA manufacturers to write insured persons' data to the electronic patient record (EPR) with their consent or at their request, the BMG replied: "The use of digital identities also remains a technical prerequisite for the obligation of DiGA manufacturers to enable the export of therapy-relevant data to the electronic patient record (EPR) at the request of insured persons".

"It is important that the future government swiftly takes up the current government's plan to revise the DiGA regulation. After all, the draft bill for the appropriate amendment was already available. Currently, authentication via health ID by DiGA providers should not be used for purely formal reasons," explains lawyer Dr. Tilmann Dittrich. Manufacturers are already obliged to transfer the data generated in the DiGA to the electronic patient file via an interface with the patient's consent, for which the health ID is also required.

(mack)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.