Health apps: data protection and data security

The function of health apps is based on the processing of personal data. This data is often sensitive health data. Appropriate data protection standards and mature data security concepts are therefore of great importance to supervisory authorities and users.

Legally, the applicable regulations differ depending on the apps' scope of functions: the regulations of general data protection law, i.e. the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG), apply to all health apps. If operators wish to have an app recognised by the state as a reimbursable digital health application (“digitale Gesundheitsanwendung” - DiGA), the specific requirements of the German Digital Health Applications Ordinance (Digitale Gesundheitsanwendungen-Verordnung - DiGAV) must be met. Finally, depending on the individual case, additional area-specific data protection regulations may have to be taken into account.

General data protection law & health apps

According to the GDPR, the app operator must be able to show a legal basis for any processing of personal data. Here, health data is subject to the strict requirements of Art. 9 GDPR. Therefore, the user's informed consent regularly has to be obtained, at least for parts of the processing conducted. If "only" regular personal data are available, the processing may be based on the performance of the respective usage contract insofar as this is necessary for its fulfilment (cf. Art. 6 (1) sentence 1 lit. b GDPR).

In order to comply with the transparency obligations under Art. 13, 14 GDPR, health apps - like other apps and websites - must contain data protection notices that explain the relevant data processing, legal bases, etc. to users in more detail. It should be possible to access the data protection information in the app at any time.

In addition to complying with the general basic principles of the GDPR, app operators are obliged to conduct and document a data protection impact assessment (DPIA). According to Art. 35 (1) sentence 1 GDPR, this applies to processing operations involving a particularly high risk for the data subjects. However, the Data Protection Conference (Datenschutzkonferenz - DSK), the central body of the German data protection supervisory authorities, has clarified that the use of mobile applications that process health data regularly constitutes such a high risk.

Of particular importance is the obligation to ensure adequate data security to ensure the integrity and confidentiality of the processing. For this, technical and organisational protective measures must be implemented. The GDPR does not contain any precise requirements in this context. The requirements are based on the specific risk potential, which is significantly higher due to the sensitivity of the data processed in the healthcare sector.

Requirement according to the DiGAV

Health apps can be included in the register of reimbursable digital health apps. The prerequisite for this is that the respective app successfully passes a regulatory review process. This is based on the regulations of the DiGAV.

Section 4 DiGAV is central to the data protection requirements. The provision serves only to specify the described general regulations of the GDPR. In practice, it leads to a considerable limitation of the scope for app operators, but also to a significantly increased level of legal certainty.

To begin with, Section 4 (2) DiGAV permits the processing of personal data in the context of a digital health application (DiGA) only on the basis of consent and for four conclusively defined purposes. The intended use of the app by the users and the permanent guarantee of its technical functionality must be emphasised. Thus, according to the wording of the provision, the aforementioned partial processing without consent - insofar as this does not involve health data - is ruled out. This is questionable in view of the regulations of the GDPR which, according to the will of the legislator, is actually only intended to be concretised in the DiGAV. A processing for advertising purposes is expressly excluded. Processing in a third country for which there is no adequacy decision by the EU Commission pursuant to Art. 45 GDPR is also excluded. One such third country is currently the USA, for example.

The details of the requirements according to Section 4 DiGAV can be found in Annex 1 of the Ordinance: this contains a detailed checklist on aspects of data protection and data security. App operators may deviate from the above criteria only in justified exceptional cases. In part, Annex 1 merely contains clarifications regarding the general obligations under the GDPR, e.g., the obligation to provide complete data protection notices.

In some places, the Annex contains unusually clear requirements on aspects that are only rudimentarily regulated in general data protection law. Particular attention is paid to preventing data leakage to third-party services, such as operators of mobile device operating systems like Google's Android, for example. This is due to the fact that apps are often closely interlinked with services of the respective provider within the scope of such operating systems.

As of 1 January 2023, the checklist in Annex 1 DiGAV will be replaced with regard to data security-related points by newly defined requirements of the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik - BSI). With regard to data protection-related points, the checklist will be replaced by newly defined examination criteria of the German Federal Institute for Drugs and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte - BfArM) as of 1 April 2023.

Area-specific data protection regulations

Finally, operators of health apps may have to comply with area-specific data protection regulations. These include, for example, the hospital laws of the federal states. These contain rules on how hospitals are to handle patient data and may be applicable if the app's function is aimed at the clinical sector. In addition, the provisions of the data protection laws of the federal states and the data protection provisions of social law must be observed.

Conclusion

Health apps are now part of healthcare provision. They have the potential to significantly change the doctor-patient relationship. In particular, patients can be significantly more actively involved in individual treatment steps through the use of such apps.

Before their products are ready for the market, manufacturers and operators of health products must comply with a multitude of legal standards in a complex regulatory environment. These harbour a high potential for conflict and thus liability. Of central importance - not least with regard to the acceptance of health apps by patients - is compliance with complex data protection and data security requirements. Here, it is important to ensure compliance with the applicable regulations and official requirements by implementing tailored technical and organisational measures.

With the help of well thought-out concepts, however, the risk of unpleasant legal surprises can be minimised. Our experts would be happy to advise you.

Also read here in our post everything you need to know about the regulatory classification of health apps and the associated liability issues.

Back to list