Digitization is not stopping at the health and care sector. It is possible that digital health and care applications could be the solution to the challenges facing the German health and care system. But these applications also raise a lot of data protection issues.

Find out here what data protection requirements must be met by digital health and care applications.

What are digital health and care apps?

In the area of health and care applications, a distinction can be made between digital health applications (DiGA) and digital care applications (DiPA).

Digital health applications are applications available online, such as apps, that are designed to support the diagnosis and therapy of diseases. They are intended to help patients lead their lives in a health-promoting and self-determined manner. The focus is therefore on a medical purpose, and the users are not only patients but also treating physicians. Under the EU Medical Device Regulation (MDR), apps of this type are considered medical devices of risk class I or IIa and must therefore be approved. They must be prescribed by a physician.

Digital care applications, on the other hand, are applications available online that are used in care. They provide supplementary support for family caregivers. For an application to bear the DiPA designation, it must have a nursing benefit and must also be approved by the German Federal Institute for Drugs and Medical Devices (BfArM). The focus is on improving home care. A DiPA can be used without a prescription. In this context, users can be reimbursed up to 50 euros per month for use in care.

Approval as a digital health or care application

Both digital health and care applications undergo a test procedure by the German Federal Institute for Drugs and Medical Devices (BfArM) for approval. If this is successful, the application is listed in the corresponding directory of all approved digital health or care applications. This directory is intended to create trust and transparency and, depending on the application, contains comprehensive information such as the date of admission, the proven effect, the studies submitted, prices and additional costs, and necessary medical services.

In this directory, patients or family caregivers can search and filter for appropriate applications.

Data protection requirements

First of all, the protection standards of the GDPR apply to both digital health and care applications. However, more stringent additions can be found for digital health applications in the Digital Health Applications Ordinance (DiGAV) and for digital care applications in the Digital Care Applications Ordinance (DiPAV).

In addition, of course, the increased requirements of information security must always be taken into account.

Digital Health Applications Ordinance (DiGAV)

The DiGAV limits the circle of possible purposes of data processing to the following purposes: the intended use of the application by the user, the keeping of records in accordance with the Social Code and the permanent guarantee of the technical functionality, user-friendliness and further development of the application.

Moreover, the user's consent must always be given explicitly, especially against the background of billing with the health insurance company.

The DiGAV limits the permitted locations of data processing to the EU, the European Economic Area, Switzerland and all states with adequacy decisions under the GDPR. In this respect, the DiGAV is stricter than the GDPR.

Digital Care Applications Ordinance (DiPAV)

The DiPAV limits the range of possible purposes of data processing to the following purposes: the provision of the supplementary support services and the intended preventive care in accordance with the Social Code, as well as the permanent guarantee of safety, functional capability, age-appropriate usability and quality-oriented further development. If the processing serves both purposes, separate explicit consents must be obtained for each of them.

The DiPAV also treats the permissible storage locations just as strictly as the GDPR (DSGVO).


Both digital health and care applications have the potential to relieve the burden on the health and care system. However, the nursing applications have not yet been used to any significant extent.

For manufacturers of both types of application, it is important to address the stricter data protection requirements in any case. The corresponding ordinances also contain helpful checklists in their appendices. In addition to data protection, information security must not be lost sight of; the ISO 27001 and ISO 27701 standards can be helpful here.

Do you need support in the area of data protection and/or information security? Our team of experts will be happy to help you. Contact us here.
