A study guide about the DiGA fast-track process

DiGA Fast-Track Process — GIVEMEA Study Guide

The Fast-Track Process for Digital Health Applications (DiGA)

BfArM (Federal Institute for Drugs and Medical Devices) · Germany · Section 139e SGB V

Regulatory Guide · Digital Therapeutics · German SHI Reimbursement · App on Prescription
3 Months · 73M SHI Insured · I / IIa Device Class · 126 Pages

Central Principle
The DiGA fast-track process enables digital health applications to be listed in a reimbursable directory within three months, making them prescribable by physicians and reimbursable by statutory health insurance for 73 million Germans, provided they demonstrate positive healthcare effects and meet comprehensive quality, safety, and data protection requirements.

What is DiGA?

Digital Health Applications (Digitale Gesundheitsanwendungen) are medical devices of Class I or IIa that achieve their main function via digital technologies and are used by patients alone or jointly with healthcare providers. DiGA can be prescribed by physicians and psychotherapists or approved directly by health insurers upon proof of indication.

The Fast-Track Pathway

Introduced by the Digital Healthcare Act (DVG) in December 2019, the fast-track process allows manufacturers to apply to the BfArM (Federal Institute for Drugs and Medical Devices) for listing in the DiGA directory. The BfArM has three months from complete application submission to assess the product and render a decision on listing.

Provisional vs. Final Listing

Manufacturers can apply for final listing (with completed studies proving positive healthcare effects) or provisional listing (with an evaluation concept for a trial phase up to 12 months, extendable to 24 months). Provisional listing allows market entry while evidence is being generated, provided plausibility of benefit is demonstrated.

Scope and Purpose

This 126-page guide serves manufacturers, service providers, and users navigating the DiGA application process. It details what qualifies as a DiGA, comprehensive requirements across safety, data protection, security, interoperability, and quality, evidence standards for positive healthcare effects, and procedural steps including fees, deadlines, and consulting options.

Core Concepts

DiGA
Digital Health Applications (Digitale Gesundheitsanwendungen). Medical devices of Class I or IIa that achieve their main function via digital technologies and are used by patients alone or jointly with healthcare providers.

Fast Track
The three-month assessment process by BfArM to evaluate a DiGA application and decide on listing in the DiGA directory, starting from receipt of complete application documents.

DiGA Directory
The official directory maintained by BfArM according to Section 139e SGB V. Only DiGA listed in this directory can be prescribed by physicians and psychotherapists or approved by health insurance companies for reimbursement.

App on Prescription
The colloquial term for the DiGA reimbursement system introduced by the Digital Healthcare Act. Allows physicians and psychotherapists to prescribe digital health applications that are then reimbursed by statutory health insurance.

Regulatory Framework

DVG
Digital Healthcare Act (Digitale-Versorgung-Gesetz). Law enacted December 19, 2019 that introduced the fast-track process and established the right to prescription of digital health applications within German statutory health insurance.

DiGAV
Digital Health Applications Ordinance (Digitale Gesundheitsanwendungen-Verordnung). Ordinance specifying procedures and requirements for deciding on reimbursability of digital health applications within statutory health insurance.

SGB V
Social Code Book V (Sozialgesetzbuch V). The section of German social law governing statutory health insurance (SHI). Section 139e SGB V specifically addresses DiGA.

BfArM
Federal Institute for Drugs and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte). Independent federal superior authority within the Federal Ministry of Health portfolio that manages the DiGA directory and decides on all DiGA listing applications.

MDR
Medical Device Regulation (EU 2017/745). European regulation establishing requirements for medical device safety and performance. DiGA must comply as Class I or IIa medical devices.

Evidence & Quality Requirements

pVE
Positive Healthcare Effect (Positive Versorgungseffekt). The required evidence demonstrating either medical benefit (mN) or patient-relevant improvement of structure and processes (pSVV). Core requirement for DiGA listing.

Medical Benefit (mN)
One category of positive healthcare effect. Includes therapeutic effects that cure disease, reduce symptoms, prevent progression, extend life, or improve health-related quality of life. Measured via clinical endpoints or validated patient-reported outcomes.

pSVV
Patient-relevant Structural and Process Improvements (Patientenrelevante Struktur- und Verfahrensverbesserung). The second category of positive healthcare effect. Includes health literacy, self-management, treatment adherence, safety, coordination, and coping with illness.

ISMS
Information Security Management System. Required management framework defining instruments and methods for comprehensibly managing information security tasks (plan, use, execute, monitor, improve). Must align with BSI-Standard 200-1.

BSI-Grundschutz
Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) baseline protection standards. Methodological approach for identifying and implementing IT security measures. Required for DiGA with normal or increased protection needs.

Procedural Terms

Provisional Listing
Temporary listing in the DiGA directory for up to 12 months (extendable to 24) while evidence of positive healthcare effect is being generated. Requires evaluation concept demonstrating plausibility of improvement and study protocol. Allows market access before evidence completion.

Final Listing
Permanent listing in the DiGA directory. Requires completed study demonstrating positive healthcare effect according to internationally accepted standards, conducted in Germany or with proven transferability to German healthcare context.

Trial Phase
The period during provisional listing (maximum 12 months initially, extendable to 24 total) in which the manufacturer must generate evidence of positive healthcare effect according to their submitted evaluation concept.

Interoperability
Required capability to export health data in standardized formats according to Section 6 DiGAV cascade. Must support data exchange with electronic patient records (ePA), telematics infrastructure, and follow international standards (FHIR, HL7, DICOM, etc.) where applicable.

Comprehensive DiGA Requirements

Safety and Suitability for Use

DiGA must comply with Medical Device Regulation (MDR) requirements as Class I or IIa devices. Manufacturers must demonstrate conformity assessment, maintain technical documentation, implement post-market surveillance, and report serious incidents. The device must function reliably under normal conditions of use.

Data Protection (GDPR & DiGAV Section 4)

Permitted purposes: detection, monitoring, treatment, relief of disease/injury; patient documentation and therapy support. Processing must be limited to these purposes. Users must have full control over data sharing with third parties. Data processing outside Germany requires GDPR adequacy decisions or appropriate safeguards. DiGA must enable granular consent management and data portability (Article 20 GDPR).

Information Security (BSI Standards)

Required: Information Security Management System (ISMS) based on BSI-Standard 200-1. Implementation must follow security as a process approach with continuous improvement cycles. Normal protection needs require BSI-Grundschutz components. Increased protection needs (high confidentiality, integrity, or availability requirements) demand additional technical guides, penetration testing, and security audits. Must address: authentication, authorization, encryption, data transmission security, backup, and incident response.

Interoperability (Section 6 DiGAV Cascade)

DiGA must export health data in structured, machine-readable formats. Mandatory standards cascade: (1) Use Medical Information Objects (MIO) if applicable; (2) If no MIO, use approved standards/profiles from recognized standards organizations; (3) If neither, use established industry standards; (4) If none applicable, manufacturer-specific format with full documentation. Must support data exchange with electronic patient records and telematics infrastructure where relevant.

Further Quality Requirements

Robustness: reliable performance under intended conditions, error handling, data integrity protection. Consumer protection: transparent information about functions, limitations, data use; no misleading claims. Ease of use: accessible design following accessibility standards; comprehensible for target patient group. Healthcare provider support: provide professional information, integration guidance. Medical content quality: evidence-based, current, reviewed by qualified experts. Patient safety: risk management, clear warnings, age-appropriate safeguards.

Positive Healthcare Effect Evidence

Required study types: comparative studies (RCT, cohort, case-control); prospective data collection preferred; retrospective acceptable with justification. Study must be conducted in Germany or transferability proven. Entry in study registry (DRKS or WHO ICTRP) required. Publication of complete results mandatory regardless of outcome. Studies must follow internationally accepted standards (CONSORT, STROBE, SPIRIT). Diagnostic functions require separate test accuracy evidence (sensitivity, specificity) for the defined patient population.

Life Cycle Obligations

After listing: manufacturers must notify BfArM of significant changes, implement mandatory further development based on latest medical knowledge, maintain quality and security standards, respond to BfArM inquiries within set deadlines. De-listing occurs if requirements no longer met, manufacturer requests removal, reimbursement agreement not reached, or trial phase evidence insufficient.

Key Regulatory Documents & Standards

The DiGA fast-track process is governed by German and European legal frameworks and technical standards. This section lists the primary sources cited throughout the BfArM guidance document.

Primary Legislation

DVG — Digital Healthcare Act

Digitale-Versorgung-Gesetz (December 19, 2019). The foundational German law that established the DiGA fast-track process and created the legal right for physicians and psychotherapists to prescribe digital health applications, with reimbursement through statutory health insurance. Introduced Section 139e into SGB V.
Available: BGBl (Federal Law Gazette)

SGB V — Social Code Book V

Sozialgesetzbuch V. The section of German social law governing statutory health insurance. Section 139e SGB V specifically addresses digital health applications and mandates BfArM to maintain the DiGA directory and decide on all listing applications.

Implementing Regulations

DiGAV — Digital Health Applications Ordinance

Digitale Gesundheitsanwendungen-Verordnung. The ordinance specifying detailed procedures and requirements for deciding on reimbursability of digital health applications within statutory health insurance. Defines requirements across data protection (Section 4), information security (Section 5), interoperability (Section 6), robustness (Section 7), and quality standards.
Available: BGBl (Federal Law Gazette)

European Medical Device Regulation

MDR — Medical Device Regulation (EU 2017/745)

European regulation establishing comprehensive requirements for medical device safety, performance, clinical evaluation, and post-market surveillance. DiGA must comply as Class I or Class IIa medical devices. Entered into force May 26, 2021, with transitional provisions from the previous Medical Device Directive (MDD 93/42/EEC).

Data Protection & Privacy

GDPR — General Data Protection Regulation (EU 2016/679)

European regulation on data protection and privacy applicable to all personal data processing. DiGA must comply with all GDPR requirements including purpose limitation, data minimization, user consent management (Articles 6-9), data subject rights (Articles 12-22), and data portability (Article 20). Processing outside Germany requires adequacy decisions or appropriate safeguards.

Information Security Standards (BSI)

BSI-Standard 200-1: Information Security Management Systems

Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security). Defines the framework for establishing, implementing, operating, monitoring, and improving an ISMS. Required for all DiGA. Follows security-as-a-process approach with continuous Plan-Do-Check-Act cycles.

BSI IT-Grundschutz (IT Baseline Protection)

Methodological approach for identifying and implementing appropriate IT security measures. Required for DiGA with normal protection needs. Components include: BSI-Standard 200-1 (ISMS framework), BSI-Standard 200-2 (methodology), BSI-Standard 200-3 (risk analysis), and IT-Grundschutz Compendium (specific security requirements). Increased protection needs require additional technical guides, penetration testing, and security audits.

Interoperability Standards (Section 6 DiGAV)

MIO — Medical Information Objects

Standardized data formats developed by KBV (Kassenärztliche Bundesvereinigung) for electronic health records in Germany. First priority in the DiGAV interoperability cascade. DiGA must use MIO where applicable for their data type.

International Interoperability Standards

Second and third tiers of the DiGAV cascade when MIO not applicable: HL7 FHIR (Fast Healthcare Interoperability Resources) for structured health data exchange; HL7 v2/v3 for messaging; DICOM (Digital Imaging and Communications in Medicine) for medical imaging; IHE (Integrating the Healthcare Enterprise) profiles for workflow integration. Manufacturer-specific formats permitted only as last resort with full documentation.

Evidence & Research Standards

Study Registry Requirements

All DiGA evidence studies must be registered in DRKS (Deutsches Register Klinischer Studien / German Clinical Trials Register) or WHO ICTRP (International Clinical Trials Registry Platform). Registration required before study commencement. Complete results must be published within 12 months of study completion regardless of outcome.

Reporting Standards

CONSORT (Consolidated Standards of Reporting Trials) for randomized controlled trials; STROBE (Strengthening the Reporting of Observational Studies in Epidemiology) for cohort and case-control studies; SPIRIT (Standard Protocol Items: Recommendations for Interventional Trials) for study protocols. DiGA evidence must follow internationally accepted standards for study design, conduct, and reporting.

Administering Authority

BfArM — Federal Institute for Drugs and Medical Devices

Bundesinstitut für Arzneimittel und Medizinprodukte. Independent federal superior authority within the portfolio of the Federal Ministry of Health. Manages the DiGA directory, decides on all listing applications within the three-month fast-track timeline, and provides guidance to manufacturers. Issues this 126-page guidance document and maintains ongoing consultation services for applicants.
Web: www.bfarm.de

Test Your Knowledge

Challenge yourself with these questions about the DiGA fast-track process.

Question 1 of 5
How long does the BfArM have to assess a DiGA application after receiving complete application documents?
Correct! The fast-track process is designed as a three-month assessment period starting from receipt of complete application documents, making it significantly faster than traditional medical device approval processes.
Not quite. The BfArM has three months from receipt of complete application documents to assess the DiGA. This is the defining feature of the fast-track process.
Question 2 of 5
What are the two categories of positive healthcare effects (pVE) that a DiGA can demonstrate?
Exactly right! Medical benefit (mN) covers therapeutic effects, symptom reduction, and quality of life improvements. Patient-relevant structural/process improvements (pSVV) cover health literacy, adherence, self-management, and care coordination.
Incorrect. The two categories are medical benefit (mN) and patient-relevant structural/process improvements (pSVV). These represent the clinical and organizational dimensions of healthcare improvement.
Question 3 of 5
What medical device classes can qualify as DiGA?
Correct! DiGA are limited to Class I and IIa medical devices. These are lower-risk categories appropriate for digital applications, excluding higher-risk Class IIb and III devices that require more stringent regulatory oversight.
Not correct. DiGA can only be Class I or Class IIa medical devices. Higher risk classes (IIb, III) are excluded from the fast-track process due to their more complex safety and regulatory requirements.
Question 4 of 5
What is the maximum duration of a provisional listing trial phase, including any extension?
Perfect! Provisional listing allows 12 months initially to generate evidence, with the possibility of extending to 24 months total. This gives manufacturers market access while completing their studies.
Incorrect. The trial phase is 12 months initially and can be extended to a maximum of 24 months total, giving manufacturers up to two years to generate the required evidence of positive healthcare effect.
Question 5 of 5
Which standard must DiGA implement for information security management?
Exactly! DiGA must implement an ISMS based on BSI-Standard 200-1, and for normal protection needs must apply BSI-Grundschutz components. Increased protection needs require additional technical guides and security measures.
Not quite. DiGA specifically require BSI-Standard 200-1 for the ISMS framework and BSI-Grundschutz components for implementation. These are German federal information security standards mandatory for DiGA.

Key Takeaways

  • Fast-Track Creates Market Access Window

    The three-month assessment timeline and provisional listing pathway fundamentally change digital health market entry in Germany. Unlike traditional medical device pathways requiring complete evidence before launch, manufacturers can achieve market access with an evaluation concept, generating real-world evidence while commercially available. This bridges the innovation valley of death but requires disciplined study execution during the 12-24 month trial phase.

  • Security and Privacy Requirements Are Non-Negotiable

    The comprehensive BSI-Standard 200-1 ISMS requirement, BSI-Grundschutz implementation, GDPR compliance, and purpose limitation rules create significant technical barriers. DiGA cannot monetize health data, cannot share data without explicit consent, and must implement robust encryption, access controls, and incident response. Increased protection needs trigger penetration testing and security audits. This protects 73 million insured but demands substantial security investment from manufacturers.

  • Evidence Standards Mirror Clinical Research

    Positive healthcare effect evidence requires comparative studies (preferably RCT), prospective data collection, study registry entry, and publication of complete results including negative findings. Studies must be conducted in Germany or demonstrate transferability. Diagnostic functions require separate test accuracy validation. This elevates digital health evidence standards to match pharmaceuticals, legitimizing the field but requiring manufacturers to build clinical research capabilities or partnerships.

  • Interoperability Is Mandated, Not Optional

    The Section 6 DiGAV cascade requires data export in standardized formats following a strict hierarchy: Medical Information Objects (MIO) when applicable, then recognized standards (FHIR, HL7), then industry standards, and only manufacturer-specific formats as last resort with full documentation. Integration with electronic patient records and telematics infrastructure is required where relevant. This prevents data lock-in and enables care coordination but demands technical implementation beyond standalone app development.

  • Post-Listing Obligations Create Ongoing Compliance Burden

    Listing is not "approve and forget". Manufacturers must notify significant changes, implement mandatory updates based on latest medical knowledge, maintain quality and security standards, respond to BfArM inquiries, and face de-listing if requirements lapse. The life cycle approach treats DiGA as living products requiring continuous improvement, creating sustained regulatory overhead but ensuring patient safety and efficacy maintenance in a rapidly evolving digital landscape.

  • German Model Influences Global Digital Health Regulation

    As the world’s first national reimbursement pathway for digital therapeutics at scale, the DiGA framework provides a tested model for evidence requirements, security standards, and market access mechanisms. The balance between innovation enablement (provisional listing) and evidence rigor (mandatory studies, publication requirements) offers a middle path between permissive app store models and restrictive pharmaceutical-style approval. Other countries and health systems are studying DiGA outcomes to inform their own digital health policies, which makes this guide relevant beyond Germany’s borders.
