Digital Therapeutics (DTx): how to get reimbursed in the EU, UK and the US. An overview of the existing regulatory frameworks.
DTx reimbursement policies are fragmented and defined at a national level. Learn how to solve data protection and security compliance challenges to get reimbursed in the EU, UK, and the US.
Introduction and takeaways
Digital therapeutics (DTx) are a growing trend in the EU and worldwide. They offer considerable opportunities for companies to deliver innovation to the healthcare sector while having a reliable revenue model.
However, approval rules for DTx are being created by individual countries, each proposing its own processes, requirements, and regulatory standards. The resulting fragmentation creates huge challenges, increasing costs, delays and complexity for companies developing DTx.
With this article, we aim to:
- Provide an overview of the current status of the DTx reimbursement frameworks in the EU, UK, and US.
- Clarify the main challenges you face when you apply for reimbursement pathways.
- Provide straightforward suggestions to DTx manufacturers about how to overcome regulatory challenges.
- Show how Chino.io can help you shorten your timeline and solve regulatory compliance challenges for all target markets at once.
If you are in the digital health ecosystem, thinking about developing a DTx and entering the EU market, well… This is the right place for you.
How to get your DTx approved and reimbursed in the EU
This is the current list of countries in Europe that have set or planned a reimbursement framework for DTx:
The European Commission is working on a common regulatory framework for digital transformation in all EU member states. The high-level working framework relies on regulations already in place, such as GDPR regarding data protection or MDR regarding medical software and devices certifications, in addition to the newest activities on AI - trust in artificial intelligence, EU HDS - Health Data Space, or HTA - health technology assessment.
The goal? Creating a unique and centralised set of frameworks to drive digital transformation in Europe; digital health is a consistent part of this process. However, the EU has not released a centralised approval process for DTx.
As a result, every EU country is unique and the reimbursement framework must fit its existing healthcare systems.
Germany’s DiGA is often cited as a model for other countries to replicate in the way it fast-tracks reimbursement following certification. Belgium and France are both following in DiGA’s footsteps. The UK is characterised by having a regional implementation of reimbursement processes. EU countries like Italy are showing interest in a DiGA-like framework but haven’t started a legislative process yet.
Despite the progress, significant barriers to reimbursement remain. In addition, payment models and payment levels vary widely, with different maturity levels in other countries.
Although every country has a different framework, some requirements are shared among EU members:
Reimbursement frameworks available in Europe
Germany: DiGA’s Fast-Track Process
A DiGA is a digital health application eligible for reimbursement under Germany’s DVG law. Germany classifies DTx as digital health apps, and the Bundesinstitut für Arzneimittel und Medizinprodukte (BfArM) provides assessments for access to national reimbursement.
To achieve the reimbursement status in Germany, DTx companies need to:
- Provide CE marking as a medical device and privacy-GDPR compliance.
- Provide proof of general requirements (including data protection, information security, interoperability, and ease of use).
- Provide scientific evidence, evaluated through clinical trials, that the application improves the user's health.
Want to know more about DVG? Don’t miss the article in our blog, The DVG: an opportunity for digital health.
Currently, applications can be listed on the directory via a Fast-Track scheme. After that, they can be prescribed by doctors and funded by health insurers.
DiGAs must meet specific criteria for the Fast-Track. If a DiGA does, the DVG allows for its release on the market for a temporary period of 12 months to gather scientific evidence that proves its efficacy and safety in a real-world setting.
The newest DiPA framework
Even though it's not strictly related to DTx, it's worth mentioning that Germany has created the DiPA framework for digital health apps developed for care and nursing, especially in long-term care. The framework looks similar to DiGA with a few differences:
- The reimbursement has a limit of 50 euros/m. Patients will pay additional costs.
- The long-term insurer is responsible for enabling the solution for the patient.
- The app does not need to be approved as a medical device to be listed in this directory.
Did you know? Germany provides financial support for companies and startups developing digital therapeutics through the Innovation Fund (Innovationsfonds), funded by German Health Insurance (Gesetzliche Krankenversicherung, GKV).
How to solve regulatory compliance challenges for DVG? Proving general requirements is mandatory before you can be fast-track listed on the BfArM website. To this end, BfArM has introduced a list of 140+ data protection and security requirements and has frequently updated them over time.
If you are building a DiGA, Chino.io offers tailored solutions to meet the latest BfArM General Requirements mandated for DVG Fast-track listing and help you reduce the time and costs to get your product to the market.
France: following Germany’s Fast-Track Process
President Macron announced in late 2021 that France is working on a fast track to making digital therapies accessible to patients and reimbursable by the public health system. According to Nina Bufi, eHealth projects director for the Ministry of Health, this would be a valid “turning point” for the French healthcare sector, a real “weapon” for diversifying the care offered.
She explained it in the panel discussion ‘Hi, I’m an SME, where is my fast track?’, organised by Biocat, where she also announced that the strategy is going to receive €650 million in funding and be divided into five focal points. They hope that DTx can start reaching the French population in late 2023.
To be eligible for reimbursement in France, DTx will need to provide:
- CE marking as a medical device and privacy-GDPR compliance
- General Health Technology Assessment carried out by CNEDIMT and HAS
- Actual medical benefit assessment
- Clinical Evidence Evaluation
- Demonstration of clinical and socio-economic added value.
How to solve regulatory compliance challenges for France? France is well known for strict regulatory frameworks for healthcare digitalisation, with the establishment of the HDS (Hébergeurs de Données de Santé) certification, which, among other things, mandates the use of certified and approved service providers. The certification scheme is an addition to the GDPR-related requirements, which are highly defined and monitored by the national Data Protection Authority, CNIL.
Want to enter the French DTx market? See at the end of the article how Chino.io can help you solve all data protection and security requirements and ensure GDPR compliance and conformity to French national standards.
Belgium: the mHealth validation pyramid
Belgium is following the same path as France and Germany, with the first DTx solution already being reimbursed for a temporary period while carrying out a clinical study.
The NIHDI (National Institute for Health and Disability Insurance) launched a framework to approve digital therapeutics for reimbursement. However, to get the approval, they must reach the top level of Belgium’s mobile health (mHealth) validation pyramid and pass the evaluation by the Federal Agency for Medicines and Health Products (FAMHP):
- M1 level - Evaluation of CE marking as a medical device and privacy-GDPR compliance
- M2 level - Evaluation of risk assessment for data security, medical confidentiality, connectivity and interoperability assessment to ensure safe data exchange between all healthcare stakeholders
- M3 level - Demonstration of clinical evidence and socio-economic added value.
Currently, there are 34 health apps at levels M1 and M2 of the Belgian validation pyramid. The health apps that pass the M3 level are eligible to receive reimbursement through the National Institute for Health and Disability Insurance (NIHDI).
Interested in the Belgian digital health market? See the last chapter on how to solve regulatory challenges on levels 1 and 2, and be ready to apply for reimbursement in Belgium.
In Italy, although not in law yet, a movement has initiated an analysis of German law and how it could adjust to the Italian specificities to reach a broad consensus necessary for approval and closing the current gap.
AIFA (Italian Medicines Agency) has taken the first steps toward regulating DTx. A potential scenario could be that DTx products selected and tested by HTA processes can be placed within dedicated Care Pathways (CPs).
Currently, there are still some open questions about a potential reimbursement pathway act. For example, it is still uncertain whether a DTx product that covers the same therapeutic indications as a reimbursable drug will benefit from the same reimbursement conditions. Moreover, it is still not defined who establishes the need for a medical DTx prescription.
However, thanks to the Recovery Plan, telemedicine and digital health will be strengthened, promoting digitalisation and innovation within the Italian National Health System. A part of the €15.83 billion funding will be reserved for this purpose, to develop and integrate a reimbursement framework for digital therapeutics.
Other European countries
So, with Germany’s DiGA acting as a model to other countries, what is next for Europe’s DTx ecosystem?
According to a Sitra paper, “countries need to foster innovative companies, build transparent pathways to market and deployment, and to integrate DTx as part of care pathways.”
Having two of the major economies of the EU following the same framework gives a clear road ahead and an idea of what to expect in the upcoming years. Jessica Schull, lead of the European branch of the Digital Therapeutics Alliance, confirms it, stating that “We’re working to harmonise recognition across Europe, which is also critical for scalable growth.”
Ireland, Finland, Luxembourg, Sweden, Denmark, Switzerland, and Estonia follow the path Germany and France started to implement a standardised reimbursement framework. In fact, health representatives from these European countries have expressed interest in implementing a DiGA-like process. In addition, the Netherlands and Austria have started developing recommendations based on existing frameworks.
United Kingdom: from NHS Apps Library to DTAC
It was back in April 2017 when the NHS launched its Apps Library. The goal? To provide a database of digital health tools accessible to patients to help them make better choices about care and digital health. However, it was decommissioned almost one year ago, in December 2021.
In its place, we can find the Digital Technology Assessment Criteria (better known as DTAC) that ensure apps and digital health tools meet NHS’s clinical safety, data protection, technical security, interoperability, usability, and accessibility standards.
DTx products in the UK require a CE mark and/or UKCA mark, in addition to being GDPR compliant and meeting Digital Technology Assessment Criteria requirements. DTx are recognised as Digital Health Technologies (DHT) under the National Institute for Health and Care Excellence’s (NICE) Evidence for Effectiveness framework. Apps may benefit from undergoing a NICE Technology Appraisal to demonstrate health and economic benefits.
At the moment, there are no dedicated pathways to receiving reimbursement on a national level in the UK. However, local NHS organisations play a leading role in funding and reimbursing DTx solutions.
How to solve regulatory issues in the UK
Ensuring data protection and compliance with UK GDPR for general requirements assessment is an essential step on your way to the reimbursement of your digital therapeutics app. UK GDPR is still fully compatible with and essentially equal to GDPR regarding data protection and security principles and rules.
Chino.io helps you ensure perfect legal and tech compliance to create streamlined data protection and security processes enabling you to reduce the risks and cut the time to market.
The US - insurance coverage for DTx
The US defines DTx as “mobile software applications used to diagnose, treat, alleviate and prevent diseases or other issues affecting the human body,” with most DTx applications labelled as class II medical devices in the United States.
Based on this fact, DTx products are subject to regulation by the Food and Drug Administration (FDA). They are classified according to the product’s intended use and level of risk, and are subject to different degrees of oversight.
New DTx are reviewed by the Medical Technology or Digital Formulary Committees who consider:
- FDA submission data - is a prerequisite but does not guarantee coverage
- Peer-reviewed clinical data - reliable clinical data to achieve coverage and thus justify the pricing.
- HEOR data to show cost offsets or cost savings.
Today, the Public Insurance Coverage can be listed as follows:
- Medicare does not pay for software products due to no existing appropriate benefit category for this type of solution.
- Medicaid programs and care plans can consider fee-for-service product coverage via specific benefit programs on a state-by-state basis.
- The Department of Defence (i.e., Veterans Affairs) is beginning to cover some digital therapeutic products with a hardware component.
Regarding Private Insurance Coverage, the reimbursement path can be described as in the following table:
In addition to FDA approvals, digital health applications must be HIPAA compliant to exchange Personal Health Information (PHI) with covered entities (hospitals or insurances).
Chino.io helps companies ensure HIPAA compliance and, where needed, combine other regulations such as GDPR or additional national requirements in the EU to create streamlined data protection and security processes across your organisation.
How you can smooth the market entry of your DTx
Here we provide a summary of requirements you should consider when developing DTx solutions. It’s an evolving and fragmented regulatory framework that may seem challenging for companies and startups. The associated risks can affect the speed and costs of product development and, thus, the overall market access. Time is crucial when developing a digital health product: unexpected delays can have huge financial and trust impacts on companies and enterprises.
If you decide to enter these countries with your DTx product, be sure to have a solid compliance baseline set. It will help you to reduce time and costs when marketing your solution.
This is a list of regulatory and clinical requirements you should consider setting up:
Data protection, security and technical assessment
Compliance with GDPR for the EU and UK areas is essential to get your DTx product to the market. This is because GDPR represents the core regulations of all approval processes in the EU and UK, even though providing proof of compliance can be done in different ways (portals, checklists, assessments).
The same is not necessarily valid for HIPAA and the US market, where certain products (e.g., B2C solutions that don’t transmit, receive or record health information) don’t always require HIPAA compliance. We recommend talking to an expert since it can be a highly impactful decision to make.
To become compliant, you should implement appropriate organisational (legal/administrative) and technical security requirements and ensure that your service providers (also called Data-Processors in the EU or Business Associates in the US) comply with the GDPR or HIPAA as well.
If you want to read more about GDPR for digital health apps, be sure to check our previous resources: GDPR and Digital Health Apps compliance | 9 key things about GDPR that eHealth App developers should know.
In addition to the GDPR, specific technical and security assessments are required to ensure patient data safety and protect any personal data collected, stored, and transmitted through your DTx app. These requirements are defined at the national level but follow the latest best practices for software security (e.g., encryption, data transfers, logging).
You may want (or need, in some cases) further external proof of your compliance. For example, in some cases (e.g., Germany), ISO 27001 is required. Additionally, to make things even more complex, 3rd party vulnerability scanning and penetration testing may be necessary or beneficial - these are essentially security tests of your systems to reveal areas of potential risk and improvement.
Don’t forget that all the regulations and certifications require constant updates and assessments from your side. So factor this time into your planning to sell your product smoothly.
Chino.io offers 360° compliance support for digital health. Feel free to reach out to us if you need help!
Safety, medical certifications and clinical evidence
The other category of regulatory requirements is given by medical safety, certifications, and evidence proof. Since DTx are considered medical devices, they must comply with MDR, which came into effect in May 2021, or FDA requirements for the US market.
The MDR regulation requires that companies have a QMS in place when applying as a medical device. For this purpose, the EU created a set of harmonised standards, including ISO 13485:2016 and IEC 82304-1:2016. However, if not set up appropriately, achieving ISO 13485:2016 certification usually takes 4-6 months for companies with fewer than 50 employees.
On the clinical side, products must demonstrate clinical efficiency based on clinical data and evidence. It is no longer enough to show only that the product works; you must provide documentation of statistically significant efficacy in delivering the intended use of your product. To gather real and tangible evidence, you need to consider an adequate clinical investigation, as it is not always possible to collect sufficient data only based on medical literature.
Don’t forget to prove the usability of your DTx. Design the product using a human-centred approach, accounting for the users’ needs, abilities, and device interface (e.g., ISO 9241-210).
4 tips to solve your data protection and security compliance
As you may have noticed, many of the regulations described in this article have some points in common regarding data privacy, security, and GDPR compliance. Thus, businesses need to be aware of the importance of establishing and maintaining a compliance system within the organisation. Taking care of compliance means selling better and growing less painfully.
Below are the four leading suggestions we believe your company may benefit from when approaching the go-to-market in European countries:
- Be compliant from the start: start with GDPR basics from day 0. National regulations like DiGAV bring additional data security, privacy, and overall data management conditions. However, the starting core is always GDPR, and getting your data handling sorted out from the start is critical. In addition to the reimbursement process, users, partners, and investors are increasingly aware of privacy risks, and they will demand high compliance standards from you. If you don’t get compliance right, you can expect a significant impact on client acquisition, partnership deals, and user retention.
- Collaborate with trusted partners: the regulatory framework is evolving very fast, as is the availability of market opportunities. This means more challenges but also more opportunities and tougher competition. Time-to-market and efficiency will be of the essence to be able to compete with lower price points and innovation, so consider collaborating with trusted partners that can leverage your efforts and support you in your journey with strategic contributions.
- Plan a clear roadmap: if your goal is to target a process such as the DVG’s Fast-Track, the first 12 months will be your initial main focus, and having a clear roadmap where all aspects, including compliance, are covered is a deciding factor. Be sure to prevent months-long approvals and certifications - some may take up to 6-12 months - by planning ahead. Other European countries might need 1-2 years before they can implement the standard reimbursement process.
- Choose a trusted cloud provider: reimbursement rules and the EU healthcare system, in general, are very strict regarding using cloud providers. For example, the DiGAV states that personal data can only be processed in a third country if there is an adequacy decision in place. This makes it very complex to rely on US processors for handling your application and the data you collect (you can read here for more info on DVG and Germany). These restrictions can significantly impact your roadmap, costs, overall market access, and sales.
Chino.io, your trusted compliance partner
Working with experts can reduce time-to-market and technical debt, and ensure a clear roadmap you can showcase to partners and investors (see our latest case study).
At Chino.io, we have been combining our technological and legal expertise to help hundreds of companies like yours navigate through EU and US regulatory frameworks enabling successful launches and reimbursement approvals.
We offer tailored solutions to support you in meeting the GDPR, HIPAA, DVG, or DTAC mandated for listing your product as DTx.
Want to know how we can help you? Reach out to us and learn more.