
DiGA in the telematics infrastructure
Since 2019, patients have been entitled to the provision of digital health applications (DiGA), which are reimbursed by the statutory health insurance funds as part of standard care. The prerequisite for reimbursement is inclusion in the DiGA directory of the Federal Institute for Drugs and Medical Devices (BfArM). To this end, manufacturers must provide evidence of the data protection, security, interoperability and quality of their DiGA.
From May 2024, both already listed and prospective DiGA manufacturers will be obliged to connect their systems to the telematics infrastructure (TI) and ensure secure authentication of users via the digital identities (health ID) provided by the health insurance funds.
As proof of implementation, DiGA manufacturers must successfully complete a gematik confirmation procedure and submit the corresponding proof to the BfArM. BAYOOMED provides comprehensive support – from the technical implementation through to optionally handling the submission on your behalf.
The health ID challenge
The health ID regulated in Section 291 (8) SGB V has been issued by the statutory health insurance funds for their insured persons since 2024. This usually involves an identification procedure – e.g. with the eGK or ID card. Since the beginning of 2024, every statutory health insurance fund has had to provide an identity provider and an authenticator app, which regulated applications such as the ePA client, the ePrescription app and DiGA in particular can use to carry out secure two-factor authentication of the insured person. Together with the applications authorized for use, the identity providers of the various health insurance funds form the trust space of a so-called identity federation.
Connecting a DiGA to the authentication services behind the health ID poses several challenges for manufacturers: on top of the core OpenID Connect specification, mechanisms such as PKCE, PAR and OIDC Federation are used, which makes the protocol for the DiGA’s interaction with the various services quite complex. To participate in gematik’s Identity Federation, each DiGA must generate and publish a JSON Web Key Set containing its key material, together with an entity statement describing the DiGA’s interfaces.
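To make the last point concrete, the following Go program is an added example (not BAYOOMED’s or gematik’s code) that generates the two artefacts a relying party in an OpenID Federation must provide: the public JWK Set for an ES256 signing key and a self-signed entity statement that embeds it, names the superior entity in `authority_hints` and carries the DiGA’s `openid_relying_party` metadata. It uses only the baseline OpenID Federation 1.0 claims; gematik’s federation profile is not reproduced here, and the entity ID, Federation Master URL and redirect URI in `main` are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"math/big"
	"time"
)

var b64 = base64.RawURLEncoding
func b32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) } // 32-byte JWK/JWS scalar encoding

// PublicJWKS is the JWK Set the DiGA publishes: the public half of its ES256 signing key only.
func PublicJWKS(priv *ecdsa.PrivateKey, kid string) map[string]any {
	return map[string]any{"keys": []any{map[string]string{
		"kty": "EC", "crv": "P-256", "use": "sig", "alg": "ES256", "kid": kid,
		"x": b64.EncodeToString(b32(priv.X)), "y": b64.EncodeToString(b32(priv.Y))}}}
}

// EntityStatement returns the self-signed entity statement (a JWS with typ "entity-statement+jwt") that
// embeds the JWKS, describes the DiGA's relying-party interface and names the superior federation entity.
func EntityStatement(priv *ecdsa.PrivateKey, kid, entityID, authorityHint string, redirectURIs []string, ttl time.Duration) (string, error) {
	now := time.Now()
	claims := map[string]any{ // iss == sub marks the statement as self-signed
		"iss": entityID, "sub": entityID, "iat": now.Unix(), "exp": now.Add(ttl).Unix(),
		"jwks": PublicJWKS(priv, kid), "authority_hints": []string{authorityHint},
		"metadata": map[string]any{"openid_relying_party": map[string]any{
			"redirect_uris": redirectURIs, "response_types": []string{"code"},
			"grant_types": []string{"authorization_code"}, "client_registration_types": []string{"automatic"}}},
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "entity-statement+jwt", "kid": kid})
	body, _ := json.Marshal(claims) // marshalling maps of strings and slices cannot fail
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(append(b32(r), b32(s)...)), nil // JWS wants raw r||s, not ASN.1
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // a production DiGA keeps this key in an HSM/KMS
	es, err := EntityStatement(priv, "diga-sig-1", "https://diga.example", "https://fedmaster.example", []string{"https://diga.example/cb"}, 24*time.Hour)
	println(es, err)
}
```

The statement is what the DiGA serves at its federation endpoint; a peer verifies the ES256 signature against the key with the matching `kid` from the embedded `jwks` and then resolves the trust chain via `authority_hints`.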
HealthID as a “black box” – The BAYOOMED HealthID service
BAYOOMED offers DiGA manufacturers a compact support package for connecting the HealthID – provided as a developer license for the gematik reference environment. This allows the required authentication tests to be carried out and proof to be successfully provided to the BfArM.
The solution can be installed both in a cloud environment and in your own data center using Docker Compose. It is positioned between DiGA, gematik’s Federation Master and the health insurance companies’ identity providers.
All interactions with the gematik federation and the identity providers are encapsulated by the service – the DiGA itself communicates exclusively with the BAYOOMED service via the standardized OpenID Connect protocol.
In the basic version, a preconfigured Keycloak IAM server is provided as the interface to the DiGA. It can be used free of charge or installed directly. Alternatively, an existing authorization component can be connected via a documented REST API – e.g. to keep using existing user accounts.
The service integrates flexibly and gives DiGA manufacturers the opportunity to implement the current interoperability requirements of the telematics infrastructure (TI) in a timely, efficient and future-proof manner.