EuroPriSe Complies with Updated Telemedicine Certification Requirements from the KBV

In response to the recently updated requirements for proof of certification for telemedicine video service providers, EuroPriSe announces its availability to support the updated requirement.


Recently, the National Association of Statutory Health Insurance Physicians (Kassenärztliche Bundesvereinigung – KBV) and the National Association of Statutory Health Insurance Funds (GKV-Spitzenverband) released an annex to the original guidelines on the certification of video consultation hours. It sets forth requirements for the technical procedures used to conduct telemedicine or video consultation hours, to ensure that the video service provider and contracted physicians observe the legal framework for the processing of personal data. Annex 31b to the BMV-Ä establishes the additional obligations for the video service provider certification.

Under the updated regulations, doctors or psychotherapists can only bill for services in the context of an online video consultation if they have previously notified their Association of Statutory Health Insurance Physicians that they are using a certified video service (VS) provider. The video service provider must provide a current certificate in accordance with § 5(2)(b) of Annex 31b BMV-Ä.

EuroPriSe is the only certification body currently eligible for offering the required services for delivering a certification for telemedicine and registration with the KBV in Germany. These services are not provided as a separate, new type of certification, but under the umbrella and in accordance with the current EuroPriSe programme for the certification of IT products and IT-based services.

To inquire about the telemedicine certification, contact EuroPriSe at:
Sebastian Meissner
Phone: +49 228 763 679 30
E-Mail: contact@euprivacyseal.com

Frequently Asked Questions

How long does the certification procedure take?

This depends on the complexity of the VS/VCH service and its maturity in terms of data protection compliance. If the provider of a service with little complexity ensures that the service is good to go in terms of our readiness check and if the legal and technical evaluation should confirm this, it is possible to complete the certification procedure as such within a month. If the provider is new to the certification process or there is more complexity in the nature of the service (e.g., the VS provider wants the certification to cover corresponding apps, too), the process may take longer.

What do I need to do to prepare for the audit?

You should study our readiness check below carefully and make amendments to your VCH service and its documentation (if required). E.g., it only makes sense to go for certification if a pen test regarding the VCH service has been conducted recently and if you are in the position to submit a test report on this.

Does the certification render an examination according to the German Medical Devices Act unnecessary?

No. If an examination according to the Medical Devices Act should be required, it is not rendered unnecessary by the certification of the VCH service according to EuroPriSe. The EuroPriSe certification does not assess or confirm compliance with the Medical Devices Act.

What costs should I expect for the certification?

The certification cost for VCH services depends on the complexity (e.g., the provider of a web-based VCH service may also offer an app for the use of that service and may want this app to be covered by the certification as well or the VCH service may offer functionalities going beyond the basic functionalities required for the use of a VCH service).

What do I need to do to prepare? Please see our readiness checklist below:

  • Does your video consultation hours (VCH) service provide for peer-2-peer connections? If you should deviate from the peer-2-peer procedure: Do you inform the communication partners hereof in a transparent manner?
  • Do you ensure that all contents are end-2-end encrypted during the entire transfer process and that the implemented encryption is state of the art (BSI TR-02102)?
  • Do you comply with the requirement that you must not be able to access and/or store the contents of the video consultation hours?
  • Do you use metadata only for the procedures that are necessary to provide the VCH service and do you delete all metadata after three months at the very latest?
  • Does the processing only take place in the European Economic Area? If not: Is an adequacy decision by the European Commission in place for each third country in which relevant processing activities may take place?
  • Do you have a sample contract for your customers readily available? Does it include a data processing agreement (DPA) that fully complies with Art. 28 GDPR?
  • If you should make use of any sub-contractors: Is a signed DPA in place with each of them?
  • Are any relevant IT security certifications (e.g., ISO/IEC 27001) in place?
  • Have you recently commissioned a pen test regarding your VCH service and is a respective test report available?
  • Are your records of processing activities (for your activities as a processor: Art. 30(2) GDPR) current and complete?
  • Do you have a Data Protection Officer (DPO) appointed?
  • Is the privacy notice for your VCH service current and complete? Is a legal notice in place that is current and complete?
  • Are website cookies and tracking tools utilized in a data protection compliant manner? Is a cookie banner in place (if required)?
  • Are web forms GDPR compliant for gathering consent?
  • Are social media plugins in compliance?

Additional requirements must be met if you want the certification to also cover corresponding apps. Please contact us for further information.

 
