...
| Info |
|---|
This guide will be iteratively developed. If relevant aspects and/or questions are missing, please provide us feedback via the following e-mail address: diga@gematik.de Update on 06.09.2023: Information was added on testoptions, which are now available for integrating the Health ID resp. the IDP-Federation. Update on 22.11.2023: Information on the next steps after the successful testing of the Health ID has been added. |
Outline
| Table of Contents |
|---|
Manufacturers of digital health applications (DiGA) will in the future have to comply with various obligations in the context of telematics infrastructure (TI). The present guide aims to assist DiGA manufacturers in implementing the TI use cases by providing all necessary information in a consolidated and clear manner. In particular, it is intended to:
...
Implementation of the Use Case
DiGA are "Fachanwnedungen" (Relying Parties) in the sense of the IDP-Federation. All relevant information for "Fachanwendungen" in the IDP-Federation is bundled in the IDP knowledge base: Fachanwendungen der TI-Föderation
In principle, the DiGA manufacturer must go through a registration process at the gematik, in which it is ensured in cooperation with the BfArM that they are a manufacturer listed in the DiGA directory. During the registration process, it is determined which attributes the DiGA manufacturer may retrieve from the IDPs - usually only a pseudonym and the KVNR for setting care-relevant DiGA data into the ePA. In addition, further information of the DiGA manufacturer is stored with the Federation Master. The DiGA manufacturer must then be able to process the ID token that they receive from the IDP federation after successful user authentication.
As proof of the successful integration of the IDP federation, the DiGA manufacturer must present a decrypted ID token from the test environment during registration.
Testing Opportunities/Offers
DiGA manufacturers can now test the integration of the IDP Federation. For this purpose, both a reference implementation of the Federation Master and an implementation of a sectoral IDP developed by gematik are available. In order to carry out end-to-end tests, registration in the test environment is necessary. All information on this can be found under "Zugang zur Testumgebung" here: Fachanwendungen der TI-Föderation
To integrate the HealthID/TI-Federation, the following specific steps are necessary:
1. Implementation of the HealthID in the test/reference environment:
First, the Health ID/TI-Federation must be integrated into the test/reference environment. TI-Federation professional services can use reference implementations and environments provided by the gematik for interoperability testing of their application. Information on this can be found in the IDP knowledge database: Fachdienste Test-Umgebungen.
As shown on the linked page, for some integration tests, it is necessary to register the Authorization Server of the DiGA in the TI-Federation. Only then will the professional service be recognized as a participant in the federation by all sectoral IDPs in the federation. Details on registration in the test/reference environment can also be found in the IDP knowledge database: Registrierung eines Fachdienstes in der TI-Föderation (für die Testumgebung (TU) und/oder Referenzumgebung (RU))
As also described on Fachdienste Test-Umgebungen, the reference implementation of the gematik sectoral IDP is located in a restricted access network of the gematik. For this reason, the outbound IP of the DiGA manufacturer must be on the gematik's allowlist, or alternatively, the DiGA manufacturer must use an X-Auth header in their requests. This will be communicated by the gematik upon request at diga@gematik.de.
If an ID token issued by a sectoral IDP can be successfully decrypted, then the authentication process in the test environment has also been successfully completed. The final tests should not be performed against the gematik sectoral IDP with its GSIA app, but against a sectoral IDP approved by the gematik and its authenticator app in the test environment. Since the sectoral IDPs of the health insurance companies are still in the approval process, not all sectoral IDPs of the companies are registered in the test environment yet. It is also not currently possible to gain access to the authenticator apps of the IDP-providers. Further information will follow.
2. Confirmation as DiGA in the TI-Federation by the gematik
Once DiGA manufacturers have successfully tested the HealthID and retrieved an ID token, they must be confirmed by the gematik as DiGA in the TI-Federation. According to §327 SGB V, confirmation by the gematik is required when components or products of the TI are used by additional applications. The goal is to ensure that the manufacturers meet the requirements specified by the gematik and maintain them for the duration of the confirmation.
The requirements a DiGA manufacturer must meet are summarized in an application profile (Anwendungssteckbrief). This is currently awaiting approval by the shareholders' circle of the gematik and will be published soon with all further information on the application and the fees incurred for the confirmation. The manufacturers will have to provide evidence of the met requirements through self-declarations during the confirmation process. The gematik itself will not test implementations of DiGA manufacturers. Information on this will be added here in this guide as soon as it is available.
3. Proof of successful integration of the HealthID to the BfArM
In coordination with the BfArM the confirmation issued by the gematik in step 2 is to serve as proof of the implementation of the Health ID to the BfArM. The BfArM will define a transition period in 2024 during which the evidence should be submitted to the BfArM. The gematik is in close contact with the BfArM to allow DiGA manufacturers enough time for implementation. Further information on this will be published by the BfArM shortly.
4. Registration of the DiGA in the productive TI-Federation after successful listing in the DiGA directory
After DiGA manufacturers have demonstrated successful integration of the Health ID to the BfArM through the confirmation issued by the gematik, they will be listed in the DiGA directory - provided all other requirements of the BfArM are met. After successful listing, the DiGA manufacturer can be registered in the (productive) TI-Federation. Since the sectoral IDPs of the health insurance companies will only be rolled out from January, registration of DiGA in the TI-Federation will also only be possible from January. This approach is coordinated with the BfArM. Further information on the registration application will follow soonShould you be interested in participating in the further development of the testing and support services and providing input, we look forward to receiving a message at diga@gematik.de.