Legal considerations in EU-4 that governs data protection / data privacy in digital health software

Software as Medical Device (SaMD)

Software within #digital #health apps can be classified as a #medical #device if its intended purpose falls under one of the following categories, pursuant to Article 2 of Regulation (#EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, which applies from 26 May 2021.

To be used for human beings for the purpose of:

  • #Diagnosis, prevention, monitoring, #treatment or improvement of #disease or compensation of injuries.
  • Investigation, replacement or modification of the anatomy or of a physiological process.
  • Control of conception.
  • #Communication of #information through in-vitro examination of samples from the human body, including organ, blood, and tissue donations.

Compliance with the EU-MDR #regulation is mandatory for medical device #companies that want to sell their products in the European #marketplace. The EU-MDR replaces the EU’s previous Medical Device Directive (#MDD) and the Active Implantable Medical Devices Directive. Under the new medical device regulation, manufacturers need to provide more in-depth #clinical data to demonstrate their #safety and #performance claims.


Germany

Digital health applications (#DiGA) are software medical devices that can be prescribed by #doctors and covered by #health #insurance funds. To be eligible for #reimbursement in #Germany, the #software must be listed in the "DiGA Directory" of the Federal Institute for Drugs and Medical Devices (#BfArM). Manufacturers must undergo a thorough application process, meeting criteria for #medical #device status, #data protection, and submitting studies on positive supply effects. The #BfArM has established new test criteria for #data protection in #digital #health applications, serving as a basis for future certificates. These certificates, issued by accredited bodies, attest to the data protection conformity of the applications. Compliance with the #EU General Data Protection Regulation (#GDPR) is crucial, considering principles like lawfulness, purpose limitation, #data minimization, and confidentiality when processing personal data. Manufacturers must submit these certificates to the #BfArM when applying for inclusion in the #DiGA or #DiPA directory.

France

Digital health #software should comply with the following in #France:

  1. Data protection rules, i.e., the French Data Protection Act (Law n° 78-17 of 6 January 1978) and the #GDPR.
  2. Pursuant to article L.1111-8 Public Health Code, any person hosting personal #health data collected in the course of prevention, diagnosis, care or social and medico-social aftercare on behalf of the #patient or the #healthcare professionals must be a certified health data hosting service provider (Hébergeur de Données de Santé or #HDS).
  3. According to the same article, any act of transferring identifying #health #data for consideration, directly or indirectly, including with the consent of the person concerned, is prohibited under penalty (Article 226-21 of the Criminal Code).

Italy

The Italian Data Protection Authority, through measure no. 55 of March 7, 2019, clarified the application of data #protection #regulations to digital health software. In #Italy, the guidelines specify exceptions to the prohibition on processing "special categories of data," including health data, based on Article 9 of the #GDPR. Exceptions include processing for reasons of public interest, #public #health, preventive #medicine, #diagnosis, and health or social care. Where processing requires explicit consent, for example with #medical #apps that collect health data for non-telemedicine purposes or that are accessible to non-health professionals, obtaining that consent is mandatory under the Italian Privacy Code. Device manufacturers and e-health app developers must adhere to #GDPR principles, ensuring that individuals provide free, specific, informed, unequivocal, and explicit consent.

Spain

Adherence to the following #legal frameworks is essential for developers and providers of digital health software in #Spain. They cover data protection, e-commerce, consumer law, and advertising.

Data Protection

  • Compliance with #GDPR and Spanish Data Protection #Act is necessary if the software processes users' personal #data.
  • Analysis of data flows, determination of #legal positions, identification of processed data and purposes, and implementation of measures for special categories are required.
  • Informative clauses addressing data protection #regulations should be drafted and implemented in the app.

E-commerce

  • The Spanish e-Commerce Act may apply to digital health #apps that are not #medical #devices.
  • Providers must fulfill obligations related to information provision, identification, and consent in #electronic contracts.
  • Applicability depends on the location of the #software provider.

Consumer Law

  • If the #software is made available to consumers, the Spanish Consumer Law applies.
  • Consumers have rights related to #health and #safety, protection against unfair practices, compensation for damages, and access to information.
  • Specific information and clauses in #agreements are required.

Advertisement

  • If the software is considered a medical device, promotion must adhere to Royal Decree No. 1/2015, prohibiting certain advertising to the general public.
  • General Advertisement Law No. 34/1988 also applies to digital apps' advertising.


In conclusion

The legal regimes governing data protection and privacy in #digital #health #software across #Germany, #France, #Italy, and #Spain emphasize compliance with specific #regulations and principles. The classification of digital health software as a medical device has implications for #reimbursement eligibility, with each country having its own set of requirements. Adherence to GDPR and national data protection laws is consistently emphasized, and manufacturers must navigate certification processes and comply with the #guidelines outlined by #regulatory #authorities. Additionally, each country has specific legal considerations related to data hosting, transfer of health data, and consumer rights. Overall, developers and providers of digital health software need to carefully navigate and align with these diverse legal frameworks to ensure lawful and ethical practices in their respective #markets.

Related read: The Future of Europe’s Medical Technology Regulations


About Author

Avisek Ghose is a healthcare market researcher driven by a passion for marketing. A seasoned consultant and trained bio-imaging specialist, he shares his insights and outlook on recent trends, challenges and opportunities in early market access strategies, HEOR and HTA issues in the Medtech and Pharma industry.

Engage, Connect and Collaborate with Avisek Ghose

Subscribe and follow Healthcare-Market-Insight for the latest news updates

Healthcare-Market-Insight


Disclaimer

This #newsletter is based on the web publication by CMS, "CMS Expert Guide to digital health apps and telemedicine". Reference was made to the country-specific statements in that report for the topic discussed above. For more details, readers should refer to the official CMS web page.

The author took extreme care in citing credits wherever applicable; however, in case of missing citation(s) and/or any other discrepancies, please inform Avisek Ghose immediately, indicating the same with valid documentation(s).


#digitaltherapeutics #regulatoryaffairs #medicaldevices #medtech #medtechindustry #regulatoryframework #softwareasmedicaldevice #digitalhealthtech #cybersecurity #dataprotectionact #EUMDR #SAMD #IVDR #IVD #legalframework #HCP #datasecurity

It's crucial for digital health software manufacturers to understand and comply with EU data protection laws.
