In the EU, digital health technologies such as medical apps or wearable sensors can fall within the scope of the medical devices directives. These directives provide the basic definition of a medical device and lay down the technical and procedural obligations that must be followed by the manufacturer of a medical device prior to affixing a CE mark to the product. The EU definition of a medical device is quite similar to that in the U.S. and is as follows:
“any instrument, apparatus, appliance, material or other article, whether used alone or in combination, including the device necessary for its proper application, intended by the manufacturer to be used for human beings for the purpose of:
–– diagnosis, prevention, monitoring, treatment or alleviation of disease,
–– diagnosis, monitoring, treatment, alleviation, or compensation for an injury or handicap,
–– investigation, replacement or modification of the anatomy or of a physiological process,
–– control of conception,
and which does not achieve its principal intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its function by such means.”
As in the U.S., determination of whether a product is to be considered a medical device is based on the product’s intended purpose. Generally, any “medical purpose” falls within the medical device definition. Furthermore, in deciding whether a product falls within the scope of the medical devices directives, particular attention should be given to the principal mode of action of the product. Products classified in the EU as medical devices typically function by physical means. This constitutes the main criterion according to which medical devices are distinguished from medicinal products, which, in accordance with the Community Code on Medicinal Products,9 generally function by pharmacological, immunological, or metabolic action.
With respect to software specifically, the European Commission has published guidelines to assist manufacturers in determining whether their products should be regulated as medical device/in vitro diagnostic medical device software in the EU. The European Commission guidelines entitled “Guidelines on the Qualification and Classification of Stand Alone Software Used in Health within the Regulatory Framework of Medical Devices” (hereafter MEDDEV 2.1/6) provide the criteria for classification of standalone medical software. The first release of this MEDDEV was revised in July 2016. The criteria to determine whether a digital health technology such as software falls within the scope of the medical devices directives are the following:
–– The product is software;
–– The software is standalone software;
–– The software performs an action on data which is different from storage, archival, communication, simple search or lossless compression;
–– The action of the software is for the benefit of individual patients;
–– The software is specifically intended by its manufacturer to be used for any purposes listed in the definition of medical device, i.e.:
  –– diagnosis, prevention, monitoring, treatment or alleviation of disease;
  –– diagnosis, monitoring, treatment, alleviation, or compensation for an injury or handicap;
  –– investigation, replacement or modification of the anatomy or of a physiological process;
  –– control of conception.
For all medical devices, whether standalone software or otherwise, the medical devices directives provide that the product cannot be used or marketed in the EU unless a CE mark has been validly affixed to it in accordance with the provisions of the applicable EU legislation. An important element of EU law that distinguishes it from the law in other territories, including that in the United States, is the fact that authorization is not granted by a governmental authority; rather, the CE mark is affixed to the medical device by its manufacturer following a conformity assessment procedure. For some medical devices, essentially those falling within Class I and those regulated as in vitro diagnostic medical devices, a self-assessment process and a related Declaration of Conformity by the manufacturer are sufficient. In this Declaration of Conformity, the manufacturer certifies that its product complies with the essential requirements provided for in Annex I to the relevant medical devices directives. For other medical devices, including devices considered to be medium or high-risk medical devices such as Class IIa, Class IIb and Class III medical devices, a “notified body” (i.e., an organization which has been appointed by the competent authorities of an EU member state to conduct conformity assessment procedures and verify the conformity of the manufacturer with the essential requirements laid down in Annex I of the relevant medical devices directive) must undertake an assessment of the conformity of the manufacturer and/or the device in accordance with the applicable provisions of the relevant directive.
Although involvement of a notified body can be required, the final determination of whether the medical device complies with relevant legislation, and the related liability if it fails to do so, lies solely with the manufacturer.
Manufacturers of digital health technologies such as medical apps or wearable sensors must now also consider the new rules and obligations laid down in the Medical Devices Regulation (“MDR”) and the In Vitro Diagnostic Regulation (“IVDR”), which were adopted by the European Parliament and the Council in May 2017. Among other things, the MDR, which will apply from 26 May 2020, introduces new classification rules for medical device software. These new classification rules will significantly affect software currently regulated as Class I medical devices in the EU.
In addition, manufacturers of digital health technologies must consider the implications of the General Data Protection Regulation (GDPR), which will apply in the EU from May 25, 2018 and will replace the current EU Data Protection Directive. The GDPR will introduce new data protection requirements in the EU and will increase the responsibility and liability of entities processing personal data, including personal health data, of individuals in the EU, including through use of software.