In the near future, your smartphone may act as a "portable GP": analysing the data from a wireless sensor patch on your body to warn you about an imminent coronary, displaying blood sugar levels read by your contact lenses, and controlling your insulin pump if you are a diabetic. Thanks to the latest developments in mobile technology, this is no longer science fiction. Fitness tracking devices together with health apps installed on smartphones are the latest must-have. They are the focus of extensive research and development efforts by tech companies of all sorts and sizes, as well as of major marketing campaigns. Most recently, the introduction of smartwatches by various manufacturers drew worldwide attention. These devices are fitted with various apps ranging from support for workout and training to gathering information on the physical condition of their user. Such health apps, however, do not only offer tracking of fitness and leisure schemes; they are also expected to have a high innovation potential for the healthcare industry: they may serve to improve patient services and may thus offer great potential for reducing costs. Many health apps are already on the market. From a German law perspective, the marketing of health apps involves not only regulatory questions, especially their legal classification as medical devices, but also issues revolving around the advertising and use of health apps. Furthermore, aspects of health products advertising law and data protection law should be considered as well.
Some regulatory aspects
The importance of health apps in medical treatment is growing appreciably. As more and more diverse health apps reach the market, many legal questions come up that relate especially to their reliability and safety. Many health apps are addressed specifically to consumers and often have a 'lifestyle' focus, for example apps counting daily steps or giving dietary advice. Lifestyle apps, however, are only one of the possible categories of health apps. There are also health apps with a stronger medical aspect. This is the case when medicinal functions are executed or supported by the app, or where apps are intended for medical specialists, notably also in hospitals. By way of example, an app with a stronger medical aspect would be one that is capable of reading and displaying a person's body temperature via a clinical thermometer connected to the smartphone, and that also permits storage and transfer of the data. Apps designed for medical conditions, such as diabetes, also have a medicinal purpose. Google has developed a contact lens for diabetics that is said to read the blood sugar level in the patient's tear fluid and then transmit the glucose levels to the smartphone app. Unlike Europeans, people in the US, particularly physicians, seem to be less hesitant in using health apps. Several clinical trial projects are already running in the US in which physicians monitor their high-risk patients via portable ECG devices integrated with the patient's smartphone. This allows the doctor to read and analyse the patient's heart rate and blood pressure at all times.
When it comes to regulation, Germany, and more specifically the Federal Institute for Drugs and Medical Devices (BfArM), currently has no separate body of legislation or interpretation guidelines on health apps. At EU level, the European Commission responded to the trend in April 2014, publishing a "Commission Staff Working Document on the existing EU legal framework applicable to lifestyle and wellbeing apps". The document describes the relevant European legal regimes and seeks to provide app producers with a guideline for product classification and the resultant applicable legal requirements.
Depending on their working principle and designated purpose, apps are subject to different criteria in assessing whether they conform to existing regulatory requirements in healthcare and medical applications. The first crucial question is whether health apps are subject to regulatory conditions that control market access. A health app may qualify as a medical device, in which case it would be subject to the Medical Devices Act (MPG) and the pertinent regulatory standards. Software qualifies as a medical device if it is intended to fulfil one of the purposes set out in Section 3 MPG. Whether or not a product is a medical device depends on its intended purpose. Section 3(1) MPG defines the intended purpose as the use for which the medical device is intended according to the information provided by the group of persons referenced in Section 3(15) in the labelling, the instructions for use or the promotional materials. This clause makes it clear that the intended purpose of a product depends strongly on the information provided by the manufacturer. If the manufacturer's information indicates a medical purpose, this is decisive and cannot be changed to a non-medical purpose by way of a disclaimer. Software in the shape of apps designed to support diagnosis, plan treatment, or measure blood sugar or blood pressure has a medical purpose and, consequently, qualifies as a medical device.
What to consider when advertising health products
As soon as medicinal products or medical devices, but also procedures, treatments and objects dedicated to a particular disease or illness, are presented or, more precisely, advertised to the public, the requirements of the Health Products Advertising Act (HWG) come into play and may become relevant to health apps. The HWG imposes a wide range of restrictions on the advertising of the said products; for example, it is not permitted to advertise prescription drugs to consumers. Advertising is controlled not only in relation to consumers; advertisements addressed to professionals, such as physicians, pharmacists and hospitals, are subject to restrictions and content control as well. A number of HWG violations may constitute a criminal offence or an administrative offence. Further, violations may be subject to unfair competition law claims under Section 4 No. 11 UWG (Act against Unfair Competition) and may result in injunctive relief, an order for the removal of the violation and possibly damages against the advertiser. In addition, healthcare professionals must comply with professional regulations and codes of ethics; by way of example, physicians and pharmacists are subject to codes of professional conduct that also provide for penalties.
Health apps that provide access to information about medicinal products or to drug databases not only to professionals but also to consumers may result in a violation of Section 10 HWG, which prohibits any advertising of prescription drugs to the general public. Section 4 HWG requires every advertisement of medicinal products to include specific, legally defined details. This raises not only questions about the legal requirements on health apps but, above all, practical questions as to how those requirements can be implemented technically: the mandatory information has to be clearly separated and distinct from the other advertising claims and be easily legible (Section 4(4) HWG), which is difficult to accomplish on a smartphone display.
Other aspects that become relevant with health apps are the prohibition of misleading advertising (Section 3 HWG), the restrictions on advertising addressed to the general public (Section 11 HWG) and the prohibition of advertising remote treatment. A health app is prohibited from advertising an effect that the product does not actually have, or from providing untruthful or misleading information about the composition and quality of the product. In case law, health-related advertising is subject to the "principle of strictness", which applies particularly rigorous standards to the truth, unambiguity and clarity of advertising claims. Section 7 HWG can lead to legal issues as well, especially if the app is available for free. Under Section 7 HWG, it is not permitted to offer, promise or give, or to accept as a health professional, any benefits or other promotional give-aways (goods or services), unless one of the exemptions of Section 7 HWG applies; these exemptions are defined and construed very narrowly.
Taking data protection law requirements into account
From a German data protection law perspective, health apps are subject to the specific requirements for internet services under the Telemedia Act ("TMG"), but a number of other requirements may also apply due to the nature of the personal data collected, processed and used. Under the Federal Data Protection Act ("BDSG"), any processing of sensitive information about a user's physical condition is subject to a higher threshold of protection, and the statutory exemptions are quite narrow. For example, processing of such information may be conducted, inter alia, for scientific purposes or where the data subject's life or health is in danger. Hence, with regard to health apps, processing will usually be based on consent. The BDSG requires that any consent declaration relating to the handling of personal health data must raise the awareness of users by specifically calling out the fact that such information is being handled (see Section 4a(3) BDSG). Aside from that, German regulators, in a recent statement, interpret the provisions of the BDSG on technical and organisational measures (see Section 9 BDSG) to require specific safeguards when it comes to transferring and storing personal health data: any transfer shall be secured by appropriate certificates in order to prevent the connection between the app and other recipients from being compromised; further, the user's device as well as the app provider or third parties receiving the personal health data shall use authentication, both for the transfer and at the storage location, in order to protect the information from unauthorised access.
Another aspect to consider is that health apps may, like other apps, grant third parties access to the personal health data collected, either because the provider of the app has direct access to the storage or because, for example, the app is utilising cloud computing features. For any health data that is stored in the cloud, specific legal requirements apply. Aside from that, however, where personal data is subject to patient secrecy, further aspects need to be taken into account. Under the German Criminal Code ("StGB"), information which is subject to 'professional secrecy' (for example, any communication between doctors, psychologists or other general practitioners and their patients) shall not be disclosed to third parties (see Section 203 StGB). While the law makes an exception for service providers acting within the practitioner's sphere, the regulators take the view that this exception does not extend to providers of IT services such as cloud computing. According to German regulators, cloud computing providers cannot avoid accessing data stored on their systems in the course of performing maintenance tasks. This type of 'access', however, would qualify as a 'disclosure to a third party' by the practitioner and could lead to criminal liability. One option to resolve this issue is to adopt encryption, which prevents the cloud computing provider from being able to see the content of the data stored in the cloud. Hence, for health apps that a patient installs and uses at the suggestion of a clinic or a practitioner, and where the app allows access by the app provider or utilises third-party cloud features, an encryption system should be implemented.