Telemedicine encompasses a wide variety of services such as teleconsultation, telemonitoring and telesurgery. Telemedicine can also include remote consultation/e-visits or video conferences between health professionals and can be delivered through various forms of IT systems including mobile phone apps.
It is this complexity in delivery that causes headaches for the legal landscape due to the interplay between the regulation of healthcare services, medical devices, intellectual property and data protection when offering telemedicine services.
DEFINITION AND SCOPE OF TELEMEDICINE
The nature and scope of telemedicine can be somewhat difficult to define. At present, most European Union Member States have not adopted legal instruments specifically regulating telemedicine, including Ireland. Therefore, there is no legal definition of telemedicine in Ireland. The European Commission defines telemedicine as "the provision of healthcare services, through the use of ICT, in situations where the health professional and the patient (or two health professionals) are not in the same location. It involves secure transmission of medical data and information, through text, sound, images or other forms needed for the prevention, diagnosis, treatment and follow-up of patients".1 The Irish Health Service Executive and the Department of Health have published similar definitions.2
It is worth noting that phrases such as "telemedicine" "eHealth", "telehealth", "telecare", and "connected health" are all used interchangeably in this context. This has only added to the uncertainty surrounding the scope and nature of telemedicine services.
It is well established that telemedicine is a service and as such falls under the provisions of the Treaty on the Functioning of the European Union (i.e. Article 56 freedom to provide services). This includes the freedom for citizens to receive health services from another Member State, regardless of how the service is delivered, i.e. through telemedicine.
Directive 2011/24/EU which was transposed in Ireland by the European Union (Application of Patients' Rights in Cross-Border Healthcare) Regulations 2015 endorses the right that all EU citizens are entitled to receive health services from another Member State, regardless of how the service is delivered, i.e. through telemedicine. The 2015 Regulations came into operation in Ireland on 1 June 2014.
Patients have the right to be reimbursed for the provision of cross-border health services, which includes cross-border telemedicine services. However, reimbursement will occur only if the telemedicine service falls within the range of healthcare services to which citizens are entitled in the Member State of affiliation. Ireland is the Member State of affiliation for persons insured in Ireland who are receiving medical treatment in another country.
Additionally, cross-border healthcare is to be provided in accordance with the legislation of the Member State of treatment. For the purposes of the 2015 Regulations, the provision of telemedicine is considered to have taken place in the Member State in which the healthcare provider is established.
One issue that arises in this regard is the recognition of professional qualifications. In Ireland, the Medical Practitioners Act, 2007 (as amended) requires all medical practitioners practicing in Ireland to be on the register maintained by the Medical Council of Ireland. However, according to the Directive and the 2015 Regulations, a healthcare provider providing treatment outside Ireland to patients in Ireland is considered to be providing medical treatment in the Member State in which he or she is established. As such, the medical practitioner would not need to be registered with the Medical Council, as he or she would not be providing treatment in Ireland.
MEDICAL DEVICES LEGISLATION
The provision of telemedicine services may also evoke the application of the EU medical devices legislation, namely Directive 93/42/EEC, Directive 98/79/ EEC and Directive 90/385/EEC. This is due to the fact that manufacturers of mobile health applications and devices that support telemedicine services must comply with multiple, and often conflicting, regulatory requirements promulgated by various regulatory authorities.
Qualification of a device or software as a medical device can trigger a number of related regulatory requirements. These include conducting clinical investigations on the device, undergoing a conformity assessment procedure and CE marking the device.
Software embedded or incorporated into medical hardware (e.g. software that controls a CT scanner) is deemed to be a medical device as it is an integral part of the medical device. By contrast, "standalone software" such as medical health apps will be considered a medical device only if it has a "medical purpose". Pursuant to Directive 93/42/EEC, standalone software has a "medical purpose" if it is intended by the manufacturer to be used for the purposes of:
"diagnosis, prevention, monitoring, treatment or alleviation of disease;
diagnosis, monitoring, treatment, alleviation of, or compensation for, an injury or handicap;
investigation, replacement or
modification of the anatomy or of a physiological process; or
control of conception."
The information in the instructions for use, labelling and promotional materials related to the device is important when determining the manufacturer's intended purpose.
Software that monitors a patient and collects information entered by the user, measured automatically by the app or collected by a point of care device may qualify as a medical device if the output affects the treatment of an individual. On the other hand, software that provides general information but does not provide personalised advice, although it may be targeted to a particular user group, is unlikely to be considered a medical device.
Manufacturers should consult the various guidelines issued by the regulatory authorities (including the Irish Health Products Regulatory Authority and the European Commission) on the qualification and classification of standalone software to see if your software is in fact a medical device or an in vitro diagnostic device.
The processing of personal data, including personal health data, is governed by the Data Protection Directive 95/46/EC, which is transposed in Ireland through the Data Protection Acts 1988 and 2003. The processing of sensitive information such as health information is subject to stricter requirements than other types of personal data.
Directive 95/46/EC does not define health data. However, according to the Article 29 Working Party, which includes representatives of the national data protection authorities in the EU, health data is not only data which is inherently or clearly medical data, but also includes raw sensor data which can be used in combination with other data to draw conclusions about the health status or risk of a person, irrespective of whether these conclusions are inaccurate, illegitimate or inadequate. Thus, while an app that tracks an individual's steps during a given day may not provide significant substance with regard to a person's health, it may provide information on a health condition when analysed in combination with other relevant personal information.
The processing of health data is prohibited unless it can meet one of the permitted exemptions in Directive 95/46/EC, which includes obtaining the explicit consent of the relevant individual. There are also other requirements beyond the need to obtain consent. All personal data must be processed fairly and lawfully and collected solely for specified, explicit and legitimate purposes. Appropriate technical and organisational measures must be implemented to ensure the security and confidentiality of the data.
It should be noted that the new EU General Data Protection Regulation ("GDPR") will replace the existing Directive 95/45/EC, with a more harmonised approach to data protection across the EU. As a regulation, the GDPR will be directly applicable in the member states, without the need for any implementing legislation.
The new safeguards adopted by the regulation will include the obligation on controllers to introduce data protection by design and default into their processing systems. They will also be obliged to produce a data protection impact assessment ("DPIA") where proposed data processing is likely to result in a high risk to the rights and freedoms of individuals. It is important to note that a DPIA is not mandatory when doctors or healthcare professionals process health data concerning their patients. Additionally, the Irish Data Protection Commissioner is permitted to publish a list of processing operations that do not require a DPIA. Many organisations using health data may, therefore, need to carry out DPIAs before processing personal health data.
While telemedicine has obvious benefits such as improving patient care and healthcare system efficiency, a fragmented legal landscape which involves compliance with the various different legal regimes discussed above could hinder such benefits.
Companies offering telemedicine services must keep this in mind and take a holistic approach when navigating the relevant legal and regulatory requirements. Getting the key players involved at this early stage will also help identify any gaps in assessment. As telemedicine is a moving target, companies should also keep a dialogue with the relevant regulatory authorities to confirm whether the authorities are drafting or preparing any guidance that might be relevant.