The business potential of telehealth is tremendous in a world in which quality and access to care are of growing importance, but the new challenges it poses cannot be addressed within the borders of our traditional areas of the law.
Telehealth is a subset of eHealth used to describe the delivery of healthcare at a distance, through the use of information and communication technologies. It covers a variety of clinical and non-clinical practices and services, such as patient support programmes that use a mobile application for treatment adherence or personalised online support, remote patient monitoring, telemedicine booths or platforms, and also electronic health records.
Telehealth solutions may involve sensitive health data, patient consent, medical devices, acts of medicine, etc. As a consequence, they give rise to new and complex business, legal and regulatory issues materialising in the market place. Some recent headlines have reported on cybersecurity vulnerabilities found in medical devices, reimbursement for telemedicine services and the need for interoperability.
The new challenges posed by telehealth cannot be addressed within the borders of our traditional areas of the law. To date, there is no unified and harmonised legal framework for telehealth in Europe. Some countries have adopted local laws on certain telehealth activities, eg, French regulations that define telemedicine activities and organise a framework for their reimbursement by social security. Others have set local restrictions and limitations. Some local authorities have also issued some recommendations, guidelines and white papers.
The European telehealth legal environment is a blurry patchwork. The launch of a telehealth solution in one or several countries will require addressing a variety of legal topics. So one must have a clear roadmap to smoothly anticipate these issues and reduce the risk exposure.
When medical devices get involved
Telehealth services are made possible thanks to software and connected devices. Such material may qualify as a medical device. The design of the service must include from the outset the constraints resulting from medical device regulations.
With respect to software, the European Commission has published guidelines to assist manufacturers in determining whether their products should be regulated as medical devices in the European Union. According to the Guidelines on the Qualification and Classification of Stand Alone Software Used in Health within the Regulatory Framework of Medical Devices, stand-alone software qualifies as a medical device when it has a medical purpose and performs an action on individual patient data, where that action is different from storage, communication, simple search or lossless compression. For example, software that diagnoses melanoma skin cancer is a medical device. By contrast, software that aggregates population data, provides generic diagnostic or treatment pathways, scientific literature, medical atlases, models and templates, as well as software for epidemiologic studies or registers, does not fall within the medical device definition.
In order to place medical devices on the European market, manufacturers must follow a complex CE marking process in accordance with the provisions of the applicable European legislation. Non-compliance with applicable medical devices law can be subject to administrative and criminal fines under national laws. An important element of European law that distinguishes it from the law in other territories, including that in the US, is the fact that authorisation is not granted by a governmental authority, but rather the CE mark is affixed to the medical devices by the manufacturers following a conformity assessment procedure.
Telehealth organisations should also anticipate the future application of the new European Regulations for medical devices (MDR) and in vitro diagnostic devices (IVDR). Among other things, the MDR, which will apply from 26 May 2020, introduces new classification rules for medical device software and creates new obligations for the economic operators.
Unlocking data protection regulations
Telehealth technologies collect and process as much data as possible to give patients the best care. When processing health data of European citizens, telehealth organisations – wherever they are located, including outside the European Union – must comply with the General Data Protection Regulation (GDPR), which has implemented a risk-based approach. Processing health data must rely on a solid legal ground, which will often be the patient’s consent.
When acting as a data controller or processor, telehealth organisations must comply with processing principles and conditions. The GDPR’s accountability provisions require data controllers to affirmatively prove that they deploy ‘appropriate technical and organisational measures’. Data processing records should be designed with this pre-litigation strategy in mind.
Data subjects have broad rights under the GDPR with regard to their data. Hence, in telehealth projects, patients have the right to obtain confirmation from the data controller concerning whether or not their personal data is being processed, where and for what purpose. Pursuant to the new right to data portability, the data controller must, upon request, provide a copy of the personal data, free of charge, in a ‘commonly used and machine-readable format’.
Is there a doctor on board?
A telehealth solution aiming at performing medical acts will fall under national regulations on the practice of medicine and raise several structural regulatory questions, ranging from pricing and reimbursement and use of artificial intelligence to advertising and the corporate set-up of the legal entity (or entities) hosting the business.
Such telehealth solutions must comply notably with all applicable rules governing the practice of medicine, as well as any special rules governing telemedicine in the jurisdictions concerned. Regulatory constraints arising from the telemedicine qualification are plentiful: patient information and consent, authentication of healthcare professionals and required training, security of health data, anti-benefit regulations, and so on.
The healthcare professional delivering telehealth services must be appropriately licensed and registered, and must also have adequate liability insurance covering the said services.
An increasing trend of regulations restricting or organising interactions with healthcare professionals and organisations, coupled with transparency requirements, will need to be taken into account, especially for cross-border telehealth solutions. In application of local sunshine rules, transfers of value may need to be disclosed on the company’s website or on a central platform which can be government-controlled. Thresholds vary from country to country.
Telehealth solutions may be a vehicle to promote products, disease awareness or carry out institutional advertising. Content provided in this context must be assessed under European laws regulating promotional activities.
There are no specific rules at European level about online communication. General rules on advertising apply to telehealth solutions. Hence, advertising must not be misleading and must be accurate, correct and verifiable. Rules applying offline also apply online. Prohibitions and restrictions notably apply to the advertising of medicines and medical devices to the public. These rules apply not only to pharmaceutical companies and medical device manufacturers but to all stakeholders: health technology companies, hospitals, healthcare professionals, etc.
Who is paying?
Telehealth services improve patient access while potentially contributing to lowering costs for existing healthcare infrastructure. Governments have an incentive to extend reimbursement coverage for such services. Reimbursement of telehealth services is up to the member states in the European Union in respect of national competencies. Within member states, reimbursement is currently often decided on a case-by-case basis.
Reimbursement of telehealth services may follow different paths: the service can be a distinct self-sustaining service with an assessable value and can be reimbursed as such. For instance, teleconsultations in France are reimbursed under certain conditions. The service may, instead, be integrated in a broader offering to enhance the value or performance of another service or product.
Market access strategy for deploying telehealth solutions must anticipate the appropriate reimbursement pathways in each member state, and any health offering provided alongside to which the services may be connected.
As tools powered by AI, data management through blockchain and other new technologies burst into the heavily regulated health industry, mapping out the regulatory framework of each project and related risk exposures remains of utmost importance.
Mikael Salmela is a partner at Hogan Lovells (Paris) LLP