pag. 2 Enabling mHealth – A Lack of Progress on the Legal Front Prof. Dr. Paul Quinn Brussels Free University (Vrije Universiteit Brussel), Belgium
pag. 3 I am a member of LSTS at Brussels Free University (VUB) My areas of research include Data protection in Health Care Legal issues related to eHealth and mHealth Stigmatisation and Discrimination I have worked on a number of EU projects that involved aspects related to mHealth e.g MOVING LIFE (FP7), REACTION (FP7), PICASO (H2020) A little bit about me..
pag. 4 What I am going to talk about… Legal issues relevant to the increased deployment of mHealth 1. Data Protection Issues 2. Issues Related to the Medical Device Framework 3. Changes (from the perspective of mHealth)
pag. 5 mHealth Raises a Number of DP Issues mHealth will make more use of personal health data than conventional forms of medicine. Personal data may be collected continuously. Questions about modality of consent. How is data transmitted and stored. Who has access?.
pag. 6 Health data as personal data Health data is recognised as sensitive data under the data protection framework. Directive 95/46/EC is still in force – Little harmonisation The new Regulation will come this year, hopefully ?!? It will result in a harmonisation of many elements of data protection (but not all).
pag. 7 Key Data Protection Requirements Must have a legal basis for processing. The legal grounds for the processing of health data are outlined in article 8 95/46/EC. Processing must occur in accordance with data processing principles. This include – Minimisation, securely stored, data must be of sufficient quality etc.
pag. 8 mHealth and Sensitive Data The processing of sensitive data is forbidden unless…. (Article 8 of 95/46) – Explicit consent is secured – The processing is in the context of an ongoing treatment relationship. The nature of mHealth processes raises issues with these exceptions.
pag. 9 Explicit Consent Raises Difficulties for mHealth Explicit consent must be informed consent May be difficult in the absence of a physician to explain things Can not be general May have to conform to local legal requirements pertaining to form (may be addressed with new regulation).
pag. 10 Meeting the conditions of an on-going treatment relationship may be difficult for many mHealth processes Directly connected to the provision of medical treatment i.e. does not cover other purposes e.g. billing, scientific research, administration. With a physician or similar individual subject to an obligation of secrecy At present unlikely to apply to technical or administrative staff… Difficulties in transfering data between insitutions and transfering to third party institutions.
pag. 11 Effects of the GDPR - Harmonization of form for consent Does not need to be written (Art 8) Need to keep evidence (Art 7(1)) A Broader range of exceptions for the processing of administrative data in the overall context of health care (e.g. Art 9(2)(h). The possibility for member states to add further protections in the area of health (Art 9(4))
pag. 12 Effects of the GDPR Harmonisation (especially with consent requirements) A right to be forgotten (Art 17) Rights to data portability (Art 18) Breach Notification (Art 31, 32) A new or strengthened duty (highlighted in EU Com green paper of; – data minimisation; -data protection by design; -data protection by default.
pag. 13 Issues Related to Medical Device Regulation Many mHealth solutions depend upon the use of software capable of running on diverse devices and operating systems Many mHealth apps seem to meet the definition of 'medical devices’ i.e. any … software, … intended for one or more of the specific medical purposes of (inter alia): diagnosis, prevention, monitoring, treatment alleviation of disease or diagnosis, monitoring, treatment, alleviation of or compensation for an injury or disability, For more on intended use see: Case C-219/11 Brain Products GmbH -v- BioSemi VOF and others
pag. 14 Less Clarity in the US than in Europe The FDA has adopted a more honest approach – reserving discretion to dispense MD requirements for low risk devices In Europe the EU Commission has released guidance on the application the directive to mHealth apps. » A strong focus is placed on intended medical use It is however often difficult to make this call with mHealth apps.. The dividing line between wellness and medical use is still very much blurred….
pag. 15 Medical Device Regulation Most relevant directive is The Medical Device Directive (Council Directive 93/42/EEC) Subject to revision (expected in the form of a regulation) Represents an onerous set of of regulatory requirements that may be time consuming and costly to comply with. May be difficult for apps to comply with given that they often operate under a low cost/low profit business model.
pag. 16 Problematic areas for medical device regulation Practical Issues Instructions CE Markings Requirement to continuously review is problematic May be difficult to reconcile with low-cost model Onerous requirements and potential liability for online vendors e.g. 'app stores’.
pag. 17 Problems of testing software with all possible devices/software platforms. The MDD requires that software be tested with all devices that it is to be used with. This may be problematic for software that is designed to operate on common operating systems e.g. on smartphones. Not feasible to test on all possible devices Wide range of smartphones Can be linked to third devices Operating systems are constantly under revision
pag. 18 Progress of lack of in recent years…. Legally speaking very little has changed… The revision of both the Medical Device Directive and the Data Protection Directive has been much slower than was expected. This has allowed an environment on legal uncertainty to continue. The proposed new regulations will not however remedy the situation described completely.
pag. 19 Harmonization is on the way The formalities surrounding explicit consent should be harmonized The complex requirements of the the MDD should be harmonized Such measures should provide legal certainty and aid development.
pag. 20 Thank you for listening! Paul Quinn