Applications for smart devices continue to rise in popularity and have arguably become a necessity for coping with everyday life. Today many things can be found in app format, available for instant download by anyone with a smart device. The medical and healthcare field is no exception. Consequently, traditional medical device manufacturers, as well as new high-tech developers, are competing and collaborating in the rapidly emerging digital medical device market. Medical devices in app format, or ‘medical apps’, have been a reality for some time and many people, including healthcare professionals, have some sort of medical app on their phone or smart device. This article provides an introduction to the legal areas that manufacturers of medical devices may need to consider before placing a medical app on the EU market, and in particular the Swedish market.
The definition of a medical app is broad, but may be understood as an app intended to be used for diagnostic or therapeutic purposes in relation to a certain illness or condition. The use of medical apps ranges from devices that help diagnose and treat, to devices capable of monitoring, documenting, calculating or analysing diseases, disabilities, treatment advice and more. There are many potential advantages of adding medical apps to traditional healthcare. In general, manufacturers develop medical apps to increase such things as price efficiency, accessibility to health care, speed and accuracy of diagnosis and emergency response and, of course, to improve the health and medical care of individual users. Medical apps can also play a role in managing resources for healthcare and insurance providers.
However, the risks associated with a medical app could be severe and even life threatening. Regulators therefore ensure that all medical apps within the European internal market are safe to use, reliable and comply with set European standards. The regulations facing anyone intending to launch a medical app are extensive and include not only European but also Swedish regulations. The Medical Device Regulation (MDR), soon to come into force, along with other health-related regulations, is an essential consideration. However, there are other applicable factors for the digital sector that need to be taken into account as medical apps may touch on aspects such as data protection regulations.
Each specific situation, and the specific functionality and characteristics of the app in question, requires a thorough examination of the regulatory framework to ensure compliance. Special regulations will apply to the respective medical app, depending on the field in which it is deployed. For instance, medical apps in the fields of pharmaceuticals, dental care or mental health all require attention to different special regulations and the compliance criteria for each medical app may differ widely. With new regulations continuously coming into effect or being amended, the legal landscape may be difficult to navigate, especially for new high-tech developers that traditionally do not have experience of handling regulatory matters in the healthcare sector. Below we focus on generally applicable compliance considerations in relation to the MDR and the General Data Protection Regulation1 (GDPR).
Privacy and data protection considerations
With regard to privacy and data protection, medical apps are likely to contain personal data about users or, where applicable, patients. The key legislation to take into consideration when processing personal data is the GDPR, the Swedish Data Protection Act2 and, where applicable, the Patient Data Act3. The purpose of this article, however, is to provide an overview of how lawful grounds for processing may be obtained, rather than going into detail or performing a compliance review for a specific medical app.
Personal data refers to any information relating to an identified or identifiable natural person. Personal data may, for instance, include a person’s name, identification number, location data or an online identifier. In addition, other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual are also referred to as personal data.4 Personal data falls under the scope of the GDPR when it is processed wholly or partly by automated means or when it involves other processing of personal data which forms or is intended to form part of a filing system.5 For the purposes of this article, we assume that a medical app containing or fed with personal data meets the ‘processing’ criteria and is consequently subject to GDPR rules. The grounds for lawful processing outlined in Art. 6 of the GDPR will usually be sufficient for lawful processing of personal data under the GDPR.6
However, the data processed in a medical app may indeed fall into the category of health data, genetic data or biometric data. The GDPR poses certain requirements regarding the processing of this ‘special category’ of personal data in Art. 9(1). The main rule following Art. 9(1) is that the processing of such special categories of personal data is prohibited. Thus, the grounds for lawful processing outlined in Art. 6 of the GDPR are not sufficient.7 However, there are exemptions to the main rule on prohibition, which the manufacturer may look into and apply.
For medical apps specifically designed for use within professional healthcare by professional caregivers (Sw. vårdgivare), one possible option could be to investigate the respective legislation at member state level. Member states are to some extent authorised to implement lawful processing of special categories of personal data under national legislation.8 For example, the Patient Data Act allows professional healthcare providers to process certain data under Art. 9.2(h) of the GDPR. The most relevant example for private actors developing medical apps is that caregivers are allowed to process health data to fulfil their obligations to keep patient journals. This could be an option for digital healthcare services, if the company providing the medical app is also a caregiver under the Patient Data Act.9
Other possible derogations from the main rule on prohibition outlined in Art. 9.2 of the GDPR may be considered. One such derogation that could authorise the processing of special categories of personal data in a medical app would, for instance, be Art. 9.2(a), which covers an individual having provided explicit consent. Obtaining such valid consent, however, is a delicate matter and several things have to be taken into consideration before such consent is deemed lawfully obtained. For example, consent must be freely given, specific to the purpose, informed and an unambiguous indication of the individual’s wishes by way of clear affirmative action. Furthermore, the individual must, without detriment or consequence, be able to withdraw the consent at any time. This possibility of withdrawal needs to be considered not only at the stage of obtaining consent but also in the medical app’s end user licence agreement.
Medical Device Regulation
In the EU, medical devices are currently regulated by the Medical Device Directive (93/42/EEC) as implemented in respective national legislation. The Directive is, however, to be replaced by the Medical Device Regulation (2017/745; MDR) from 26 May 2021, by way of a transition timetable. The MDR introduces new and stricter requirements for medical device manufacturers to consider. Ensuring cybersecurity and data protection, including state-of-the-art protection against unauthorised access, is just one of the new requirements imposed on manufacturers.10
The purpose of the MDR is to ensure the safety and performance of medical devices in general. Medical apps placed on the European market must, like any other medical device, meet the requirements laid out in the MDR. The requirements differ depending on the device and are determined through classification of the medical app, which is based on the potential risks associated with the device, its technical design, and how the device is programmed. Note that medical apps can be classified from Class I, which includes devices that pose the lowest risk, to Class III for those posing the highest risk. The classification of the medical app is important with respect to different responsibilities, in terms of certification requirements, approvals from a ‘notified body’, clinical evaluation requirements, etc., that apply for different classes of medical devices. The classification is therefore essential to ensure the medical app complies with the MDR. For the classification of medical apps, see in particular rule 11 in Chapter III, Appendix VIII of the MDR.
Medical apps must be manufactured taking account of the app’s life cycle, risk and quality management, information security, verification and validation. Furthermore, prior to the launch of a medical app on the European market, an EU declaration of conformity11 must be provided. This is a mandatory document certifying that the requirements stipulated in the MDR have been met by the medical device. The CE mark is also required for any medical device under the MDR.12 The CE mark is, in essence, an assurance that the medical app meets the essential criteria of compliance to which it is subject, that it actually works and that it is clinically safe to use. The CE mark is a way for manufacturers to indicate that products follow mandatory European standards and laws, including those related to health and safety.
Although this article by no means provides an exhaustive list of the many regulations, ordinances, recommendations and guidelines (both at Swedish and European level) that apply to medical apps, it is worth highlighting that the common purpose of the regulations is to protect individual users from anything that could harm them. With that in mind, the special attention required to ensure that a medical app complies with the applicable legislation should mirror the vision of the manufacturer, to create better health and medical care, accessible to all. Do not be discouraged, the future is to be found in an app!
We would be happy to provide further guidance should you need any assistance with your medical app.
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
2 Sw: Lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning.
3 Sw: Patientdatalag (2008:355).
4 For the full definition of personal data, please see Art. 4(1) of the GDPR.
5 Art. 2 of the GDPR.
6 The legal grounds for processing are: Consent; Contract; Legal Obligation; Vital Interests; Public Task; Legitimate Interest. For further detail on each legal ground for processing, please see Art. 6 of the GDPR.
7 For the full definition of biometric, health and genetic data, please see Art. 4(13)-(15) of the GDPR.
8 According to Chapter 3, Section 5 of the Patient Data Act, special categories of personal data may be processed in accordance with Art. 9.2(h) of the GDPR within the health and medical care sector, provided that the responsible party who processes the personal data is subject to an obligation of professional secrecy under Swedish law, according to Art. 9.3 of the GDPR.
9 The Patient Data Act is supplemented by the Patient Data Ordinance and the guidelines issued by the National Board of Health and Welfare (Sw. Socialstyrelsen), HSLF-FS 2016:40.
10 Appendix I (17.4) of the MDR.
11 Art. 19 of the MDR.
12 Art. 20 of the MDR.