When we record our meals and exercises in our health app; when we indicate our kid’s symptoms in order to decide if to take her to the emergency room; when we check in an expert's forum the ramifications of mammography results ‒ we are conducting routine practices that characterize life in a modern society.
Is it possible that in the near future, our insurance company will notify us that it is increasing our premium due to our unhealthy lifestyle, or that it is not covering our illness since the queries we made online to expert forums reveal that we hid information from it? In legal proceedings on sexual offences, can the victim’s records on a mental health app be revealed? Will employers seek health tracking app reports on current or potential employees?
These questions illustrate how alongside an individual's increasing involvement in managing his or her health, and the accessibility of personal health information, legal questions arise regarding private, sensitive data that have been collected and stored.
It is important to consider the market in which we seek to work when planning a product, as each country has its own laws and regulations. In the U.S., for example, in addition to federal law, each state has its own regulations; in Europe, alongside EU regulation, each country has its national regulations. The following discussion relates to Israel, unless otherwise stated.
Medical device – Certain medical apps are considered to be full-fledged medical devices, or they function alongside them. Medical devices require registration and certification by the regulator (in Israel, through the Ministry of Health, in the U.S. – the FDA, and in Europe the CE and national regulatory bodies). At times, it is unclear if an app constitutes a medical device or not, since there are different definitions in various laws and regulations. Some definitions are also unclear, and it is crucial to obtain regulatory advice before progressing with development.
Prevention of Deception and Disclaimer – Complete and exact information must be provided for health products, to prevent deception; it is important not to include false, inexact or misleading information. Even failure to specify certain information regarding a product might constitute deception. It is important not to attribute to the app a medical purpose (unless it is approved as a medical device for that purpose). It is also necessary to clarify that one must consult appropriate authorized health care providers in case of medical need, and that an app or web site is not intended to replace proper consultation with an appropriate physician.
Likewise, in the explanation of the app's purpose and function, one must avoid any degree of deception of the patients as explained above, and to act in accordance with the provisions of the Consumer Protection Law on advertising products and services. Note that the law prescribes stricter requirements in certain transactions, for example, with regard to an ongoing contract for medical services or advertising aimed at minors. Moreover, at times, there are regulations regarding a specific product or service. This requires detailed consultation concerning the regulations related to that specific product.
As a consequence of the general rules, it is important to specify the purpose and use of a product, and the conditions, exceptions and disclaimers regarding the use of the product. There are, of course, additional rules to be followed regarding the nature of the transaction (such as a distance transaction).
In Israel, policy regarding the protection of information must be determined in conformity with the Privacy Protection Law, Privacy Protection regulations, and the Director General's Directive on tele-medicine. (Other relevant regulations can include, for example, HIPAA in the U.S., in relevant cases, and GDPR in Europe.)
Note that it is quite possible that if the app does not connect to a healthcare provider, a medical institution or a third entity on their behalf, that the app will not be regulated by the Patient’s Rights Act (or HIPAA in the U.S. in relevant cases). Notwithstanding this, the information will be considered sensitive information, and this does accord it some additional protection by virtue of privacy laws and regulations.
Due to the sensitivity of this information, “engineering of privacy” is recommended. This means planning the product a priori such that as little sensitive information as possible will be gathered by the company, and that as far as it is feasible, the sensitive information to be saved will be anonymized or encrypted in a way that doesn't permit attributing data to a specific patient.
Liability – Dealing with medical apps raises questions as to liability, tort claims and mass litigation. Subjects to be dealt with include the division of responsibility between the parties involved in case of harm to the patient. The relevant parties in such cases include the physician or medical institution, as well as the company that produced the app, and sometimes, the patient himself (who registered data or information). In certain cases, it might also entail additional service providers. It is important that commercial agreements stipulate and reflect the division of responsibility between the parties.
Regarding tele-health, see also the previous post on the subject.
As we have shown, the field of medical apps is complex and requires thorough investigation of all the relevant legal aspects and ramifications. Perhaps there will be a legal app in the future that will automatically accomplish this, but until then, for questions or consultation, please contact: firstname.lastname@example.org
This post is intended to present general information only. It should not be construed as legal advice or legal opinion and should not be relied upon as such.