Key legal aspects of implementing digital therapeutics (DTx) in Austria

Last update: October 2023
The qualification of software as a medical device or mere software is crucial because it determines the regulatory framework within which the software must operate. If the software is classified as a medical device, it must comply with specific legal requirements and undergo a conformity assessment process before it can be placed on the market and used for medical purposes. The process requires a lengthy preparation period and is cost-intensive. Therefore, it is important to assess early whether the software qualifies as a medical device.
For software solutions in the healthcare sector that qualify as a medical device, the EU Medical Devices Regulation (EU) 2017/745 (MDR) and the Austrian Medical Devices Act 2021 (“Medizinproduktegesetz 2021”) are the primary legal frameworks. If a software solution constitutes a medical device, the requirements of the MDR must be observed before the product can be placed on the market in Austria. These include the obligation to implement appropriate quality management processes, to conduct a conformity assessment and to CE mark the software solution.
The decisive factors in determining whether software qualifies as a medical device in Austria generally align with the criteria outlined in the MDR: Software that is intended by the manufacturer to be used, alone or in combination, for human beings for diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of a disease, injury or handicap, for investigation, replacement or modification of the anatomy or of a physiological process, or for control of conception falls under the definition of “medical device” and hence within the scope of the MDR.
The explicitly stated intended purpose is not the only relevant factor; the instructions for use and promotional materials (e.g., website, information in the App Store) regarding the specific product also play a crucial role. Potential indicative terms in connection with the intended purpose and corresponding functions may include alarming, analyzing, calculating, detecting, and diagnosing. Indicative functions that could classify a product as a medical device include decision support or decision-making software, particularly concerning therapeutic measures.
The differentiation between a medical device and a consumer product – which does not fall within the scope of the MDR – can largely be influenced by the manufacturer who defines the intended purpose of the respective product. It is important to note that mere lifestyle or everyday apps (e.g., fitness tracking, nutritional recommendations, resilience exercises, meditation training without a medical purpose) are generally not intended for therapeutic purposes.
To determine the qualification of their software as a medical device, manufacturers should carefully analyse the characteristics and functionalities of their software and compare them against the criteria provided in the MDR. They may need to consult legal experts with expertise in medical device regulations to ensure an accurate assessment.
Including a service component in software can create potential legal issues since the provision of healthcare services is regulated to ensure patient safety, quality of care, and ethical standards. Certain requirements and restrictions may apply to the provision of healthcare services, and failure to comply with these regulations can lead to legal consequences.
The legal framework for providing healthcare services in Austria is provided by the Austrian Doctors Act (“Ärztegesetz”) as well as several other laws applying to other types of healthcare services, such as the Health and Nursing Act (“Gesundheits- und Krankenpflegegesetz”), the Federal law on the regulation of senior medical-technical services (“Bundesgesetz über die Regelung der gehobenen medizinisch-technischen Dienste”), etc. These laws outline the rights and obligations of healthcare professionals, including physicians, nurses and medical-technical professionals, and the requirements for providing healthcare services in various contexts.
According to the Austrian Doctors Act, the exercise of the medical profession is reserved exclusively for doctors. This includes any activity based on medical findings which is performed directly or indirectly on or for humans. The classification is to be made based on whether the activity requires comprehensive medical knowledge acquired using scientific methods.
To navigate the legal requirements, manufacturers should carefully analyze the services they intend to offer alongside their software and evaluate whether they fall within the scope of regulated healthcare services. If the services require medical expertise or involvement, it may be necessary to collaborate with licensed healthcare professionals, such as physicians or other qualified healthcare practitioners, to ensure compliance with the legal framework.
While Austrian law does not expressly prohibit offering medical services online, the requirement in the Austrian Doctors Act that physicians must exercise their profession directly and in person is seen as a potential barrier to the provision of online healthcare services. Although online healthcare services are offered in Austria and enjoy some degree of acceptance, the extent of their permissibility is still unclear.
The key requirements for data protection and data security in Austria are primarily governed by the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (Datenschutzgesetz, DSG). These laws emphasize the protection of personal data and impose obligations on data controllers and processors to ensure appropriate technical and organizational measures to safeguard the data. Any medical software to be offered on a given market will need to comply with local requirements in this regard.
When processing personal data, it is essential to adhere to the principles outlined in Article 5 of the GDPR, which include lawful and purpose-limited data processing, data minimization, and maintaining data integrity and confidentiality. These rules apply to the data of individuals residing in the European Union, regardless of citizenship (Article 3 GDPR). Even if users access the app outside the EU, GDPR will still apply if the provider is an EU-based company.
If data is stored on the device or collected from users' devices and is not necessary for providing the service, users must give additional consent in line with the EU "Cookie Directive" (Article 5(3) of Directive 2002/58/EU). The Cookie Directive covers not only cookies but any scenario where data is stored on or collected from a device. Additionally, obtaining consent is crucial for location tracking, except when it is an essential part of the provided service.
The GDPR applies in both B2C and B2B scenarios. In B2B situations, if the business user is a person or if they process personal data of other individuals through the app (e.g., patients), they must ensure compliance with the GDPR. Usually, the legal basis for this processing will be a contract with the individual or their consent. Consent is required as per Article 9(2)(a) in conjunction with Article 7 of the GDPR. It is essential to note that the data controller must be able to prove the data subject's consent, irrespective of any formal requirements (Article 7(1) GDPR). Since video consultation hour recordings are not permitted, electronic documentation of the consent declaration will be necessary if written consent is not used.
The decisive factors for ensuring data protection and data security in the context of medical software include implementing appropriate technical and organizational measures to protect personal data, conducting data protection impact assessments where necessary, obtaining informed and valid consent from data subjects, encrypting sensitive data, ensuring secure storage and transmission of data, implementing access controls, and regularly updating security measures to address emerging threats.
If the software constitutes a medical device, the advertising rules of the MDR and the Austrian Medical Devices Act 2021 (“Medizinproduktegesetz 2021”) must be observed.
There are specific rules applying to advertising that is intended for consumers:
In Austria, advertising that is intended for consumers is only permissible in relation to certain devices. It is prohibited in relation to prescription medical devices, medical devices intended exclusively for use by health care professionals on or for the patient, and medical devices whose use by consumers, based on the instructions for use, may only take place in connection with medical or dental treatment or monitoring.
Medical device advertising intended for consumers must be designed in such a way that the advertising character is clearly expressed and the product is clearly presented as a medical device.
In addition, advertisements directed at consumers are subject to certain content restrictions. For example, it must not contain elements that are exclusively or primarily intended for children or suggest that the effect of another treatment or medical device is equivalent to or superior to the advertised product, or give the impression that medical treatment is unnecessary, particularly by encouraging false self-diagnosis or recommending treatment through correspondence.
Rules applicable to all advertising:
Advertising must generally be transparent, clear and unambiguous. Furthermore, it needs to contain mandatory information such as the name of the medical device, a brief description of the intended purpose, information that is indispensable for use of the device and indications if the medical device may also cause undesirable effects or if its use requires special safety precautions.
Further, pursuant to Article 7 MDR it is prohibited to use text, names, trademarks, pictures and figurative or other signs that may mislead the user or the patient with regard to the device's intended purpose, safety and performance by:
Violation of advertising rules can result in unfair competition claims by competitors and consumer associations (including requests for preliminary injunctions). In addition, they can result in an administrative penalty.
If a software qualifies as a medical device, there are specific restrictions in relation to marketing it to healthcare professionals:
Austrian medical device law explicitly prohibits granting, offering or promising, in the context of a promotion, a premium, financial or material benefit to a person who prescribes, dispenses, procures, establishes, commissions or uses a medical device, unless it is of insignificant value and relevant to medical or medical technology practice. As a result, health care professionals may typically not be provided with a medical device free of charge or other incentives or benefits of value in Austria.
In addition, providing incentives or benefits to public officials (such as healthcare professionals at federal or state-owned hospitals) is prohibited and constitutes a criminal offense.
Conversely, Austrian law does not restrict the granting of incentives or benefits to consumers beyond the general restrictions that are applicable to all types of products under unfair competition law (for example, a gross imbalance between the advantage provided and the price of the product could render the promotion impermissible under Austrian unfair competition law). However, the general prohibition on advertising certain products to consumers (see b)) must be observed.
There are several possible distribution routes for DTx products in Austria. Austrian law allows medical devices to be dispensed directly to patients. Therefore, one option is to offer downloads for patients through app stores, where patients can pay for and download the DTx product. As such an offering may at the same time be regarded as advertising, this may not be an option for products that must not be advertised to consumers (see b).
Another approach is to sell or license the DTx product to cooperation partners, such as employers that provide the DTx product to their employees as part of employee benefit programs, insurance companies that provide the DTx product as part of their services to insured individuals, or to pharmaceutical companies.
If the provider of the medical device or the cooperation partner is a company that typically offers other products or services, it needs to consider if it fulfills the requirements of the Austrian Trade Act (“Gewerbeordnung”) or is exempted from these requirements:
Under the Austrian Trade Act, manufacturing, trading, processing, and rental of medical devices is a regulated trade. The operation of a regulated trade is subject to a trade permit, and the operator must provide evidence of qualification. If the provision of medical devices constitutes only an additional service, the provider may be permitted to offer it based on its existing trade permit under certain conditions.
Due to the EU freedom to provide services, cross-border provision of services is possible, including the temporary and occasional provision of services in a regulated trade. Prior to commencing cross-border activities in a regulated trade, a notification must be made to the Federal Ministry for Economic Affairs and Labour. If the services are provided solely online, there is no notification requirement in Austria if the provider is authorized to provide the services in the country of its establishment.
Further obligations under Austrian law:
In addition, there is an obligation under the Medical Devices Act for every distributor to register with the Austrian Medical Devices Registry, providing its (company) name, address, and type of business activity. The implementing rules are currently being elaborated and registration will only be possible once the implementing regulation has been passed.
Every person or legal entity that supplies medical devices to end users is obliged to pay an annual medical device levy of up to EUR 400 per business premises to the Federal Office for Safety in Health Care according to the Medical Device Levy Ordinance (“Medizinprodukteabgabeverordnung”). There is an obligation to self-declare and pay the levy each year; in case of failure to pay the levy, the Office will issue an enforceable decision.
Various forms of cooperation and partnering arrangements are legally possible in Austria. Some examples include cooperation with physicians, hospitals, or insurers. Development partnerships are also common, such as partnering with strategic or financial investors for the development of new features or indications for the DTx.
It is crucial to have the appropriate contracts in place to meet the legal requirements and to protect the interests of all parties involved. Contracts should cover aspects such as intellectual property rights, licensing, liability, warranties, termination conditions, and dispute resolution mechanisms as well as necessary measures to safeguard patient data and ensure compliance with data protection laws.
If the provider of the medical device or the cooperation partner is a company that typically offers other products or services, it needs to consider if it fulfills the requirements of the Austrian Trade Act (“Gewerbeordnung”) or is exempted from these requirements (see c).
A possible route of monetization is the route of direct payment by patients: Offering the DTx directly to patients who are willing to pay for such services. However, patient reluctance to pay for healthcare services may make this a challenging strategy in Austria.
Another option is “payment by data”: Instead of paying with money, users transmit data to the platforms and consent to their processing. The platforms then monetize the data, for example, through resale, creating user profiles, or displaying personalized advertisements.
In both cases, it is important to ensure that the requirements of consumer law and data privacy law are respected and, where required, the consumer has given valid consent to the processing of their personal data (see 1c).
Further, providers can partner with healthcare organizations, such as hospitals or clinics, that can integrate and offer the DTx to their patients as part of their services. Insurance companies that would like to offer the DTx as part of their coverage are another possible customer. To implement such partnerships, it is important to establish a clear and comprehensive contractual framework that covers all relevant aspects, such as pricing, payment terms, service level agreements, data protection, liability, and intellectual property rights.
There are currently a number of DTx that are entirely or partially funded by some social insurance companies and are typically available free of charge for the user. There is no official list of these DTx and no formalized process to obtain such funding.
As of now Austria does not have a reimbursement mechanism for DTx. There are some plans to introduce reimbursement of certain DTx. However, no concrete proposals have been published yet.
As of now, the "private route" – offering DTx to consumers in compliance with all the applicable laws – is the only possible route in Austria. One big advantage is that there is a high degree of flexibility in pricing. There are no specific rules defining the prices for medical devices paid by private parties. This is up to the negotiations of the parties and the principle of supply and demand.