Key legal aspects of implementing digital therapeutics (DTx) in Italy

From a regulatory point of view, DTx are software solutions in the healthcare sector (MDSW). They may therefore qualify as Medical Devices and be  subject to the rules set forth in the EU Medical Devices Regulation 2017/745 ("MDR"). As a consequence, the requirements of the MDR must be observed, including obligations for quality management processes, appropriate conformity assessment procedures and CE marking. Being considered a medical device, the legal manufacturer has to comply with all these obligations before the product is placed on the market in Italy.  

Software will qualify as a medical device in accordance with article 2 of the MDR, if the intended purpose relates to one of the following:  

• diagnosis, prevention, monitoring, treatment or alleviation of disease,  
• diagnosis, monitoring, treatment, alleviation or compensation of injuries or handicaps, 
• investigation, replacement or modification of the anatomy or of a physiological process 

The differentiation between a medical device and a consumer product – which does not fall within the scope of the MDR – can largely be influenced by the manufacturer who defines the intended purpose of the respective product. Mere lifestyle/everyday apps (e.g., for fitness tracking, nutritional recommendations, resilience exercises, meditation training without a medical purpose) are generally not intended for therapeutic purposes.  

Instructions for use and the promotional materials (e.g., website, information on App Store) regarding the specific product are relevant as much as the described intended purpose. Possible indicative terms in connection with the intended purpose and corresponding functions can be, for example: alarming, analysing, calculating, detecting, diagnosing, interpreting, converting, measuring, controlling, monitoring, amplifying. Indicative functions for classification as a medical device can be, amongst others, the following: decision support or decision-making software, e.g., regarding therapeutic measures; calculation, e.g., of the dosing of medicines (as opposed to mere reproduction of a table from which users can deduce the dosage themselves); monitoring patients and collecting data, e.g., by measurements if the results thereof have an influence on diagnosis or therapy. Pure data storage, archiving, lossless compression (i.e., using a compression procedure that allows the exact reconstruction of the original data), communication, or simple search functions do not in themselves result in the classification of a medical device. 

Medical devices are assigned to risk classes. The classification is decisive for the conformity assessment procedure that the respective product must undergo. The classification is mainly based on the vulnerability of the human body (invasiveness) and takes into account the potential risks associated with the release or exchange of energy (activity) and the duration of use of the medical device. They are assigned to Classes I, IIa, IIb or III, whereby Class I comprises those products with the lowest risk potential. 

The classification rules for software devices are listed under annex VIII chapter III, rule 11 MDR. Software can fall into risk class I. However, due to the new interpretation rules this will likely be an exception only. Most software considered as a medical device will be classified as class IIa or higher. This is important from a practical point of view because such software then needs to undergo a conformity assessment procedure applied by a notified body.  

However, since the MDR may not cover all legal aspects of DTx, local provisions and case law may apply and vary between the member states.  

In Italy, no assessment method or criteria have yet been published against which DTx are evaluated and approved for patient care through the Italian National Health System (“NHS”) (including reimbursement by health insurers). The Regulatory Authority which has jurisdiction on MDs is the Ministry of Health; however, question arises as to which authority, between the Ministry of Health or the Drugs’ Regulator (AIFA), would be competent enough in issues such as evaluations for the purposes of reimbursement. 

In Italy, law no. 53/2021 established the guiding principles and criteria that must be met in order to adapt national legislation to the new legislative framework introduced by the MDR. This adaptation took place with Legislative Decrees No. 137 and 138 of 2022. 

The Decrees amend and, in some cases, totally repeal the previous Legislative Decree No. 46/1997 on medical devices, introducing a new legislative framework consistent with the MDR and also regulating aspects that the MDR delegates to Member States. 

However, since in Italy, rules ad hoc for the use of DTx and, generally speaking, software medical devices, still lack, it is unclear whether they should or should not be assessed under the same regime under which healthcare services are provided to patients by HCPs. Indeed, when a service or a performance is included in a healthcare notion, which is currently discussed in Italy, it does not matter in whatever legal form they carry out their professional activity, because law require the attendance of physicians, which are supervised by their Professional Associations too. 

A source which should be taken into account is the soft law document "National Guidelines for the provision of telemedicine services" („Guidelines“) approved following an agreement between the Government and the Regions on 17th December 2020.  

The Guidelines should represent the national unitary reference for the implementation of telemedicine services and the use of such systems within the National Health Service. 

According to the Guidelines, telemedicine services can be divided into four categories: 

• services that can be assimilated to any other traditional diagnostic and/or therapeutic healthcare service, representing an alternative to it; 
• services which, since they cannot replace the traditional healthcare service, support it by making it more accessible and/or increasing its efficiency; 
• services which complement traditional services by making them more effective in meeting patients' needs; 
• services which can completely replace traditional healthcare services. 

Taking into account the above stated lack of specific regulation on DTxs and moving from the Guidelines on telemedicine services, stakeholders agree to the need of starting an internal regulatory investigation for DTxs so as to ensure adequate and uniform standards of efficacy and safety for a therapeutic purpose device. 

Therefore, the following steps have been made: 

First, although there are no local guidelines, the recent consensus of the Istituto di Superiore di Sanità (ISS) on psychological therapies for depression and anxiety recommends promoting the implementation of new technologies as integral parts of care pathways for depressive disorders, across all services. 

Second, it has been proposed within a paper published by Farmindustria (the Italian pharma companies trade association) in May 2023, the creation of a “multistakeholders forum” that can contribute proposals for the establishment of specific national legislation on digital therapies based on five pillars, as in the case for example, in the German model: 

1. Define and fund adequate scientific and economic incentives to support DTx research and development processes; 
2. Outline a clear and fast approval process for digital therapies for proper patient access; 
3. Establish clinical evidence requirements and value assessment processes for DTxs; 
4. Disseminate digital skills specific to the proper prescription of DTxs to the medical profession and the promotion of adequate training in patients for the proper use of digital therapies; and  
5. Create an appropriate funding system (ad hoc fund that does not affect current health care spending ceilings) to ensure free accessibility of digital prescription therapies. 

A first trial was led by the group Digital Therapies for Italy #DTxITA, which has drawn up a document that addresses all the key aspects for the introduction of digital therapies in Italy and that will serve as a basis for discussion with all the actors involved - health institutions, AIFA, the Ministry of Health, the Istituto Superiore di Sanità, and scientific societies. 

To sum up, the watershed is the inclusion of the DTx in the NHS. If DTx were not able to obtain such license, it would be crucial that a DTx without HCP involvement does not engage in providing healthcare services to patients. 

In practice, it is thus important to take into account before entering the Italian market that a medical software may, on the one hand, qualify as a medical device – entailing the need to a quality management system and the conformity assessment of the device – and, on the other, be aimed at facilitating the provision of healthcare. In the latter case, the persons delivering such services must be sufficiently qualified under national law. 

Since DTx will always create and use health data, data protection and data security are areas of key concern in this context. Any medical software to be offered on a given market will need to comply with local requirements in this regard.  

If software processes personal data of the users/patients, it must comply with the applicable data protection regulations, in particular with the EU General Data Protection Regulation (“GDPR”). When processing personal data, the principles contained in art. 5 GDPR, such as the lawfulness and purpose limitation of data processing, data minimization, and the integrity and confidentiality of processing, must be taken into account. 

These rules only apply to the processing of data of individuals (regardless of citizenship) residing in the European Union (art. 3 GDPR). If they use the app outside of EU jurisdiction, GDPR will still apply if the provider is a company established in the EU.  

If data is stored on the device or if data is collected from the users' device, and if this is not necessary for providing the service, users must provide additional consent according to the EU “Cookie Directive” (Art. 5 (3) of Directive 2002/58/EU). The Cookie Directive is not just covering cookies but any scenario where the provider stores data on or collects data from a device. 

In addition, location tracking is also subject to consent provided it is not an essential part of the service provided. 

The GDPR always applies in B2C scenarios. The GDPR also applies in B2B scenarios if the business user is a natural person or if the user is processing personal data of other individuals via the app. If the business user is processing personal data of other individuals (e.g., patients), he or she must ensure that this complies with the GDPR (the legal ground for which will usually be a contract with the individual or consent). 

A consent is required in accordance with Art. 9 para. 2 letter a) in conjunction with Art. 7 GDPR. It should be noted, however, that according to Art. 7 para. 1 GDPR, the person responsible for data processing must be able to prove the consent of the data subject – regardless of any formal requirements. Since recordings of the video consultation hour are not permitted, at least electronic documentation of the declaration of consent will be required if the written form is not used. 

In order to be placed on the market, medical software/DTx would need to fulfil the mandatory requirements of the EU Regulation. 

Since the qualification as medical device relies on product intended purpose, it is specified by EU Regulation that a software can have a medical purpose when it: 

• directly controls a medical device (hardware) (e.g. software for radiotherapy treatment), 
• provides immediate medical decision-making information (e.g. software for measuring blood glucose), or 
• provides support to healthcare professionals (e.g. an ECG interpretation software on the basis of which the physician decides on diagnosis and therapy). 

Furthermore, art. 9 of the Legislative Decree No. 137 specified that the Ministry of Health may request health institutions established in the national territory to transmit any information it deems to require. 

At the time of writing, no specification has been made.  

Advertising measures about medical devices within the healthcare sector are regulated by the following legal and soft law deeds: 

• Legislative Decree No. 219/2006 (also referred to as the Code of Drugs) implementing Directive No. 2001/83/EC and Directive No. 2003/94/EC, addressing rules and procedures related to the advertising of medicinal products both to patients and HCPs; 
• article 21 of Legislative Decree No. 46/97, art.7 of the MDR, articles 26 of Legislative Decree No. 137/2022 and articles 22 of Legislative Decree No. 138/2022; 
• Guidelines by the Ministry of Health concerning the advertising of medical products through new media; 
• The Digital Chart Regulation which has been recently inserted in the IAP Code, containing guidelines and transparency criteria for commercial communication in order to fulfil the requirement of recognisability required by art. 7 of the IAP Code. In particular it is addressed to influencers, who belong to the category of testimonial; 
• General rules for all advertising set forth by Legislative Decree No. 145/2007. 

In relation to promotion to the general public, two scenarios are possible: (i) whether the DTx is qualified as medical device, the use of which require, by law or by manufacturer, medical prescription and/or the assistance of HCPs to be used, a general prohibition of advertising apply; (ii) whether, instead, the DTx qualified as medical device does not need prescription and/or assistance of a HCP, the advertisement will require authorization by the Ministry of Health, which assesses, within a 45-day period running from the application, both the content of advertisements and the chosen marketing method. 

With reference to the advertising of medical devices towards HCPs, the rules are less rigorous and advertising is generally allowed. Indeed, no prior authorization is required. When disseminated via Internet, on webpages intended exclusively for HCP, a specific warning shall be included with the disclaimer that information therein is exclusively addressed to professional operators.  

Furthermore, all marketing statements must be accurate, up to date, supported by verifiable evidence, complete enough to allow the addressee to be properly informed on the characteristics of the product and its therapeutic effects, and present the product in an objective, non-exaggerated manner. The information must be consistent with the documentation issued to obtain the marketing authorisation and the relevant revisions thereof. 

Insofar as the above-mentioned principles and further relevant specific provisions are complied with, the following kinds of marketing activities are allowed: 

• delivery of verbal information; 
• delivery of promotional material; 
• delivery of free samples; 
• invitations to scientific congresses and conventions; 
• refresher courses; 
• visits to company laboratories; 
• investigators’ meetings; and 
• scholarships and scientific consultancy. 

In light of the above, it should be noted that Italian common orientation is for DTx falling within the scope of medical devices which requires, by law or by manufacturers indications, prescription as well as involvement of HCPs and therefore the first scenario should likely apply. 

It is not permitted to offer, announce or grant benefits and other promotional gifts (goods or services) to HCPs or to laypersons, unless of modest value and pertaining to the health profession. Benefits must never be in the form of cash or cash equivalent (e.g. vouchers).   

In Italy, DTx are distributed in the following ways: 

• by download; 
• by therapeutic video games (tools that can treat certain disorders such as depression and ADHD); 
• by websites; 
• by wearable devices. 

Moreover, insurers, be it public or private ones, are further potential customers who can provide the DTx to their insured. In this scenario, special contracts can be concluded with insurance companies who then recommend the DTx to their insured. One example in Italy is the partnership between a company whose program helps people be more aware of the importance of pressure monitoring and a primal Italian insurance company. 

For all healthcare services provided at a distance, the national/regional regulatory framework regulating access to the same services in traditional form applies. 

One road to be followed could be using a cooperation partner for the promotion of the DTx vis-à-vis physicians, hospitals or insurers. In Italy such cooperation models are on the rise, and it is important to have the right contracts in place for that.  

For example, a MedTech enterprise specialising in services to support clinical research may want support clinical research and real-world evidence-based projects collecting useful data for digital health technologies in Europe. 

This can be an important service provided to the legal manufacturer of the software that does not have the resources to reach healthcare professionals. The typical basis for such cooperation is a contract which has certain elements of a co-promotion agreement known from the pharmaceutical industry.  

Also, when it comes to development of new features or indications, partnering with a strategic or financial investor may help. This then goes into the direction of onboarding investors.  

Another aspect are integrated solutions with insurers who may wish to offer the product made by others as part of their portfolio or even under their own name.

In exploring the creation of revenues, it should be kept in mind that, in Italy, the services provided by the NHS, whether through public or accredited private facilities, are only those identified in the LEAs (Essential Levels of Care), defined by the Prime Minister Decree of 12th January 2017. 

Therefore, if a citizen wishes to benefit from a healthcare service which is not included in the LEAs, the cost would be entirely at his or her own expenses regardless of whether the healthcare service was provided in a public or accredited private facility. Therefore, a DTx service can be reimbursed by the NHS provided that the concerned healthcare service is included in the LEAs. 

However, as a reimbursement matter, no special provisions about DTx are present, so that at the moment DTx expenses burden on the customer. 

There are different routes that could be taken:  

• payment by the patient 
• reimbursement or other deal from insurance companies 
• inclusion in platform offer 
• burden on the public NHS 

This Section shall focus on the monetisation by sales to private parties/payors as opposed to public payors in the public healthcare system.  

The payment by the patient is the first possible track.  

In Italy however, this route is rather difficult because patients are used to rely on NHS and consider less important what it is not qualified as LEA. Additionally, in certain fields, where there is a shortage of care, patients may be prepared to pay themselves for digital applications.  

Also, it is possible to find ways to get reimbursement from insurance companies. As stated above, this can be done, for instance, by way of a special contract or agreements with private insurance companies. 

We have also seen projects in which insurance companies integrate certain DTx into their portfolio and offer such solutions in certain packages to their insured.  

Also, platforms may provide access to DTx products and include them in their offerings. 

As stated before, a DTx service can be reimbursed by the NHS provided that the concerned healthcare service is included in the LEAs. 

There is no definition, but they encompass all the services and activities that the State considers so important that they cannot be denied to citizens. 

In Italy, there is still lack of suitable evaluation, access and reimbursement criteria that can allow access of DTx in the context of the NHS. 

The Ministry of Health and AIFA have started to take the first steps towards regulating digital therapies, but there are still many open points under discussion concerning the potential reimbursement procedure, like under which conditions DTxs can be prescribed, their efficacy compared to the traditional therapies, the entity potentially in charge with their reimbursement as well as the relevant reimbursement’s conditions.