Publication 20 Sep 2023 · Austria

Key legal aspects of implementing digital therapeutics (DTx) in Poland

Placing a DTx on the market

This part provides an overview of the key legal requirements that a company offering software in this field needs to consider and, depending on the actual legal qualification of the software, comply with. It covers the product qualification (medical device or not), the interaction between the product and service components, data protection requirements and other key legal points to consider in order to gain market access.

Product qualification: Mere software or medical device

Under the Polish Act of 7 April 2022 on Medical Devices (the “AMD”) and Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices (“MDR”), software may be considered a medical device provided it is intended by the manufacturer to be used for human beings for the purpose of:

  • diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease; 
  • diagnosis, monitoring, treatment, alleviation of or compensation for an injury or disability; 
  • investigation, replacement or modification of the anatomy or of a physiological or pathological process or state; 
  • providing information by means of in vitro examination of specimens derived from the human body, including organ, blood and tissue donations; or 
  • control or support of conception. 

Please note that the Polish AMD does not currently provide for a separate definition of a medical device and does not set out any specific rules on software as a medical device. Instead it refers to the definition in MDR. 

Therefore, a DTx app could be considered a medical device depending on the purpose for which it has been developed. If it is considered to be a medical device, the specific regulatory rules will apply, and if it is a non-medical device (such as a lifestyle app), the general rules of law will apply. The relevant qualification has to be assessed on a case-by-case basis. Please note, however, that in Poland we do not yet have any case law that could be helpful in such an assessment.

Service component: Mere service or provision of healthcare

Depending on the nature of the services provided by the entity, the activity of the DTx app may be considered either a mere service or, potentially, the provision of healthcare; the latter, however, only under certain circumstances.

An activity can be considered as a healthcare service if it involves the provision of services by qualified practitioners. It can also be performed via ICT or communication systems – in which case it is called telemedicine. 

The current legislation does not contain detailed regulations on telemedicine; however, there are guidelines set out by the Polish Supreme Chamber of Physicians. We are of course aware that these are not binding; however, they may be useful to understand the model of services provided. The guidelines state, among other things, that: 

  • a telemedicine call can be provided with the use of phone, computer, a telemedicine platform or an app - provided that these ensure safety and identity verification; 
  • the equipment used for communication does not have to be a medical device; 
  • there needs to be a verification of the patient's identity and a determination of their whereabouts and the telephone number from which they are calling; 
  • the HCP should obtain an informed consent before the provision of telemedicine services;  
  • the communication channel used for the connection should ensure that only persons authorised to participate in the call will have access to it. 

Therefore, if the app enables services such as personalised diagnoses and communication with doctors, it may be classified as telemedicine and will be subject to additional rules under specific laws governing medical activities.

Data protection and data security

In Poland, the key requirements for data protection and data security are set out in the EU General Data Protection Regulation (2016/679) (“GDPR”) and the Act on Processing Personal Data dated 10 May 2018, which brings the Polish legal system in line with the requirements of the GDPR.

Under the above regulations, the following requirements are essential for DTx solutions: 

  • Data minimisation and purpose limitation – DTx may only collect personal data that is strictly necessary for its functions. 
  • Privacy by design and by default - The privacy implications of the application/software should be considered at every stage of its development and wherever the user is given a choice. The application/software developer should pre-select the least privacy-invasive choice by default. 
  • Personal data breach and security measures - As DTx apps process a large amount of sensitive personal data, a potential data breach can be a major threat to the person concerned. Therefore, DTx owners should be particularly aware of the obligations related to data breaches, such as notification to the authority (in Poland: Urząd Ochrony Danych Osobowych - UODO) and to the data subject, which may mitigate the risk for DTx users.

In addition, DTx software/application providers should implement technical and organisational measures to ensure the confidentiality, integrity and availability of the personal data processed and to protect it against accidental or unlawful loss, access or other unlawful forms of processing. This requirement is of particular importance in Poland, as the UODO's decision-making practice shows that it is increasingly imposing fines for violations consisting of insufficient technical and organisational measures to ensure information security and insufficient fulfilment of data breach notification obligations. A summary of the most crucial cases is available in our CMS GDPR tracker.

  • Profiling - In most DTx, a precise health and/or behavioural profile of the person is created for the solution to work. This practice may entail risks of constant monitoring or the possibility of reusing patient profiles. The DTx developer should therefore take into account the GDPR rule on profiling, e.g. specific legal bases for profiling or that profiling should not be applied to children. 
  • Data subject rights and information requirements - DTx should be designed in such a way as to ensure that the user can exercise her/his data protection rights, e.g. to access personal data or to request the correction of data. Also, the app/software provider needs to explain to the user how it will use her/his personal data. 

Mobile app providers should also pay attention to UODO’s Sectoral Inspection Plan for 2023 (“Plan”). According to this Plan, and similarly to last year, UODO intends to focus its inspections on how companies secure and share personal data processed within mobile and web apps. These inspections might be crucial, especially given the rapid growth of the mobile application market, with apps being used in every conceivable area of our lives.

Additionally, in Poland there are various sector regulations that may regulate the processing of data within DTx technology: 

  1. The Act of 18 July 2002 on Electronically Supplied Services (“ESS Act”): 
    1. The ESS Act sets out the rules for protecting personal data of natural persons using Electronically Supplied Services, e.g. the scope of personal data that a service provider may request to provide a service, or consent requirements for sending commercial information.  
  2. The Act of 16 July 2004 – Telecommunications Law (“Telco Law”): 
    1. The Telco Law applies in particular to the storage of or gaining access to information already stored in telecommunications terminal equipment (e.g. a smartphone) of a subscriber or end user. 
  3. The Act of 6 November 2008 on Patient’s Rights and on the Patient Ombudsman (“Act on Patient’s Rights”):
    1. The Act on Patient’s Rights sets out the rules for outsourcing that apply to healthcare entities in addition to those stemming from the GDPR. Given that digital health software providers may be considered as data processors, they could be contractually obliged to comply with those requirements. 

Please note that other regulations may apply in relation to specific healthcare services. Nevertheless, the above requirements provide a baseline that any company should consider both in the development process and in the actual use of this type of application/software. 

Key legal requirements

Depending on whether we are dealing with a medical device and whether the operation of such an app can be qualified as a health benefit, the regulatory provisions will apply, with a number of additional conditions to be met. Otherwise, only the general rules will apply.

  1. The Act of 18 July 2002 on Electronically Supplied Services (“ESS Act”):
    The service provided within the DTx technology can be considered as an electronically supplied service, which is regulated by the ESS Act. The ESS Act imposes a number of obligations on service providers, e.g. requirements to be included in the regulation of the service or a number of information obligations - e.g. to provide information about the provider’s contact details or information about the risks associated with the service and the function and purpose of the software that is not part of the service. The service provider should also enable the user to, for example, (i) prevent unauthorised access to the service, in particular by using appropriate cryptographic techniques, or (ii) terminate the use of the electronically supplied service at any time. The ESS Act also lays down the rules on the exemption of the service provider from liability for electronically supplied services. 
  2. The Act on the National Cybersecurity System of 5 July 2018 (“Cybersecurity Act”): 
    Healthcare sector entities may be subject to the obligations set out by the Cybersecurity Act, including those related to cybersecurity risks and incident management, e.g. to implement appropriate security and organisational measures. Consequently, such obligations may indirectly influence digital health software providers’ operations.

Promotion of a DTx on the market

This part provides an overview of the key legal aspects that need to be observed when starting to promote the DTx on the respective market. For companies wanting to enter a market it is often crucial to understand whether direct to consumer promotion is possible and whether benefits or rebates may be offered. Also, it is important to understand which distribution channels exist and how to best partner with third parties already active on the target market.

Communication: Addressees and key legal boundaries

If it is determined that the app is not a medical device, only the general rules on promotion relating to various products apply, for example that consumers must be provided with concrete information and that they cannot be misled.

For medical devices, the provisions of the AMD apply, as well as the Regulation of the Minister of Health dated 21 April 2023 on the advertising of medical devices.  

Please note that the Polish regulations are far more detailed than the MDR as they provide:  

  • a very broad concept of “advertising”,
  • the principle that advertising to the public may not concern devices intended for use by professionals, 
  • an obligation to properly display a warning that a product is a medical device. 

Marketing: Using incentives and benefits

Limitations exist if the application is qualified as a medical device - detailed regulations relating to advertising of such products must be followed.  

In addition, when dealing with reimbursed products (the possibility of reimbursement will be discussed later), it is prohibited for an entrepreneur manufacturing or trading in such products to make the conclusion of a contract concerning those products dependent on the other party's performance not related to the subject of the contract, including a financial or personal benefit.  

Likewise, conditional sales, discounts, rebates, packages and loyalty programmes, donations, prizes, trips, games of chance, betting, all forms of lending, bundled transactions, all types of vouchers, as well as the granting of other unnamed benefits of a material or personal nature to recipients and beneficiaries are prohibited for reimbursed products.

Please note that a regular app (not a medical device) may be subject to the general rules protecting against unfair competition.

Cooperations: Partnering and cooperating

As a rule, the general principles based on freedom of contract and economic freedom will apply.  

However, caution should be exercised in such cooperation with hospitals, especially public hospitals and doctors.  

In the case of doctors, according to the Code of Medical Ethics, doctors may not use their influence on patients for any purpose other than a therapeutic one, and therefore should not, in the context of cooperation with an entrepreneur, encourage their patients to purchase products manufactured by the entrepreneur.

Distribution: Customers and distribution channels

In the case of apps that are not considered to be a medical device, many distribution options are possible - through B2B agreements, offering them directly to consumers, as well as agreements with employers to offer benefits to employees. It all depends on the producer's strategy.  

For medical devices and health services, there are also specific rules and obligations for the manufacturer to comply with.  

As a rule, medical devices that are reimbursed may only be obtained on the basis of an official order, but we do not have any special regulations in Poland for a device that is software, nor do we know the approach that will be taken in practice.  

Please note, however, that the Ministry of Health has announced the creation of a Health Application Wallet and a programme involving the certification of health apps. Both apps serving diagnostic and therapeutic purposes (medical devices) and apps without medical device status can be proposed to it. However, such an app must meet a number of conditions, including being entirely free of charge. The fulfilment of those conditions will be verified by the Ministry of Health.

The submission process has already begun and is expected to last until 2025. The Ministry has said that, depending on the development of the programme and the popularity of such apps, it allows for the possibility of such apps being covered by reimbursement in the future. 

Payment for a DTx on the market

This part provides an overview of the key legal aspects that apply in relation to the creation of revenues for a DTx. Different options of creating revenues exist, each depending on the respective legal and reimbursement framework. Points covered here are the identification of potential payors, payment options in the private sector and the public sector as well as – if already in existence – reimbursement mechanisms for DTx.

Options for monetization: Possible payors

Regular applications that are not medical devices may be free of charge. We also see no objection to an application being paid for or having additional paid modules within it - the choice lies with the entity and its business strategy.  

We also do not rule out the possibility of cooperation or the offering of benefits on the basis of contracts concluded with employers. A similar approach can be taken with regard to applications that are classified as medical devices. However, the issue of medical applications in Poland has not yet been developed, so we do not have any case law and do not know how the practice will approach this.

For medical devices, reimbursement from public funds may become possible in the future. For the time being, in the framework of the Certification of Health Applications by the Ministry of Health, it has been announced that such an option is being considered, depending on the development of the market for such applications in Poland. 

Pursuing the private route

At this point, there is no such mechanism as private reimbursement in Poland, and reimbursement is only possible through public entities.

However, it is possible to sell finished products to both private and public entities, such as public hospitals. This generally takes place on the basis of normal commercial cooperation.  

Please note that for sales to public hospitals, public procurement rules may apply. 

Pursuing the public route

As discussed above, there is currently no procedure or practice for the reimbursement of such apps from public funds in Poland. 

The Ministry of Health is taking steps to change this – including through a certification programme for health apps. 

DTx reimbursement process

Reimbursement of medical devices is possible – they may even be fully subsidised by the National Health Fund, but an order from a qualified person, such as a doctor, is needed for this and the medical device must be on the list of reimbursed devices. However, at this stage we are not aware of cases where software qualified for reimbursement.  

The Ministry of Health has only announced that after a certain period of operation of the application certification programme and depending on its results, it will decide whether reimbursement of such applications will be possible. 

Last update: October 2023
