Key legal aspects of implementing digital therapeutics (DTx) in Portugal

It is crucial for manufacturers to distinguish between medical and well-being software to determine whether their product falls within the realm of medical device regulations and the associated responsibilities and requirements. This distinction enables manufacturers to navigate the appropriate regulatory pathway, conduct necessary assessments, and meet the expectations of regulatory authorities. By doing so, manufacturers may ensure compliance and secure market access for their products. 

Qualifying a software as a medical device holds significant importance for manufacturers due to various reasons. Once categorised as medical devices, software becomes subject to stringent regulatory requirements to ensure their safety, efficacy, and quality. Consequently, manufacturers must adhere to relevant regulations, such as the Medical Device Regulation (MDR), or national legislation, such as Decree-Law no. 145/2009, of 17 July (“DL 145/2009”). Failure to comply may result in legal consequences and barriers to market entry. Furthermore, medical devices must undergo a thorough conformity assessment process to evaluate their compliance with the aforementioned regulatory requirements. This process entails clinical evaluations and performance studies, essential for obtaining certifications like the CE marking. By completing these assessments, manufacturers demonstrate that their product meets the required standards. Additionally, medical devices are subject to post-market surveillance to monitor their ongoing safety performance. 

Understanding the regulatory framework and complying with the necessary obligations is of utmost importance to ensure the safety and effectiveness of medical devices, and to protect both manufacturers and users. 

To determine whether software is considered a medical device or simply software, it is important to refer to the definition of a medical device under applicable legislation, such as the MDR and DL 145/2009. According to these regulations, software may be classified as a medical device if it is intended for medical purposes. This includes software that is used for activities such as diagnosis, prevention, monitoring, treatment, or alleviation of diseases or injuries. In other words, if software is designed to serve a medical purpose and falls within the definition of a medical device, it may be classified as such under the relevant legislation. 

In order to determine if a product falls under the definition of a medical device, manufacturers should take several important steps. Firstly, they need to conduct a comprehensive analysis of the relevant regulatory frameworks to ensure compliance with the requirements applicable to their products. This involves studying the specific regulations, such as the MDR and DL 145/2009, and understanding the criteria and obligations outlined for medical devices. 

Additionally, manufacturers should carefully consider the intended purpose and functionality of their products. They need to evaluate whether the product is designed and marketed for medical purposes. This assessment plays a crucial role in determining whether the product falls within the scope of a medical device. 

Given the complexity and specific criteria surrounding medical devices, seeking expert guidance and a multidisciplinary approach is highly recommended. These experts may provide valuable insights and assist manufacturers navigate the regulatory landscape, ensuring proper classification and compliance with the requirements applicable to medical devices. 

By following these steps and seeking expert guidance, manufacturers can gain clarity on whether their product qualifies as a medical device, ensuring they meet the necessary obligations and standards set forth by the relevant legislation. 

In addition to classifying a product as a medical device, companies have the option to offer services or service components, such as telemedicine. Although the Portuguese legal framework does not extensively regulate these aspects, it is important to understand that certain services may only be provided by specific professionals. In any case, telemedicine services are limited to healthcare professionals, including nurses, pharmacists, doctors, dentists, nutritionists, and psychologists. 

In Portugal, the provision of telemedicine services is subject to specific regulations and limitations. There is a recognition that telemedicine encompasses the delivery of healthcare and, therefore, should be conducted by qualified healthcare professionals. This requirement ensures that individuals seeking telemedicine services receive appropriate and safe care from professionals with the necessary expertise. It is important for companies and healthcare professionals offering telemedicine services to adhere to professional standards, ethical guidelines, and any applicable licensing requirements to ensure the quality and integrity of the services provided. 

Finally, it should also be considered that mere software which does not encompass any medical act/service may be provided without the aforementioned regulatory restrictions, since it would not be qualified as a medical device.  

Healthcare technologies play a vital role in processing personal data, often of a sensitive nature, emphasising the critical importance of adhering to the General Data Protection Regulation (“GDPR”) and complying with Law no. 58/2018, of the 8 of August (“Portuguese Law on Data Protection”). As data controllers, healthcare technology operators shall establish a legal basis for data processing. While the performance of the usage contract suffices for ordinary personal data, processing special categories of personal data, such as personal health data, requires a stricter legal basis, as specified in Article 9 of the GDPR. Consequently, obtaining the informed consent of users becomes essential to ensure compliance and safeguard user privacy. 

Transparency is key in complying with the GDPR’s information requirements, specifically Articles 12 et seq of the regulation. Healthcare technologies, such as websites and mobile application, shall provide users with comprehensive data protection notices. These notices should offer clear explanations of the data processing activities, legal basis for processing, and other relevant information. It is crucial for healthcare technologies to ensure that users have easy access to the data protection information within the concerned technology at all times. This empowers users to understand and review how their personal data is handled, promoting transparency and informed decision-making regarding privacy. 

In addition to the importance of data security measures, it is essential to highlight the legal obligations regarding confidentiality and transparency in data processing. Under Article 29(4) of the Portuguese Law on Data Protection, employees of the healthcare technologies are bound by a duty of confidentiality. This obligation ensures that personal data accessed by employees is processed with the necessary confidentiality and protects the privacy of data subjects. In line with this reasoning, Article 29(1) of the Portuguese Law on Data Protection states that the processing of health and genetic data is governed by the information acknowledgement principle. 

Furthermore, according to the Portuguese Law on Data Protection data subjects have the right to be informed about any access made to their personal data. Healthcare technologies must establish a traceability and notification mechanism to ensure that data subjects are notified in case of any access to their personal data. This mechanism enhances transparency and allows individuals to be aware of who has accessed their data, promoting accountability and reinforcing data protection practices. 

Aligned with the fundamental principles of the GDPR, healthcare technologies operators have a responsibility to conduct and document a Data Protection Impact Assessment (“DPIA”) for processing operations that pose a particularly high risk to data subjects. According to Article 35(1) of the GDPR, this requirement applies to scenarios where processing activities may significantly impact individuals’ data protection rights. Furthermore, according to Regulation no. 798/2018 of the Portuguese Data Protection Authority there are further processing activities which require a DPIA to be performed by controller, including, namely, processing operation of information arising from the use of electronic devices transmitting personal data concerning health over communication networks. 

Relevant bodies, including other competent authorities within the EU Member States,1 have clarified that the regular processing of health data through mobile applications falls under the category of high-risk processing operations. As a result, healthcare technology operators in the healthcare sector must conduct a DPIA to assess and mitigate potential risks associated with processing health data in their applications. 

Ensuring the integrity and confidentiality of data processing is of utmost importance, particularly in the healthcare sector. Healthcare technologies shall be embedded with robust technical and organisational measures to ensure adequate data security. While the GDPR does not provide specific requirements in this regard, it is crucial to determine the level of security measures based on the specific risk potential associated with the sensitivity of the health data being processed. In line with this, the Portuguese Data Protection Authority has issued guidelines that offer further clarity on the technical, organisational, and security measures that should be implemented. These guidelines include examples of such measures, which encompass various aspects such as organisational measures, authentication mechanisms, infrastructure and systems security, protection against electronic threats (such as malware), secure emailing practices, security considerations for using equipment outdoors, secure storage of paper-based data, and secure transport of information containing personal data.2 Furthermore, pursuant to the Portuguese Law on Data Protection additional security measures related to the processing of health data may be determined by a government’s decree. 

Considering the highly sensitive nature of health data, the risk potential is significantly elevated. Thus, healthcare technologies are expected to include comprehensive protective measures that surpass basic security standards. These measures may include data encryption, access controls, regular security audits, secure storage and transmission protocols, as well as thorough employee training on data protection practices.  

By following the aforementioned requirements and technical and organisational measures , healthcare technology operators may ensure compliance with the applicable data protection legal framework, foster user trust, and prioritise the privacy and security of personal data within their technologies. 

To ensure compliance with the requirements for placing software on the market, it is crucial to determine whether the product qualifies as a medical device according to DL 145/2009. If the software is considered a medical device, manufacturers must ensure that it meets the requirements specified in Annex I of DL 145/2009, possesses the CE marking, and ensure that a conformity evaluation has been performed. These measures are necessary to demonstrate the software’s compliance with safety, performance, and quality criteria for medical purposes. By satisfying these requirements, manufacturers can ensure that their software meets the necessary criteria for market placement as a medical device. It is important to consult relevant regulations and guidelines for additional details and procedures related to conformity evaluation. 

Non-compliance with the requirements for placing medical device software on the market, as outlined in DL 145/2009, may lead to the application of administrative fines of EUR 12,000 to EUR 24,000. It is important for manufacturers to ensure that their software meets the necessary criteria and undergoes the required evaluations to avoid potential financial penalties. 

In Portugal, there is currently no established reimbursement system for software of this nature. However, there has been a gradual inclusion of medical devices in reimbursement schemes, as explained in Section 3(d) below. When it comes to the requirements for eligible devices, Decree-Law no. 97/2015 (“DL 97/2015”), of 1 June, specifies that an important and unconditional aspect for financing is the demonstration of adequate addressing of market introduction, commercialisation potential, and usability. Additionally, the software must undergo an assessment of its quality, economic viability, efficiency, and effectiveness to qualify for reimbursement. 

In Portugal, the promotion of software medical devices is governed by two key legal instruments: Decree-Law no. 330/90, known as the Code of Advertisement, and DL 145/2009. According to the latter, specific requirements must be met when advertising these products. Firstly, the advertisement should align with the information provided in the device's instructions for use and technical documentation. Secondly, it should objectively promote the safe use of medical devices, avoiding any exaggeration of their properties. Lastly, the advertisement must not be misleading to consumers. 

It is crucial to emphasise that the advertising of medical devices is prohibited until they have undergone the conformity evaluation process mentioned earlier. This evaluation ensures that the medical device meets the necessary standards and regulations, safeguarding the interests of consumers and maintaining the integrity of the healthcare system. 

DL 145/2009 regulates the advertising of medical devices to both the general public and healthcare professionals. Regarding the general public, advertising activities shall adhere to the following requirements: 

1. Clearly indicate that the product is a medical device; 
2. Include the name of the medical device or the trademark; 
3. Provide essential information regarding its safe use, including its purpose and any special precautions; 
4. Advise users to read the labelling and instructions for use carefully. 

Additionally, this legal instrument includes an extensive list of elements that medical device advertisements must not contain. For instance, references to recommendations from scientists, health professionals, or individuals known for their celebrity status that may encourage the consumption of medical devices are prohibited. Similarly, any statements that are abusive, frightening, or misleading regarding the device's curative capabilities are also prohibited. Comparative advertising in any form is also strictly forbidden. 

DL 145/2009 additionally places obligations on manufacturers to establish and maintain a scientific service that is responsible for providing information about the medical devices they produce. Furthermore, manufacturers are required to maintain comprehensive and detailed records of all advertising activities. These records must be made available to supervisory authorities for a period of 5 (five) years. DL 145/2009 sets forth several other requirements that manufacturers must adhere to. 

Even if the product does not fall within the definition of a medical device, general requirements established in the Code of Advertisement must be met. 

According to DL 145/2009, giving or promising prizes, gifts, bonuses, or other benefits to health professionals by manufacturers, companies responsible for device promotion, or wholesale distributors is prohibited, except for items of insignificant value relevant to their practice. Similarly, health professionals themselves are prohibited from directly or indirectly soliciting or accepting such benefits, even if received abroad or under foreign law, regardless of consideration for the supply or use of medical devices. The exception to this rule can be defined by the relevant government official. However, payment of fees to health professionals for active participation in scientific events or training activities related to medical devices does not violate these provisions, as long as it is not dependent on or in exchange for device use or dispensing. 

When it comes to free samples available to the general public, it is mandatory for them to include the statement "free sample" and "sale forbidden" or similar expressions. Additionally, samples provided without charge to the general public must be properly labelled and accompanied by a copy of the instructions for use. 

The entities responsible for supplying these samples are obligated to establish an appropriate control and accountability system. This system must be maintained and made available to regulatory authorities for a period of 5 (five) years. 

Non-compliance with the provisions concerning these prizes, or free samples, as outlined in DL 145/2009, may lead to the application of administrative fines of EUR 12,000 to EUR 24,000.   

If the software is classified as a medical device, it may be eligible for sponsorship. In such cases, sponsored congresses, symposia, or other scientific events or activities for the direct or indirect promotion of medical devices must include sponsorship information in the related promotional documentation. Additionally, the sponsorship must be publicly disclosed after the completion of these events. The sponsoring entity must notify in advance Infarmed, I.P. (“Infarmed”) — the Portuguese National Authority of Medicines and Health Products —regarding the sponsorship arrangement. 

Additionally, insurers can collaborate with medical device companies or well-being software developers to include their products as part of insurance coverage plans. This collaboration ensures that customers can access and benefit from these technologies while the insurer establishes reimbursement policies and coverage criteria. For instance, insurers can partner with telehealth platforms or companies that provide remote healthcare services through medical devices or well-being software (as long as these services are provided by healthcare professionals as previously mentioned). This collaboration enables insurers to offer virtual medical appointments, remote monitoring, and other telehealth services to their policyholders, improving access to healthcare and promoting preventive care. Although this is a possibility, not many partnerships regarding this type of software devices (being it medical or well-being apps) have been seen in Portugal, as this technology is still quite new and not specifically regulated. 

Regarding the pitfalls to avoid, it is relevant to highlight the improper contractual terms, and, to avoid them, one would have to ensure that the contracts are clear, comprehensive, and properly drafted to protect the interests of all parties involved. Seek legal advice to avoid common pitfalls and ambiguities that could lead to disputes or legal issues later on. 

Additionally, failure to comply with applicable laws and regulations, such as data protection, medical device regulations, or advertising requirements, can result in legal consequences and reputational damage. Staying updated with the regulatory landscape and seeking legal guidance to ensure compliance is advisable. 

Lastly, conduct thorough due diligence on potential partners, investors, or insurers before entering into any cooperation or partnership. Assess their reputation, financial stability, and alignment with your business objectives to minimise risks. 

If the software qualifies as a medical device, "wholesale distribution" refers to the business of supplying, stocking, or delivering medical devices for resale or use in medical services, healthcare facilities, pharmacies, and other public sales locations, excluding supply to the general public.  

According to DL 145/2009, wholesale distribution requires notification to the competent authority and subsequent supervision. 

In addition to other obligations outlined in the aforementioned decree-law, the entity engaged in the wholesale distribution of medical devices must: 

1. Adhere to the principles and standards of good distribution practices; 
2. Provide written notification to the competent authority, including mandatory information; 
3. Maintain records of all medical device transactions for a period of five years; 
4. Comply with surveillance regulations and grant access to inspection agents. 

The manufacturer should establish and keep up to date a process for systematic review of experience gained with devices in the post-production phase, including the provisions referred to in Annex XVI of DL 145/2009, and develop appropriate means for implementation of any necessary corrective actions, considering the nature and risks related to the product. 

The manufacturer is required to establish a surveillance system and promptly report all incidents related to medical devices covered by DL 145/2009 that occur in Portugal. These incidents include: 

• Malfunctions, breakdowns, or deteriorations in device characteristics or performance, as well as any inaccuracies, omissions, or insufficiencies in labelling or instructions for use that have caused or are likely to cause death, serious health deterioration, or harm to patients, users, or third parties; 
• Indirect harm resulting from incorrect medical decisions made based on the manufacturer's instructions for the use of a medical device; 
• Technical or medical reasons related to device characteristics or performance that have necessitated safety corrective actions by the manufacturer for devices of the same type in the Portuguese market; 
• Other information that experience has shown should be notified. 

Upon notification, the manufacturer is obligated to investigate the incidents to determine the need for corrective measures aimed at minimising risks associated with the use of medical devices. Within 10 (ten) days of completing the investigation, the manufacturer must communicate the results to the competent authority through a final report. 

The revised text provides a summary of the original passage while retaining the essential information regarding the manufacturer's obligations regarding incident reporting and investigation related to medical devices. 

In what regards sales to healthcare organisations, software developers can sell their solutions directly to healthcare organisations such as hospitals, clinics, or medical practices in Portugal. This may involve offering software solutions for patient management, electronic health records, telemedicine, or data analytics. 

DL 97/2015 established the National Health Technology Assessment System (“SiNATS”). SiNATS is a system that evaluates the technical, therapeutic, and economic aspects of health technologies. SiNATS operates under the authority of Infarmed. Infarmed plays a pivotal role in assessing health technologies and making decisions regarding reimbursement and co-funding for medical devices and healthcare software. SiNATS uses an information system to gather and provide information to entities involved in assessing the quality, cost-effectiveness, efficacy, efficiency, and effectiveness of medicines, medical devices, and other health technologies. Technical bodies support SiNATS by validating information and evaluating the application of health technologies, promoting rational decision-making in reimbursement and acquisition processes. 

An important feature of the approved scheme is the recognition that the introduction, commercialisation, and availability of health technology in the market alone do not guarantee funding by the Portuguese National Health Service (Sistema Nacional de Saúde). Meeting quality, cost-effectiveness, efficiency, and effectiveness requirements is essential. The decision to incorporate a specific health technology into the Portuguese National Health System is based not only on the quality, safety, and efficacy controls required for market introduction but also on an assessment of efficiency and effectiveness. This assessment ensures that public resources allocated to healthcare are used for health technologies that provide significant added value. The establishment of control mechanisms to evaluate these aspects is one of the primary objectives of the approved scheme. 

Additionally, collaborating with insurance companies in Portugal can be a monetisation strategy. Insurance companies may be interested in integrating software solutions that promote health and wellness, remote monitoring, or personalised healthcare services. This may involve negotiating contracts or partnerships with insurers to provide software solutions to their customers. 

Finally, despite direct sales to patients or consumers may be a less common route in Portugal's healthcare system, there may still be opportunities for software developers to offer specialised healthcare software solutions directly to individuals. This may include wellness apps, personal health management tools, or chronic disease management applications. 

When considering the private route for monetising healthcare software in Portugal, it is essential to keep a few key points in mind. 

Firstly, it is important to structure the monetisation strategy by identifying potential private payors who could benefit from your software. These may include private insurance companies, private hospitals, clinics, or individual healthcare professionals operating in the private sector. Once more, a manufacturer will need to ensure that the software complies with applicable privacy laws, data protection regulations, and any other relevant legal requirements. 

When the target private actor is identified, the next step would be to establish clear and well-defined contracts with private payors that outline the terms and conditions of the software usage, pricing, support, and any other pertinent aspects. 

There is also more flexibility regarding pricing, as the SiNATS, which has consolidated provisions applicable to pricing and reimbursement, namely, of healthcare technologies, applies only to medicines and medical devices to be acquired and integrated by the Portuguese National Health Service. Nevertheless, manufacturers still have to comply with the obligations set out regarding the placing of products in the market.  

However, thorough market research must be conducted to understand the demand for healthcare software in the private sector and assess the competitive landscape. Consider pricing flexibility, market size, and potential challenges in reaching and convincing private payors to adopt software.

Firstly, it is, once again, relevant to structure the monetisation approach by establishing contractual arrangements or specific agreements with public payors such as public sick funds or the healthcare system (such as by complying with mandatory requirements and passing the evaluation conducted by SiNATS, as previously mentioned). These arrangements may involve negotiations regarding pricing, reimbursement, and the terms and conditions applicable to the use of software. 

Secondly, it is important to bear in mind the legal requirements and regulations that govern the sale and reimbursement of healthcare software within the public healthcare system. Understand the specific contracting processes, documentation requirements, and any compliance measures necessary to engage with public payors. 

It is also relevant to consider that pursuing the public route involves competition and stringent evaluation criteria. It is, therefore, crucial to ensure that the software meets the necessary quality standards, interoperability requirements, and regulatory certifications to increase chances of success. 

Currently, in Portugal, there is no specific broad reimbursement mechanism akin to the "app on prescription" model like the DiGA in Germany. Nevertheless, it is crucial to understand the status quo and ongoing discussions regarding the introduction of such reimbursement schemes in the country, which has been addressed in the last few years. Therefore, staying updated on these discussions and potential changes in order to comply with the legal requirements is of the utmost importance. 

Understand the key requirements and the applicable criteria that need to be met in order to be considered for reimbursement is crucial. This may involve demonstrating the effectiveness, safety, and clinical value of your DTx, as well as compliance with relevant regulations and standards. 

Following the creation of the National Health Technology Assessment System (SiNATS), and the entry into force of DL 97/2015, a specific medical device reimbursement scheme was established, introducing a paradigm shift in the way health technologies are used and acquired. By identification of the need and following the respective health policies in Portugal, several schemes and respective criteria have been defined, which provide SNS users access to this type of health technologies in a more simplified manner. According to DL 97/2015, in situations where there are public health justifications or proven economic benefits, the Portuguese State has the option to partially fund the acquisition of medical devices for beneficiaries of the Portuguese National Health Service and other public health sub-systems. This funding request can be made by the manufacturer or their authorised representative. The decision regarding reimbursement or the authorisation for entering into a reimbursement contract lies with the government official responsible for the health sector. This authority can be delegated to the management board of Infarmed. 

The specific medical devices eligible for co-funding and the conditions for such funding will be defined through an executive order issued by the relevant government official in charge of the health sector. 

For the purpose of reimbursement, each medical device will be assigned a code by Infarmed, upon which the payment of the reimbursement value will depend. The maximum reimbursement value for a particular device or a group of devices will be determined in the aforementioned executive order. 

In addition, the executive order may establish maximum prices for reimbursement purposes, following the procedures outlined in the same order. 

Furthermore, in Portugal, the reimbursement of medical devices and well-being software by insurers is subject to the regulations and guidelines set forth by the regulatory authorities, such as Infarmed and the Portuguese Health Regulatory Authority (Entidade Reguladora da Saúde). These regulations define the criteria and conditions under which reimbursement may be provided. 

Lastly, it is important to highlight the importance of the awareness of potential pitfalls that may arise during the reimbursement process. These could include challenges related to evidence generation, pricing negotiations, market access barriers, and complex regulatory pathways.