Key legal aspects of implementing digital therapeutics (DTx) in Bulgaria

The introduction of Regulation (EU) 2017/745 has brought significant changes to the regulation and implementation of medical software in the EU and in Bulgaria, respectively. Some of the software systems providing services in the healthcare sector can be classified as medical devices. The software within a digital health system is classified as a medical device if the software is intended to be used, alone or in combination, for human beings for one or more of the following specific medical purposes:

• diagnosis, prevention, monitoring, treatment, or alleviation of disease;
• diagnosis, monitoring, treatment, alleviation of or compensation for an injury or disability.
• investigation, replacement, or correction of an anatomical part or of a physiological process; or
• control of conception

and does not achieve its principal intended action by pharmacological, immunological, or metabolic means, in or on the human body, but which may be assisted in its function by such means.

The standalone software is deemed to be an active medical device.

For devices that incorporate software or are for software that is itself a medical device, the software must be validated according to developments in new technologies, taking into account the principles of lifecycle development, risk management, verification, and validation. /According to Art. 39a of Ordinance on the essential requirements and the procedures for assessment of the conformity with the essential requirements of the medical devices under Art. 2, para. 1, item 3 of the Medical Devices Act. /

The manufacturer is liable for the placing on the market and putting into service of the medical device. No specific exception is available for the software in the form of digital health apps.

Medical software is categorized based on its intended use and potential risk to patients. Depending on the risk level, software may fall into different classes, each with specific regulatory requirements. They are assigned to Classes I, IIa, IIb or III, whereby Class I comprises those products with the lowest risk potential. The classification rules for software devices are listed under Annex VIII chapter III, rule 11 of Regulation (EU) 2017/745 and Annex No. 8 to the Ordinance on the essential requirements and the procedures for assessment of the conformity with the essential requirements of the medical devices. Software can fall into risk Class I.

A medical device may be placed on the market or put into service only if it complies with the Regulation (EU) 2017/745 and when it is duly supplied and properly installed, maintained, and used in accordance with its intended purpose. The device must meet applicable general safety and performance requirements as set out in Annex I to the Regulation and the Ordinance. Manufacturers and importers of medical software must register their products with the Bulgarian Drug Agency (BDA) before placing the device on the market. The registration process involves the submission of comprehensive documentation on the software's technical specifications, clinical evaluation, and safety measures. BDA issues a certificate of registration of the medical device.

BDA exercises control over the medical devices. The administrative sanctions in the event of breach of the requirements for the medical devices are set out in the Medical Devices Act. As an example, the fine for placing on the market and/or putting into service of a medical device without conformity assessment in accordance with the applicable requirements is in the range of approximately EUR 5,000 to EUR 10,000.

In addition to the characterization of the product itself, companies operating in this sector often seek to extend their offerings to include services or service components, such as coaching or elements of telemedicine.

It is important to note that there are currently no specific provisions for obtaining a licence for online coaching or telemedicine in Bulgaria. However, according to Bulgarian legislation, practising a profession related to public health, which includes consultations and other related activities, without the required licence is punishable by penalties, including imprisonment for up to three years. The provision of health services requires a licence, either as a licensed physician or as another authorised health professional. The professional organization of physicians in Bulgaria is the Bulgarian Medical Association (BMA). All physicians must be members of the BMA in order to practise medicine.

Therefore, if a digital service such as software does not meet the requirements and is not registered with the BDA, it is essential that the software does not engage in the provision of healthcare services to customers. In general, the provision of medical advice or consultation through software requires that the advice be given by a licensed medical practitioner. As mentioned above, manufacturers and importers of medical software are required to register their products with the BDA in order to obtain a certificate of registration and may need to employ a licensed physician to ensure that the software is used safely and in accordance with Bulgarian law.

If the patient has suffered damage due to the malfunction of the medical device, the manufacturer (or importer) is liable. If the damage is caused by the physician's misuse of the medical device, the physician is liable for the damage. The allocation of liability depends on the facts of the case.

Digital health software related to processing of personal data is also regulated by the Bulgarian Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR).

Such personal data are information that allows, directly or indirectly, the identification of a natural person (i.e., by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person).

GDPR territorial scope provides that the Regulation applies to the data processing “in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not” (Art. 3, para. 1). The GDPR also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union.

According to Article 9 of the GDPR processing of special categories of personal data shall apply in cases of processing data concerning health, as defined in Article 4, paragraph 15 of the GDPR (“data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status).

As per Article 51 of the Bulgarian Personal Data Protection Act the processing of personal data concerning health shall be allowed where this is strictly necessary, where there are appropriate safeguards for the rights and freedoms of the data subject, and where this is provided for in EU law or in the Bulgarian legislation. Specific grounds for data processing of personal data concerning health are provided in the Bulgarian Personal Data Protection Act, Article 51, para. 2 where this is strictly necessary, there are appropriate safeguards for the rights and freedoms of the data subject, and: (i) processing is necessary to protect the vital interests of the data subject or of another natural person, or (ii) if processing relates to data which are manifestly made public by the data subject. In addition, suitable measures for non-discrimination must be taken in cases of processing of personal data concerning health.

There is a principal set forth in the Bulgarian Constitution that tracking of any individual requires his/her consent. Bulgarian Electronic Communications Act (“ECA”) ensures the confidentiality of communications by prohibiting any taping, recording, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned. 

When introducing medicinal software into the Bulgarian market, manufacturers must comply with all legal requirements. Non-compliance may lead to significant penalties, fines or other issues/restrictions. Briefly:

1. Bulgarian Drug Agency (BDA):

The BDA holds authority over medical devices, imposing strict regulatory control. Failure to meet the requirements set forth in the Medical Devices Act can result in administrative sanctions. Placing a medical device on the market or utilizing it without undergoing the conformity assessment, can incur fines ranging from approximately EUR 5,000 to EUR 10,000.

2. Commission for Personal Data Protection:

The Commission for Personal Data Protection serves as the supervisory entity responsible for upholding data protection provisions within Bulgaria. Manufacturers of medicinal software must uphold the personal data privacy standards, ensuring the proper handling of sensitive personal information. Manufacturers must exercise due diligence to prevent any violation of the GDPR.

3. Compliance with Electronic Communications Act:

Manufacturers should be in compliance with the Electronic Communications Act (ECA) to ensure lawful and ethical practices. Breaches of the ECA can potentially be classified as cybercrime, warranting penal proceedings as stipulated by the Bulgarian Penal Code. Unauthorized utilization of software to access information or duplicate computer data without appropriate authorization may be considered cybercrime. Manufacturers must exercise due diligence to prevent any violation of the ECA.

In summary, manufacturers entering the field of medical software in Bulgaria need to be aware of these key regulatory requirements and follow them carefully. By adhering to these standards, manufacturers can navigate the complex regulatory landscape and ensure that their products meet the highest legal and ethical standards.

Bulgaria has no specific regulations on the advertising of medical devices. Advertising of medical devices in Bulgaria is not subject to control by a specialized authority, such as the BDA. Advertising of medical devices must comply with the general advertising requirements of the Protection of Competition Act and, if addressed to consumers, the Consumer Protection Act. Article 7 of Regulation (EU) 2017/745 sets out specific requirements for the advertising of medical devices and has direct effect in Bulgaria.

According to Article 7 of Regulation (EU) 2017/745 in advertising of medical devices it is prohibited to use text, names, trademarks, pictures and figurative or other signs that may mislead the user or the patient with regard to the device's intended purpose, safety and performance of the device, by: “(a) ascribing functions and properties to the device which the device does not have; (b) creating a false impression regarding treatment or diagnosis, functions or properties which the device does not have; (c) failing to inform the user or the patient of a likely risk associated with the use of the device in line with its intended purpose; (d) suggesting uses for the device other than those stated to form part of the intended purpose for which the conformity assessment was carried out.”

Bulgarian legislation prohibits in principle the provision of benefits in connection with the promotion of medical devices. According to Art. 57 of the Code of Professional Ethics for Physicians in Bulgaria, all forms of agreements between representatives of pharmaceutical companies and physicians for the prescription of medication and consumables, aimed at obtaining material and other benefits, are not permitted. The provision of material and non-material benefits to health care professionals is prohibited, in particular if such benefits are provided in order to induce the healthcare professional to unduly favour the product in question.

In Bulgaria there are several ways to distribute Digital Therapeutics (“DTx”), both to healthcare professionals and to consumers.

Pursuant to Article 83 of the Medical Devices Act, entities that hold a wholesale medical device authorisation may trade with the following entities:

1. Other wholesalers as defined in the Medical Devices Act;
2. Healthcare establishments under the Healthcare Establishments Act and veterinary establishments under the Veterinary Medicine Act;
3. Health institutions (national public health centers, health cabinets, opticians’ cabinets);
4. Veterinary pharmacies;
5. Drugstores;
6. Persons engaged in activities related to the provision of aids, adaptations, equipment and medical devices for persons with disabilities under the Disabilities Act;
7. Persons owning commercial establishments where certain medical devices are offered pursuant to an order of the Minister of Health
8. Municipalities, state authorities and state institutions conducting public procurement procedures for medical devices;
9. Educational institutions.

Persons that are in process of building and equipping future medical and healthcare facilities, after the obtaining of building permit.

The retail of medical devices is conducted by pharmacies (there are also online pharmacies), opticians’ cabinets, and the entities listed in d-g above.

Another option is to distribute through cooperation partners, such as pharmaceutical companies or specialized promotional companies, who know the Bulgarian market and have access to potential customers, be they healthcare professionals or companies.

There are many opportunities for cooperation in Bulgaria for better distribution and sale of DTx, for example, the manufacturer can cooperate with hospitals, clinics and other healthcare facilities that use medical devices as part of their operations.

A manufacturer can also contact doctors, nurses and other medical personnel who use and prescribe medical devices in their practice, private healthcare facilities that provide specialized medical services and may have a need for your software medical device, as well as companies that produce pharmaceutical products and may be interested in integrating your software medical device into their offerings, or non-profit organizations that represent the interests of patients.

In Bulgaria, possible routes for monetization of DTx include payment by the patient. This is especially so in the cases where the patient is looking to obtain access to digital applications quicker without having to undergo the rather slow process of obtaining reimbursement from the state.

Another route is for provision of such services by private or public insurance companies. This can be done by voluntary health insurance on the basis of a medical insurance contract within the meaning of Chapter Forty, Section IV of the Bulgarian Insurance Code.

Other than that, medically insured persons may opt for reimbursement by the National Health Insurance Fund shall pay for the medical devices included in the list under Ordinance No. 7 of 2021 on the conditions and procedure for drawing up a list of medical devices under Article 30a of the Medical Devices Act and for determining the value up to which they are paid.

The medical devices in question shall comply with the requirements of the Medical Devices Act and its implementing ordinances and shall be included in the list of medical devices.

In Bulgaria, there are no specific provisions regulating the prices of medical devices paid by private parties. Therefore, manufacturers of DTx are especially free in price setting as well as other contractual conditions.

Regarding medical devices, a distinct registration protocol is implemented for items that are eligible for compensation through public financial resources. A dedicated electronic registry overseen by the Bulgarian Drug Agency (BDA) is utilized for this specific purpose. The pricing of medical devices eligible for reimbursement by the National Health Insurance Fund undergoes an annual negotiation process. The upper limit of reimbursement established by the NHIF is governed by an internal reference framework applicable to the pertinent categories of medical devices.

Currently, there is no reimbursement process specifically designed for DTx so they would fall under the general reimbursement process for medical devices.

Overview on general reimbursement mechanism for medical devices in Bulgaria:

BDA maintains on its website a list of medical devices that can be reimbursed. The reimbursement can be achieved by the budget of the National Health Insurance Fund, the state budget, outside the scope of mandatory health insurance, the budget of healthcare establishments under the Healthcare Establishments Act, as well as the budget of healthcare establishments with state and/or municipal ownership.

Disbursements from the National Health Insurance Fund are directed towards contracted medical facilities, encompassing both public and private hospitals. These disbursements are contingent upon adherence to established clinical pathways and subsequent to public tender proceedings initiated by the respective hospitals. Moreover, the NHIF directly reimburses outpatient pharmaceuticals via agreements with dispensing pharmacies. These agreements are subject to annual negotiation and conclusion. In specific instances, centralized tender procedures overseen by the (Ministry of Health) MoH may also be employed.

The National Health Insurance Fund will provide payment for certain medical devices as medical establishments that have signed contracts for hospital medical care under the Health Insurance Act. This also applies to manufacturers, wholesalers, or their authorized representatives who have contracts with the NHIF for supplying these medical devices. The payment for these medical devices is subject to the following conditions:

1. they are used in the performance of a clinical pathway in accordance with the requirements of the diagnostic-treatment algorithms for the performance of the respective clinical pathway established in the national framework agreements applicable in the relevant year.
2. the requirements related to the provision of hospital medical care laid down in the national framework agreements applicable in the relevant year, as well as the guidelines for their implementation, have been met.
3. medical establishments must comply with the procedures outlined in the national framework agreements for the relevant year.

The National Health Insurance Fund will make payments for the specified medical devices to the medical establishments. The medical establishments need to submit specific documents, including invoices, details of the medical devices used in the clinical pathway, and information about medical devices covered by NHIF costs outside the clinical pathway price.

The reporting documents must be submitted monthly to the Regional Health Insurance Fund, following an approved schedule determined in accordance with the procedures outlined in the national framework agreements for the relevant year. The format of these reporting documents will be determined in the national framework agreements.