Digital health apps and telemedicine in Austria

  1. Digital Health Apps/Software
    1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?
    2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/ privacy) If yes, please indicate these.
    3. If your response to Q2 is yes, please state whether it matters if, the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable).
    4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?
    5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)?
    6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software contained in digital health apps. What are the legal consequences for non-compliance?
    7. Are you aware of any future legal developments in your jurisdiction with regard to digital health apps/software?
  2. Telemedicine
    8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?
    9. What laws and/or regulations apply to physicians regarding telemedicine?
    10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?
    11. Do the standards of care applicable to physicians change in the context of using telemedicine?
    12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?
    13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage?
    14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.
    15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?

Digital Health Apps/Software

1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?

1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?

The primary legal sources are the Austrian Medical Devices Act 2021 and the Austrian Product Liability Act. Since May 2021, the EU Medical Devices Regulation is applicable. According to the EU Medical Devices Regulation, software is considered a medical device if it forms part of, or is an accessory to, a medical device or – where it constitutes stand-alone software – has a medical purpose and the processing of the data goes beyond mere storage, archiving, communication or simple search.

1.2 If your response to Q1.1 is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)?

Software can be considered a product according to the Austrian Product Liability Act if it is embedded and supplied as part of a physical device. The Austrian Product Liability Act provides for no-fault liability. In addition, fault-based liability under Austrian tort law is possible.

1.3 If your response to (b) is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)?

Where the software is considered a product, liability according to the Austrian Product Liability Act is limited to the manufacturer or importer (importing into the EEA) of a faulty product causing death, physical injury or damage to physical property. Compensation is limited to death and personal injury. Property damage is only compensated if it has been sustained by a consumer and only to the extent it exceeds the amount of 500 EUR. There are further exceptions under the Product Liability Act: in particular, the manufacturer/importer will not be liable if the fault was caused by a legal order or obligation that the product had to comply with or if the fault was not apparent according to the state of the art in science and technology at the time of distribution.

2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/ privacy) If yes, please indicate these.

The General Data Protection Regulation (“GDPR”) and the Austrian Data Protection Act (“DPA”) apply to the processing of personal data within the meaning of Art 4 (1) GDPR – being any information relating to an identified or identifiable natural person. Hence, if the use of digital health software involves the processing of personal data, the requirements of the GDPR and DPA must also be met.

The Austrian Health Telematics Act 2012 regulates the processing of personal electronic health data and genetic data by healthcare providers pursuant to Section 2 no. 2 of this Federal Act. The law was amended so that the legal framework for the electronic vaccination certificate is also laid down in this act. Furthermore, a new eHealth regulation was introduced as the legal basis for the eHealth application “electronic vaccination card” (in German: “eImpfpass”).

The Austrian Telecommunications Act 2021 (“TKG 2021”) (also implementing the EU ePrivacy Directive 2002/58/EC) applies to digital health software that involves the processing of personal data in connection with electronic communication.

The Austrian E-Commerce Act, which covers inter alia the information obligations of online service providers, the conclusion of online contracts, the responsibility of service providers and the country-of-origin principle regarding electronic services in general, may also be applicable. In order to protect public health, the free movement of online services from another Member State may be restricted under this Act.

Furthermore, trade law can be applicable if the software is considered a medical device. According to Sec 94 (33) of the Austrian Trade Act, the manufacturing, processing, distribution and rental of medical devices constitute a regulated trade. The operation of a regulated trade must be notified to the competent authority and a certificate of competence must be provided by the trader.

Moreover, software falls within the scope of the Austrian Copyright Act.

3. If your response to Q2 is yes, please state whether it matters if, the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable). 

3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction.

With regard to the territorial scope of the GDPR and ePrivacy Directive (concerning the processing of personal data in connection with electronic communications), it is required that the data processing is carried out in the context of the activities of an establishment of a data controller or a data processor in the European Union or that the digital health software is offered to a data subject in the European Union. It is therefore crucial whether users use the software within their jurisdiction, as this is likely to mean that either the controller/processor providing the software also has an establishment in the EU or at least that the software is offered to users within the EU. In both cases, this leads to the application of the GDPR/ePrivacy Directive.

Austrian trade law regulations may be applicable if users are Austrian residents using the service in Austria. If the service provider can rely on the country of origin rules of the E-Commerce Directive, this may exclude the application of Austrian trade law regulations.

3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service.

For B2C transactions, consumer protection law is applicable, and contract clauses and terms and conditions must comply with the strict requirements of the Consumer Protection Act, Consumer Warranty Act (providing specific requirements with regard to software) and the Austrian Distant Sales Act. Additionally, where the software constitutes a medical device, advertising to consumers is restricted.

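4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?

The processing of personal data as part of particular features of digital health software does not trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the GDPR or ePrivacy Directive. This is mainly due to the fact that both European and national legislators are aiming to introduce regulatory frameworks that are as technology-neutral as possible.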

However, if certain features are used by the controller to evaluate certain aspects related to the individual, this will regularly be subject to the provisions on profiling pursuant to GDPR.

5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)? 

Where the software constitutes a product according to the Austrian Product Liability Act, the producer or importer (into EEA), rather than the physician, will bear no-fault liability under the Product Liability Act. The physician may still be liable under general rules. However, such liability would require causation by the physician as well as fault, which may both be lacking if the inaccuracy is due to a fault of the software rather than the physician's error.

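6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software contained in digital health apps. What are the legal consequences for non-compliance?

Violations of the Austrian Medical Devices Act are subject to administrative fines, for example, if an unsafe medical device has been put on the market or if no instruction manual has been provided. Moreover, competitors or consumer protection organizations may initiate unfair competition proceedings based on non-compliance with the provisions of the Medical Devices Act (breach of law), asking for an injunction, publication of the judgment, recovery of lawyers' fees and (rarely) damages.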

Damage claims that are based on the Austrian Product Liability Act or general tort law must be brought before the competent civil court by the injured party.

Compliance with trade law falls under the jurisdiction of the administrative courts and authorities. If a regulated trade is conducted unlawfully, administrative fines may be imposed.

There are also enforcement mechanisms with regard to data protection. Infringements of the GDPR are subject to administrative fines – depending on the violation – of up to 10,000,000 EUR, or in the case of a company, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; in case of severe violations up to 20,000,000 EUR, or in the case of a company, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

With regard to the Austrian Telecommunications Act 2021, administrative fines of up to 100,000 EUR may be imposed in case of violations. Fines will be accumulated in case of several violations. According to case law of the Austrian Data Protection Authority, a violation of the Austrian Telecommunications Act or the ePrivacy Directive may at the same time constitute a violation of the fundamental right to data protection pursuant to Sec. 1 para 1 of the Austrian Data Protection Act and also a violation of those provisions of the GDPR which do not impose any additional obligations on the controller within the meaning of Art 95 GDPR.

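7. Are you aware of any future legal developments in your jurisdiction with regard to digital health apps/software?

There are currently no anticipated legal developments in this regard.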

Telemedicine

8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?

Amongst the primary legal sources in this regard are the Austrian Doctors Act, the Ordinance of the Austrian Doctors Association on the type and form of permissible advertisement and the Code of Conduct of the Austrian Doctors Association.

The Austrian Doctors Association is a self-governed professional body which may enforce disciplinary sanctions. It is also responsible for maintaining the Austrian Doctors' List – all physicians located in Austria must be included in this list. It makes its decisions independently but is subject to legal supervision by the Federal Ministry of Health.

9. What laws and/or regulations apply to physicians regarding telemedicine?

There are no specific laws in the field of telemedicine, except for the Austrian Health Telematics Act 2021, which regulates the processing of personal electronic health data and genetic data by healthcare providers, as pointed out under question 2 above. Moreover, Austrian social security law has been adapted to introduce the use of electronic prescriptions.

The Federal Ministry of Health provides guidance regarding telemedicine on its website. Among other things, a framework directive for the IT infrastructure for the use of telemonitoring is provided there. The directive concerns the collection of patient data through telemonitoring and lays out the ideal telemonitoring procedure, including how the relevant IT systems should be set up.

With respect to other aspects of telemedicine, there are no specific rules, so the general rules that are applicable to physicians, such as the Austrian Doctors Act, have to be referred to.

10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?

It is not explicitly regulated by law under which circumstances telemedicine can be used by physicians, and although such offerings are available in Austria to some extent, there is so far no case law on point. While there is no express prohibition on using telemedicine to treat patients, some stakeholders have expressed the view that this would not be allowed under Austrian law. However, the stakeholders’ opinion seems to be turning towards the permissibility of certain telemedicine applications.

10.1 What are the requirements?

The Austrian Doctors Act requires physicians to exercise their profession directly and in person. According to some, this means that if the physician’s diligence and care requires seeing the patient in person, online healthcare may not be provided.

10.2 Were there any new (time-limited) regulations regarding the SARS-CoV-2 pandemic?

During the COVID-19 pandemic, the possibility of issuing e-prescriptions was introduced. Since July 2022, the digital e-prescription has fully replaced paper copies. When a physician enters the issued prescriptions into the electronic administration system, patients can pick them up at the pharmacy by showing a QR code. The QR code can be downloaded from the health insurer's website or app. However, patients can still demand a paper copy at the doctor's office.

11. Do the standards of care applicable to physicians change in the context of using telemedicine?

There is no change regarding the applicable standard of care. Rather, the standard of care is a relevant factor for deciding whether telemedicine is admissible in a specific case at all.

11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.

There are no specific provisions in this regard. Informed consent in accordance with the specifics of the case has to be obtained if medical treatment is to be administered. According to the Austrian Supreme Court, the relevant information must be provided in a personal consultation and not through written documents.

11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?

The risk of liability is increased indirectly. Liability depends on whether the physician has acted according to the relevant standard of care. In the case of telemedicine, it will additionally be considered whether it was suitable in the specific case to use telemedicine according to the relevant standard of care.

12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?

Currently, only prescriptions which fall under the responsibility of the public health insurance funds will be issued electronically. Moreover, medicinal products subject to the Austrian Narcotics Act can never be prescribed digitally.

13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage? 

During the COVID-19 pandemic, the Austrian Sick Fund temporarily introduced reimbursement for the provision of telemedicine services.

13.1 If so, are there any special provisions about the reimbursement/coverage of costs regarding the use of mobile apps that can combine digital health and telemedicine? 

No, there are no specific provisions for apps. The above-mentioned reimbursement concerns the provision of telemedicine services by doctors rather than the use of apps.

14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.

The GDPR and the Austrian Data Protection Act apply to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. The Austrian Telecommunications Act 2021 applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system, in the context of electronic communication.

In addition, the Austrian Health Telematics Act must be observed. 

15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?

There are currently no anticipated immediate legal developments in this regard. However, stakeholders are beginning to ask for a clarification of the legal situation, so we expect that there will be some changes in the next couple of years.

Gabriela Staber
Partner
Vienna
Christina Maria Schwaiger
Lawyer
Vienna