Digital health apps and telemedicine in France

(a) Software within digital health apps may be considered a “medical device”. In line with Regulation (EU) 2017/745, the French legal definition of “medical device” includes software with medical purposes under certain conditions (Article L.5211-1 Public Health Code).

The software must have been “intended by the manufacturer to be used, alone or in combination, in humans for one or more of the following medical purposes and whose primary intended action in or on the human body is not achieved by pharmacological or immunological means or by metabolism, but whose function may be assisted by such means:

1. Diagnosis, prevention, control, prediction, prognosis, treatment, or mitigation of a disease;
2. The diagnosis, control, treatment, mitigation or compensation of an injury or disability
3. Investigation, replacement or modification of an anatomical structure or function or a physiological or pathological process or condition
4. Communication of information through in vitro examination of samples from the human body, including organ, blood, and tissue donations.”

The French health authority doctrine in respect of the qualification of medical device is in line with EU law, i.e., the Medical Devices (“MEDDEV”) guidelines and ECJ case law (in particular, decision in Case C‑329/16 dated 7 December 2017, SNITEM, Philips France v. Premier Ministre & Ministre de la santé). The French Authority considers that, to qualify as a Medical Device (or an in vitro diagnostic device (“IVD”)), the software must meet the following criteria:

• it must be intended for medical purposes, for example, a diagnosis, an aid to diagnosis, a treatment or an aid to treatment;
• it must provide a specific result for the benefit of a single patient; and
• the patient-specific data should be processed in order to provide new medical information.

(b) We are not aware of any specific liability exclusions/exemptions applicable to digital health apps considered as “medical device”. General liability principle would apply. A digital health device can then be regarded as a product from a liability perspective.

In this regard, please note that the new EU Directive 2024/2853 on liability for defective products clarifies the notion of a product, which comprises any movable item, even if it is incorporated into or interconnected with another movable item or immovable property; the term notably includes digital manufacturing files and software (Article 4).  Member States must implement this Directive by 9 December 2026 at the latest.

Yes. Digital health software should also comply with the following:

(a) Data protection rules, i.e., The French Data Protection Act, Law n° 78-17 dated 6 January 1978 and GDPR.

(b) Pursuant to article L.1111-8 Public Health Code, any person hosting personal health data collected in the course of prevention, diagnosis, care or social and medico-social aftercare on behalf of the patient or the healthcare professionals must be a certified health data hosting service provider (Hébergeur de Données de Santé or “HDS”). 

The new version of the French Health Data Hosting (“HDS”) certification standard reinforces data sovereignty requirements in terms of localisation and transparency (Order of 26 April 2024).  In particular, the physical hosting of health data will now have to be carried out exclusively in the European Economic Area (EEA).  Read our article on this topic (in French):  Nouveau référentiel HDS.  Health data hosting providers already HDS-certified must comply with the new standards by 16 May 2026 at the latest, while those who have not yet obtained HDS certification will be assessed according to the new standards from 16 November 2024.

(c) According to the same article, any act of transferring identifying health data for consideration, directly or indirectly, including with the consent of the person concerned, is prohibited under penalty (Article 226-21 of the Criminal Code).

(d) Under article L1470-5 Public Health Code, “In order to guarantee the exchange, sharing, security and confidentiality of personal health data, digital health services intended for use by the [patients and healthcare professionals] must comply with the interoperability, security and ethics standards developed by the [French Digital Health Agency (“ANS”)] for the processing of this data, its storage on computer media and its transmission by electronic means”. These standards need to be published via an order; in terms of safety, the ANS published 2 enforceable standards under French law:

• The Electronic Identification standard, as part of the General Health Information Systems Security Policy (“PGSSI-S”) (Order of 28 March 2022), for the identification of the user of the solution; and
• The National Health Identifier (“INS”) standards (Order of 12 December 2024), for the referencing of health data related to patients.

There is no specific restriction as to the localisation of the user when using the app to the extent that the user cannot be qualified as a data controller or data processor under the GDPR. Should it be the case, there might be a risk that the using of the app in a territory outside of the EEA would imply a transfer of data within the meaning of the GDPR, and therefore would require adequate protection in line with the GDPR requirements (art. 44 and seq.).

There are no specific implications from a data protection standpoint regarding health data aspects whether the app is used in a B2B rather than B2C service. However, the use of a health app in a B2B context may raise specific issues where the users are not the data subjects. In such a case, it must be ensured in particular that: (i) there is a data processing agreement and adequate protection for any transfer of data outside the EU as specified above, (ii) the processing of health related data is duly authorised with regards to the requirements of article 9 of the GDPR and that consents of data subjects have been duly collected where required, and that (iii) sufficient information compliant with data protection law is delivered to data subjects.

Besides health-related data specific regulation in France:

1. guidelines from the French HAS (Haute Autorité de Santé) dated Oct. 2016 recommend obtaining the data subject’s explicit consent prior to using location tracking functionalities via his/her device or any other specific functionality or content of his/her device;
2. French data protection law provides for a strict regulation regarding the processing of social security numbers. In the context of telemedicine, processing of social security numbers is allowed for invoicing purposes and to the extent necessary to the coverage of telemedicine acts related expenses, subject to certain conditions;
3. moreover, if the processing of health-related data is implemented in the context of a research in the health sector, it might require a prior regulatory approval from the French supervisory authority (CNIL) and the filing of certain formalities before the CNIL.

In a broader manner, the French CNIL underlines the high security levels which must be applied in the context of telemedicine apps. In particular, the following measures must be implemented:

1. a solution of strong authentication combining at least 2 factors (including the use of the health professional chip card for health professionals);
2. each user must be granted a unique login;
3. organisational measures and in particular authorisation management with distinct levels of access authorisation;
4. logging measures with periodic review; and
5. secured emails with encrypted attachments where medical reports are communicated.

According to art. L1142-1 Public Health Code, physicians or healthcare establishments are liable for the “harmful consequences of acts of prevention, diagnosis or care only in the event of fault”, except in the case where they are liable for a defect in a health product such as a medical device (including digital health apps qualifying as a medical device).

However, in this case, it is the manufacturer of the defective product who is, by principle, liable under French civil law – i.e., the producer of the software implemented in a digital health app (art.1245 French Civil Code). According to caselaw 1 , it is only when the producer could not be identified that the physician might be found liable.

Besides, if the producer is also responsible for the personal data treatment/hosting, it can also be responsible in this respect.

French authorities are responsible for the compliance to applicable regulations. CNIL is responsible for data protection matters and Agence Nationale de Sécurité du Médicament et des Produits de Santé (“ANSM”) for compliance with medical devices regulation. Breaches of ethical rules by a physician fall under the Board of physician’s authority. The ANS is responsible for ensuring the compliance of digital health apps and software with the interoperability, security and ethics standards it develops.

Competitors can either report a breach to the relevant authorities or bring a claim for unfair competition against the non-compliant company.

Legal consequences for non-compliance will vary depending on the type of breach and on the gravity/repetition of such breaches. Non-compliance to the above-mentioned legal provisions are subject to administrative, civil and criminal sanctions.

Recently, the CNIL has published general recommendations which can apply to digital health apps and software, in particular:

1. CNIL Recommendations of 24 September 2024 on mobile applications, to help professionals design privacy-friendly mobile applications; and
2. CNIL Recommendations on GDPR & AI between 2024 and 2025, to enable the development of innovative and responsible AI. 

Following the approval of the European Health Data Space Regulation, the French government is preparing in 2025 a new act for its implementation in France.

Following the approval of the NIS 2 Directive, the French government presented in October 2024 a new act for its implementation in France, which will be discussed in 2025 with the Parliament.

Three conditions are necessary to practice medicine in France (Article L.4111-1 of the French Public Health Code):

1. Diplomas: at a minimum, a French state diploma of doctor of medicine;
2. Nationality, as the case may be;
3. Registration on the register of the Order of Physicians.

The French National Order of Doctors (Conseil national de l’Ordre des médecins, “CNOM”) is the regulator as far as disciplinary breaches are concerned.

From a broader point of view, the French healthcare system is administered at national and regional level by the State, which finances and organises health services:

1. At National level: The Minister in charge of health and solidarity and national agencies such as the French National Authority for Health (Haute Autorité de Santé, “HAS”) or the French national agency for medicines and health products safety (ANSM); and
2. At the regional level: Regional Health Agencies (Agence Regionale de Santé, “ARS”) coordinate prevention and health care.

The French Public Health Code includes all regulations related to patient and professional rights and obligations with respect to medical products and health services.

The National Union of Health Professionals (Union Nationale des Professionnels de Santé) brings together healthcare professionals in private practice in France and aims to put forward proposals relating to the French health care system organisation.

Telemedicine has been permitted in France for more than 20 years. Telemedicine was introduced in the French Public Health Code (Articles L. 6316‑1 and R. 6316‑1), by the law reforming hospitals of July 21, 2009 and its implementing decree (Decree no 2010‑1229, October 19, 2010). Acts of telemedicine are the following:

• Tele-consultation, whose purpose is to allow remote consultation between a health professional and a patient;
• Tele-expertise, whose purpose is to allow a health professional to consult with other health professionals;
• Tele-surveillance, whose purpose is to enable a medical professional to remotely interpret the data necessary for the medical follow-up of a patient and, if necessary, make decisions regarding the management of the patient; and
• Tele-assistance, which allows a medical professional to remotely assist another health professional carrying out a medical act;
• Medical regulation.

Furthermore, tele-healthcare has also been implemented into the French Public Health code and presents in the form of remote healthcare using information technologies, which connects a patient with one or more pharmacists or medical assistants (art. L.6316-2 of the French Public Health Code).

Yes, French law regulates under what circumstances physicians can use telemedicine. The requirements are the following:

1. Firstly, restrictions applicable to any medical practice must be complied with (conditions of practice, rules of ethics and standards of clinical practice).
2. However, there is no restriction regarding the health professional providing the medical act, as long as they are allowed to practice medicine in France. Any health professional may use tele-consultation, whatever the field of specialty, location and sector of practice (sector 1 or 2), and whether exercising in hospital or private practice. Health institutions may also bill tele-consultations under the same conditions as face-to-face consultations.
3. The French National Health Authority (Haute Autorité de Santé, the “HAS”) has published guidelines to facilitate the implementation of telemedicine by health professionals (in French):

• a memo for professionals (Fiche Mémo Téléconsultation et téléexpertise - Mise en oeuvre);
• a good practices guide (Qualité et sécurité des actes de téléconsultation et de téléexpertise).

The conditions for the implementation of telemedicine are specified in articles R. 6316-2 et seq. of the French Public Health Code:

1. telemedicine must be carried out with the free and informed consent of the patient (in application of the requirements set forth by articles L. 1111-2 and L. 1111-4 of the French Public Health Code);
2. professionals providing care via telemedicine (a “telemedicine act”) may, unless the duly informed patient objects, exchange information relating to that patient, in particular by means of information and communication technologies;
3. when providing care through telemedicine, it must be carried out under conditions that guarantee the following (article R.6316-3 of the French Public Health Code):
   1. the authentication of the health professionals involved in the act;
   2. patient identification;
   3. access by health professionals to the patient's medical data necessary for the performance of the procedure; and
   4. if the situation requires it, training or instruction of the patient in preparation of using the telemedicine device.
4. care provided via telemedicine/the telemedicine act must be recorded in the patient’s record kept by each health professional involved in the care and in the observation sheet (art. R. 6313-4 of the French Public Health Code):
   1. the report on the performance of the act carried out, and, if applicable, the series of activities, tele-healthcare;
   2. the acts carried out and drug prescriptions made during the provision of care via telemedicine or tele-healthcare;
   3. the identity of the health professionals involved in the act;
   4. the date and time of the act, and
   5. where applicable, technical incidents that occurred during the act.
5. Organizations and private health professionals[GR1]  who organize a telemedicine or tele-healthcare activity ensure that the health professionals and psychologists participating have the training and technical skills required to use the corresponding devices (Art. R. R6316-5 of the French Public Health Code).
6. Since the Law No. 2023-1250 of 26 December, 2023 on the financing of social security for 2024, during a telemedicine procedure, the prescription or renewal of a sick leave may not cover more than 3 days nor have the effect of extending the duration of a sick leave to more than 3 days (except in specific cases, such as the attending physician). (Art. L6316-1 of the French Public Health Code)

The Convention organizing the relationship between private practitioners and the Assurance Maladie (the French national health insurance fund) approved in an order, dated 20 June 2024, adds conditions for teleconsultation:  the cumulative respect of the following principles is a condition for reimbursement of the teleconsultation by the Health Insurance.

1. Teleconsultations are organized in accordance with the coordinated care pathway.  Thus, for the teleconsultation to be eligible for billing to the Health Insurance, the patients benefiting from it must be initially referred by their attending physician in cases where the latter does not carry it out.
2. To ensure the quality of teleconsultation care, regular patient follow-up is carried out via both face-to-face and teleconsultation consultations, according to the patient's needs and the doctor's assessment, so that the doctor has the necessary information to provide quality medical follow-up.
3. Teleconsultation must be carried out in accordance with the principle of territoriality.  The teleconsulting doctor must be located near the patient's home to ensure regular monitoring of the patient's state of health and organize a face-to-face consultation if necessary.

In addition, the convention states that, “the care of patients, exclusively by teleconsultation, could undermine the ethical requirements of quality, safety and continuity of care.  The consultation activity of a doctor cannot therefore be carried out remotely for the most part.”  A maximum threshold of acts carried out by teleconsultation at 20% of the doctor's overall contractual activity volume over a calendar year has been set.  (For psychiatrists, this threshold is increased to 40%.)

Teleconsultation must be carried out by means of an oral exchange via video transmission, with equipment, support and organization adapted to the clinical situation of the patient, in order to guarantee a high-quality consultation.  It must also be carried out:

• in places that allow for confidentiality of exchanges between the patient and the consulting doctor, and under conditions that comply with the recommendations of the Haute Autorité de Santé (High Authority of Health);
• under conditions that guarantee the security of the transmitted data (confidentiality, protection of personal data, etc.) and the traceability of the invoicing of the procedures carried out, under conditions that comply with the applicable security and interoperability standards for the transmission and exchange of data.

Doctors wishing to use teleconsultations must use digital health services with a certificate of compliance when this is required, as provided for in Article L. 1470-6 of the Public Health Code.  They must also refer to the charter of good practice for teleconsultation, as well as to the various reference documents, specifications and recommendations governing these conditions of implementation issued by health authorities or operators or other public authorities.

The Convention organising the relationship between private practitioners and the Assurance Maladie (the French national health insurance fund), approved in an order dated 20 June 2024, contains specific provisions applicable to telemedicine. 

Telemedicine must be carried out with the free and informed consent of the person (in application of Articles L. 1111-2 and L. 1111-4 of the Public Health Code which are applicable to any medical act).

There is no specific provision regarding liability with regards to telemedicine. The liability regime for physicians is the same as that for face-to-face consultations or medical acts.

Tele-surveillance has been introduced in the common law by the Law of Social Security Financing Act for 2022, 23 December, 2021 (art. 36).  Published on 31 December, 2022 in the official journal, two decrees allow the entry into force of this common law model specific to remote monitoring, as well as the end of the ETAPES experiment on 1 July, 2023.  This new framework combines the remuneration of remote medical monitoring by a healthcare team and that of the associated digital medical device.  Thus, the 1st decree deals with the procedures for evaluating and registering remote monitoring for reimbursement, and the 2nd deals with the declaration of remote monitoring activities of healthcare teams to the regional health agencies (ARS).

Tele-surveillance is limited in terms of scope and can only be prescribed in relation to the pathologies that have received a favourable opinion from the Haute Autorité de Santé (“HAS”) and have been published in the official journal by interministerial decree as being eligible for reimbursement under common law.  These are the following pathologies: 1) heart failure (order dated 22 June 2023); 2) renal failure (order dated 22 June 2023); 3) respiratory failure (order dated 22 June 2023); 4) diabetes (order dated 22 June 2023); 5) oncology (order 25 October 2023); and 6) cardiac arrhythmia (order 23 February 2024).  Other conditions may be considered and covered in the future, subject to a favourable opinion from the HAS.

A declaration of telemedicine activity is still required by health professionals and by providers of technical solutions. Health professionals shall send such declaration to the Regional Health Agency (Agence Régionale de Santé, “ARS”) of their place of practice, and doctors shall send it to the Departmental Council of the Order (Conseil Départemental de l'Ordre, “CDOM”).

For providers of technical solutions for telemonitoring, a declaration of activity must also be sent to the ARS of their place of practice, as well as a certificate of compliance with the provisions of the specifications relating to the pathology concerned and the regulations in force governing telemedicine.  In addition, in the case of a medical device, they must send a CE-marking certificate to the General Directorate for Healthcare Services (“DGOS,” Direction Générale de l'Offre de Soins). Providers of technical solutions are responsible for:

• its installation according to the agreement with the health professional;
• its maintenance in perfect working order; and
• its recovery at the end of the remote monitoring and the elimination of any waste.

The healthcare professional must be trained in the use of the equipment and the remote monitoring solutions.  The patient must be trained in how to use the technical solution.

Teleconsultation

Before the pandemic, to be eligible to coverage by the Assurance Maladie, the tele-consultation must be part of the “care pathway” (“parcours de soins”). Therefore, the patient must go through his registered General Practitioner (who may carry out the tele-consultation him/herself or refer the patient to a specialist who will carry out the remote consultation). The patient must be known by the health professional: the patient must have had at least one face-to-face consultation with the professional in the previous 12 months before any tele-consultation. If such conditions are not met, tele-consultation remains possible but will not be reimbursed.

By way of exception, tele-consultation may be reimbursed even if the above conditions are not met: patients under 16 years of age, or in case of direct access to some specialties (gynecology, ophthalmology, stomatology, oral or maxillofacial surgery, psychiatry or neuropsychiatry and paediatrics). For patients who do not have a registered General Practitioner, or whose registered General Practitioner is not available in a time-frame compatible with their state of health, a tele-consultation where the patient is not previously known by the professional is also reimbursed.

Reimbursement is possible for services provided by healthcare professionals, either self-employed (see (z)) or employed by another healthcare professional, […] a healthcare establishment (see (x)), or a teleconsultation company (see (y)) (L.162-1-7 of the French Social Security Code).

(x) If the healthcare services are provided by a healthcare establishment employing the healthcare professionals, reimbursement is only possible where such establishment has been authorized to provide services (L.162-21 of the French Social Security Code read together with L.6122-1 of the French Public Health Code).

(y) If the services are provided by a teleconsultation company employing the healthcare professionals, such company must:  1) have received a license to that end (L.4081-1 of the French Public Health Code), 2) have a commercial form under the French commercial code and the object (possibly nonexclusive) to propose teleconsultation (L.4081-2 of the same code), 3) not be under the control of an entity acting as a manufacturer, distributor, or provider of medical devices, except for those required to provide the teleconsultation (L.4081-2 of the same code), 4) ensure that their digital services comply with the GDPR as well as French interoperability and security standards (L.4081-2 of the same code), 5) Organize a medical committee and an action plan with regards to its obligations (L.4081-3 of the same code).

(z) If the services are provided directly by self-employed healthcare professionals however, these rules will not apply.

In any case, reimbursement of a teleconsultation requires that the transmission happens via videocall (L.162-14-1 Social Security Code). 

Tele expertise 

According to the Ministry of Health, since 2022, tele-expertise is now available to all patients.  All healthcare professionals can request the opinion of a doctor pursuant to the decree of June 3, 2021 on telehealth, or midwife pursuant to the Amendment 5 to the national agreement, on the basis of their training or particular skills on the basis of medical information linked to the care of a patient.

The patient does not need to be known to the physician who is requested.  They simply need to be informed of the conditions under which the tele-expertise will be carried out, and to have given their prior consent to the procedure.

Like all medical activities, tele-expertise must be carried out under conditions that guarantee the quality and safety of care, but it must also comply with specific requirements:

• A report must be drawn up by the requested physician, entered in the patient file and sent to the attending physician and the requesting healthcare professional who requested the procedure.
• Traceability of the medical act performed
• Digital tools must comply with the various legal frameworks applicable to health data. 

Organizations and private healthcare professionals organizing telecare activities must ensure that healthcare professionals and psychologists involved in telemedicine or telecare activities have the training and technical skills required to use the corresponding devices (Article R6316-5 of the French Public Health Code).

In practice, tele-expertise is not billed to the patient concerned, but directly to the Assurance Maladie.  It is reimbursed at 100% by compulsory health insurance.  In particular, the Assurance Maladie specifies that for the requested physician, tele-expertise is billed at €20 per physician, up to a limit of 4 procedures per year, per requested physician, for the same patient.  For the requesting physician, tele-expertise is billed at a rate of €10 per physician requesting tele-expertise, up to a limit of 4 acts per year, per requesting physician, for the same patient.  In any event, the fees for telecare activities carried out by medical auxiliaries, and the associated surcharges, may not exceed those set for the same activities involving the physical presence of the healthcare professional and the patient (Article R. 162-5 of the French Public Health Code).

Remote monitoring

Concerning tele-surveillance, the reimbursement by the health insurance scheme has been integrated into common law by the Law of Social Security Financing Act for 2022, December 23, 2021 for 2022 (Art. L. 162-48 of the Social Security Code).  The reimbursement is subject to certain conditions, such as prior registration (Art. L162-52 of the Social Security Code), the quality of the medical professional of the tele-surveillance operator (Art. L. 162-50 of the Social Security Code), a prior declaration to the regional health agency (“ARS”) (Art. L. 162-51 of the Social Security Code), or, if applicable, the holding of a certificate of compliance with the interoperability and security reference systems (Art. L162-52 of the Social Security Code).  The Decree No. 2022-1767 of December 30, 2022 specifically concerns the coverage and reimbursement of tele-surveillance activities, while Decree No. 2022-1769 of December 30, 2022, defines the content of the declaration of tele-surveillance activities to the ARS.

In France, the French Social Security Financing Act for 2022 (LFSS) introduced an early coverage (“PECAN”) for therapeutic digital medical devices (“DTx”).  Under PECAN, DTx can be reimbursed by the health insurance scheme for a non-renewable period of 1 year (Article L. 162-1-23 of the Social Security Code), if it satisfies the following conditions: 

• The digital medical device is presumed to be innovative (particularly in terms of clinical benefit or progress in the organization of care, based on the first available data and taking into account any relevant comparators); 
• The device is CE marked. In this respect, please note that the GMED has been designated as a Notified Body in France by the ANSM; 
• The operator guarantees compliance with the rules on personal data protection, as well as applicable interoperability and security standards; 
• The system enables processed data to be exported in appropriate, interoperable formats and nomenclature, guaranteeing direct access to the data. 

Please note that both digital medical devices for therapeutic purposes (or digital therapies) and digital medical devices used in the context of a telemonitoring activity fall within the scope of the early coverage.  

In practice, the Decree No. 2023-232 of 30 March 2023 implements these new rules regarding (i) the procedures for assessing the conditions for reimbursement, (ii) the rules for setting the amount of financial compensation and (iii) the procedures for paying it. 

In any event, physicians and health professionals shall comply with applicable data protection regulations. There is no specific data protection rules applicable to telemedicine.

The French Data protection authority, the CNIL, published guidelines (accessible here in French) about telemedicine and data protection. The CNIL reminds that when the processing resulting from telemedicine is likely to imply a high risk for rights and freedoms of the persons, the data controller shall carry out an impact assessment of the contemplated processing operations.

In general, processing of personal data in the context of telemedicine should not oblige the data controller to perform any formalities. However, depending on the nature of the processing, a prior authorisation might be necessary, if the processing is performed in the context of research.

In particular, security measures are essential (authentication, authorisation management, traceability and incident management, etc.) and the data subjects must be able to effectively exercise their rights, in particular their rights of access, rectification and opposition.

Finally, the health professional must ensure that the service provider complies with the regulations, as the data processor. The data processing agreement must clearly state that the subcontractor:

• processes personal data only on your instructions;
• ensures that confidentiality undertakings are signed by the staff
• takes all required security measures;
• does not hire a data processor without the prior written consent of the data controller;
• cooperates with the data controller to fulfil its obligations, especially when patients have inquiries about their data;
• deletes or returns all personal data to the data controller at the end of the services; and
• cooperate in audits.

As previously stated in the Digital Health Apps/Software section, or health data, the platform must be hosted by an approved or certified health data host.

No, but telemedicine regulation is a fast-changing sector.