Digital health apps and telemedicine in Italy

  1. Digital Health Apps/Software
    1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?
    2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/ privacy) If yes, please indicate these.
    3. If your response to Q2 is yes, please state whether it matters if, the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable).
    4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?
    5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)?
    6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software contained in digital health apps. What are the legal consequences for non-compliance?
    7. Are you aware of any future legal developments in your jurisdiction with regard to digital health apps/software?
  2. Telemedicine
    8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?
    9. What laws and/or regulations apply to physicians regarding telemedicine?
    10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?
    11. Do the standards of care applicable to physicians change in the context of using telemedicine?
    12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?
    13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage?
    14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.
    15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?

Digital Health Apps/Software

1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?

1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what

Software in the form of digital health apps is likely to be classified either as a medical device or as an in-vitro medical device under EU Regulations no. 745/2017 (“MDR”) and no. 746/2017 (“IVDR”), depending on the software’s intended purposes.

In particular, software may qualify as a medical device if:

  • it is a computer programme (and not a mere digital document);
  • performs a function other than and in addition to the mere storage or transmission or search of data;
  • operates for the benefit of specific patients;
  • performs one of the functions included in the definition of a medical device (i.e., diagnosis, prevention, control or therapy; study, replacement or modification of anatomy or a physiological process; intervention in conception). 

Software may also fall within the scope of application of the Italian Consumer Code implementing EU Directive 2011/83/UE on consumers’ protection.

1.2 If your response to Q1.1 is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)?

Liability can be excluded:

  • if the manufacturer did not put the product into circulation;
  • if the defect that caused the damage did not exist when the manufacturer put the product into circulation;
  • if the manufacturer did not manufacture the product for sale or any other form of distribution for consideration, nor did he manufacture or distribute it in the exercise of his professional activity;
  • if the defect is due to the conformity of the product with a mandatory legal norm or binding measure;
  • if the state of scientific and technical knowledge at the time the manufacturer put the product into circulation did not yet permit the product to be regarded as defective.

The Italian Data Protection Authority, by means of measure no. 55 of 7 March 2019, has provided some clarification on the application of data protection regulation to digital health software.

These guidelines specify that the exceptions to the general prohibition on processing the so-called “special categories of data,” including health data, are now to be found in Article 9 of the GDPR, which lists a series of exceptions that legitimise the processing and which, in the health sector, generally relate to processing necessary for the following:

  1. reasons of public interest relevant on the basis of Union or Member State law;
  2. reasons of public interest in the field of public health;
  3. purposes of preventive medicine, diagnosis, health or social care or treatment or management of health or social systems and services on the basis of Union law/Member States or in accordance with a contract with a health professional, carried out by (or under the responsibility of) a health professional subject to professional confidentiality or by another person also subject to the confidentiality obligation.

In addition, with reference to processing in the health sector that does not fall within the hypotheses described above and which therefore requires the explicit consent of the data subject, the Data Protection Authority has identified, by way of example, processing relating to the use of medical apps through which independent data controllers collect data, including health data of the data subject, for purposes other than telemedicine, or when, regardless of the purpose of the app, subjects other than health professionals or other subjects bound to professional confidentiality may have access to the data of the data subject.

In this case, the obtaining of consent, as a condition of lawfulness of the processing, is mandatory as required by art. 75 of the Italian Privacy Code.

Therefore, the minimum requirements provided by the general principles underlying GDPR must be adopted by device manufacturers and developers of e-health apps. It is always necessary that the interested parties provide their free, specific, informed, unequivocal and explicit consent.

3. If your response to Q2 is yes, please state whether it matters if, the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable). 

No specific provisions have been provided for the case in which the use takes place outside of Italy.

As a general rule, data protection regulations apply to B2C relationships where the processing of personal data usually takes place. It is not excluded that also in B2B businesses personal data processing may be relevant downstream (e.g., B2B2C). In that case, the professionals involved should clarify their roles and responsibilities in the data processing activity. 

The processing of health data is subject to a number of limits and guarantees. Specifically, the Italian Data Protection Authority has provided that the processing of such data through the use of healthcare apps by healthcare professionals for purposes of treatment (i.e., purposes of preventive medicine, diagnosis, assistance or health or social therapy, or management of health or social systems and services) does not require additional consent.

Any processing relating, only in a broad sense, to care, but not strictly necessary, therefore requires, even if carried out by healthcare professionals, a separate legal basis to be identified, possibly, in the consent of the person concerned or in another assumption of lawfulness. This hypothesis, according to the Italian Data Protection Authority, also includes processing operations connected with the use of medical apps, through which autonomous data controllers collect data, including the data subject's health data, for purposes other than telemedicine, or when, regardless of the purpose of the app, the data subject's data may be accessed by persons other than health professionals or other persons required to maintain professional secrecy.

5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)? 

In the context of physicians relying on digital health apps a distinction should be made between:

  a) damages caused by incorrect use of the software by the physician, or otherwise resulting from incorrect medical advice in circumstances where the software does not present anomalies;
  b) damages caused by incorrect installation, operation or maintenance of the software;
  c) damages caused by software malfunction.

In the cases referred to in point a), it is reasonable to state that the responsibility will be borne by the physician only.

In the cases referred to in point b), the responsibility could be either of the manufacturer, if it has not provided sufficient information for the implementation of the new system, or of the health care facility where the doctor operates if it has not properly maintained or installed the software.

In the cases referred to in point c), the responsibility will presumably be borne by the software manufacturer only.

In each scenario, however, a case-by-case assessment will be required.

Product liability is presumed, and not strict liability, since it does not depend on the manufacturer's fault being established, but rather on the existence of a defect in the product. It is therefore up to the injured party to prove the causal connection not between the product and the damage, but between the defect and the damage, and, once such proof has been provided, it is up to the manufacturer to provide the corresponding discharging proof, consisting in demonstrating that the defect did not exist at the time the product was put into circulation, or that it was not evident at that time on the basis of the state of technical-scientific knowledge.

Both physical damage, i.e., damage caused by death or personal injury, and material damage, i.e., destruction or deterioration of something other than the defective product, are compensable.

Should the software included in the digital health app be considered a medical device, as it is used to monitor physiological processes or otherwise collect and provide information and take diagnostic or therapeutic decisions, it is likely that it falls within class IIA or IIB of medical devices, which require CE marking through the involvement of the so-called “Notified Body.” Should it not fall, for any reason, within classes IIA or IIB, it would probably fall within the definition of class I of medical devices, which would still require CE marking but without the involvement of the “Notified Body” in the CE marking process.

In addition, all medical devices, irrespective of their class, shall be notified to the Ministry of Health for registration before they are launched on the market.

Failure to comply with the above-mentioned rules could result in both criminal and pecuniary sanctions up to €128,400.

As far as the Data Protection regulation is concerned, it is necessary to point out that, beyond the cases in which the app is used for telemedicine purposes, the consent of the person concerned to the processing of his/her health data is necessary.

Consent must be given even before the actual installation of the medical app on the user's own device and, with the same ease, all the other rights granted to the user by the GDPR (right of revocation, oblivion, etc.) must be properly granted.

Consent must be given for every purpose specified in the information notice with simple and clear language, in a transparent form and easily accessible by users and patients.

The Italian Data Protection Authority has stated that it is also appropriate for the data controller to establish (“privacy by design and privacy by default”) all the appropriate technical and organizational measures to ensure that only personal data necessary for each specific purpose of processing are processed by default. This obligation applies to the amount of personal data collected, the scope of processing, the retention period and accessibility. In particular, such measures ensure that, by default, personal data is not made accessible to an undefined number of persons.

In addition, with regard to storage methods, duration and security measures adopted, the developer and/or producer of e-Health apps must provide, always within the information notice, all the necessary information, also in accordance with the Privacy Code of Conduct on Mobile Health APPs and articles 32 and 35 of the GDPR.

In the event of violations of data protection obligations, significant fines may be imposed on operators. The sanctions, depending on the violation, can be up to 10 or 20 million Euros or up to 2% or 4% of the annual worldwide turnover of the previous year, whichever is higher.

No specific reforms and/or new regulations are currently being discussed in Italy.

Telemedicine

8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?

The practice of health care professions is subject to reaching the age of eighteen and obtaining a university degree issued following the final qualification exam for the profession. This university degree is valid throughout the national territory in compliance with European legislation on the free movement of professions and is issued following a training course to be carried out in whole or in part at the companies and facilities of the National Health System, including institutions of hospitalisation and care of a scientific nature, identified by the regions, on the basis of special protocols of understanding between them and universities.

In compliance with article 32 of the Italian Constitution, to practise as a medical professional, it is necessary to be enrolled in the corresponding Professional Association.

The Professional Associations are independent in terms of assets, finances, regulation and discipline. They are subject to the supervision of the Ministry of Health. In addition, the Associations are financed exclusively with the contributions of the members, without charges for public finance.

The Professional Associations supervise the practice of the medical profession. In particular, they verify the qualifications required for professional practice and maintain and publish the registers of professionals, held by the Associations themselves.

In addition, the Professional Associations supervise their members, in whatever legal form they carry out their professional activity, imposing disciplinary sanctions in case of violation of their obligations imposed by law or deontological rules.

9. What laws and/or regulations apply to physicians regarding telemedicine?

Although there is not yet a specific law concerning telemedicine, the most important reference is the document "National Guidelines for the provision of telemedicine services" approved following an agreement between the Government and the Regions on 17 December 2020. The Guidelines should represent the national unitary reference for the implementation of telemedicine services and the use of such systems within the National Health Service.

According to the Guidelines, Telemedicine services can be divided into four categories:

  • Services that can be assimilated to any other traditional diagnostic and/or therapeutic healthcare service, representing an alternative to it;
  • Services which, since they cannot replace the traditional healthcare service, support it by making it more accessible and/or increasing its efficiency;
  • Services which complement traditional services by making them more effective in meeting patients' needs;
  • Services which can completely replace traditional healthcare services.

In the context of telemedicine, the Guidelines identify the following services, which should be traced back to the same regime under which they are provided also in the presence of the patient:

  • Televisiting: this is a medical act in which the professional interacts at a distance in real time with the patient, also with the support of a caregiver. Televisiting is, however, limited to the monitoring of patients whose diagnosis has already been made during an in-person visit. This means that services that do not require palpation, percussion or auscultation can be provided in this way.
  • Teleconsultation: this is a medical act in which the professional interacts at a distance with one or more doctors to discuss, also by means of a video call, the clinical situation of a patient, based primarily on the sharing of all the clinical data, reports, images, audio-video regarding the specific case.
  • Teleconsulting: this is a health activity, not necessarily medical but in any case, specific to the health professions, which takes place at a distance and is performed by two or more persons who have different responsibilities with respect to the specific case. It consists in the performance of clinical activities, followed by a video call in which the requested health professional provides the other with indications for the correct performance of care services for the patient.
  • Telecare by health professions (nurse/physiotherapist/logopedist/etc): this is a professional act based on remote interaction between the healthcare professional and the patient by means of a video call, to which data, reports or images may be shared if necessary. The telecare professional can also use suitable apps to administer questionnaires, share images or video tutorials on specific activities.
  • Telereferral: this is a report issued by the doctor who has examined the patient, which is transmitted by means of digital and telecommunication systems.

For all healthcare services provided at a distance, the national/regional regulatory framework regulating access to the same services in traditional form applies.

In addition, the Guidelines provide some recommendations with reference to:

  • Information to patients about the opportunity and scope of the service provided through Telemedicine, as well as the tools used and how to store and process data; and
  • Training of patients and health professionals with reference to the use of the technologies necessary for Telemedicine services.

Finally, as to the physician’s liability, it should be noted that the Italian Law on Medical Liability has expressly stated that the same liability regime applies even when the service is performed through telemedicine.

10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?

10.1 What are the requirements?

Telemedicine is not a separate medical discipline, but a different way of providing health services. Therefore, provided that the service complies with the general requirements identified by the Guidelines on Telemedicine in terms of access to the service, technology, professionalism, adequate organisation and compliance with good clinical practice for the pathology treated, it is suitable to be used in each area identified by the Italian Regions through specific programmes.

In order to perform Telemedicine activities, the facilities/physicians involved must:

  • be licensed by the Region for the specific discipline (cardiology, diagnostic imaging, ophthalmology, clinical diagnostics, etc.) for which they intend to use individual services of Telemedicine and/or clinical care programs integrated with the activities of Telemedicine;
  • comply with the service standards for Telemedicine defined by the Region, if any;
  • stipulate, if necessary, specific contractual agreement(s) with the Regions/Local Health Facilities for Telemedicine services;
  • appoint a director/manager to ensure that the appropriate performance standards are met for activities provided through Telemedicine;
  • adopt cybersecurity management systems;
  • adopt a risk assessment plan, appropriate to the kind of services provided.

10.2 Were there any new (time-limited) regulations regarding the SARS-CoV-2 pandemic?

The Italian High Institute of Health (“ISS”) has published a document containing “Indications for telemedicine care services during the COVID-19 emergency,” which provides support for the provision of services in Telemedicine during the COVID-19 emergency, thus providing indications, identifying operational problems and proposing solutions supported by evidence, which are easily feasible in practice.

The document does not provide specific measures aimed at simplifying Telemedicine’s use but mainly aims at encouraging healthcare professionals to use distance-health tools.

According to the above-mentioned document, where telemedicine is not yet structured in a system of national relevance, in consideration of the health emergency situation, it is necessary first of all to implement and make available those solutions that can be activated quickly, within a few days, which are usable by people at home with the technological equipment immediately available to them and that can be activated for periods of time appropriate to the needs of the emergency situation.

The document also identifies the reference principles which it is advisable that healthcare professionals focus on:

  • preconditions for making telemedicine services possible (e.g., connectivity, entirely digital prescriptions, cybersecurity);
  • health responsibility during the performance of telemedicine activities;
  • elements necessary to carry out the services at home;
  • functioning of health-related video calls;
  • activation steps of the telemedicine service.

11. Do the standards of care applicable to physicians change in the context of using telemedicine?

11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.

The performance of health services through telemedicine requires the adoption of a number of additional safeguards by healthcare professionals.

In particular, physicians must adequately inform the patient that the service will be provided through Telemedicine. To this end, the patient must receive appropriate information on the opportunity and scope of the service, as well as on the means used and the methods of storage and processing of his/her data.

11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?

The use of telemedicine systems requires a different approach to the physician's liability in the case of incorrect medical assessment.

In such a scenario, some factors that influence liability may be detected, such as defects in the construction of the devices used, incorrect installation of the device, ineffective maintenance, incorrect use of the devices, including incorrect transmission/evaluation of the data.

Such circumstances may lead to a diagnostic error caused by the alteration of the transmitted data or by the device’s failure/malfunction.

In the context of a diagnostic error, it must therefore be assessed whether it is due to a technical deficiency that would exclude the physician's responsibility.

From a general point of view, the physician will instead be responsible for his/her culpable error due to the wrong interpretation of the data.

12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?

The Guidelines on Telemedicine do not impose particular limits with regard to the medicines that can be prescribed. However, it should be noted that e-prescription is a tool already regulated regardless of the use of telemedicine systems.

The e-prescription, regulated by the Interministerial Decree of 2 November 2011, is now a widely used tool for access to pharmaceutical services of the National Health Service.

The spread of dematerialized prescription has reached a very high level of coverage. The Ministry of Health has declared that almost 90% of pharmaceutical prescriptions are electronic prescriptions.

However, not all prescriptions allowing access to the services of the National Health System have been shifted to electronic prescriptions. Therefore, a working group is active between the Ministry and the Regions to extend electronic prescription to the prescriptions that are still in paper format. Such prescriptions concern:

  • therapeutic plans;
  • drugs in direct distribution;
  • thermal (spa) services;
  • prescriptions for supplementary care and prosthetic assistance; and
  • prescription of drugs containing narcotics, with indications other than pain therapy.

In addition, a working group at the Ministry of Health is actively dealing with the dematerialization of vouchers for the provision of gluten-free products for coeliac disease patients, vouchers that will be spendable anywhere in Italy, even outside the Region where the patient resides.

With regard to the e‑prescription system, it is stipulated that following the prescription, the physician must release to the patient:

  • the Electronic Prescription Number; and
  • the paper memo of the prescription.

The paper memo is issued to guarantee the provision of the service even in case of unavailability of computer systems. However, the Interministerial Decree of 25 March 2020 initiated a process to digitise the memo and thus make the prescription completely digital.

13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage? 

The services provided by the Italian National Health System (“NHS”), whether through public or accredited private facilities, are only those identified in the LEAs (Essential Levels of Care), defined by the Prime Minister Decree of 12 January 2017; therefore, if a citizen wishes to benefit from a healthcare service which is not included in the LEAs, the cost would be entirely at his or her own expense, whether the healthcare service was provided in a public or accredited private facility. Therefore, a telemedicine service can be reimbursed by the NHS provided that the concerned healthcare service is included in the LEAs.

The Guidelines on Telemedicine state that the use of ICT technologies can allow the provision of services that fall into the following two categories:

  a) services already provided by national and regional tariffs, but which are provided, thanks to the use of technology, in Telemedicine and which, in any case, maintain the substantial content unchanged;
  b) services already provided by national and regional tariffs, but which, thanks to the use of technology, are performed in ways (in particular in relation to the place, time and duration of observation) that can improve the diagnostic and therapeutic content and strengthen the continuous monitoring.

With reference to Telemedicine activities referred to in a) above, such services should refer to the corresponding description and tariff, assessing in each case - with specific and analytical reference to the use of technology (hardware, software and connectivity) – whether the use of Telemedicine represents an added value for the purpose of changing the tariffs.

With reference to Telemedicine activities referred to in b) above, reference shall always be to the tariff already in force, but the description and value will necessarily be modified in relation to the different content of the service.

The Guidelines on Telemedicine do not provide special provisions about the reimbursement/coverage of costs regarding the use of mobile apps that can combine digital health and telemedicine.

14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.

As regards the protection of users’ personal data, the relevant provisions of EU Regulation 2016/679 (GDPR), together with the Italian data protection law on the processing of health data, would apply. In this regard, the Italian Data Protection Authority has issued a decision in which it has clarified that the processing of personal data for telemedicine purposes (i.e., where the data is strictly related and necessary for the provision of the healthcare service by the professional) does not require the user’s consent.

The Ministry of Health has launched a monitoring system for the various telemedicine programs that have been activated at the regional level. Based on the data collected, an evaluation of the experiences in terms of both effectiveness and cost-effectiveness will be carried out and then the Guidelines and, if necessary, the legislation on Telemedicine will be amended.

The Ministry of Health has also created a working group that will define the ways in which to achieve the complete digitalisation of prescriptions.

Laura Opilio
Partner
Rome
Maria Letizia Patania
Partner
Rome