Digital health apps and telemedicine in Poland

1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?

Under the Polish Act of 7 April 2022 on Medical Devices (“AMD”) and Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices (“Regulation 2017/745”), software may be considered a medical device provided it is intended by the manufacturer to be used for human beings for the purpose of:

• diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease;
• diagnosis, monitoring, treatment, alleviation of or compensation for an injury or disability;
• investigation, replacement or modification of the anatomy or of a physiological or pathological process or state;
• providing information by means of in vitro examination of specimens derived from the human body, including organ, blood and tissue donations; or
• control or support of conception.

Please note that the Polish AMD does not currently provide for a separate definition of a medical device. Instead it refers to the definition in the Regulation 2017/745.

Pursuant to Regulation 2017/745, it is a manufacturer of the medical device that is responsible for the medical device, for performing a conformity assessment of the medical device before it is placed on the market, for implementation and maintenance of a system for risk management, for registration of the device, for implementation of a quality management system and for placing the medical device on the market. If the manufacturer is not domiciled or established in a Member State, responsibility for that medical device is borne, jointly and severally, by the authorised representative and the manufacturer of that device. If the manufacturer has not appointed an authorised representative or if the medical device is not placed on the market under the responsibility of the manufacturer or the authorised representative, the person who has placed the medical device on the market bears this responsibility. Under Regulation 2017/745, it is also possible for a third person (other than a manufacturer) to assume the obligations of manufacturers. This happens in the case the third party also if:

• they have changed the intended purpose of a device already placed on the market or put into service; or
• they have modified a device already placed on the market or put into service in such a way that compliance with the applicable requirements may be affected.

1.2 If your response to Q1.1 is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)?

As a rule, there are no exclusions/exemptions applicable with regard to the rules of liability as described above.

There are other legal regimes that may govern digital health software, including Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”):

• rules for processing personal data.

Act of 18 July 2002 on Electronically Supplied Services (“ESS Act”):

• obligations of the service provider relating to Electronically Supplied Services, rules for exempting the service provider from liability for Electronically Supplied Services, rules for protecting personal data of natural persons using Electronically Supplied Services.

Act of 16 July 2004 – Telecommunications Law (“Telecommunications Law”):

• in particular with respect to storing of or gaining access to information already stored in the telecommunications terminal equipment (e.g., smartphone) of a subscriber or end user.

Act of 4 February 1994 on Copyright and Related Rights (“Copyright Act”):

• in principle, computer programs have the same protection as literary works; and
• economic rights belong to employer of the author, unless agreement between them states otherwise.

The Act on the National Cybersecurity System of 5 July 2018 (“Cybersecurity Act”):

• Healthcare sector entities may be covered by the obligations set out by the Cybersecurity Act, including those related to cybersecurity risks and incident management, e.g., to implement appropriate security and organisational measures. In consequence, such obligations may influence indirectly digital health software providers operations.

The Act of 6 November 2008 on Patient’s Rights and on the Patient Ombudsman (“Act on Patient’s Rights”),

• The Act on Patient’s Rights sets out the rules of outsourcing that apply to healthcare entities in addition to those stemming from the GDPR. Given that digital health software providers may be considered as data processors, they could be contractually obliged to comply with those requirements.

As a side note, certain aspects of digital health software may be governed by the Polish Act on Competition and Consumer Protection. This act may apply, in particular, where digital health software is designed in such a way that it requires consumers to give access to their data, e.g., phone book, camera, exact location, making it a necessary condition to download the software. In addition, it is often the case that the software providers use the acquired data in unspecified or unknown ways.

Pursuant to Polish law, undertakings are obliged to provide consumers with reliable, truthful and comprehensive information on the products and services sold. In the case of digital health software, consumers should be provided with clear information about which parts of their data will be used and how. More importantly, consumers should be informed of this fact prior to downloading the app.

3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction.

GDPR

GDPR applies if the health app is offered to residents of Poland or another member state, regardless whether a user actually uses it in Poland/another EU member state, or If the health app includes monitoring of behaviour if it takes place in Poland or in another EU member state.

ESS Act

In principle no, application is based on domicile or establishment of the service provider.

Telecommunications Law

No.

The Cybersecurity Act

N/A

The Act on Patient’s Rights

N/A

Copyright Act

No, application is based on domicile of the author or place/language of original publication.

3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service.

GDPR

GDPR applies towards natural persons. Hence, even in case of B2B service, GDPR will apply to the extent natural persons use it.

ESS Act

In case of B2C service, the ESS Act does not apply to the extent consumer law provides protection.

Telecommunications Law

No, applies to subscribers and end users.

Copyright Act

No.

The Cybersecurity Act

N/A

The Act on Patient’s Rights

N/A

The consents are required under the acts indicated in Q1/Q2 (GDPR and Telecommunications Law).

There are no specific rules for liability in the context of the use of digital health apps/telemedicine.

GDPR

• Administrative fines up to EUR 20,000,000 or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher; or
• Criminal liability of a fine, restriction of freedom or imprisonment of up to two/three years (in case of unauthorised data processing).

Enforcement: UODO (the Polish supervisory authority – Prezes Urzędu Ochrony Danych Osobowych: President of the Office for Protection of Personal Data); prosecution office (for criminal liability)

ESS Act

• A fine of up to PLN 5,000 (approx. EUR 1,115) under petty offense regime.

Enforcement: police

Telecommunications Law

• An administrative fine of up to 3% of the revenue generated in the previous calendar year.

Enforcement: UKE (Urząd Komunikacji Elektronicznej: Office for Electronic Communication)

We are not aware of any future legal developments.

In Poland, physicians are affiliated by a professional self-governing body. Pursuant to the Polish Act on Chambers of Physicians (“ACP”), the self-governing body of physicians is an entity which is independent in the performance of its tasks and subject only to the provisions of the law.

The organisational units of the self-governing body of physicians are the Supreme Chamber of Physicians, the Military Chamber of Physicians and district chambers of physicians.

In addition, pursuant to the Polish Act of 15 April 2011 on Medical Activity (“AMA”), the Ministry of Health is entitled to conduct inspections of the medical entities. Such inspections may, among other things, include the inspections of the premises, internal documents (for example rules and regulations) or evaluations of the medical records obtained.

The main provisions relating to the organisation, functioning and competences of the chambers of physicians are provided for in the ACP, the Polish Act of 5 December 1996 on the Medical Profession (“AMP”), the AMA, as well as the Code of Medical Ethics.

General provisions regarding telemedicine are provided for in various legal acts applicable to the profession of physicians (there is no one, comprehensive act regarding telemedicine), such as (i) the AMP, which indicates that physicians may also provide medical services through ICT systems, (ii) the AMA, which states that medical activity which consists of the provision of health services may also be provided through ICT systems, (iii) the Polish Act of 28 April 2011 on the Healthcare Information System, and (iv) the Regulation of the Polish Ministry of Health of 12 August 2020 on the organisational standard of telemedicine in primary healthcare (“Regulation”). The Regulation defines, in a general way, the organisational standard of medical services provided as part of primary healthcare via the ICT systems.

Moreover, the Supreme Chamber of Physicians issued guidelines on 24 July 2020 regarding telemedicine (“Guidelines”). The Guidelines are addressed to physicians. They concern the rules of telemedicine services and consist of three documents regarding the provision of telemedicine services, the ethical aspects thereof, as well as indications concerning a telemedicine visit.

In order to treat patients using telemedicine, physicians have to fulfil general requirements under the AMA and AMP, which include: (i) being a licensed physician; (ii) holding civil liability insurance; (iii) being entered in the register of medical activity; and (iv) detailed record-keeping.

The Regulation provides for some specific requirements that must be met when physicians use telemedicine in order to treat patients.

At the time of this advice, we have not identified any new regulations regarding the Sars-CoV-2 pandemic. As of 4 August 2022, the last provisions regulating telemedicine in the Polish Act of 2 March 2020 on Preventing, Counteracting and Combating COVID-19 have lost their effect on 8^th March 2021.

10.1 What are the requirements?

Pursuant to the Regulation, physicians are obliged to take into the consideration the health condition of each patient when determining whether an in-person consultation with the patient at hand is necessary. Additionally, the Regulation sets out various technical requirements to be met by physicians and in general providers of a healthcare services via ICT systems in order to treat patients using telemedicine, as specified in Q11a.

10.2 Were there any new (time-limited) regulation regarding the Sars-CoV-2 pandemic?

At the time of this advice, we have not identified any new regulations regarding the Sars-CoV-2 pandemic. As of 4 August 2022, the last provisions regulating telemedicine in the Polish Act of 2 March 2020 on Preventing, Counteracting and Combating COVID-19 have lost their effect on 8^th March 2021.

Physicians should apply the same standard of care whether they are providing a healthcare service through ICT systems or carrying out an in-person consultation.

11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.

Pursuant to the Regulation, physicians providing a healthcare service via ICT systems are obliged to: (i) inform the patient of their right to an in-person consultation; in particular, to inform the patient of the possibility of benefitting from the provision of a healthcare service provided in direct contact, if the healthcare service is necessary due to the patient's state of health cannot be provided via ICT systems - this circumstance should be determined in consultation with the patient or his/her statutory guardian; (ii) inform the patient of how to use e-prescriptions, e-sick leave certificates, e-order for medical devices, of how to carry out an order for additional tests, in particular laboratory or radiological, as well as the possibility for the patient to set up an Internet Patient Account; (iii) guarantee confidentiality; and (iv) confirm the identity of the patient before discussing medical records via the ICT system.

11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?

From the point of view of the applicable Polish laws, physicians are legally responsible for their actions and omissions on the same basis and to the same extant, both when providing healthcare services to a patient directly or through ICT systems. The physician is subject to the same liability regimes and their prerequisites (e.g., fault, damage, existence of an adequate causal link in case of civil liability). Telemedicine activities, however, have their own specificity and pose challenges to physicians, such as technical malfunctions, protection of privacy or the risk of sudden health deterioration of a patient, which must be considered in order to reduce the risk of legal liability in connection with the provision of healthcare services via ICT systems.

Polish law does not provide for any restrictions as regards the type of medicine that can be prescribed though telemedicine. However, physicians who provide healthcare services via the ICT systems are obliged to determine whether information obtained through telemedicine is sufficient to assess the state of health of the patient and to prescribe adequate medicines to the patient.

Yes. Pursuant to Annex 1 to the Regulation of the Ministry of Health of 24 September 2013, on guaranteed benefits in the field of primary health care, telemedicine is covered by the universal health insurance, but only if performed by physicians whose services are already covered by the insurance.

13.1 If so, are there any special provisions about the reimbursement/coverage of costs regarding the use of mobile apps that can combine digital health and telemedicine? 

No, but there are public health information systems that are free of charge for everyone.

13.2 And further, if yes, who is covering the costs for apps that are mostly used by healthcare professionals and by patients?

Not applicable.

There are no data protection regulations relating to telemedicine specifically.

We are not aware of any future legal developments in Poland regarding telemedicine.