Digital Health Apps/Software
1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?
1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?
Software in the form of digital health is considered a “medical device” according to article 2 (1) of Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices (“MDR”) insofar as it is software intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the following specific medical purposes:
- diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease;
- diagnosis, monitoring, treatment, alleviation of, or compensation for, an injury or disability;
- investigation, replacement or modification of the anatomy or of a physiological or pathological process or state;
- providing information by means of in vitro examination of specimens derived from the human body, including organ, blood and tissue donations;
and which does not achieve its principal intended action by pharmacological, immunological or metabolic means, in or on the human body, but which may be assisted in its function by such means.
In this regard, the following local legislation is also applicable:
- Decree-law no. 29/2024, of April 5, executes the MDR on the Portuguese territory;
- Decree-law no. 5/2017, of January 6, on the general principles for advertising medicines and medical devices;
- Decree-law no. 145/2009, of June 17, establishes the rules governing the research, manufacture, marketing, putting into service, surveillance and advertising of medical devices and their accessories;
- Law no. 95/2019, of September 4, establishes the fundamental principles of healthcare, including the use of technology in healthcare.
2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/ privacy) If yes, please indicate these.
Yes, there are multiple legal regimes that may apply to and govern digital health software, depending on the business and technology. Below, we emphasise the ones related to Technology and the promotion of its development:
Technology and Cybersecurity
Depending on the purposes and functionalities of the particular piece of software, Artificial Intelligence, Cybersecurity and Data EU Regulations and their respective local laws implementing particular aspects set forth in said regulations may be of relevance.
Data Protection
From a data protection point of view, according to Article 9 (2) (h) and no. 3 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) and Article 29 of Law 58/2019 of August 8th, insofar as the digital health software collects and processes health data for the purposes of medical diagnosis and healthcare treatments, such data shall only be processed by or under the responsibility of a person subject to professional secrecy or by any other entity under confidentiality duty. Therefore, where health related personal data is collected, the data controller must always be a physician or other entity subject to a confidentiality duty.
Intellectual Property
Decree-Law no. 252/94, of October 20, establishes the applicable rules on copyright over software.
Tax
Depending on the corporate structure and the nature of the activities, tax programmes to promote the development of start-ups and technological programmes may apply from time to time.
3. If your response to Q2 is yes, please state whether it matters if, the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable).
3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction.
The legal regimes governing digital health software can indeed be influenced by whether the users are residents using the software within their jurisdiction or outside their jurisdiction. Here are the key implications:
- Within Jurisdiction: When users are residents using the software within their jurisdiction, the local laws and regulations will primarily apply. For instance, in the EU, the GDPR will govern the processing of personal data, including health data. Compliance with local cybersecurity laws and data protection regulations will be mandatory. Additionally, local intellectual property laws, such as Decree-Law no. 252/94 in Portugal, will apply to software copyright.
- Outside Jurisdiction: If users are residents using the software outside their jurisdiction, the software provider must consider the data protection and cybersecurity laws of the jurisdiction where the users are located. For example, if EU residents use the software while in another country, the GDPR may still apply due to its extraterritorial scope. The software provider must ensure compliance with both the home country’s regulations and the regulations of the country where the users are located.
3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service.
The nature of the service—whether it is B2B (business to business) or B2C (business to end consumer)—also has significant implications:
- B2B Services: In a B2B context, the contractual agreements between businesses will play a crucial role. These agreements will typically outline the responsibilities and liabilities of each party concerning data protection, cybersecurity, and intellectual property. Businesses will need to ensure that their contracts comply with relevant regulations, such as the GDPR for data protection and local cybersecurity laws. Additionally, B2B services may involve more complex tax implications, especially if the businesses are located in different jurisdictions.
- B2C Services: For B2C services, the software provider must ensure compliance with consumer protection laws in addition to data protection and cybersecurity regulations. The GDPR will apply to the processing of personal data of end consumers in the EU. Providers must also consider local consumer rights laws, which may impose additional obligations regarding transparency, data security, and user consent. Intellectual property laws will protect the software, but the provider must also ensure that end consumers are aware of their rights and limitations regarding software use.
4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?
Law No. 41/2004 and Its Relevance to Healthcare Software in Portugal
In Portugal, Law No. 41/2004, enacted on August 18, 2004, transposes the European Directive 2002/58/EC into national legislation, focusing on the processing of personal data and the protection of privacy in the electronic communications sector. While this law primarily addresses electronic communications services, certain provisions are pertinent to healthcare software, especially when such applications involve electronic communications or handle sensitive personal data like health information.
Key Provisions Relevant to Healthcare Software
- Definitions: The law defines "data of location" as any data processed in an electronic communications network or service that indicates the geographic position of the terminal equipment of a user.
- Data Processing and Consent: Processing of location data is permissible only when it is anonymised or with the explicit consent of the user. Users must be informed about the type of data being processed, the purpose, and the duration of the processing.
- Security Measures: Entities offering electronic communication services must implement appropriate technical and organisational measures to safeguard the security of their services, ensuring the protection of personal data against unauthorised access or disclosure.
Compliance Requirements for Healthcare Software
For healthcare software that incorporates features such as location tracking or real-time monitoring, compliance with Law No. 41/2004 involves several critical steps:
- Obtaining Explicit Consent: Prior to processing location data, healthcare software providers must obtain clear and informed consent from users. This consent should detail the specifics of data collection and usage, ensuring users are fully aware of how their data will be handled.
- Ensuring Data Security: Providers must implement robust security protocols to prevent unauthorised access to sensitive health and location data. This includes both technical measures, such as encryption, and organisational measures, such as access controls and regular security audits.
- Providing Transparency: It is essential to clearly communicate to users how their data will be processed and stored. Providers should also inform users about the measures in place to protect their privacy, ensuring transparency in data handling practices.
Complementary Legislation
It's important to note that Law No. 41/2004 complements the broader data protection framework established by the General Data Protection Regulation (GDPR) and Portugal's Data Protection Law (Law No. 58/2019). Therefore, healthcare software providers must ensure compliance with all relevant legislation to uphold user privacy and data protection standards. This comprehensive approach to data protection helps maintain trust and security in the use of healthcare software, particularly in the context of sensitive health information.
5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)?
According to Decree-law no. 383/89 of November 6, regarding liability arising from defective products, producers are liable, regardless of fault, for damage caused by defects in the products they put into circulation (cfr. Article 1).
In this context, a product is considered defective if it is not safe to rely on, considering all the circumstances, in particular its presentation, the use to which it can reasonably be put and the time of its entry into circulation (cfr. Article 4 (1)).
On the other hand, damage resulting from death or personal injury and damage to something other than the defective product (in this case, up to the value of EUR 500,00), provided that it is normally intended for private use or consumption and the injured party has mainly used it for this purpose, are compensable (cfr. Articles 8 and 9).
Nevertheless, for there to be liability on the part of the producer, it is of course necessary to be able to demonstrate the lack of any responsibility on the part of the physician, i.e., that the physician has acted with due diligence and expertise and that, as such, the cause of the damage is exclusively attributable to the product/software (cfr. Article 799 (1) of the Portuguese Civil Code).
On the other hand, it shall be noted that, with regard to telemedicine, the physician has a duty to ensure the quality and safety of the system used (cfr. Article 48 of the Portuguese Order of Physicians Ethics Code (Order no. 707/2016 of July 21st) (“PED”)). In particular, the physician shall:
- use telemedicine after making sure that the team responsible for carrying it out guarantees a sufficiently high level of quality, works properly and complies with the stipulated standards;
- have support systems and use quality controls and evaluation procedures to monitor the accuracy and quality of the information received and transmitted;
- only use telemedicine after making sure that the system used and its users guarantee medical confidentiality, in particular by encrypting names and other identifying data.
6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software contained in digital health apps. What are the legal consequences for non-compliance?
Medical Device Legislation
The MDR and Decree-law no. 29/2024 of April 5 set forth multiple obligations for manufacturers, importers and distributors. Infringements of these obligations constitute misdemeanours punishable by fines of up to EUR 24.000,00 (twenty-four thousand euros). Ancillary sanctions may be applicable depending on the seriousness of the infraction and the agent’s culpability.
The commission of misdemeanours does not exempt an individual from criminal, disciplinary and civil liability where applicable.
Data Protection
Violation of Article 9 (2) (h) of the GDPR and Article 29 of Law 58/2019 of August 8th constitutes a very serious misdemeanour, punishable by a fine of up to EUR 20,000,000.00 (twenty million euros) or 4% of the Company’s annual turnover worldwide, whichever is higher (cfr. Article 37 (1) (d), (l) and (2) of Law 58/2019 of August 8th).
7. Are you aware of any future legal developments in your jurisdiction with regard to digital health apps/software?
Artificial Intelligence Act (AIA):
The EU's Artificial Intelligence Act (AIA) aims to establish a comprehensive regulatory framework for AI systems, including those used in healthcare. Once fully enacted, the AIA will be directly applicable in Portugal, classifying certain AI applications in healthcare as high-risk, thereby subjecting them to stringent requirements. These include obligations related to data quality, transparency, human oversight, and robustness to ensure the safe and ethical use of AI in medical contexts.
European Health Data Space (EHDS):
The EU's proposal for a European Health Data Space (EHDS) seeks to promote the secure exchange and use of health data across member states. This initiative will impact digital health applications by standardising data sharing protocols, enhancing interoperability, and ensuring robust data protection measures. The EHDS aims to facilitate better healthcare delivery and foster innovation in health technologies.
Telemedicine
8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?
Physicians that exercise medicine in the Portuguese territory are regulated by the following legal instruments:
- The Portuguese Physicians’ Association (“Ordem dos Médicos”) and its Statutes (Decree-law no. 282/77 of July 5th) (“OM Statutes”); and
- PED.
Additionally, establishments/companies that provide healthcare services are regulated by the Portuguese National Health Regulator (“Entidade Reguladora da Saúde”) (“ERS”) (cfr. Article 4 (2) of Decree-law no. 126/2014, of August 22).
Guidance no. 7/2024 of ERS on the Patients’ rights in the provision of teleconsultations also holds a particular relevance in this matter.
9. What laws and/or regulations apply to physicians regarding telemedicine?
The relevant laws in this matter are:
- Portuguese Law no. 85/2019, of September 9th (“Lei de Bases da Saúde”, “LBS”) which defines the fundamental principles of healthcare;
- OM Statutes; and
- PED.
10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients? What are the requirements?
The provision of healthcare, whether delivered remotely or in person, is subject to a set of general obligations primarily outlined in LBS.
Besides the need to comply with the national requirements set forth in the OM Statutes to practise medicine in the Portuguese territory, with regard specifically to telemedicine, Chapter VII of PED defines the principles and obligations that must be observed by Physicians when exercising telemedicine. In a nutshell, it defines the following:
- Physician-patient relationship: Trust, patient autonomy, and medical confidentiality must be maintained. Telemedicine is not a substitute for in-person consultations and requires adequate clinical evaluation.
- Medical responsibility: The physician can accept or refuse telemedicine and remains responsible for treatment. Physicians should only provide opinions with sufficient information.
- Quality and safety: The physician must ensure that the systems used are reliable, with data protection and quality control measures in place.
- Clinical record: Every consultation must be properly documented, ensuring traceability and confidentiality of information.
11. Do the standards of care applicable to physicians change in the context of using telemedicine?
11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.
Yes.
Before using telemedicine services, the Patient shall provide their informed, free and clarified consent for the provision of care via telemedicine (cfr. Article 20 of PED and Guidance no. 7/2024 of the ERS regarding Patients’ rights in the provision of telemedicine services).
11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?
In relation to telemedicine, physicians are subject to additional responsibilities, namely concerning the system’s quality and safety (cfr. Article 48 PED). Additionally, physicians shall only provide medical advice that is adequate based on the information provided by the patient.
For example, where a patient requests a fitness certification, a physician must use their medical discernment and knowledge to avoid providing that medical advice, because telemedicine is clearly inadequate as a means of providing the type of medical advice requested.
12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?
In Portugal, the practice of telemedicine is governed by the Code of Ethics of the Portuguese Medical Association, which establishes standards to ensure the safety and quality of remote healthcare services.
Regarding electronic prescriptions, they have been standard practice in Portugal for several years, with non-electronic prescriptions permitted only in specific cases.
Recent regulatory changes have further defined the rules for prescribing and dispensing medicines. Ministerial Order 263/2023, enacted on August 17, 2023, introduced measures to improve access to medications, particularly for patients with chronic conditions. Under this order, certain medicines intended for long-term treatment can be prescribed in quantities sufficient for up to 12 months. For short or medium-term treatments, prescriptions may include a higher number of packs than previously allowed, provided the prescription is justified by factors such as dosage requirements or prolonged absence from the country.
While these regulations outline the general framework for prescribing medications, they do not specify particular restrictions on the types of medicines that can be prescribed via telemedicine. However, healthcare professionals are expected to exercise clinical judgement to determine the appropriateness of prescribing certain medications remotely. For instance, prescribing controlled substances or medications with a high potential for abuse may require an in-person consultation to ensure patient safety and compliance with legal requirements.
13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage?
The Portuguese National Health Service provides free telemedicine services for all non-urgent patients who are referred via triage after calling SNS24.
SNS24 is a public health service in Portugal that offers free medical advice and support to people through phone calls or online.
However, it should be noted that the above information only relates to public healthcare, i.e., if the patient wants to use telemedicine services in a private hospital, the price is charged according to the price list of the respective hospital. Nevertheless, in the latter case, the patient may have health insurance that covers telemedicine services, but this possibility and the level of coverage will depend on the insurance policy of each insurer.
14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.
No. However, the legal framework set out in the answer to Q2 shall be considered.
15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?
Portugal is actively enhancing its telemedicine framework through various legal and strategic initiatives to improve the quality and accessibility of remote healthcare services.
Regulatory Clarifications by the Health Regulatory Entity (ERS)
In September 2024, the Portuguese Health Regulatory Entity (ERS) issued Supervisory Alert No. 7/2024, providing detailed guidance for telemedicine healthcare providers. Key directives include the requirement for providers to obtain explicit consent from patients before conducting teleconsultations, ensuring patients are fully aware of the nature and scope of remote medical services. Teleconsultations should be conducted in environments that uphold patient confidentiality, mirroring the privacy standards of in-person consultations. Patients are entitled to receive comprehensive clinical information and, upon request, documentation confirming their participation in teleconsultations. Telemedicine services must adhere to the Guaranteed Maximum Response Times (TMRG) as mandated for healthcare services, ensuring timely medical attention for patients. Non-compliance with these guidelines may result in penalties, emphasising the importance of adherence to these standards.
Update and Implementation of the National Strategic Plan for Telehealth (PENTS)
On October 27, 2024, the Portuguese Parliament recommended the government update and implement the National Strategic Plan for Telehealth (PENTS). This plan aims to integrate telehealth more comprehensively into the National Health Service (SNS), enhancing accessibility, efficiency, and patient empowerment within the healthcare system.
Implementation of the Electronic Health Record (RES)
The Portuguese government has committed to implementing the Electronic Health Record (RES) by the end of 2025. This initiative is expected to facilitate seamless information sharing among healthcare providers, thereby improving the coordination and quality of patient care, including in telemedicine contexts.
These developments reflect Portugal's dedication to enhancing its telemedicine landscape through clear regulations, strategic planning, and technological advancements, aiming to provide more accessible and efficient healthcare services to its population.