Digital health apps and telemedicine in Russia

Depending on the intended use and the functionality of digital health apps and software, they may or may not be deemed medical devices. According to Russian law, medical devices include instruments, apparatus, devices, equipment, materials and other products used for medical purposes separately or in combination with each other, as well as together with other accessories necessary for the use of these products for their intended purpose, including special software, and designed by the manufacturer for prevention, diagnostics, treatment and medical rehabilitation of diseases, monitoring health conditions, conducting medical research, restoration, replacement, changes in the anatomical structure or physiological functions of the body, and prevention or termination of pregnancy. Medical devices should not affect a human organism pharmacologically, genetically, immunologically and metabolically. 

However, there are no regulations specifically governing software and digital health apps being medical devices. So far, companies may be guided by recommendations and explanatory letters of the regulatory authorities in charge (which are not legally binding). These documents include but not limited to: 

• letter from the Federal Service for Surveillance in the Field of Healthcare dated 13 February 2020 No. 02И-297/20 (the “Letter”);
• recommendation of the Panel of the Eurasian Economic Commission dated 12 November 2018 No. 25 (the “EEU Recommendation”) (currently, the Eurasian Economic Union is comprised of Armenia, Belarus, Kazakhstan, Kyrgyzstan and Russia).

Even though these guidelines do not have binding effect, they may be useful for developers to assess whether or not their product may be considered a medical device (and as such requiring registration). 

According to the Letter, software may be considered as a medical device, provided that it meets the following requirements: 

• it represents software or its modules irrespective of what platform is used (e.g., PC, mobile apps) and how access to the software is provided (e.g., on the basis of licence by downloading software); 
• it is independent and does not constitute a part of another medical device;
• it is intended for provision of medical care; and
• it automatically interprets (including with the use Artificial Intelligence technologies) medical data affecting potential clinical decisions, regardless of whether such medical data is received from other medical devices or entered by the healthcare professional into the device. 

The EEU Recommendation is generally based on the same principles. In addition, it separately emphasizes that mobile apps can also be considered medical devices, if the application collects and processes the data for medical purposes (for example, for diagnostics or medical treatment). 

In turn, popular mobile apps such as health trackers or mobile apps which remind the user to take pills, should not be registered as medical devices. 

Considering that digital health software may deal with different information and personal data of patients, it also falls under the scope of the following laws: 

• Federal Law dated 27 July 2006 No. 152-FZ “On personal data”; and
• Federal Law dated 27 July 2006 No. 149-FZ “On information, information technologies and protection of information”. 

The key considerations implied by these laws are as follows:

1. Localisation of personal data. Russian law provides that when collecting personal data of the citizens of Russia, a personal data operator shall ensure that the record, systemisation, accumulation, storage, clarification (updating, modification) and retrieval of such data are conducted through local databases (e.g. databases located in the territory of the Russian Federation); 
2. Obtaining consent to data processing. Processing personal data regarding health of a person is subject to written consent. A document providing consent should contain certain details (e.g., passport details) and can be obtained in electronic form, provided that it is signed by a certified electronic signature.   

Special rules (e.g., exclusions from general legal regime) could apply to digital health apps or software, should they be used within the frameworks of so-called “regulatory sandboxes” for digital innovations. The creation of such regulatory sandboxes is also possible to test some new decisions in the sphere of medical services and telemedicine. 

3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction.

Localisation requirements apply regardless of whether a Russian citizen uses the app inside or outside of the Russian Federation, provided that a company targets its activity to the Russian Federation (e.g., a mobile app is available in Russian language, the app accepts payments in Russian roubles, etc.). 

3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service.

Generally, it does not matter whether is a B2B or B2C service. The application of personal data rules depends on whether any personal data is collected whilst using a mobile application. 

There are no additional requirements to regulatory approval or consents. 

Russian laws allow claims for damages incurred by digital health apps from both healthcare organizations and software producers/suppliers. 

Healthcare professionals and healthcare organisations remain ultimately responsible for the provision of medical services and bear liability for damages incurred to patients. Technically, the Healthcare Professionals (“HCPs”) and Healthcare Organisations (“HCOs”) may refer to a technological error as a reason for release from liability. However, it shall be finally assessed by a court and, in most cases, Russian courts apply the principle of “strict liability” to HCOs (e.g., the HCO is deemed liable for damage incurred to patients by the used medical products even if the HCO is not at direct fault).

Furthermore, it is possible to claim the damages from the producer and/or health care app. In this case, general civil law provisions on liability apply. 

Breach of regulatory requirements to medical devices 

If an improper medical device (e.g., unregistered, falsified, or medical device of improper quality) is detected, its circulation is to be suspended. Furthermore, it may be recalled from the market.

Breaching the rules of medical devices circulation may lead to the following consequences:

• a fine of RUB 5,000 up to 10,000 (approx. EUR 55 up to EUR 110) for a company’s official (e.g., CEO); or
• a fine of RUB 30,000 up to 50,000 (approx. EUR 330 up to EUR 540) for a legal entity.

The special liability is envisaged for circulation of medical devices of improper quality or falsified medical devices. In such a case, the breach may result in the following penalties: 

• a fine of RUB 100,000 up to 600,000 (approx. EUR 1,080 up to EUR 6,480) for a company’s officials; or
• a fine of RUB 1,000,000 up to 5,000,000 (approx. EUR 10,800 up to EUR 54,000) or administrative suspension of the business activity for up to 90 days for a legal entity. 

The higher fines are also envisaged for the sale of improper medical devices through the Internet. 

Moreover, if the cost of improper medical devices exceeds RUB 100,000 (approx. EUR 1,080), an individual (i.e., CEO of a company) may be held criminally liable for the circulation of unregistered or improper medical devices. 

In such a case, the company’s official may be sentenced to imprisonment for up to five years. The more stringent sanctions may be implied if the medical devices are sold through the Internet, if the crime is committed in collusion, or if the non-registered medical devices inflict harm to the health or life of citizens. 

Breach of personal data rules

The following fines may be imposed on data controllers in case of breach of personal data rules (e.g., if the consent is not obtained):

• a fine of RUB 3,000 up to 20,000 (approx. EUR 32 up to EUR 216) for company officials; or
• a fine of RUB 15,000 up to 75,000 (from EUR 162 up to EUR 812) for legal entities.

The Russian Code on Administrative Offences was recently amended to introduce a separate sanction for breach of personal data localisation requirements. The following fines may be imposed: 

• on company officials, a fine of RUB 100,000 up to 200,000 (approx. from EUR 1,080 up to EUR 2,160); or
• on legal entities, a fine of RUB 1m up to 6m (approx. from EUR 10,800 up to EUR 64,900).

In addition to that, the website or mobile app may be blocked in Russia, if it breaches the localisation rules. 

It is expected that the regulations specifically governing medical software will be introduced in the future. The process may be started with some “pilot regulations” governing particular aspects of digital health apps circulation. 

Both the Ministry of Health of the Russian Federation and the Russian Federal Service for Surveillance in Healthcare govern and control the medical activity, including physicians’ activity. However, there is no special authority focusing on the physicians only. 

Provision of telemedicine services are regulated by the following laws and regulations: 

• Federal Law dated 21 November 2011 No. 323-FZ “On fundamentals of protection of health of citizens in the Russian Federation”; and
• Decree of Ministry of Health dated 30.11.2017 No. 965н “On approval of procedure of organisation and provision of telemedicine services” etc. 

10.1 What are the requirements?

According to the Russian laws, telemedicine services may be provided by a healthcare organisations holding a general licence for medical activity (e.g., no special licence for telemedicine is required).

Telemedicine services should be provided in the place indicated on the licence for medical activity and be in accordance with all applicable standards of care. 

Telemedicine services may be provided to patients for the following purposes: 

• prevention, collection, and analysis of patients’ complaints;
• assessment of the effectiveness of treatment;
• remote monitoring of patients’ health;
• decision on the necessity of an in-person meeting between a patient and a doctor; and
• follow-up correction of the treatment previously prescribed by a doctor in the course of an in-person meeting with a patient.

However, it is prohibited to remotely diagnose and prescribe medications during the first appointment. It may be done only through a face-to-face meeting between physician and patient. 

10.2 Were there any new (time-limited) regulation regarding the Sars-CoV-2 pandemic?

Yes, the special rules of issuing electronic prescriptions for medicines combating COVID-19 were enforced in April 2020.

11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.

For the time being, physicians shall follow the same standards of care as in the case of offline medical services. That said, standards of care are not significantly adjusted to be more suitable for telemedicine services. For example, there are no special requirements to giving disclaimers or any other notices relating to telemedicine. 

11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?

For the time being, the risk of liability in the case of telemedicine services is comparable to the same risk in the case of an offline medical aid. 

There are no special restrictions on the type of medicines that can be prescribed through telemedicine provided that the prescription is made not for the first time. (See the response to the Q10 above; the first prescription shall be made at an in-person consultation). 

Currently, electronic prescriptions are available only in certain regions of Russia. 

As a general rule, telemedicine services are not reimbursable under the state medical insurance in Russia. 

However, telemedicine services can be provided on a free-of-charge basis if they are within the frameworks of pilot programmes which are available in certain Russian regions and funded from regional budgets. 

No. 

It is highly debatable topic whether the scope of application of telemedicine services should be broadened. The industry is currently trying to lobby the following amendments: (i) allowing diagnosis and prescription of medicines during a first appointment through telemedicine; and (ii) relaxing of requirements for the location where a physician shall be located during the provision of telemedicine services (e.g., not only in his/her office as it is now).