Digital health apps and telemedicine in South Africa

  1. Digital Health Apps/Software
    1. 1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?
    2. 2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/ privacy) If yes, please indicate these.
    3. 3. If your response to Q2 is yes, please state whether it matters if, the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable). 
    4. 4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?
    5. 5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)? 
    6. 6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software contained in digital health apps. What are the legal consequences for non-compliance?
    7. 7. Are you aware of any future legal developments in your jurisdiction with regard to digital health apps/software?
  2. Telemedicine
    1. 8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?
    2. 9. What laws and/or regulations apply to physicians regarding telemedicine?
    3. 10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?
    4. 11. Do the standards of care applicable to physicians change in the context of using telemedicine?
    5. 12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?
    6. 13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage? 
    7. 14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.
    8. 15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?

Digital Health Apps/Software

1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?

1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?

A digital health application (digital health app) as defined by the World Health Organization (WHO) involves the provision of medical services and information through the use of mobile technologies such as mobile phones and personal digital assistants (PDA). In terms of the Medicines and Related Substances Act 1965 (MRSA), a medical device includes any diagnostic reagent, apparatus or machine that is used in the diagnosis, treatment, mitigation, modification, monitoring or prevention of disease, abnormal physical or mental states or related symptoms. A key distinction to be drawn between the above-mentioned definitions of “medical devices” and “digital health apps” is the way in which the medical services contemplated above are delivered. In this regard, digital health apps require the facilitation of mobile devices and PDAs for the provision of medical services. However, it is worth noting that the wording of this indicates that digital health apps would satisfy the definition of a medical device as defined by the MRSA. In addition, to qualifying as a medical device, the digital health app would also qualify as a product under the Consumer Protection Act 68 of 2008 (CPA), and therefore, the concept of strict liability could be applied for all entities involved in the supply chain, should harm be caused by the product. For example, liability may arise if the product causes harm by the following ways:

  • illness of a person;
  • death or injury; and/or
  • economic loss.   
1.2 If your response to Q1.1 is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)?

Liability may only be excluded in instances where the software used in the digital health app meets the requirements needed in order to qualify as a safe medical device in terms of both the MRSA and the CPA. In this regard, the CPA defines a suitably qualified product as a product which is reasonably suitable for the purposes for which it was intended and requires that all goods supplied must essentially be of good working order and free from any defects. A safe medical device in terms of the MRSA is a device registered with the South African Health Products Regulatory Authority (“SAHPRA”) in terms of section 15 of the MRSA. 

The legal regimes applicable to digital health apps include the:

  • MRSA; 
  • National Health Act 61 of 2003 (“National Health Act”);
  • Health Professions Act 56 of 1974 (“Health Professionals Act”);
  • MRSA Control and the Medical and Related Substances Amendment Act 14 of 2015 (“Amendment Act”);
  • CPA;
  • Electronic Communications and Transactions Act 25 of 2002 (“ECTA”);
  • Protection of Personal Information Act 4 of 2013 (“POPI”); and
  • Promotion of Access to Information Act 2 of 2002 (“PAIA”).

3. If your response to Q2 is yes, please state whether it matters if, the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable). 

3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction.

If users are residents using the medical device (software) either within or outside the republic of South Africa, such device must be registered with the SAHPRA. Such registration provides that the relevant formality requirements needed in order to classify the digital health app as being safe, have been complied with.

3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service.

The formalities and standard requirements as prescribed by the SAHPRA provide for the same standard whether a business provides medical services from B2B or B2C. However, a distinction is drawn with reference to the level of liability associated with the provision of services from B2B and B2C. As an example, in the case of the provision of services from B2B, a business responsible for the production of a defective medical device (“defective party”) would be limited to the claims brought by affected businesses (“affected party”), (collectively “the parties”) in terms of the agreement between the parties and the regulations as prescribed by the SAHPRA. In the case of the provision of medical devices from B2C, a defective party would be exposed to further liability in terms of the CPA in addition to the standards and requirements provided for by the SAHPRA.

The features mentioned will require the user of such digital health app to consent to the terms and conditions relating to live tracking/monitoring of the user’s real-life information in line with the relevant provisions of POPI (effective 1 July 2020), and the regulations applicable to medical practitioners as further referenced below. 

5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)? 

There are various legislative instruments that provide for the regulation of health care practitioners/providers, which includes providers of telemedicine as regulated by Health Practitioners Council of South Africa Guidelines on Good Practice in the Health Care Profession: General Ethical Guidelines for Good Practice in Telemedicine [Booklet 10] (“HPCSA”), Health Professions Act, and the National Health Act and other applicable legislative instruments. In addition to the above, any cross-border telemedicine providers who are serving South African patients must be registered with the relevant regulatory body in their own nations, as well as the HPCSA. The above regulatory bodies are responsible for regulating the conduct of health practitioners in South Africa and can impose liability on a medical practitioner for the relevant malpractice and/or misconduct in relation to the provision of medical services. The HPCSA does not require registration by the designer, owner, proprietor or operator of the software or telecommunications platform used by the healthcare practitioner to provide telemedicine services. Thus, there is a limitation on the liability of digital health apps as provided for by the HPCSA, but there can be various instances of liability conferred on a software provider in relation to a digital health app as provided for by the CPA, the MRSA and SAHPRA. 

Furthermore, the CPA provides for the ability of a service provider who, in conjunction with the provision of such services applies, supplies, installs or provides access to any goods, shall be regarded as a supplier under the CPA. While in the context of physicians, the CPA seems to confer liability, such liability would have to be directly connected to the harm caused and such physician could not be held liable where the harm is wholly attributable to compliance with a defective party’s instruction in the provision of goods and in this case, services. 

In summary, South African legislation provides for liability in various circumstances and such liability in the context of physicians, telemedicine providers and the producers of software that facilitates telemedicine services may vary on a case by case basis.

All medical devices must be registered with the SAHPRA, failing which a medical service provider and/or medical service devices shall not be legally permitted to operate with in South Africa. Furthermore, the MRSA provides for fines or imprisonment (for a period not exceeding 10 years) for contraventions of the provisions of the MRSA, which prohibits the operation of any business engaged in the manufacturing, distribution or export of a medical device without the requisite licence. 

In relation to the other regulations, various fines can be incurred as a result of non-compliance as well as reputational harm. 

No.

Telemedicine

8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?

All practising physicians in South Africa must be registered in terms of the Health Professions Act, which in turn means that they must abide by the HPCSA’s ethical rules of conduct.

9. What laws and/or regulations apply to physicians regarding telemedicine?

  • National Health Act;
  • Health Professions Act;
  • MRSA and Amendment Act;
  • CPA;
  • ECTA;
  • POPI;
  • PAIA; and 
  • HPCSA Telemedicine Guidelines.

10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?

  • A person who provides telemedicine services must be registered as a healthcare practitioner with the HPSCA in accordance with the provisions of the Health Professions Act the National Health Act. Any cross-border telemedicine providers who are serving South African patients must be registered with the relevant regulatory body in their own nations, as well as the HPCSA. The healthcare practitioner is required to be registered with the HPCSA, and the HPCSA does not require registration by the designer, owner, proprietor or operator of the software or telecommunications platform used by the healthcare practitioner to provide telemedicine services. 
  • Telemedicine may only be practised where there is an existing doctor-patient relationship between the patient and the healthcare practitioner (“consulting healthcare practitioner”) who conducts a “face-to-face” interview or examination with the patient and refers patient’s information to a remote location for further advice or intervention. 
  • The relationship between the patient and the healthcare practitioner is established when the practitioner agrees to treat the patient, and the patient agrees to be treated. 
  • Health care practitioners using telemedicine must ensure:
  • that all data message transmissions, websites or online software platforms which they use for telemedicine services, comply with the provisions of ECTA in respect of privacy, authentication and the collection of personal information;
  • compliance with the provisions of Health Professions Act, the National Health Act, MRSA and the CPA.
  • COVID-19 Amendments effect on current requirements.
  • On the 26 March 2020, the HPCSA released the Guidance on the Application of Telemedicine Guidelines During the COVID-19 Pandemic (“HPCSA COVID-19 Telemedicine Guidelines”). In terms of the HPCSA COVID-19 Telemedicine Guidelines the prerequisite that an existing doctor patient relationship must already be in place before a health practitioner can render a telemedicine service was relaxed in light of COVID-19.

11. Do the standards of care applicable to physicians change in the context of using telemedicine?

No, the standards of care do not change when using telemedicine.

11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.

Yes. The HPCSA Telemedicine Guidelines provide that the professional discretion of healthcare practitioners engaging in telemedicine regarding the diagnosis, scope of care or treatment should not be limited or influenced by non-clinical considerations of telemedicine technologies. A documented medical evaluation must be done, and the relevant clinical history necessary to diagnose underlying conditions as well as any contra-indications regarding the recommended treatment must be obtained before providing treatment, including issuing prescriptions, electronically or otherwise. The servicing practitioner must:

  • keep detailed records of the advice he or she delivers as well as the information he or she receives and on which the advice is based; and
  • ensure that the advice or treatment suggestions given were understood by the consulting practitioner and the patient;
  • when telemedicine is used the patient should be informed of the persons who will access their information, the purpose of the telemedicine service, the cost of the service and what the implications of the use of such information will be; and 
11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?

No. A consulting healthcare practitioners and servicing healthcare practitioners are held to the same standards of medical practice as any other healthcare practitioners who conduct face-to-face consultations without the use of telemedicine diagnosis or treatment, including informed consent guidelines, confidentiality guidelines and general ethical guidelines for healthcare professions. The consulting practitioner remains responsible for the treatment, decisions and other recommendations given to the patient, as well as for keeping detailed records of the patient’s condition and information transmitted and received from the servicing practitioner. 

12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?

The only restriction on prescriptions being issued through telemedicine is the caution that any treatment/prescription based solely on an online questionnaire does not constitute an acceptable standard of care in terms of South African law. Any prescription issued by a health practitioner must comply with certain formality requirements as listed in Rule 2.3.8 of the Digital Health Association Guidelines for South African Telemedicine (“DHA Telemedicine Guidelines”), as well as the relevant legislative frameworks. 

13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage? 

13.1 If so, are there any special provisions about the reimbursement/coverage of costs regarding the use of mobile apps that can combine digital health and telemedicine? 

As it currently stands, there are no laws, regulations, policies or guidelines that address a reimbursement framework for telemedicine consults in South Africa. Research reveals that there is a virtual consultation fee which is cheaper than the face-to-face consultation fee that would normally be charged, but the exact extent in the differentiation of price depends on the health insurance provider and the individual health practitioner providing the service.

13.2 And further, if yes, who is covering the costs for apps that are mostly used by healthcare professionals and by patients?

The cost for such apps is mostly covered by the hospitals themselves or a private company wishing to obtain such app for the benefit of the company. 

14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.

When it comes to telemedicine, the right to privacy of a patient must be ensured in terms of the DHA Telemedicine Guidelines. The DHA Telemedicine Guidelines clearly states that technology providers must have a plan in place to provide a clear process for the responding and reporting of security breaches, data access control and appropriate encryption.
The DHA Telemedicine Guidelines further stipulate that any organizations offering telemedicine must be in compliance with the relevant regulatory guidelines regarding the usage of a patient’s personal information.

No.

Maud-Pia Hill