Digital Health Apps/Software
  • 1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?
  • 1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?
  • 1.2 Is it considered a “product” to which civil liability can attach, and if so, under what regulations?
  • 1.3 If your response to Q1.1 is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)?
  • 2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/ privacy) If yes, please indicate these.
  • 3. If your response to Q2 is yes, please state whether it matters if, the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable).
  • 3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction.
  • 3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service.
  • 4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?
  • 5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)?
  • 6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software contained in digital health apps. What are the legal consequences for non-compliance?
  • 7. Are you aware of any future legal developments in your jurisdiction with regard to digital health apps/software?

Telemedicine
  • 8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?
  • 9. What laws and/or regulations apply to physicians regarding telemedicine?
  • 10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?
  • 10.1 What are the requirements?
  • 11. Do the standards of care applicable to physicians change in the context of using telemedicine?
  • 11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.
  • 11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?
  • 12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?
  • 13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage?
  • 14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.
  • 15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?

Digital Health Apps/Software

1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?

1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?

Software as a medical device

  • Royal Decree No. 192/2023 on medical devices.
  • Royal Decree No. 1/2015 approving the consolidated text of the Law on guarantees and the responsible use of medicines and medical devices.
  • Regulation (EU) 2017/745 on medical devices.

Software within digital health apps may be considered a “medical device” if it falls under the “medical device” definition provided by art. 2 of Royal Decree No. 192/2023 which refers to the definition provided by article 2(1) of Regulation (EU) 2017/745: “medical device” means any instrument, apparatus, appliance, software, implant, reagent, material or other article intended by the manufacturer to be used alone or in combination for human beings for one or more of the following specific medical purposes:

  • diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease,
  • diagnosis, monitoring, treatment, alleviation of, or compensation for, an injury or disability,
  • investigation, replacement or modification of the anatomy or of a physiological process,
  • providing information by means of in vitro examination of specimens derived from the human body, including organ, blood and tissue donations,

and which does not achieve its principal intended action by pharmacological, immunological or metabolic means, in or on the human body, but which may be assisted in its function by such means.

The following products shall also be deemed to be medical devices:

  • devices for the control or support of conception;
  • products specifically intended for the cleaning, disinfection or sterilisation of devices as referred to in Article 1(4) and of those referred to in the first paragraph of this point.

Please note that even if the software within digital health apps does not qualify as a medical device, it should also be checked whether it qualifies as an “accessory for a medical device” as defined by Article 2(2) of Regulation (EU) 2017/745: an article which, whilst not being itself a medical device, is intended by its manufacturer to be used together with one or several particular medical device(s) to specifically enable the medical device(s) to be used in accordance with its/their intended purpose(s) or to specifically and directly assist the medical functionality of the medical device(s) in terms of its/their intended purpose(s).

Since Spain has not issued specific guidelines for the classification/qualification of software as a medical device, the guidelines issued by the European Commission should be considered in order to evaluate whether certain software qualifies as a medical device, including the latest document “Guidance on Qualification and Classification of Software in Regulation (EU) 2017/745” issued by the European Commission.

If considered a medical device or an accessory to a medical device, the software would have to comply with the corresponding regulation, which includes, among others: (i) the obligations regarding the CE labelling; (ii) the obligation to submit a prior communication to the Spanish Agency of Medicines and Medical Devices and, in certain cases to be included in the corresponding Registry of Responsible entities; (iii) labelling obligations; and (iv) the maintenance of a documented record of the medical devices commercialised in the Spanish territory.

1.2 Is it considered a “product” to which civil liability can attach, and if so, under what regulations?

Yes.  Regardless of whether or not they qualify as a medical device, software within digital health apps may be considered a “product” to which civil liability can attach under the following regulations:

  • Directive 85/374/EEC on defective products, which will be repealed with effect from 9 December 2026 and replaced by the Directive (EU) 2024/2853 of 23 October 2024 on liability for defective products;
  • Royal Decree 1/2007 on the General Law for the Defence of Consumers and Users (the “Spanish Consumer Protection Law”); and
  • Spanish Civil Code.

1.3 If your response to Q1.1 is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)?

The liability regime on defective products provided for in the Spanish Consumer Protection Law provides some exclusions/exemptions (not specific to the health context). In particular, the following grounds for exemption from liability are available:

  • when the producer had not put the product in the market; or
  • when, given the circumstances of the case, it is possible to presume that the defect did not exist at the time the product was placed in the market; or
  • when the product had not been manufactured for sale or any other form of distribution for economic purposes, nor had it been manufactured, imported, supplied or distributed in the context of a professional or business activity; or
  • when the defect was due to the fact that the product was manufactured in accordance with existing mandatory rules; or
  • when the state of scientific and technical knowledge at the time when the product was placed on the market did not make it possible to assess the existence of the defect.

In addition, this regime provides a quantitative limit on liability under which the producer's overall civil liability for death and personal injury caused by identical products with the same defect shall be limited to EUR 63,106,270.96.

The general liability regime of the Spanish Civil law is very wide, and thus the exclusions/exceptions applicable should be assessed on a case-by-case basis.

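2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/ privacy) If yes, please indicate these.

  • General Data Protection Regulation (“GDPR”) and the instructions of the European Supervisory Authority.
  • Spanish Data Protection Act and the instructions of the Spanish Supervisory Authority.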
  • Spanish Consumer Protection Law.
  • Spanish Law on Information Society Services.
  • Spanish Copyright Act.

3. If your response to Q2 is yes, please state whether it matters if, the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable).   

3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction.

Article 3 of the GDPR (territorial scope) provides that the Regulation applies to the data processing “in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”.  The GDPR also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:  (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service.

In a B2C relationship, all the above-mentioned regulations would apply. In a B2B relationship, consumer law would not be applicable, nor would the GDPR and the Spanish Data Protection Act, except if the business is a natural person. Please note that in B2B2C scenarios, the GDPR and the Spanish Data Protection Act will apply.

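4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?

No.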

5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)? 

In Spain, liability of health care professionals is assessed through the case law doctrine of the lex artis, defined by the Spanish Supreme Court as the evaluating criteria to assess the level of due care which should be complied with in all health care treatments. It implies not only complying with all techniques generally accepted by the medical science and adequate to a good practice, but applying said techniques with due care and preciseness in light of the circumstances and the risks inherent to each treatment according to its nature. 

Thus, the particular circumstances and techniques used by the health care professional should be assessed on a case-by-case basis. For instance:

  • If a fault or inaccuracy of the software led to damage (or injury) but the health care professional was able to prove that use of the digital app was a generally accepted technique and that it had been correctly applied to the specific case, the health care professional could be found not liable, in which case the patient could try to seek compensation for damages from the producer of the software.
  • If a health care professional was found liable for damage (or injury) which was caused by a fault or inaccuracy with the software or the final product/app, the health care professional could have a recovery right to seek damages from the software producer, unless the agreement between them established a limitation (such as an “as it is” clause). Accordingly, clauses regarding liabilities and liability waivers should be carefully drafted when commercialising digital health products/apps.

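6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software contained in digital health apps. What are the legal consequences for non-compliance?

Medical devices regulation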

According to Royal Legislative Decree No. 1/2015 on medicines and medical devices, national health authorities can carry out periodic inspections to verify compliance with its provisions. Infringement of these provisions could entail: (i) the adoption of precautionary measures; and (ii) penalties.

As for infringements of the medical devices regulation, article 112 provides the list of infringements and classifies them as minor, serious and very serious. According to said provision, the classification is made according to the following criteria: (i) risk to health; (ii) amount of any potential benefit to be obtained; (iii) severity of the health and social disorder caused; (iv) generalization of the infringement; and (v) recurrence. The fines range from €6,000 to €1,000,000 and may even surpass said quantity, up to a maximum of five times the value of the products and services which have been part of the infringement. However, the maximum of each sanction will only be imposed if the infringing act has caused direct damage to public health or created a serious and direct risk to public health.

In cases of serious or very serious infringements, the sanction will be published in the corresponding official journal, and in cases of very serious infringements, the corresponding authority could order the temporary closing of the corresponding installation for up to 5 years.

Data Protection

Notwithstanding the enforcement mechanism provided by the GDPR (art. 83), the Spanish Data Protection Act contains its own enforcement mechanism (Title IX Spanish Data Protection Act). In particular, the Spanish Supervisory Authority (AEPD) could, ex officio or at the request of a party or a national authority, initiate a sanctioning proceeding in the case of a possible infringement of the data protection regulation in force. The main milestones of this proceeding are:

  • Individuals and national authorities should file before the AEPD a complaint for this purpose.
  • Once this is admitted, the AEPD can initiate ex officio preliminary diligences to better determine the facts and circumstances that justify the initiation of a proceeding.
  • In light of the result of these preliminary diligences, the AEPD will initiate the sanctioning proceeding. In these proceedings, the facts of the case, the defendant and the appellant and the alleged infringement should be specified.

Within the context of these proceedings, the infringements can be classified as minor, serious and very serious. The sanction that may be imposed by the AEPD (if the infringement is finally confirmed) depends on each case and on the severity of the infringement. Aggravating and mitigating circumstances could apply.

Consumer law

Consumer-related offences will be subject to the corresponding administrative fines, after the appropriate investigation, without prejudice to any civil, criminal or other liabilities that may apply. Consumer-related fines range from €150 to €1,000,000.

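7. Are you aware of any future legal developments in your jurisdiction with regard to digital health apps/software?

There are no published future legal developments in Spain with regard to digital health apps/software.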

Telemedicine

8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?

Physicians in Spain are co-regulated by the General Council of Official Medical Associations (Consejo General de Colegios Oficiales de Médicos and the particular Associations established in the different Autonomous Communities) and the public administration (Ministry of Health and equivalents from the Autonomous Communities).

9. What laws and/or regulations apply to physicians regarding telemedicine?

Spain does not have any specific regulation on telemedicine.

However, the Spanish General Council of Official Medical Associations has expressly stated that the use of telephonic means or other non-face-to-face communication systems to assist in professional decision-making is in accordance with Medical Ethics. The above is mainly subject to the services being clearly identified, confidentiality being ensured, and the communication channels used guaranteeing the maximum available security. In any case, the general legislation applicable to the particular services that physicians can provide in person is also applicable when they are provided via telemedicine. Among others, they are regulated under the following laws and regulations:

  • Law 14/1986, General Health (Ley 14/1986, General de Sanidad).
  • Organic Law 15/1999, of 13 December, on the Protection of Personal Data and Royal Decree 1720/2007, which develops it (Ley Orgánica 15/1999, de 13 de diciembre, de Protección de Datos de Carácter Personal y Real Decreto 1720/2007 que lo desarrolla).
  • Law 41/2002, on Patient Autonomy (Ley 41/2002, de Autonomía del Paciente).
  • Law 16/2003 of Cohesion and Quality of the National Health System (Ley 16/2003 de Cohesión y Calidad del Sistema Nacional de Salud).
  • Royal Decree 81/2014, of 7 February, establishing rules to guarantee cross-border healthcare (Real Decreto 81/2014, de 7 de febrero, por el que se establecen normas para garantizar la asistencia sanitaria transfronteriza).
  • Royal Legislative Decree 1/2007, of the General Law for the Defence of Consumers and Users (Real Decreto Legislativo 1/2007, de la Ley General para la Defensa de los Consumidores y Usuarios).

Additionally, it should be noted that Health competences are transferred to the Autonomous Communities, which means that there is not a uniform regulation in this matter.

Law 34/2002 of 11 July, on information society services and electronic commerce (Ley 34/2002 de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico) is also applicable on the basis that it is a service provided electronically.

Moreover, physicians would also be subject to the applicable Codes of Good Practice of the medical associations to which they belong. By way of example, at the beginning of 2022, the Medical Association of Catalonia approved the Notebook of Good Practice (Cuaderno de Buena Práxis) dedicated to telemedicine, which includes fundamental aspects of this modality of care, with the aim of guiding professionals and organizations to incorporate it appropriately and safely into healthcare practice.

10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?

Spain does not have any specific regulation on telemedicine.

However, it should be noted that in the case of cross-border healthcare within the EU, the Spanish legislation, through Royal Decree 81/2014 of 7 February establishing rules to ensure cross-border healthcare (Real Decreto 81/2014, de 7 de febrero, por el que se establecen normas para garantizar la asistencia sanitaria transfronteriza) sets forth that the healthcare service is deemed to be provided in the Member State where the provider is established.

10.1 What are the requirements?

Requirements

The Spanish Code of Medical Ethics has addressed the issue of telemedicine by covering its use and establishing a series of principles that must be met:

  • Proper provision of medical services inevitably implies personal and direct contact between doctor and patient.
  • It is ethically acceptable, in the case of a second opinion and medical checks, to use e-mail or other means of non-presential communication and telemedicine, provided that mutual identification is clear, and privacy is ensured.

11. Do the standards of care applicable to physicians change in the context of using telemedicine?

Since Spain does not foresee a specific regulation on telemedicine, physicians that provide services via telemedicine must meet, and are subject to, the general lex artis of the medical profession.

11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.

Spain does not have any specific regulation on telemedicine. However, the patient should be clearly informed as to the scope of services that the patient can expect to be provided via telemedicine (particularly that no diagnosis can be offered). Beyond that, data protection notices and rights of personality notices (in case of recording conversations) have to be given.

11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?

The use of telemedicine may increase the risk of liability, particularly because liability is mainly related to diagnosis, which is, at times, trickier in the context of telemedicine. Liability in any event would be assessed on a case-by-case basis. Therefore, it might be very convenient for the purposes of determining and/or excluding or mitigating liability (i) to have a proper record of the content of the service provided via telemedicine; and (ii) to clearly inform the patient of the scope of the limited services that can be provided. Disclaimers of liability could be related to the amount of information provided (and not provided) by the patient.

12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?

Spain does not foresee a specific regulation on telemedicine.

13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage? 

There is no specific regulation in Spain regarding reimbursement of telemedicine services/appointments. Thus, telemedicine appointments follow the same regulation as face-to-face appointments, which is as follows:

In Spain, the public health insurance only funds treatments which are provided by centres, establishments and services of the National Health System or those which are subsidised by the National Health System, except in situations of vital risk, when it is justified that the means of the latter could not be used (art. 4.3 of Royal Decree no. 1030/2006 and art. 9 of Law no. 16/2003 on the National Health Care System).

Indeed, in cases in which urgent, immediate and vital health care services have been provided outside the National Health System, the costs of such care shall be reimbursed if proven that the services of the National Health System could not be used in a timely manner and that it does not constitute a deviant or abusive use of this exception.

As per the private insurance coverage, telemedicine has taken hold in Spain during the pandemic and has become an additional benefit offered by many insurance companies in their health policies.

14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.

There is no specific Spanish data protection regulation specifically covering telemedicine services. 

Nevertheless, personal data processed through a telemedicine service might be considered as part of the “Clinical Record” as defined by Spanish Act 41/2002 regulating patient autonomy and rights and obligations in terms of clinical information and documentation. Thus, provisions under this Act regarding basic patients’ rights and health professionals/centres’ obligations (i.e., information rights, rights of access to Clinical Record, custody and conservation obligations concerning clinical documentation, etc.) might be applicable in conjunction with GDPR and Spanish Data Protection Act. 

15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?

During the last few years there have been proposals to regulate telemedicine by various associations and experts in health law. However, these proposals have not been taken up in general terms by political parties or institutions and it does not seem that a future development would be carried out soon.