Digital health apps and telemedicine in Switzerland

  1. Digital Health Apps/Software
    1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?
    2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/privacy) If yes, please indicate these.
    3. If your response to Q2 is yes, please state whether it matters if the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable).
    4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?
    5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)?
    6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software contained in digital health apps. What are the legal consequences for non-compliance?
    7. Are you aware of any future legal developments in your jurisdiction with regard to digital health apps/software?
  2. Telemedicine
    8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?
    9. What laws and/or regulations apply to physicians regarding telemedicine?
    10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?
    11. Do the standards of care applicable to physicians change in the context of using telemedicine?
    12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?
    13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage?
    14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.
    15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?

Digital Health Apps/Software

1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?

1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?

The classification as a medical device is based on the Swiss Therapeutic Products Act and the Swiss Medical Devices Ordinance. Pure software such as an app or an algorithm could qualify as a medical device. According to the Federal Office of Public Health, an app "is a medical device as soon as it can detect or treat diseases, i.e., if it has a medical purpose for an individual and it does more than store, archive or communicate data. Accordingly, apps that measure fitness data or apps used for statistical analysis of clinical or epidemiological data are not medical devices. Similarly, electronic patient registries and information platforms are not medical devices". The Federal Administrative Court has, for example, qualified an app for monitoring the menstrual cycle as a medical device (BVGer C-669/2016, dated 17 September 2018).

1.2 Is it considered a “product” to which civil liability can attach, and if so, under what regulations?

A medical device within the meaning of the Therapeutic Products Act is not necessarily also a product within the meaning of the Swiss Product Liability Act (“PLA”). While a software-based device purporting to have a medical effect can be qualified as a medical device, it is controversial if it can also be qualified as a product under the PLA. Art. 3 para. 1 lit. b PLA explicitly mentions electricity as the only immaterial good to be treated as a product in the sense of the PLA. The grammatical interpretation of this provision would mean that software would not be covered by the definition of a "product" in the sense of the PLA. However, many voices in the doctrine advocate a contemporary interpretation in line with the purpose of the law and the interpretation of the EU Directive No. 85/374/EEC, which, according to the Federal Supreme Court, is to be consulted as an aid to interpretation (BGE 133 III 81, 83 ff.). Following this progressive interpretation, which we believe is justified, software qualifies as a product. However, there is no case law on this specific question.

Apart from that, civil liability may occur from general contract law. Since software is mostly provided as a service to the end customer, agency law according to art. 394 ff. CO is usually applicable.

1.3 If your response to Q1.1 is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)?

If the PLA were applicable to software, the grounds for exclusion of liability would be found in art. 5 PLA. Accordingly, a manufacturer may exempt itself from liability if it proves that:

  • it did not place the product on the market; or
  • it can be assumed from the circumstances that the defect that caused the damage did not yet exist when it placed the product on the market; or
  • it did not manufacture the product for sale or any other form of distribution with an economic purpose, nor did it manufacture or distribute the product in the course of its professional activities; or
  • the defect is attributable to the fact that the product complies with mandatory regulations issued by the public authorities.

Since product liability is a causal liability, the grounds for exclusion of liability are not linked to a lack of fault. Rather, they require the absence or presence of one of the above-mentioned factors.

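2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/privacy) If yes, please indicate these.

The following two laws do not directly govern the actual use of digital health software as such, but rather the handling of the data obtained from or through it, which is in effect equivalent to a regulation of the use of the software concerned.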

  1. Art. 321 and 321bis of the Swiss Criminal Code (“CC”) may establish criminal liability for persons who pursue a profession within the scope of the Medical Professions Act (e.g., doctor, dentist, physiotherapist, psychologist etc.) and, within their professional practice, violate the above-mentioned laws by using digital health software.

    Art. 321 CC prohibits the disclosure of any secret that has been entrusted to a medical professional because of their profession or which they have observed in the exercise thereof. Art. 321bis CC prohibits the disclosure of any professional secret that a person has observed or has been entrusted with while performing medical research within the scope of the Human Research Act (HRA).

    Since the law does not specify the source of the unlawfully disclosed secret, the offence may also be committed by disclosing relevant secrets obtained through digital health software.
     
  2. The Federal Act on Data Protection (“FADP”) qualifies any personally identifiable data related to health as sensitive personal data (Art. 3 lit. c N. 2 FADP).

    The standards of data security and the thresholds for justification reasons when processing such data in contravention of the law are substantially higher. If the processing of such data is to be based on consent, the consent must be given explicitly (Art. 4 para. 5 FADP).

    Art. 35 FADP establishes that every non-authorised disclosure of sensitive personal data (hence, also any data related to health) in the course of a professional activity is, on complaint, liable to a fine.

3. If your response to Q2 is yes, please state whether it matters if the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable).

3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction.

The relevant prohibited act under the CC is the disclosure. If the disclosure is made in Switzerland, Swiss regulations apply regardless of whether the disclosed data has its origin abroad or within Switzerland. The FADP is only applicable to users who reside in Switzerland. Users who reside abroad (e.g., in EU-countries) would instead be subject to, and protected under, the EU-GDPR.

3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service.

The above-mentioned provisions of the CC make no distinction of this type. Nevertheless, the secrecy protected under art. 321bis CC applies to patients, who are by definition not businesses, and thus infringements of this provision are more likely to occur in B2C than in B2B settings.

The currently valid Federal Act on Data Protection also does not make a distinction of this type and protects both personal data of natural persons and legal entities. However, in autumn 2023, a revised version of the Federal Act on Data Protection will come into force. Personal data from companies will be explicitly excluded from the scope of its protection in the revised version.

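4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?

Location tracking and real-time monitoring may both be components of a personality profile in the sense of art. 3 lit. d FADP. The creation and maintenance of a personality profile creates higher thresholds of data security and justification reasons for processing. If data processing is envisaged based on consent, such consent must be explicit (art. 4 para. 5 FADP).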

If a person creates and maintains personality profiles frequently in the form of a data collection, i.e., when personality profiles are not only created as an exception in individual cases but systematically, a registration with the data protection officer is mandatory (art. 11a para. 3 lit. a FADP).

If personality profiles in the form of a data collection are established, the affected person must be informed about the holder of the data collected, the purpose of the processing and the categories of further data recipients, if data disclosure is foreseen (art. 14 FADP). 

5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)? 

In principle, a physician cannot be held liable for damages or injuries to a patient that are verifiably caused by a defective medical device (e.g., software). However, when using a medical device in the course of a treatment, a physician has numerous duties of diligence. A violation thereof may lead to a liability of the physician even if the root cause of the damage or injury lies within a fault or inaccuracy of the used medical device.

The operating physician is obligated to maintain the device as instructed by the manufacturer (e.g., perform software updates) and to strictly monitor the device before and while using it, so that the treatment procedure can be interrupted as soon as the defectiveness of the device is assumed. This also requires that the physician is appropriately trained on the device in order to be able to detect the defectiveness. If all of the above-mentioned obligations are met by the operating physician, the liability for damage/injury caused by defective software lies with the developer.

6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software contained in digital health apps. What are the legal consequences for non-compliance?

  1. Violations of the PLA (assuming it is applicable to software) are prosecuted upon civil complaint of the damaged party. The damaged party bears the burden of proof for i) damage, ii) the defectiveness of the respective product, and iii) a causal link between the defectiveness and the damage that occurred. Once all three of these elements are established, the manufacturer of the product is liable and must compensate the damaged party to the full extent of the damage (apart from a deductible of CHF 900 according to art. 6 para. 1 PLA).
  2. Claims arising from contract law are prosecuted upon civil complaint of the damaged party and may lead to a liability up to the full extent of the damage.
    If the software is offered as a service, agency law according to art. 394 ff. CO is applicable. In this case, the damaged party must prove that damage has been caused by an improper and careless execution of the requested service. "Improper" in this sense generally includes the use of defective software.
  3. A breach of professional confidentiality according to art. 321 or 321bis CC is prosecuted upon complaint and punishable by up to 3 years of imprisonment or a monetary fine.
  4. Art. 35 FADP establishes that every wilful, non-authorised disclosure of sensitive personal data (hence, also any data related to health) in the course of a professional activity is, upon complaint, liable to a monetary fine up to CHF 10,000.
    From autumn 2023 onwards, according to art. 52 of the revised Swiss Federal Act on Data Protection, the possible punishment for this offence will be aligned with the scale of punishment of the CC (up to 3 years of imprisonment or a fine up to CHF 250,000).

7. Are you aware of any future legal developments in your jurisdiction with regard to digital health apps/software?

There are no legal developments known that directly address digital health apps/software. However, the above-mentioned revision of the Federal Act on Data Protection may affect the handling of digital health apps/software in an indirect way.

Telemedicine

8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?

The formal admission to medical professions and the professional duties are regulated by the Medical Professions Act. The material duties of physicians emerge from various general and sector-specific laws.

The competent supervisory authority is the respective Cantonal Office of Public Health.

9. What laws and/or regulations apply to physicians regarding telemedicine?

From a general legal perspective, all the contractual questions regarding telemedicine are subject to the Swiss Code of Obligations, the Data Protection Act and, in principle, every mandatory law. From a sector-specific point of view, the Medical Professions Act doesn't contain any specific regulation addressing telemedicine. Other general or sector-specific laws do not specifically address and regulate telemedicine either. However, the professional duties/duties of diligence remain the same as in face-to-face practice. Several Cantonal Public Health laws address telemedicine and state that it is an activity that requires a permit, just like practising in the presence of the patient (§ 7 of the Public Health Act of the Canton Basel-Landschaft, § 41 of the Public Health Act of the Canton Basel-Stadt).

The code of conduct of the Swiss Medical Association, as one of the most important sector-specific soft law enactments to which public courts regularly refer, provides the following: "Art. 7 para 3: Regular treatment solely on the basis of information or reports provided in writing, by telephone or electronically by third parties is incompatible with diligent professional practice".

However, this principle does not constitute a general ban on telemedicine as the Federal Supreme Court has stated that telemedical treatments cannot in principle be qualified as a breach of the professional diligence duties (BGE 116 II 519, E. 3d/bb).

This becomes even more clear in the light of Art. 33ter of the code of conduct of the Swiss Medical Association that reads as follows: "Institutions that offer medical teleconsultations to patients are part of medicine. These institutions must comply with standards that are defined in an annex."

Considering these principles, it can be stated, in particular, that only the exclusive telemedical treatment of a patient is a violation of the professional duties of a physician, whereas the use of telemedical tools as an auxiliary tool within a treatment is absolutely in line with the professional duties.

10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?

10.1 What are the requirements?

As described above, there are no specific rules that regulate the circumstances where telemedicine may be used. It is generally up to the physician to determine the most suitable method of treatment. The only limit to this principle is that a patient may not be treated only by the means of telemedicine. It is the physician's duty to recognize the limitations of the treatment method and invite or refer the patient for a physical visitation.

10.2 Were there any new (time-limited) regulations regarding the Sars-CoV-2 pandemic?

The Swiss Medical Association published a factsheet regarding telemedicine at the beginning of the Sars-CoV‑2 pandemic, although the factsheet does not contain any regulations. It is only meant to inform physicians who are practising telemedicine for the first time about all of the aspects that need to be considered before practising via telemedicine.

11. Do the standards of care applicable to physicians change in the context of using telemedicine?

11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.

The standards do not generally change; however, there is a selective increase or shift in the duty of diligence. On the one hand, the attending physician has an increased duty to ask questions, since all other impressions that play a role in a diagnosis no longer exist. On the other hand, the physician must inform the patient about the limits of telephone diagnosis as such and, in case of doubt, order a personal visitation. Finally, when making diagnoses, greater restraint must be exercised with regard to concrete treatment recommendations.

11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?

Generally, liability is not increased when the diagnosis or certification given virtually could have been given during an in-person consultation without having to perform a body examination. However, this implies that a physician may be held liable for giving a diagnosis or certification via telemedicine regarding a medical condition that can hardly be evaluated without a body examination.

12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?

There is no actual restriction. However, it would possibly lead to a violation of the diligence duties, specifically if a physician were to prescribe a very complex or "severe" medicinal product to a patient who has not undergone a prior body examination and in-person consultation.

In this context, Art. 26 para. 2 of the Therapeutic Products Act (“TPA”) states that "A medicinal product may only be prescribed if the health condition of the consumer or patient is known." Translated to the prescription of medicinal products via telemedicine, the Federal Supreme Court and the Swiss Agency for Therapeutic Products (Swissmedic) have defined interactive communication (e.g., telephone or videocall) between patient and prescribing physician as a minimum standard for the prescription of drugs via telemedicine, without limiting the type of medicine that can be prescribed this way.

13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage? 

13.1 If so, are there any special provisions about the reimbursement/coverage of costs regarding the use of mobile apps that can combine digital health and telemedicine? 

Yes, appointments held via telemedicine are considered equivalent to in-person consultations regarding the coverage by the mandatory health insurance. There are no legal provisions regarding this topic. The extent of the coverage is mainly regulated within the contract between the insurance company and the patient. It depends on the insurance model that a patient chooses and to what extent telemedicine and digital health applications are covered.

13.2 And further, if yes, who is covering the costs for apps that are mostly used by healthcare professionals and by patients?

As stated above, it depends on the insurance model.

14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.

There are no specific data protection regulations addressing telemedicine. As stated above, though, the data shared via telemedicine is usually qualified as sensitive personal data and must be handled with the appropriate caution. In its factsheet regarding telemedicine, released at the beginning of the Sars-CoV‑2 pandemic, the Swiss Medical Association has summarized the data protection measures that it recommends to physicians practising telemedicine.

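15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?

There are no legal developments known that directly address telemedicine.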

Dr Christoph Willi, LL.M.
Partner
Zurich