Digital health apps and telemedicine in Turkiye

Pursuant to Medical Device Regulation No. 38657 (the “Medical Device Regulation”), software in digital health applications can be classified as medical devices if they meet the specific criteria set out therein.  The classification is based on the primary function of the software in terms of serving a medical purpose.  If the software is used to diagnose, prevent, monitor or treat diseases, injuries or disabilities; the modification of anatomy or physiological processes; or provide medical information through in vitro examination of body samples (including organs, blood and tissues), then it will be classified as a medical device and will fall under the scope of the Medical Device Regulation.

Software that is used exclusively for general health-related activities, such as step-tracking, does not fall into this category and is subject to general consumer product regulations.

If the software is classified as a medical device, it falls under the scope of the Product Safety and Technical Regulations Law No. 7223 and the Medical Device Regulation, making the manufacturer liable for product defects under the aforementioned legislation.

If the software is not classified as a medical device, it is treated as a general consumer product and is subject to the Consumer Protection Law No. 6502, which provides legal remedies for consumers in the case of defects.

The classification of software as a medical device necessitates its compliance with more stringent regulations and audit processes.  Such software is required to meet specific standards in terms of safety and technical conformity, given its direct relationship with human health.  These standards include quality and safety requirements, such as CE marking, and the responsibility to authorities, including the Turkish Medicines and Medical Devices Agency (TİTCK) (“Agency”).  In the event of a product malfunction resulting in harm, the manufacturer may face heightened legal consequences.

Liability exclusions and exemptions are dependent on the intended use, risk classification and regulatory status of the digital health software.  If the software is used exclusively by licensed healthcare professionals within a clinical setting, the legal framework may give priority to professional liability over consumer product liability.  In such instances, physicians and healthcare institutions may bear primary responsibility for ensuring that the software is used appropriately, particularly if the application requires medical expertise for its operation.

Additionally, under the Medical Device Regulation, certain low-risk software applications may be exempt from comprehensive clinical evaluation requirements, provided they do not pose a significant risk to patient safety.  Software that functions solely as an accessory to a larger medical device, rather than as an independent medical tool, may be subject to different regulatory and liability considerations.

Yes, digital health software is also governed by additional legal frameworks.  Personal data is protected under the Personal Data Protection Law (“PDPL”) (KVKK), requiring explicit consent for health data processing and ensuring secure data storage. E-Health and Telemedicine services in Türkiye are regulated under the Regulation on Distance Health Services.  This regulation requires health institutions offering Telemedicine services to have certain licences and stipulates that patient records must be stored securely.  In this respect, patient-related data must be stored as encrypted.

Cybersecurity aspects are governed by Law No. 5651 on Law on The Regulation of Broadcasts on The Internet and the Combating of Offences Committed Through Such Broadcasts (İnternet Ortamında Yapılan Yayınların Düzenlenmesi ve Bu Yayınlar Yoluyla İşlenen Suçlarla Mücadele Edilmesi Hk. Kanun) and the national Cybersecurity Strategy, which impose obligations on secure software infrastructure and log monitoring.

Consumer and e-commerce regulations apply under the Consumer Protection Law and E-Commerce Law No. 6563, requiring clear terms of service and transparency in pricing.

In the event of the software being used within Türkiye, all relevant Turkish laws apply, including the PDPL, Medical Device Regulation, and E-Health Regulations.  In cases of cross-border use, foreign data transfer restrictions under the PDPL come into play, requiring explicit consent and approval from the Turkish Data Protection Authority.

In terms of the basis for the application of the software, it will be evaluated within the scope of the Medical Device Regulation.  Further provisions may be applicable depending on the parties involved and their respective identities.  In this respect, if the software operates under a B2B model, it is governed by the Turkish Commercial Code, whereas a B2C model falls under the stricter provisions of the Consumer Protection Law.

Yes, certain features of digital health software require additional legal compliance.  Location tracking requires explicit consent under PDPL and may need the approval of the Ministry of Health for hospital systems. Cloud-based real-time data storage is subject to PDPL restrictions, requiring approval for cross-border data transfers.

Real-time health monitoring is subject to PDPL and Medical Device Regulation, and in some cases, the software may require registration with the Turkish Medicines and Agency if used for treatment purposes.

Under Turkish law, liability for physicians using digital health apps can be limited or transferred to the software producer if a fault or inaccuracy originates from the software rather than physician error. Relevant legislation includes the Turkish Code of Obligations (Article 49), the Turkish Penal Code (Articles 85 & 89), the Product Safety and Technical Regulations Law, the Medical Device Regulation, and the Regulation on Remote Health Services.

Compliance with regulations is enforced by different authorities depending on the regulatory area.  The Turkish Medicines and Agency oversees medical device and software safety, with penalties including registration requirements, audits, and market surveillance for non-compliance.

The Personal Data Protection Authority enforces data protection laws, issuing fines and banning unauthorised health data processing.

Cybersecurity compliance is overseen by the Information and Communication Technologies Authority (BTK), imposing security audits and compliance orders in cases of breaches.

The Ministry of Trade enforces consumer protection regulations, which can lead to fines, recall orders, and compensation claims for misleading product claims.

Several future legal developments are expected in Türkiye regarding digital health software.  Updates to the Medical Device Regulation aim to align Turkish law with the EU Medical Device Regulation (MDR 2017/745) and introduce stricter post-market surveillance requirements.  A proposed AI and Digital Health Applications Regulation will introduce AI transparency requirements, ethical AI guidelines, and approval procedures for AI-driven diagnostics.  Amendments to the PDPL will strengthen cross-border data transfer restrictions and increase penalties for unauthorized health data processing.  Cybersecurity regulations for digital health platforms will require end-to-end encryption for patient data and mandatory penetration testing for cloud-based health applications.  Additionally, digital health applications will be integrated into the Turkish E-Prescription and E-Health System, requiring compliance with centralised health records storage requirements. 1   2

In Türkiye, physicians are regulated by various regulatory bodies, each responsible for different aspects of medical practice.  The Ministry of Health serves as the primary authority, supervising medical practice, licensing, and compliance with national healthcare regulations. The Turkish Health Institutes Presidency (TÜSEB) plays a role in scientific and technical regulation, contributing to the advancement of healthcare standards.  Additionally, the Turkish Medical Association (TTB) ensures that physicians adhere to professional ethics and medical standards.

Physicians in Türkiye are subject to various legislative frameworks.  Law No. 1219 on the Mode of Execution of the Art of Medicine and Its Branches (Tababet ve Şuabatı Sanatlarının Tarzı İcrasına Dair Kanun) is the primary law outlining the authorisation and practice requirements for physicians. Healthcare Services Fundamental Law No. 3359 (Sağlık Hizmetleri Temel Kanunu) defines the duties and responsibilities of healthcare professionals.

The Medical Deontology Regulation (Tıbbi Deontoloji Nizamnamesi) establishes ethical and professional responsibilities that physicians must uphold in their practice.

Furthermore, Law No. 6023 on the Turkish Medical Association (Türk Tabipleri Birliği Kanunu) regulates the authority, structure, and membership obligations of the Turkish Medical Association, ensuring professional self-governance within the medical community.

Physicians providing telemedicine services in Türkiye are governed by several legal frameworks that establish their authority, responsibilities, and compliance requirements.  The primary legislation is the Regulation on the Provision of Remote Healthcare Services (Uzaktan Sağlık Hizmetlerinin Sunumu Hakkında Yönetmelik), which defines the framework for telemedicine, specifying the scope of physicians’ responsibilities and the conditions under which remote healthcare can be provided.

In addition to this main regulation, several related laws govern specific aspects of telemedicine.  PDPL regulates the processing and protection of patient data in telemedicine services, ensuring compliance with privacy and security standards.  The Patient Rights Regulation (Hasta Hakları Yönetmeliği) further outlines key aspects such as patient consent, information rights, and privacy protections in the context of remote healthcare services.

Further support for the implementation of telemedicine is provided by the Ministry of Health through the Guideline on Remote Healthcare for Chronic Diseases (Kronik Hastalıklar İçin Uzaktan Sağlık Hizmeti Sunumu Kılavuzu), which provides direction on managing chronic illnesses through telemedicine, ensuring continuity of care for patients.  The Remote Healthcare Information System (USBS) Guideline establishes the technical requirements for information systems used in telemedicine, setting standards for secure data management and interoperability within Türkiye’s healthcare system.

Remote health services encompass a range of services that can be delivered remotely, provided they are suitable for such delivery. These services may include medical observation, monitoring, follow-up and evaluation, as well as disease diagnosis, medical counselling, consultations and secondary opinions. If deemed necessary, a physical visit to a health institution may be recommended. Remote management and follow-up of diseases, such as monitoring blood sugar and blood pressure, as well as treatment and medication management, can also be conducted.  Services can extend to health protection, supporting healthy lifestyles, and providing psychosocial support.  Multidimensional assessments and follow-ups for high-risk or elderly individuals are possible, and interventional or surgical procedures, when appropriate technology and Ministry approvals are in place, may also be offered.  In cases of endemic or epidemic outbreaks, necessary medical procedures to protect individuals’ health may be carried out following national guidelines.  Wearable technologies and medical devices can be used to monitor health data, and physicians can issue e-prescriptions and e-reports based on their evaluations.  Additionally, healthcare facilities can provide remote services to individuals in other healthcare facilities, provided they have the required operating licence in the same branch for remote healthcare services.

An e-prescription and e-report can be issued by the physician to the person evaluated. There are no other special regulations for physicians.

Prior to the provision of remote healthcare services, patients must be made aware of several key points.  These include the identity and expertise of the healthcare professional, the nature of the service, and its limitations when compared to in-person care.  Patients should also be informed of the potential costs, the service scope, and whether the service is covered by insurance.  This includes the need for explicit consent for audio or video recordings, the necessity of functional audio/video connections, the ability to terminate the service, and the responsibility for securing the systems used.  All information must be provided in clear, comprehensible language.

The risk of liability indirectly increases.  Liability depends on whether the physician has acted according to the relevant standard of care.  For telemedicine, whether it was suitable in the specific case to use telemedicine according to the relevant standard of care will additionally be considered.

Treatment and medication management can be provided.  When providing remote healthcare services, except those provided abroad, remote healthcare service recipients are not allowed to use any medical devices other than the medical devices registered with the Agency.  The Agency shares the list of medicines with restricted use, and updates within this scope are also shared by the Turkish Pharmacists Association.

Telemedicine services in Türkiye can be reimbursed through state insurance systems such as Social Security Institution (“SSI”) (SGK), under specific legal frameworks.  However, the process for converting remote health services into income requires legal backing and pricing determined by the SSI.  Currently, mobile health applications are not yet fully integrated into reimbursement programs, meaning they can only reach their maximum potential once included by government reimbursement institutions or private insurers.  Costs are generally covered through out-of-pocket payments or insurance premiums.

In remote healthcare services, the healthcare facility and professionals are responsible for ensuring the protection of the patient’s privacy and personal data.  Data controllers and processors must handle personal data obtained through services in compliance with the PDPL and related regulations, taking all necessary technical and administrative measures to secure the data and fulfil their obligations to inform individuals.  Remote healthcare services cannot record audio or video or take photographs without the explicit consent of both parties.  However, with consent, audio or video recordings of the service may be taken, and these recordings are stored at the healthcare facility or secure data centres approved by the Ministry.  Access to these recordings is granted to authorised legal bodies or Ministry inspectors conducting administrative investigations.  Such recordings cannot be stored for more than 12 months and are automatically deleted without further notice once this period expires.

Telemedicine is playing an increasingly important role in transforming healthcare through digital technologies, offering benefits such as improved accessibility, efficiency, and equity.  It has the potential to support global challenges and contribute to sustainable development goals.  With regard to future legal developments, telemedicine’s increasing integration with AI and other technologies may influence future legal frameworks related to data privacy, security, and healthcare delivery standards. 3